no404



Hi,

I made some changes to no404.nasl but they weren't committed. The changes
are to include the no404 string in the security warning, and to add an
extra possible error string.

BTW, some of the French version seems to have gone missing between the
version of the plugin I first worked against, and the current version in
Nessus. I've merged all changes as best I can.

Paul

-- 
Paul Johnston
Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul_at_westpoint.ltd.uk
web: www.westpoint.ltd.uk




#
# This script was written by Renaud Deraison <deraison_at_cvs.nessus.org>
# - rewritten in parts by H D Moore <hdmoore_at_digitaldefense.net>
# - updated for Westpoint Ltd by Paul Johnston <paul_at_westpoint.ltd.uk>
#
# See the Nessus Scripts License for details
#

# Plugin description text, keyed by language. Both entries are registered
# through script_description() in the description branch below, and
# desc["english"] is additionally reused by found_string() as the preamble
# of the note that reports the marker string.
desc["english"] = "
Some web servers are [mis]configured in that they
do not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map or search page instead.

This script will retrieve the default page which
is issued when a non-existent file is requested, and
will use this information to minimize the risks 
of false positives for the other tests.";

# French rendering of the same description (shorter than the English one).
desc["francais"] = "
Certains serveurs web n'affichent pas d'erreur 404
lorsqu'un client leur demande une page qui n'existe
pas.

Ce script récupère donc la page d'erreur qui est
affichée et la garde en mémoire afin de pouvoir
minimiser par la suite les risques d'erreur
dus a ce comportement";

# Registration branch: when the engine loads the plugin with `description`
# set, only the metadata below is registered and the script exits before
# any of the probing code further down runs.
if(description)
{
 script_id(10386);
 script_version ("$Revision: 1.29.2.1 $");

 name["english"] = "No 404 check";
 name["francais"] = "No 404 check";
 script_name(english:name["english"], francais:name["francais"]);
 
 script_description(english:desc["english"], francais:desc["francais"]);
 
 summary["english"] = "Checks if the remote webserver issues 404 errors";
 summary["francais"] = "Vérifie que le serveur web distant sort des erreurs 404";
 
 script_summary(english:summary["english"], francais:summary["francais"]);
 
 # Information gathering only: the probe requests below are harmless GETs
 # for files that do not exist.
 script_category(ACT_GATHER_INFO);
 
 
 script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison",
    francais:"Ce script est Copyright (C) 2000 Renaud Deraison");
 family["english"] = "CGI abuses";
 family["francais"] = "Abus de CGI";
 script_family(english:family["english"], francais:family["francais"]);
 # Run after service detection; the probing code reads the "Services/www"
 # knowledge-base entry (presumably filled in by these dependencies).
 script_dependencie("find_service.nes", "httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

function check(url, port)
{
    # Issue one GET for `url` against `port` and hand back the raw
    # response (headers and body, at most 16384 bytes, 20 s timeout).
    # Returns 0 when no TCP connection could be opened, so the caller
    # can tell "no answer" apart from a real response.
    request = http_get(item:url, port:port);

    sock = open_sock_tcp(port:port);
    if (!sock)
    {
        return (0);
    }

    send(socket:sock, data:request);
    response = recv(socket:sock, length:16384, timeout:20);
    close(sock);

    return (response);
}

function find_err_msg(buffer)
{
    # Scan the script-level errmsg[] table, from index 0 up to the first
    # unset slot, and return the first entry that matches `buffer` as a
    # case-insensitive regular expression. Returns 0 when nothing matches.
    idx = 0;
    while (errmsg[idx])
    {
        candidate = errmsg[idx];
        if (ereg(pattern:candidate, string:buffer, icase:TRUE))
        {
            #if (debug) display("'",candidate, "' found in '", buffer, "'\n");
            return (candidate);
        }
        idx = idx + 1;
    }

    return (0);
}

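function found_string(magic, source)
{
  # Record `magic` as the marker that later web checks compare responses
  # against (knowledge-base key www/no404/<port>), report where it came
  # from (`source`), and end the script. `port`, `debug` and `desc` are
  # script-level globals.
  #
  # A blank marker is refused: an empty or whitespace-only needle is a
  # substring of every response, so storing it would make every later
  # check treat every page as the "not found" page (false negatives
  # across the board). In that case the function returns 0 instead of
  # exiting, so the caller can fall through to its next heuristic.
  if (!ereg(pattern:"[^[:space:]]", string:magic))
  {
    if(debug) { display("Ignoring blank marker from ", source, "\n"); }
    return (0);
  }

  kb_key = string("www/no404/", port);
  set_kb_item(name:kb_key, value:magic);
  if(debug) { display("200: Using string from ", source, ": ", magic, "\n"); }
  # The plugin description is repeated in the note so the reader sees
  # both the explanation and the exact string that will be used.
  msg = string(desc["english"], "\n\nUsing string from ", source, ":\n  '", magic, "'");
  security_note(data:msg, port:port);
  exit(0);
}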

# build list of test urls

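# Pick a random path that never contains "404". errmsg[1] below is "404",
# and a response that echoes the requested path (presumably common for
# "not found" pages) would otherwise trip that pattern on the request
# itself. Seeding with "404" forces at least one draw from rand().
basename="404";
while ("404" >< basename) basename=string("/NessusTest", rand());

# The same bogus name under several extensions, at the root and under
# /cgi-bin, so that extension- or directory-specific handlers are probed.
badurl[0] = string(basename, ".html");
badurl[1] = string(basename, ".cgi");
badurl[2] = string(basename, ".sh");
badurl[3] = string(basename, ".pl");
badurl[4] = string(basename, ".inc");
badurl[5] = string(basename, ".shtml");

badurl[6] = string("/cgi-bin", basename, ".html");
badurl[7] = string("/cgi-bin", basename, ".cgi");
badurl[8] = string("/cgi-bin", basename, ".sh");
badurl[9] = string("/cgi-bin", basename, ".pl");
badurl[10] = string("/cgi-bin", basename, ".inc");
badurl[11] = string("/cgi-bin", basename, ".shtml");

# Phrases that mark a "not found" page even when the status code is 200.
# find_err_msg() tries them as case-insensitive regular expressions and
# stops at the first unset index, so the table must stay contiguous from 0
# (indices are assigned in order for that reason).
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "FireWall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";
errmsg[6] = "HP Web JetAdmin";
errmsg[7] = "Error processing SSI file";
errmsg[8] = "ExtendNet DX Configuration";
errmsg[9] = "Unable to complete your request due to added security features";
errmsg[10] = "Client Authentication Remote Service</font>";
errmsg[11] = "Error - Bad Request";
errmsg[12] = "Webmin server";
errmsg[13] = "Management Console";  
errmsg[14] = "TYPE=password"; # As in "<input type=password>"
errmsg[15] = "The userid or password that was specified is not valid."; # Tivoli server administrator
errmsg[16] = "encountered an error while publishing this resource";
errmsg[17] = "Access Failed";

# Set to 1 for display() tracing of every probe.
debug = 0;

# Web port from service detection, falling back to 80.
port = get_kb_item("Services/www");
if(!port)port = 80;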

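# Probe each bogus URL in turn. The first one that yields a usable marker
# ends the script inside found_string(); a 200 with nothing to match on
# ends it with a warning instead.
for (c = 0; badurl[c]; c = c + 1)
{
    url = badurl[c];

    if(debug) display("Checking URL ", url, "\n");
    ret = check(url:url, port:port);

    if (!(ret == 0))
    {
        # Status line(s): egrep returns every line that starts with "HTTP/",
        # so a body that echoes a status line can add further lines here.
        raw_http_line = egrep(pattern:"^HTTP/", string:ret);

        # A 200 for a file that cannot exist means the server hides 404s.
        # The code is anchored right after the protocol version so that a
        # "200" appearing elsewhere in the line (or in a second matched
        # line) is not mistaken for the status code.
        if(ereg(pattern:"^HTTP/[0-9.]+ +200", string:raw_http_line))
        {
            # 1. Known "not found" phrases from the errmsg[] table.
            not_found = find_err_msg(buffer:ret);
            if (not_found != 0) {
                found_string(magic:string(not_found), source:"known error messages");
            } else {

                # 2. The <title> element. ereg_replace only rewrites the
                #    matched <title>...</title> span of the grepped line.
                title = egrep(pattern:"<title", string:ret, icase:TRUE);
                if (title)
                {
                    title = ereg_replace(string:title, pattern:"<title>(.*)</title>", replace:"\1", icase:TRUE);
                    found_string(magic:title, source:"title tag");
                }

                # 3. The attributes of the <body> tag.
                body = egrep(pattern:"<body", string:ret, icase:TRUE);
                if (body)
                {
                    body = ereg_replace(string:body, pattern:"<body(.*)>", replace:"\1", icase:TRUE);
                    found_string(magic:body, source:"body tag");
                }

                # 4. Nothing usable: warn that later CGI checks cannot be
                #    filtered against this server, then stop.
                if(debug)display("argh! could not find something to match against.\n");
                if(debug)display("[response]", ret, "\n");
                msg = "
This web server is [mis]configured in that it
does not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map or search page or authentication page instead.

Unfortunately, we were unable to find a way to recognize this page.
Expect *many* false positives from the CGI testing scripts.
";
                security_note(port: port, data: msg);
                exit(0);

            }
        }

        # A redirect for the bogus file is just as telling; the status
        # line itself becomes the marker. Anchored like the 200 test above.
        if(ereg(pattern:"^HTTP/[0-9.]+ +302", string:raw_http_line))
        {
            found_string(magic:raw_http_line, source:"raw HTTP");
        }

    } else {
        if(debug) display("An error occurred when trying to request: ", url, "\n");
    }
}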



