1.46b: Security fix and cleanup
- Security: fixed a potential read past EOB in scrape_response() on zero-sized payloads. Credit to Jeff Johnson. - Removed redundant fdopen() in dictionary management.
This commit is contained in:
parent
38ca4b24a5
commit
72804b90f0
@ -1,3 +1,11 @@
Version 1.46b:
--------------
- Security: fixed a potential read past EOB in scrape_response() on
zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management,
Version 1.45b:
--------------
15
README
15
README
@ -407,15 +407,18 @@ issues):
$ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
http://www.example.com/
Five-connection crawl, but no brute-force; pretending to be MSIE and caring
less about ambiguous MIME or character set mismatches:
Five-connection crawl, but no brute-force; pretending to be MSIE, caring
less about ambiguous MIME or character set mismatches, and trusting
example.com links:
$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie http://www.example.com/
$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
http://www.example.com/
Brute force only (no HTML link extraction), trusting links within example.com
and timing out after 5 seconds:
Brute force only (no HTML link extraction), limited to a specific
directory, timing out after 5 seconds:
$ ./skipfish -B .example.com -O -o output_dir -t 5 http://www.example.com/
$ ./skipfish -P -I http://www.example.com/dir1/ -O -o output_dir -t 5 \
http://www.example.com/dir1/
For a short list of all command-line options, try ./skipfish -h.
@ -839,7 +839,8 @@ next_tag:
/* Skip to next tag. */
cur_str = (u8*)strchr((char*)tag_end + 1, '<');
if (*tag_end) cur_str = (u8*)strchr((char*)tag_end + 1, '<');
else cur_str = 0;
} while (cur_str);
@ -1894,7 +1895,7 @@ static void detect_mime(struct http_request* req, struct http_response* res) {
memcpy(sniffbuf, res->payload,
(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len);
sniffbuf[SNIFF_LEN - 1] = 0;
sniffbuf[(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len] = 0;
if (is_mostly_ascii(res)) {
@ -2219,7 +2220,7 @@ static void check_for_stuff(struct http_request* req,
memcpy(sniffbuf, res->payload,
(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len);
sniffbuf[SNIFF_LEN - 1] = 0;
sniffbuf[(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len] = 0;
res->stuff_checked = 1;
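Review bot: The clamped copy length `(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len` is now spelled out twice in detect_mime — once in the memcpy and once in the terminator store on the changed line — and the same pair is repeated in the check_for_stuff hunk below. Computing it once into a local of pay_len's type, say `slen`, and then writing `memcpy(sniffbuf, res->payload, slen); sniffbuf[slen] = 0;` keeps the copy bound and the NUL position from drifting apart in a later edit, and is the natural place for a one-line comment stating why the terminator moved: whatever scans sniffbuf afterwards must only see bytes that were actually copied from the payload, never whatever happened to be in the buffer beyond pay_len. If res->payload can be NULL when pay_len is 0, a zero-length memcpy from a null source is still undefined behaviour, so a guard such as `if (res->pay_len) memcpy(...)` would be worth considering; I cannot tell from the hunk whether that case occurs. Both enclosing functions start and end outside the hunks shown.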
2
config.h
2
config.h
@ -23,7 +23,7 @@
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#define VERSION "1.45b"
#define VERSION "1.46b"
#define USE_COLOR 1 /* Use terminal colors */
@ -1141,9 +1141,6 @@ schedule_next:
n->user_val = 7;
async_request(n);
/* TODO: We should probably also attempt cookie injection here. */
return 0;
@ -1069,14 +1069,12 @@ void save_keywords(u8* fname) {
fd = open((char*)fname, O_WRONLY | O_CREAT | O_EXCL, 0644);
if (fd < 0 || !(out = fdopen(fd,"a"))) {
if (fd < 0 || !(out = fdopen(fd,"w"))) {
WARN("Unable to save new wordlist to '%s'", fname);
close(fd);
return;
}
out = fdopen(fd, "w");
for (kh=0;kh<WORD_HASH;kh++)
for (i=0;i<keyword_cnt[kh];i++)
fprintf(out,"%c %u %u %u %s\n", keyword[kh][i].is_ext ? 'e' : 'w',
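Review bot: On the `fd < 0` branch of the rewritten check, `close(fd)` is reached with fd == -1, which merely fails with EBADF; guarding it as `if (fd >= 0) close(fd);` avoids handing a bad descriptor to close() and makes the two failure cases (open failed vs. fdopen failed on a valid descriptor) explicit. The switch from "a" to "w" is harmless here because O_CREAT | O_EXCL guarantees a freshly created, empty file, so the mode only needs to agree with O_WRONLY. The substantive fix is dropping the second `out = fdopen(fd, "w");`, which created a second FILE* on the same descriptor and left the first unreferenced; that is worth recording in a one-line comment above the check, e.g. `/* fdopen() takes over fd; close it only if it was never wrapped. */`. save_keywords continues beyond the hunk, so where out is fclose()d is not visible here.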
@ -258,6 +258,7 @@ w 1 1 1 addressbook
w 1 1 1 adm
w 1 1 1 admin
w 1 1 1 admin_
w 1 1 1 admins
w 1 1 1 adodb
w 1 1 1 ads
w 1 1 1 adv
@ -230,6 +230,7 @@ w 1 1 1 addressbook
w 1 1 1 adm
w 1 1 1 admin
w 1 1 1 admin_
w 1 1 1 admins
w 1 1 1 adodb
w 1 1 1 ads
w 1 1 1 adv
@ -193,6 +193,7 @@ w 1 1 1 addressbook
w 1 1 1 adm
w 1 1 1 admin
w 1 1 1 admin_
w 1 1 1 admins
w 1 1 1 adodb
w 1 1 1 ads
w 1 1 1 adv