Webmin.nasl appears to be non-functional due to no404.nasl behavior

While troubleshooting a false negative detection of a webmin miniserv service, I noticed that the webmin.nasl script is likely unable to generate a correct report when run in conjunction with no404.nasl.

The issue is that no404.nasl specifically uses the MiniServ banner to mark that port as broken:

# WebMin's miniserv and CompaqDiag behave strangely
if( egrep( pattern:"^Server\s*:\s*MiniServ", string:banner, icase:TRUE ) ) {
    reason = "The 'MiniServ' embedded server was found which is fragile when getting scanned. HTTP scanning will be disabled for this host.";
    http_set_no404_string( port:port, host:host, string:"HTTP" );
    http_set_is_marked_broken( port:port, host:host, reason:reason );
    log_message( port:port, data:reason );
    exit( 0 );
}

Once webmin.nasl runs, it calls http_get_ports without the ignore_broken option:

ports = http_get_ports(default_port_list: make_list(10000, 20000));

But checking http_func.inc shows that this means webmin.nasl will never see the webmin ports as active.

if( ! ignore_broken ) {
    if( http_get_is_marked_broken( port:_port, host:host ) )
        continue;
}
1 Like

Hello,

and also thanks a lot for this (throughout and informative) posting. Depending on the dependency chain of the scanner the no404.nasl might have indeed marked a system exposing a MiniServ banner as “broken”.

While webmin.nasl doesn’t have a direct dependency to no404.nasl it could also be possible that it is running before so not all scans might be affected.

Nevertheless it is absolutely right and better to set ignore_broken to TRUE just to be on the safe side for all cases / scans.

I just have submitted a fix (including some additional VTs which might be similar affected) for a review by the feed team, the changes should arrive in the feed in the next few days.

1 Like