Improve check for BASH HTTP modules #3897
Merged
@wchen-r7 pointed out that when targeting a `#!/bin/bash` CGI, something like:

Even when it should be vulnerable, the check in both modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb and modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb isn't reporting it. It's because the injection trashes the output generated by the CGI, which makes Apache fail and return a 500 error code:
This pull request tries to improve the check method. If the original check fails, but the answer is a 500 result, it makes a second legit request and compares `res.code`, returning `Appears` if the HTTP code is different. Feedback is welcome. I won't be hurt if the additional complexity in the check method isn't worth it and is discarded. I think it's an interesting case, so here's the proposed code :)
After this pull request, with the example CGI:
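The differential check described above, as an added stand-alone example (not the PR's or the modules' code): the HTTP client is an injected callable, the probe marker is a constructed placeholder rather than the modules' real request, and the fake CGI servers are constructed for offline testing.

```ruby
# Added example mirroring the check logic of #3897, not the PR's code.
# `http` is any callable taking a request hash and returning
# { code: Integer, body: String }. The probe marker is a constructed
# placeholder; the real modules build their own request.
require 'securerandom'

module CheckResult
  VULNERABLE = :vulnerable
  APPEARS    = :appears
  SAFE       = :safe
end

# Original marker-based check first; if the probe only produced a 500,
# send a second legitimate request and compare the status codes.
def check_cgi(http, uri)
  marker = SecureRandom.hex(8)
  probe = http.call({ uri: uri, probe: marker })
  return CheckResult::VULNERABLE if probe[:body].include?(marker)
  return CheckResult::SAFE unless probe[:code] == 500

  # A bash CGI whose output was trashed by the probe makes Apache answer
  # 500. A clean request that yields a different code means the probe
  # changed server behaviour, so report "Appears" instead of "Safe".
  baseline = http.call({ uri: uri })
  baseline[:code] == probe[:code] ? CheckResult::SAFE : CheckResult::APPEARS
end

# Constructed fake servers for offline demonstration.
def fake_bash_cgi   # probe breaks the CGI headers -> 500, clean -> 200
  ->(req) { req[:probe] ? { code: 500, body: '' } : { code: 200, body: 'ok' } }
end

def fake_echo_cgi   # probe marker echoed in the body -> Vulnerable
  ->(req) { { code: 200, body: req[:probe] ? "X: #{req[:probe]}" : 'ok' } }
end

def fake_broken_cgi # always 500 regardless of request -> Safe
  ->(_req) { { code: 500, body: '' } }
end

def fake_patched_cgi # always 200 and no marker -> Safe
  ->(_req) { { code: 200, body: 'ok' } }
end
```

The second request only runs on a 500, so a CGI that is broken for every request still comes back as Safe rather than a false Appears.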