From 35fdf1473ba667acf6e6309e86ecd1a9dfd79fee Mon Sep 17 00:00:00 2001
From: Jin Qian
Date: Fri, 2 Dec 2016 18:07:18 -0600
Subject: [PATCH 1/2] Fixed issue #7650 where etherpad_duo_login module may crash Add check for presence of Server header.
---
 modules/auxiliary/scanner/http/etherpad_duo_login.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
index a4daa7af24..a002bd5415 100644
--- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb
+++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
 return false
 end
- if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo"))
+ if (res and res.code == 200 and res.headers['Server'] and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo"))
 vprint_good("Running EtherPAD Duo application ...")
 return true
 else
From 4a35f8449a303dbb01c73c9cab54850bae1690d9 Mon Sep 17 00:00:00 2001
From: Jin Qian
Date: Fri, 2 Dec 2016 20:26:38 -0600
Subject: [PATCH 2/2] Fixed issue #7650 by matching Server header using regex as Wei suggested The suggestion by Wei is simpler than the one I checked in which checks for presence of Server header before calling include method.
---
 modules/auxiliary/scanner/http/etherpad_duo_login.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
index a002bd5415..3356508d56 100644
--- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb
+++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
 return false
 end
- if (res and res.code == 200 and res.headers['Server'] and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo"))
+ if (res and res.code == 200 and res.headers['Server'] =~ /EtherPAD/ and res.body.include?("EtherPAD Duo"))
 vprint_good("Running EtherPAD Duo application ...")
 return true
 else
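Review bot: The nil-safety of the new condition is implicit. `res.headers['Server'] =~ /EtherPAD/` avoids the crash from issue #7650 only because `=~` on nil returns nil, and nothing on the line records that. A one-line comment above the `if`, such as `# =~ is nil-safe: a response with no Server header must fall through, not raise`, would keep a later cleanup from switching back to `.include?` and reintroducing the crash. As a style point, the condition still chains with `and` inside wrapping parentheses; `&&` without the parentheses is the conventional form. `res.body.include?("EtherPAD Duo")` remains unguarded; presumably the body is always a String on a non-nil response, but the enclosing method starts and ends outside the hunk, so that should be confirmed there.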