Ksaok,
Thanks for the bug report and for letting us debug using the
website that was triggering the vulnerability. Javier just committed a
fix for the bug you identified. Please verify that everything works
smoothly now.
Regards,
On Tue, Oct 18, 2011 at 11:21 PM, Andres Riancho
<[email protected]> wrote:
> Ksaok,
>
> Which version of w3af are you using? If you're not using the
> latest, please update :) If you already are, please send me a private
> email with the target domain/URL so I can try to debug it.
>
> Regards,
>
> On Tue, Oct 18, 2011 at 3:50 PM, <[email protected]> wrote:
>> Hello all, again!
>>
>> I was trying to run webSpider against a site and got this:
>>
>>
>> ----------------
>> w3af/plugins>>> back
>> w3af>>> start
>> Auto-enabling plugin: grep.httpAuthDetect
>> Error in grep plugin, "httpAuthDetect" raised the exception: 'utf8' codec
>> can't decode byte 0xd8 in position 0: invalid continuation byte. Please
>> report this bug to the w3af sourceforge project page [
>> https://sourceforge.net/apps/trac/w3af/newticket ]
>> Exception: Traceback (most recent call last):
>> File "/mnt/1/w3af/core/data/url/xUrllib.py", line 847, in _grep_worker
>> timedout_grep_wrapper(request, response)
>> UnicodeDecodeError: 'utf8' codec can't decode byte 0xd8 in position 0:
>> invalid continuation byte
>>
>> Traceback (most recent call last):
>> File "/mnt/1/w3af/core/controllers/misc/timeout_function.py", line 76,
>> in run
>> self._result_ = function(*args, **kwds)
>> File "/mnt/1/w3af/core/controllers/basePlugin/baseGrepPlugin.py", line
>> 61, in grep_wrapper
>> self.grep(fuzzableRequest, response)
>> File "/mnt/1/w3af/plugins/grep/httpAuthDetect.py", line 161, in grep
>> self._find_auth_uri(response)
>> File "/mnt/1/w3af/plugins/grep/httpAuthDetect.py", line 196, in
>> _find_auth_uri
>> documentParser = dpCache.dpc.getDocumentParserFor(response)
>> File "/mnt/1/w3af/core/data/parsers/dpCache.py", line 69, in
>> getDocumentParserFor
>> res = documentParser.documentParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/documentParser.py", line 54, in
>> __init__
>> parser = htmlParser.HTMLParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/htmlParser.py", line 51, in __init__
>> SGMLParser.__init__(self, http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 73, in __init__
>> self._parse(http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 138, in _parse
>> etree.fromstring(resp_body, parser)
>> File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring
>> (src/lxml/lxml.etree.c:48634)
>> File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument
>> (src/lxml/lxml.etree.c:72245)
>> File "parser.pxi", line 1424, in lxml.etree._parseDoc
>> (src/lxml/lxml.etree.c:71106)
>> File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc
>> (src/lxml/lxml.etree.c:67875)
>> File "parsertarget.pxi", line 138, in
>> lxml.etree._TargetParserContext._handleParseResultDoc
>> (src/lxml/lxml.etree.c:78243)
>> File "lxml.etree.pyx", line 230, in
>> lxml.etree._ExceptionContext._raise_if_stored
>> (src/lxml/lxml.etree.c:6821)
>> File "saxparser.pxi", line 258, in lxml.etree._handleSaxData
>> (src/lxml/lxml.etree.c:74548)
>> UnicodeDecodeError: 'utf8' codec can't decode byte 0xd8 in position 0:
>> invalid continuation byte
>>
>>
>> Unhandled error, traceback: Traceback (most recent call last):
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 440, in start
>> self._realStart()
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 539, in _realStart
>> self._fuzzableRequestList = self._discover_and_bruteforce()
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 351, in
>> _discover_and_bruteforce
>> discovered_fr_list = self._discover( tmp_list )
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 770, in _discover
>> result = self._discoverWorker( toWalk )
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 842, in
>> _discoverWorker
>> pluginResult = plugin.discover_wrapper( fr )
>> File "/mnt/1/w3af/core/controllers/basePlugin/baseDiscoveryPlugin.py",
>> line 48, in discover_wrapper
>> return self.discover( fuzzable_request_copy )
>> File "/mnt/1/w3af/plugins/discovery/webSpider.py", line 203, in discover
>> self._tm.join(self)
>> File "/mnt/1/w3af/core/controllers/threads/threadManager.py", line 120,
