On 09/26/12 16:56, Nigel Taylor wrote: > On 09/26/12 09:54, Stuart Henderson wrote: >> On 2012/09/25 18:08, Gleydson Soares wrote: >>> @comment no checksum >>> -share/nikto/plugins/db_tests >>> +share/nikto/plugins/JSON-PP.pm >>> @comment no checksum >>> -share/nikto/plugins/db_variables >>> +share/nikto/plugins/LW2.pm >>> @comment no checksum >> >> urgh, I really don't like these "@comment no checksum", people shouldn't >> use the internal update facility if they are installing from packages. >> I would patch to disable -update and kill these @comment's. >> >> > I have looked back and this has been present for some years. Since a bug > reported when using -update. > > I agree need to remove the -update or -update should put updates under > user home directory or under /var/.... > > I will look at removing -update, likely to be the simpler choice, less > patching of upstream code required. > /usr/share/nikto/databases contains signatures which should be allowed to be updated. In the same way signatures for clamav can be updated. /usr/share/nikto/plugins contains the plugins, these shouldn't be updated. The split into separate directories for plugins and test databases is new at version 2.1.5 - Ticket 214 Move database out of the plugins directory into their own directory.
nikto.conf has DBDIR= which can be set to defined the location of the test database this will be set to /var/db/nikto/databases, and PLUGINDIR to defined the location of plugins, left unchanged. Checking back, the db_* files for previous versions did get updated, but there was only one case of a plugin being updated, SVN shows two plugins have been updated but not released, file db_tests has already been updated since the 2.1.5 release. $ diff -ru /usr/local/share/nikto/databases/ /var/db/nikto/databases/ diff -ru /usr/local/share/nikto/databases/db_tests /var/db/nikto/databases/db_tests --- /usr/local/share/nikto/databases/db_tests Thu Sep 27 17:12:22 2012 +++ /var/db/nikto/databases/db_tests Thu Sep 27 18:15:41 2012 @@ -1,5 +1,5 @@ -#VERSION,2.019 -# $Id$ +#VERSION,2.020 +# $Id: db_tests 862 2012-09-26 02:05:48Z sullo $ ####################################################################### # Source: http://cirt.net # This file may only be distributed and used with the full Nikto package. @@ -6570,3 +6570,4 @@ "006605","0","1b","/mobileadmin/logs/","GET","Directory\sListing","","","","","RoveIT Mobile logs accessible","","" "006606","0","1b","/mobileadmin/bin/","GET","Directory\sListing","","","","","RoveIT Mobile executable dir accessible","","" "006607","0","3","/mobileadmin/home.cs","GET","Server\sVersion","","","","","RoveIT Mobile gives a list of a server's Windows domains","","" +"006608","0","8","@PHPMYADMINserver_sync.php?c=phpinfo()","GET","PHP\sVersion","","","","","phpMyAdmin contains a backdoor which allows remote PHP execution. http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php","",""; Revised nikto should allow either the _nikto user or a member of the _nikto group to update the tests database $ sudo -u _nikto nikto -update + Retrieving 'db_tests' + CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2 $ sudo pkg_delete nikto nikto-2.1.5v0: ok Read shared items: ok --- -nikto-2.1.5v0 ------------------- You should also remove /var/db/nikto/databases/db_tests (which was modified) You should also run /usr/sbin/userdel _nikto You should also run /usr/sbin/groupdel _nikto No checksum issues reported. Attached new diff for comment
