From 4378ecc226259e734cbbfb2e70ba86e05f0553e6 Mon Sep 17 00:00:00 2001
From: sullo
Date: Mon, 10 Dec 2012 00:37:26 -0500
Subject: [PATCH] Updated README.md Issue #11: Alert on HTTP PATCH option
---
 README.md | 8 +++++---
 program/databases/db_httpoptions | 1 +
 program/plugins/nikto_httpoptions.plugin | 3 ++-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 02bee240..a0070bd6 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,11 @@
 nikto
 =====
-Nikto web server scanner
+Nikto web server scanner - https://cirt.net/Nikto2
-https://cirt.net/
+Full documentation - https://cirt.net/nikto2-docs/
+
+Basic usage:
 ```
 Options:
@@ -95,4 +97,4 @@ https://cirt.net/
 -Version Print plugin and database versions
 -vhost+ Virtual host (for Host header)
 + requires a value
-```
\ No newline at end of file
+```
diff --git a/program/databases/db_httpoptions b/program/databases/db_httpoptions
index 20eeb208..ac27a3bf 100644
--- a/program/databases/db_httpoptions
+++ b/program/databases/db_httpoptions
@@ -16,6 +16,7 @@
 "999978","PUT","397","HTTP method ('@TYPE@' Header): 'PUT' method could allow clients to save files on the web server."
 "999982","MOVE","5647","HTTP method ('@TYPE@' Header): 'MOVE' may allow clients to change file locations on the web server."
 "999983","CONNECT","0","HTTP method ('@TYPE@' Header): 'CONNECT' may allow server to proxy client requests."
+"999984","PATCH","0","HTTP method: 'PATCH' may allow client to issue patch commands to server. See RFC-5789."
 # WebDAV methods - "0" in nikto_id tells the code to treat it differently
 "0","PROPFIND","0","webdav"
 "0","PROPPATCH","0","webdav"
diff --git a/program/plugins/nikto_httpoptions.plugin b/program/plugins/nikto_httpoptions.plugin
index 4af4ad6a..8557b258 100644
--- a/program/plugins/nikto_httpoptions.plugin
+++ b/program/plugins/nikto_httpoptions.plugin
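Review bot: The added `"999984","PATCH"` row in program/databases/db_httpoptions drops the `('@TYPE@' Header)` part that the PUT, MOVE and CONNECT rows next to it carry, so a PATCH finding would not say which response header advertised the method (assuming the plugin substitutes `@TYPE@` with the header name, which this hunk does not show). The wording "issue patch commands" is also vague for a report reader; per RFC 5789, PATCH applies partial modifications to a resource. Suggested row: `"999984","PATCH","0","HTTP method ('@TYPE@' Header): 'PATCH' may allow clients to modify resources on the web server. See RFC 5789."`.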
@@ -58,11 +58,12 @@ sub nikto_httpoptions { # lots of FP on this one; disabling for now #if (($content ne '') && ($res !~ /^3\d\d$/)) { # add_vulnerability($mark, "Response body of OPTIONS / request is not empty--this may describe additonal REST/API services", 999980, 0, "OPTIONS", "/", $request, $response); -# } + # } foreach my $o (split(/,[ ]?/, $aoptions)) { $allow_methods .= ", $o" unless ($allow_methods =~ /\b$o\b/ || $o eq ''); } + $allow_methods =~ s/^[ ]?, //; foreach my $o (split(/,[ ]?/, $poptions)) { $public_methods .= ", $o" unless ($public_methods =~ /\b$o\b/ || $o eq '');
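Review bot: In both de-duplication loops of this hunk the method token `$o` is interpolated unescaped into a pattern (`/\b$o\b/`), and `$aoptions`/`$poptions` look like they are taken from the scanned server's response headers (their assignment is outside the hunk), so the token should be treated as untrusted input. A token containing regex metacharacters can fail to compile and abort the plugin, or match the wrong entry and skew the reported method list. Quote it in both tests: `unless ($allow_methods =~ /\b\Q$o\E\b/ || $o eq '');` and the same for `$public_methods`. The body of nikto_httpoptions starts and ends outside this hunk, and the second loop is cut off before its closing brace.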