[Nikto-discuss] Encoding in xml output

David Lodge dave at cirt.net
Tue Mar 30 21:04:01 UTC 2010


On Tue, 30 Mar 2010 21:44:36 +0200, Erik Stephens <erik at edgeos.com> wrote:
> On 3/29/10 8:36 AM, david lodge wrote:
>> I'm interested in which malformed bits you found though - we should be
>> trapping anything that can have strange characters within CDATA tags,
>> anything else that gets through is a bug. Some redacted samples would
>> be useful (or a copy and paste of the bad bit).
>
> One bad byte I found was 0xca, as in:
> """
> I n c . ca C o n t e n t S e r v e r
> """
>
> Looks like 0xca is an E with circumflex in iso-8859-1 and the start of a
> two-byte character in utf-8.  Doesn't look like valid utf-8.  I'm using
> this as a reference:

That's not actually as bad as it looks - that byte is in the message, which
we can easily fix. What I guess has happened is that, as db_tests has been edited
on various platforms (Solaris<->Linux<->Windows<->Mac OS X), somewhere a
conversion has happened from UTF-8 to iso-8859-1.

The message is "Open Market Inc.ÊContentServer is vulnerable to Cross Site
Scripting (XSS) in the login-error page. CA-2000-02.", which would
logically place a copyright symbol before ContentServer, which is 0xc2
0xa9 in UTF-8. Having checked, it was first imported like this when Nikto
went into Assembla, so it may have been like this since Nikto 1.0!

I'll fix this.

>> IIRC, perl 5.6+, like python, uses UTF-8 internally. This is a pretty
>> moot point at the moment as the databases and messages only use ASCII
>> codes from <127. I'd go with UTF-8 to be safe :-)
> I'm seeing this byte in plugins/db_tests (the ContentServer one), so
> maybe it was just a typo and simpler to edit that file?

There's always one thing to prove me wrong :-)

Seriously though, this is probably something we should take note of in
future: if it's in the data or match field, the encoding could become
important, and restricting Nikto to iso-8859-1 may remove any
vulnerabilities in non-Latin character sets.

I need to think this one through.

Thanks for reporting it

dave
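As an added example for this thread (not Nikto's code and not from either poster), here is a Python check for the two things the thread touches on: bytes that are not valid UTF-8, such as the 0xca Erik found, and text that CDATA wrapping alone does not make safe to emit as XML. The `db_tests`-style lines are constructed, and `check_db_line` / `cdata_safe` are hypothetical helpers, not Nikto functions.

```python
"""Check message text before writing it into an XML report's CDATA section.

<![CDATA[...]]> escapes markup, but it does not make the report well-formed
when the bytes are invalid in the declared encoding (the 0xca case above),
when the text contains the CDATA terminator "]]>", or when it contains
control characters that XML 1.0 forbids anywhere in a document.
"""
import re

# XML 1.0 allows tab, LF and CR but no other C0 control characters.
_XML_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def find_bad_utf8(raw: bytes):
    """Return (offset, byte_value) for every position where strict UTF-8 decoding fails."""
    problems, pos = [], 0
    while pos < len(raw):
        try:
            raw[pos:].decode("utf-8")
            break  # the rest of the line decodes cleanly
        except UnicodeDecodeError as err:
            bad = pos + err.start  # err.start is relative to the slice
            problems.append((bad, raw[bad]))
            pos = bad + 1  # skip the bad byte and keep scanning
    return problems


def cdata_problems(text: str):
    """Explain why `text` cannot be dropped verbatim into a CDATA section."""
    issues = []
    if "]]>" in text:
        issues.append("contains ']]>' which terminates the CDATA section early")
    for m in _XML_ILLEGAL.finditer(text):
        issues.append("control character 0x%02x at offset %d is illegal in XML 1.0"
                      % (ord(m.group()), m.start()))
    return issues


def cdata_safe(text: str) -> str:
    """Wrap text in CDATA, splitting ']]>' so it cannot close the section and
    dropping control characters XML 1.0 forbids."""
    text = _XML_ILLEGAL.sub("", text)
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def check_db_line(raw: bytes):
    """Run both checks over one raw database line, decoded leniently so the
    structural checks still run when the encoding is damaged."""
    text = raw.decode("utf-8", errors="replace")
    return {"bad_bytes": find_bad_utf8(raw), "cdata": cdata_problems(text)}


# Constructed samples: the 0xca byte from the thread, the intended UTF-8
# copyright sign (0xc2 0xa9), and a line CDATA alone would not protect.
SAMPLES = [
    b"Open Market Inc.\xcaContentServer is vulnerable to Cross Site Scripting (XSS)",
    b"Open Market Inc.\xc2\xa9ContentServer is vulnerable to Cross Site Scripting (XSS)",
    b"Server header contains ]]> and a \x01 control byte",
]
```

Running `check_db_line` over each of `SAMPLES` reports the 0xca byte at offset 16 on the first line, nothing on the second, and two CDATA problems on the third.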

