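'''
htaccessMethods.py

Copyright 2006 Andres Riancho

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software Foundation, Inc.,
51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
'''

import core.controllers.outputManager as om
from core.controllers.basePlugin.baseAuditPlugin import baseAuditPlugin
import core.data.kb.knowledgeBase as kb
from core.controllers.w3afException import w3afException
import core.data.kb.vuln as vuln
from core.data.constants.httpConstants import *


class htaccessMethods(baseAuditPlugin):
    '''
    This plugin searches for misconfigurations in the <Limit> section of an
    Apache .htaccess file: when authentication is only required for the
    methods listed in <Limit>, the protected resource can still be reached
    with any other HTTP method.

    @author: Andres Riancho ( andres.riancho@gmail.com )
    '''

    def __init__(self):
        baseAuditPlugin.__init__(self)
        self._firstTime = True
        # URLs whose method handling has already been probed.  Every URL is
        # swept once only: _fuzzRequests is invoked per fuzzable request, and
        # the sweep below sends a dozen requests (some of them state-changing)
        # per URL, so repeating it for each variant of the same URL would be
        # both noisy and potentially destructive.
        self._authURIs = []
        # Status codes meaning "the server refused this method"; any other
        # code is treated as the method being usable without credentials.
        self._badMethods = [UNAUTHORIZED, NOT_IMPLEMENTED, METHOD_NOT_ALLOWED]

    def _fuzzRequests(self, freq):
        '''
        Tests an URL for htaccess misconfigurations.

        A URL is probed when the grep.httpAuthDetect plugin already recorded
        it as requiring HTTP authentication, or when a (cached) GET to it
        answers 401.  Each URL is probed at most once per plugin instance.

        @param freq: A fuzzableRequest
        @return: No value is returned; findings go to the knowledge base.
        '''
        url = freq.getURL()
        if url in self._authURIs:
            # Already swept; nothing new to learn from another variant of it.
            return

        authURLList = [v.getURL() for v in kb.kb.getData('httpAuthDetect', 'auth')]
        if url in authURLList:
            # Try every method against that URI and check that all responses
            # are 401.
            self._checkMethods(url)
        else:
            # Just in case the grep plugin did not see this URL before; this
            # only happens if the page was not requested yet.  The cached GET
            # keeps this cheap when the page was already fetched.
            response = self._urlOpener.GET(url, useCache=True)
            if response.getCode() == UNAUTHORIZED:
                self._checkMethods(url)
            # Not needed: the grep plugin records the 401 for us.

    def _checkMethods(self, url):
        '''
        Send a fixed list of HTTP/WebDAV methods to url and report every
        method whose response code is not in self._badMethods.

        Caveat for whoever triages the result: any code outside
        UNAUTHORIZED / NOT_IMPLEMENTED / METHOD_NOT_ALLOWED counts as
        "allowed", so a 403, a 404, or a 200 to OPTIONS/TRACE (which return no
        protected content) will also be reported.  Confirm a bypass manually
        before acting on it.  Note too that DELETE, COPY, MOVE, PROPPATCH,
        LOCK and UNLOCK may modify the resource if the bypass is real.

        @param url: The URL that requires authentication.
        @return: No value is returned; a vuln object is appended to the
                 knowledge base under ('htaccessMethods', 'auth') when at
                 least one method got through.
        '''
        # Mark the URL as swept before sending anything, so a concurrent
        # caller does not start a second sweep while this one is in flight.
        self._authURIs.append(url)

        allowedMethods = []
        for method in ['OPTIONS', 'GET', 'HEAD', 'POST', 'DELETE', 'TRACE',
                       'PROPFIND', 'PROPPATCH', 'COPY', 'MOVE', 'LOCK', 'UNLOCK']:
            methodFunctor = getattr(self._urlOpener, method)
            try:
                response = methodFunctor(url)
            except w3afException:
                # The request itself failed at the HTTP layer (the opener
                # wraps its errors in w3afException); nothing can be
                # concluded about this method, so move on to the next one.
                continue
            if response.getCode() not in self._badMethods:
                allowedMethods.append(method)

        if allowedMethods:
            v = vuln.vuln()
            v.setURL(url)
            v.setDesc('The resource: ' + url + ' requires authentication but htaccess is misconfigured'
                      + ' and can be bypassed using these methods: ' + ' '.join(allowedMethods))
            v['methods'] = allowedMethods
            kb.kb.append(self, 'auth', v)
            om.out.vulnerability(v.getDesc())

    def getOptionsXML(self):
        '''
        This method returns a XML containing the Options that the plugin has.
        Using this XML the framework will build a window, a menu, or some other input method to retrieve
        the info from the user. The XML has to validate against the xml schema file located at :
        w3af/core/ui/userInterface.dtd

        @return: XML with the plugin options.
        '''
        # NOTE(review): this plugin has no options.  The literal below is kept
        # byte-for-byte from the original file; its XML markup appears to
        # have been lost when the file was extracted, so it is unlikely to
        # validate against userInterface.dtd as-is -- confirm against the
        # upstream source before relying on it.
        return '\ \ \ '

    def setOptions(self, OptionList):
        '''
        This method sets all the options that are configured using the user interface
        generated by the framework using the result of getOptionsXML().

        @parameter OptionList: A dictionary with the options for the plugin.
        @return: No value is returned.
        '''
        # No options to apply.
        pass

    def getPluginDeps(self):
        '''
        @return: A list with the names of the plugins that should be runned before the
        current one.
        '''
        # grep.httpAuthDetect populates kb('httpAuthDetect', 'auth') with the
        # URLs that answered 401; _fuzzRequests reads that list.
        return ['grep.httpAuthDetect']

    def getLongDesc(self):
        '''
        @return: A DETAILED description of the plugin functions and features.
        '''
        return '''
        This plugin will find htaccess misconfiguration in the <Limit> configuration
        parameter.

        This plugin is based on a paper written by Frame and madjoker from
        kernelpanik.org. The paper is called : "htaccess: bilbao method exposed"

        The idea of this method (and the plugin) is to exploit common misconfigurations
        of .htaccess files like this one:

            <Limit GET POST>
            require valid-user
            </Limit>

        The misconfiguration above is that using other methods an unauthorized user
        can still obtain the information from that directory.
        '''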