Port specification in the location data returned from http-headers and html-title.nse

This email is a combination of a request for comments as well as a reminder for myself.

Some time ago I noticed that the html-title.nse script did not return the proper value for location when it was run against a web server running on a port other than 80.

For example:

    nmap -sV --script=html-title.nse -p 8080 www.someserver.com

would return this

    8080/tcp open http Apache httpd 2.0.46 ((Red Hat))
    | html-title: My Site
    |_ Requested resource was http://www.someserver.com/

That last line should actually be

    |_ Requested resource was http://www.someserver.com:8080/

I noticed this due to a service I was seeing on a regular basis that redirects via an HTTP 302 to a subdirectory on the same host and port.

Digging around a bit I see what I think is the cause in http.lua at the following lines in the "buildGet" function:

    header = {
    --> Host = get_hostname(host),
        ["User-Agent"] = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
    }

This syntax also shows up in a couple other, similar functions such as buildHead and buildPost. When building the headers to send, the hostname is set, but the port number is not on it. The value of the Host: header is returned as part of the Location server header. The result trickles down in the Location values of a couple scripts like html-title.nse and http-headers.nse.

I did some preliminary testing and found that changing the line to

    Host = get_hostname(host) .. port.number,

corrected the problem without breaking anything. If I am right, the fix seems to be easy. I don't have time at the moment to test this change with the depth that it needs, so I figured I would toss this out to see what you folks had to say. I will probably work on changing and testing this sometime this weekend.

Thanks,

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Re: Port specification in the location data returned from http-headers and html-title.nse

On Thu, Oct 15, 2009 at 05:56:41PM -0500, Tom Sellers wrote:

> This email is a combination of a request for comments as well as a
> reminder for myself.
>
> Some time ago I noticed that the html-title.nse script did not return
> the proper value for location when it was run against a web server
> running on a port other than 80.
>
> For example:
>
> nmap -sV --script=html-title.nse -p 8080 www.someserver.com
>
> would return this
>
> 8080/tcp open http Apache httpd 2.0.46 ((Red Hat))
> | html-title: My Site
> |_ Requested resource was http://www.someserver.com/
>
> That last line should actually be
>
> |_ Requested resource was http://www.someserver.com:8080/
>
> I noticed this due to a service I was seeing on a regular basis that
> redirects via an HTTP 302 to a subdirectory on the same host and port.
>
> Digging around a bit I see what I think is the cause in http.lua at
> the following lines in the "buildGet" function:
>
> header = {
> --> Host = get_hostname(host),
>     ["User-Agent"] = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
> }
>
> When building the headers to send, the hostname is set, but the port
> number is not on it. The value of the Host: header is returned as part
> of the Location server header. The result trickles down in the
> Location values of a couple scripts like html-title.nse and
> http-headers.nse.
>
> I did some preliminary testing and found that changing the line to
>
> Host = get_hostname(host) .. port.number,
>
> corrected the problem without breaking anything.

Thanks, Tom. Your analysis is correct. However I think you meant

    Host = get_hostname(host) .. ":" .. port.number,

I committed something like this in r16030. The port number is appended to the value whenever it is not equal to 80.

David Fifield
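An added illustration of the Host-header rule discussed in Tom's report and David's fix; it is not Nmap's http.lua and not code from this thread. The names host_header, default_port and echo_location are made up here, echo_location stands in for a server that builds its 302 Location from the Host header it received, and the rule is generalized beyond the thread's port-80 case to omit 443 for https as well, since HTTP omits the port from Host only when it is the scheme's default.

```lua
-- Constructed example, not the committed Nmap code.
-- Default port per scheme; the thread's fix only special-cases 80,
-- this table extends the same rule to https.
local default_port = { http = 80, https = 443 }

-- Build the value of the Host: request header. The port is appended
-- only when it differs from the scheme's default, which is the rule
-- David describes for r16030.
local function host_header(hostname, port, scheme)
  scheme = scheme or "http"
  if port == default_port[scheme] then
    return hostname
  end
  return hostname .. ":" .. tostring(port)
end

-- Stand-in for the server behaviour Tom observed: the redirect target
-- in Location is built from whatever Host value the client sent.
local function echo_location(host_value, path, scheme)
  return (scheme or "http") .. "://" .. host_value .. path
end

-- Constructed sample: the www.someserver.com on port 8080 case.
local hostname, port = "www.someserver.com", 8080

-- Before the fix the client sent the bare hostname, so the server's
-- redirect silently pointed back at port 80.
local old_location = echo_location(hostname, "/subdir/")
assert(old_location == "http://www.someserver.com/subdir/")

-- After the fix the port survives the round trip.
local new_location = echo_location(host_header(hostname, port), "/subdir/")
assert(new_location == "http://www.someserver.com:8080/subdir/")

-- Default ports are still omitted, so port-80 (and https 443) output
-- is unchanged by the fix.
assert(host_header("www.someserver.com", 80) == "www.someserver.com")
assert(host_header("www.someserver.com", 443, "https") == "www.someserver.com")
assert(host_header("www.someserver.com", 8443, "https") == "www.someserver.com:8443")

print("Host header for " .. hostname .. ":" .. port .. " -> " .. host_header(hostname, port))
```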
Re: Port specification in the location data returned from http-headers and html-title.nse

David Fifield wrote:

> On Thu, Oct 15, 2009 at 05:56:41PM -0500, Tom Sellers wrote:
>> I did some preliminary testing and found that changing the line to
>>
>> Host = get_hostname(host) .. port.number,
>>
>> corrected the problem without breaking anything.
>
> Thanks, Tom. Your analysis is correct. However I think you meant
>
> Host = get_hostname(host) .. ":" .. port.number,

You are right, I was working from memory and got sloppy. Thanks!

> I committed something like this in r16030. The port number is appended
> to the value whenever it is not equal to 80.

Thanks for making the change. My machine was down for about 3 weeks. I finally have it working and finished getting my dev environment re-established this weekend.

Tom