source: trunk/plugins/nikto_httpoptions.plugin @ 70

#VERSION,2.04
# $Id$

###############################################################################
#  Copyright (C) 2006 CIRT, Inc.
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; version 2
#  of the License only.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
###############################################################################

###############################################################################
# PURPOSE
# HTTP options check
###############################################################################

# This just gets the HTTP options & checks 'em out.
# See RFC 2626 for more info...

sub nikto_httpoptions
{
   # test for both OPTIONS / and OPTIONS * as they may give different results
   (my $RES, $CONTENT) = fetch("*", "OPTIONS");
   my $aoptions = "$result{allow}, ";
   my $poptions = "$result{public}, ";
   my ($allow_methods, $public_methods, $txt);
   my $dbarray;

   $dbarray=initialise_db("db_httpoptions");

   ($RES, $CONTENT) = fetch("/", "OPTIONS");
   $aoptions .= $result{allow};
   $poptions .= $result{public};

   foreach my $o (split(/,[ ]?/, $aoptions)) { $allow_methods .= ", $o" unless ($allow_methods =~ /\b$o\b/ || $o eq ''); }
   $allow_methods =~ s/^[ ]?, //;
   foreach my $o (split(/,[ ]?/, $poptions)) { $public_methods .= ", $o" unless ($public_methods =~ /\b$o\b/ || $o eq ''); }
   $public_methods =~ s/^[ ]?, //;

   # proxy can impose it's methods... should actually check this not just warn
   if ($CLI{useproxy} ne "") { $txt = "(May be proxy's methods, not server's)"; }

   if ($allow_methods ne "")
   {
      $TARGETS{$CURRENT_HOST_ID}{positives}{999990} = 1;
      $TESTS{999990}{message}                       = "Allowed HTTP Methods: $allow_methods $txt";
      $TESTS{999990}{osvdb}                         = 0;
      $TARGETS{$CURRENT_HOST_ID}{total_vulns}++;
      nprint("- $TESTS{999990}{message}");
      foreach my $m (split /,? /, $allow_methods) { eval_methods($m, "Allow", $dbarray); }
   }

   if ($public_methods ne "")
   {
      $TESTS{999985}{message}                       = "Public HTTP Methods: $public_methods $txt";
      $TESTS{999985}{osvdb}                         = 0;
      $TARGETS{$CURRENT_HOST_ID}{positives}{999985} = 1;
      $TARGETS{$CURRENT_HOST_ID}{total_vulns}++;
      nprint("- $TESTS{999985}{message}");
      foreach my $m (split /,? /, $public_methods) { eval_methods($m, "Public", $dbarray); }
   }
 
   # Now release memory for the dbarray
   undef @$dbarray;
   return;
}

sub eval_methods
{
   my $method = $_[0] || return;
   my $type = $_[1];
   my $dbarray = $_[2];
   $method = uc($method);

   # Now search database for the method.
   foreach my $item (@$dbarray)
   {
      if ($item->{method} eq $method)
      {
         $TESTS{$item->{nikto_id}}{message} = $item->{message};
         $TESTS{$item->{nikto_id}}{message} =~ s/\@TYPE\@/$type/;
         $TESTS{$item->{nikto_id}}{osvdb} = $item->{osvdb};
         nprint("+ OSVDB-$item->{osvdb}: $TESTS{$item->{nikto_id}}{message}");
         $TARGETS{$CURRENT_HOST_ID}{positives}{$item->{nikto_id}} = 1;
         $TARGETS{$CURRENT_HOST_ID}{total_vulns}++;
      }
   }
}

1;