Index: Makefile =================================================================== RCS file: /home/cvs/ports/security/nikto/Makefile,v retrieving revision 1.20 diff -u -p -r1.20 Makefile --- Makefile 7 Sep 2011 13:21:11 -0000 1.20 +++ Makefile 27 Sep 2012 15:47:39 -0000 @@ -2,9 +2,8 @@ COMMENT = web and CGI vulnerability scanner with SSL support -DISTNAME = nikto-2.1.4 +DISTNAME = nikto-2.1.5 EPOCH = 0 -REVISION = 0 CATEGORIES = security www HOMEPAGE = http://www.cirt.net/nikto2 @@ -25,7 +24,6 @@ EXTRACT_SUFX = .tar.bz2 RUN_DEPENDS = security/p5-Net_SSLeay NO_BUILD = Yes -USE_GROFF = Yes NO_REGRESS = Yes PKG_ARCH = * @@ -34,8 +32,11 @@ pre-configure: ${WRKSRC}/nikto.conf perl -pi -e 's,# DOCDIR=.+,DOCDIR=${PREFIX}/share/doc/nikto,' \ ${WRKSRC}/nikto.conf + perl -pi -e 's,# DBDIR=.+,DBDIR=/var/db/nikto/databases,' \ + ${WRKSRC}/nikto.conf do-install: + ${INSTALL_DATA_DIR} ${PREFIX}/share/nikto/databases ${INSTALL_DATA_DIR} ${PREFIX}/share/nikto/plugins ${INSTALL_DATA_DIR} ${PREFIX}/share/nikto/templates ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/nikto @@ -45,8 +46,9 @@ do-install: ${INSTALL_DATA} ${WRKSRC}/nikto.conf \ ${PREFIX}/share/examples/nikto/nikto.conf - ${INSTALL_DATA} ${WRKSRC}/plugins/* ${PREFIX}/share/nikto/plugins - ${INSTALL_DATA} ${WRKSRC}/templates/* ${PREFIX}/share/nikto/templates + ${INSTALL_DATA} ${WRKSRC}/databases/!(*.orig) ${PREFIX}/share/nikto/databases + ${INSTALL_DATA} ${WRKSRC}/plugins/!(*.orig) ${PREFIX}/share/nikto/plugins + ${INSTALL_DATA} ${WRKSRC}/templates/!(*.orig) ${PREFIX}/share/nikto/templates ${INSTALL_DATA} ${WRKSRC}/docs/nikto_manual.html ${PREFIX}/share/doc/nikto ${INSTALL_DATA} ${WRKSRC}/docs/CHANGES.txt ${PREFIX}/share/doc/nikto Index: distinfo =================================================================== RCS file: /home/cvs/ports/security/nikto/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- distinfo 27 Mar 2011 16:41:37 -0000 1.14 +++ distinfo 25 Sep 2012 22:20:40 -0000 @@ -1,5 +1,2 @@ -MD5 (nikto-2.1.4.tar.bz2) = DVjZyie584e2ATDhJduGhw== -RMD160 (nikto-2.1.4.tar.bz2) = rbiEHSKlHX+fjwybjkOqlCVU2kM= -SHA1 (nikto-2.1.4.tar.bz2) = 0284XasENSM2wJt+V2SWproYSEo= -SHA256 (nikto-2.1.4.tar.bz2) = mvkw/qPxJOJi0OY5dyRLa9GeInSfTe+oGLtNmxB61gM= -SIZE (nikto-2.1.4.tar.bz2) = 288160 +SHA256 (nikto-2.1.5.tar.bz2) = ZbmcH97BTR1efLyWT3D84WLL7FCu6HjhUA4tIt8HmzQ= +SIZE (nikto-2.1.5.tar.bz2) = 311580 Index: patches/patch-nikto_pl =================================================================== RCS file: /home/cvs/ports/security/nikto/patches/patch-nikto_pl,v retrieving revision 1.5 diff -u -p -r1.5 patch-nikto_pl --- patches/patch-nikto_pl 27 Mar 2011 16:41:37 -0000 1.5 +++ patches/patch-nikto_pl 25 Sep 2012 22:20:40 -0000 @@ -1,12 +1,12 @@ $OpenBSD: patch-nikto_pl,v 1.5 2011/03/27 16:41:37 jasper Exp $ ---- nikto.pl.orig Fri Feb 18 23:53:23 2011 -+++ nikto.pl Fri Mar 11 16:55:57 2011 -@@ -313,7 +313,7 @@ sub setup_dirs { +--- nikto.pl.orig Mon Sep 10 05:22:36 2012 ++++ nikto.pl Tue Sep 25 14:13:34 2012 +@@ -333,7 +333,7 @@ sub setup_dirs { $CONFIGFILE{'TEMPLATEDIR'} = "$CONFIGFILE{'EXECDIR'}/templates"; } unless (defined $CONFIGFILE{'DOCUMENTDIR'}) { - $CONFIGFILE{'DOCUMENTDIR'} = "$CONFIGFILE{'EXECDIR'}/docs"; + $CONFIGFILE{'DOCUMENTDIR'} = "$CONFIGFILE{'DOCDIR'}/docs"; } - return; - } + unless (defined $CONFIGFILE{'DBDIR'}) { + $CONFIGFILE{'DBDIR'} = "$CONFIGFILE{'EXECDIR'}/databases"; Index: patches/patch-plugins_nikto_core_plugin =================================================================== RCS file: patches/patch-plugins_nikto_core_plugin diff -N patches/patch-plugins_nikto_core_plugin --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-plugins_nikto_core_plugin 27 Sep 2012 15:29:01 -0000 @@ -0,0 +1,13 @@ +$OpenBSD$ +--- plugins/nikto_core.plugin.orig Fri Sep 14 07:52:12 2012 ++++ plugins/nikto_core.plugin Thu Sep 27 16:24:36 2012 +@@ -1901,8 +1901,7 @@ sub check_updates { + if ($remotemsg ne "") { nprint("+ $server message: $remotemsg"); } + exit; + } +- push(@DBTOGET, $remotefile); +- if ($remotefile !~ /^db_/) { $code_updates = 1; } ++ if ($remotefile =~ /^db_/) { push(@DBTOGET, $remotefile); } + } + } + Index: pkg/PLIST =================================================================== RCS file: /home/cvs/ports/security/nikto/pkg/PLIST,v retrieving revision 1.12 diff -u -p -r1.12 PLIST --- pkg/PLIST 27 Mar 2011 16:41:37 -0000 1.12 +++ pkg/PLIST 27 Sep 2012 17:13:19 -0000 @@ -1,8 +1,9 @@ @comment $OpenBSD: PLIST,v 1.12 2011/03/27 16:41:37 jasper Exp $ +@newgroup _nikto:705 +@newuser _nikto:705:705:daemon:Nikto web scanner:/nonexistent:/sbin/nologin bin/nikto @man man/man1/nikto.1 share/doc/nikto/ -@comment no checksum share/doc/nikto/CHANGES.txt share/doc/nikto/nikto.dtd share/doc/nikto/nikto_manual.html @@ -10,118 +11,88 @@ share/examples/nikto/ share/examples/nikto/nikto.conf @sample ${SYSCONFDIR}/nikto.conf share/nikto/ +@sample /var/db/nikto/ +share/nikto/databases/ +@sample /var/db/nikto/databases/ +share/nikto/databases/db_404_strings +@sample /var/db/nikto/databases/db_404_strings +share/nikto/databases/db_content_search +@sample /var/db/nikto/databases/db_content_search +share/nikto/databases/db_dictionary +@sample /var/db/nikto/databases/db_dictionary +share/nikto/databases/db_embedded +@sample /var/db/nikto/databases/db_embedded +share/nikto/databases/db_favicon +@sample /var/db/nikto/databases/db_favicon +share/nikto/databases/db_headers +@sample /var/db/nikto/databases/db_headers +share/nikto/databases/db_httpoptions +@sample /var/db/nikto/databases/db_httpoptions +share/nikto/databases/db_multiple_index +@sample /var/db/nikto/databases/db_multiple_index +share/nikto/databases/db_outdated +@sample /var/db/nikto/databases/db_outdated +share/nikto/databases/db_parked_strings +@sample /var/db/nikto/databases/db_parked_strings +share/nikto/databases/db_realms +@sample /var/db/nikto/databases/db_realms +share/nikto/databases/db_server_msgs +@sample /var/db/nikto/databases/db_server_msgs +share/nikto/databases/db_subdomains +@sample /var/db/nikto/databases/db_subdomains +share/nikto/databases/db_tests +@sample /var/db/nikto/databases/db_tests +share/nikto/databases/db_variables +@sample /var/db/nikto/databases/db_variables +@exec chown -R _nikto:_nikto /var/db/nikto/databases +@exec chmod -R g+w /var/db/nikto/databases share/nikto/plugins/ +share/nikto/plugins/JSON-PP.pm share/nikto/plugins/LW2.pm -@comment no checksum -share/nikto/plugins/db_404_strings -@comment no checksum -share/nikto/plugins/db_content_search -@comment no checksum -share/nikto/plugins/db_embedded -@comment no checksum -share/nikto/plugins/db_favicon -@comment no checksum -share/nikto/plugins/db_headers -@comment no checksum -share/nikto/plugins/db_httpoptions -@comment no checksum -share/nikto/plugins/db_multiple_index -@comment no checksum -share/nikto/plugins/db_outdated -@comment no checksum -share/nikto/plugins/db_realms -@comment no checksum -share/nikto/plugins/db_server_msgs -@comment no checksum -share/nikto/plugins/db_subdomains -@comment no checksum -share/nikto/plugins/db_tests -@comment no checksum -share/nikto/plugins/db_variables -@comment no checksum share/nikto/plugins/nikto_apache_expect_xss.plugin -@comment no checksum share/nikto/plugins/nikto_apacheusers.plugin -@comment no checksum share/nikto/plugins/nikto_auth.plugin -@comment no checksum share/nikto/plugins/nikto_cgi.plugin -@comment no checksum +share/nikto/plugins/nikto_clientaccesspolicy.plugin share/nikto/plugins/nikto_content_search.plugin -@comment no checksum share/nikto/plugins/nikto_cookies.plugin -@comment no checksum share/nikto/plugins/nikto_core.plugin -@comment no checksum -share/nikto/plugins/nikto_core.plugin.debug -@comment no checksum share/nikto/plugins/nikto_dictionary_attack.plugin -@comment no checksum share/nikto/plugins/nikto_embedded.plugin -@comment no checksum share/nikto/plugins/nikto_favicon.plugin -@comment no checksum +share/nikto/plugins/nikto_fileops.plugin share/nikto/plugins/nikto_headers.plugin -@comment no checksum share/nikto/plugins/nikto_httpoptions.plugin -@comment no checksum share/nikto/plugins/nikto_msgs.plugin -@comment no checksum share/nikto/plugins/nikto_multiple_index.plugin -@comment no checksum share/nikto/plugins/nikto_outdated.plugin -@comment no checksum +share/nikto/plugins/nikto_parked.plugin +share/nikto/plugins/nikto_paths.plugin share/nikto/plugins/nikto_put_del_test.plugin -@comment no checksum share/nikto/plugins/nikto_report_csv.plugin -@comment no checksum share/nikto/plugins/nikto_report_html.plugin -@comment no checksum share/nikto/plugins/nikto_report_msf.plugin -@comment no checksum share/nikto/plugins/nikto_report_nbe.plugin -@comment no checksum share/nikto/plugins/nikto_report_text.plugin -@comment no checksum share/nikto/plugins/nikto_report_xml.plugin -@comment no checksum share/nikto/plugins/nikto_robots.plugin -@comment no checksum -share/nikto/plugins/nikto_single.plugin -@comment no checksum +share/nikto/plugins/nikto_siebel.plugin share/nikto/plugins/nikto_ssl.plugin -@comment no checksum share/nikto/plugins/nikto_subdomain.plugin -@comment no checksum share/nikto/plugins/nikto_tests.plugin share/nikto/templates/ -@comment no checksum share/nikto/templates/htm_close.tmpl -@comment no checksum share/nikto/templates/htm_end.tmpl -@comment no checksum share/nikto/templates/htm_host_head.tmpl -@comment no checksum share/nikto/templates/htm_host_im.tmpl -@comment no checksum share/nikto/templates/htm_host_item.tmpl -@comment no checksum share/nikto/templates/htm_start.tmpl -@comment no checksum share/nikto/templates/htm_stop.tmpl -@comment no checksum share/nikto/templates/htm_summary.tmpl -@comment no checksum share/nikto/templates/xml_close.tmpl -@comment no checksum share/nikto/templates/xml_end.tmpl -@comment no checksum share/nikto/templates/xml_host_head.tmpl -@comment no checksum share/nikto/templates/xml_host_im.tmpl -@comment no checksum share/nikto/templates/xml_host_item.tmpl -@comment no checksum share/nikto/templates/xml_start.tmpl -@comment no checksum share/nikto/templates/xml_summary.tmpl