>> in join
>> self._threadPool.wait( ownerObj, joinAll )
>> File "/mnt/1/w3af/core/controllers/threads/threadpool.py", line 271, in
>> wait
>> self.poll(block=True, ownerObj=ownerObj, joinAll=joinAll)
>> File "/mnt/1/w3af/core/controllers/threads/threadpool.py", line 108, in run
>> self.resultQueue.put( (request, request.callable(*request.args,
>> **request.kwds)) )
>> File "/mnt/1/w3af/plugins/discovery/webSpider.py", line 343, in
>> _verify_reference
>> request=original_request)
>> File "/mnt/1/w3af/core/controllers/basePlugin/baseDiscoveryPlugin.py",
>> line 63, in _createFuzzableRequests
>> return createFuzzableRequests( httpResponse, request, add_self )
>> File "/mnt/1/w3af/core/data/request/frFactory.py", line 89, in
>> createFuzzableRequests
>> dp = dpCache.dpc.getDocumentParserFor(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/dpCache.py", line 69, in
>> getDocumentParserFor
>> res = documentParser.documentParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/documentParser.py", line 54, in
>> __init__
>> parser = htmlParser.HTMLParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/htmlParser.py", line 51, in __init__
>> SGMLParser.__init__(self, http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 73, in __init__
>> self._parse(http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 138, in _parse
>> etree.fromstring(resp_body, parser)
>> File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring
>> (src/lxml/lxml.etree.c:48634)
>> File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument
>> (src/lxml/lxml.etree.c:72245)
>> File "parser.pxi", line 1424, in lxml.etree._parseDoc
>> (src/lxml/lxml.etree.c:71106)
>> File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc
>> (src/lxml/lxml.etree.c:67875)
>> File "parsertarget.pxi", line 138, in
>> lxml.etree._TargetParserContext._handleParseResultDoc
>> (src/lxml/lxml.etree.c:78243)
>> File "lxml.etree.pyx", line 230, in
>> lxml.etree._ExceptionContext._raise_if_stored
>> (src/lxml/lxml.etree.c:6821)
>> File "saxparser.pxi", line 258, in lxml.etree._handleSaxData
>> (src/lxml/lxml.etree.c:74548)
>> UnicodeDecodeError: 'utf8' codec can't decode byte 0xd8 in position 0:
>> invalid continuation byte
>>
>>
>> Scan finished in 16 seconds.
>> Exception in thread Thread-11:
>> Traceback (most recent call last):
>> File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
>> self.run()
>> File "/usr/lib/python2.6/threading.py", line 484, in run
>> self.__target(*self.__args, **self.__kwargs)
>> File "/mnt/1/w3af/core/ui/consoleUi/rootMenu.py", line 112, in _real_start
>> self._w3af.start()
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 440, in start
>> self._realStart()
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 539, in _realStart
>> self._fuzzableRequestList = self._discover_and_bruteforce()
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 351, in
>> _discover_and_bruteforce
>> discovered_fr_list = self._discover( tmp_list )
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 770, in _discover
>> result = self._discoverWorker( toWalk )
>> File "/mnt/1/w3af/core/controllers/w3afCore.py", line 842, in
>> _discoverWorker
>> pluginResult = plugin.discover_wrapper( fr )
>> File "/mnt/1/w3af/core/controllers/basePlugin/baseDiscoveryPlugin.py",
>> line 48, in discover_wrapper
>> return self.discover( fuzzable_request_copy )
>> File "/mnt/1/w3af/plugins/discovery/webSpider.py", line 203, in discover
>> self._tm.join(self)
>> File "/mnt/1/w3af/core/controllers/threads/threadManager.py", line 120,
>> in join
>> self._threadPool.wait( ownerObj, joinAll )
>> File "/mnt/1/w3af/core/controllers/threads/threadpool.py", line 271, in
>> wait
>> self.poll(block=True, ownerObj=ownerObj, joinAll=joinAll)
>> File "/mnt/1/w3af/core/controllers/threads/threadpool.py", line 108, in run
>> self.resultQueue.put( (request, request.callable(*request.args,
>> **request.kwds)) )
>> File "/mnt/1/w3af/plugins/discovery/webSpider.py", line 343, in
>> _verify_reference
>> request=original_request)
>> File "/mnt/1/w3af/core/controllers/basePlugin/baseDiscoveryPlugin.py",
>> line 63, in _createFuzzableRequests
>> return createFuzzableRequests( httpResponse, request, add_self )
>> File "/mnt/1/w3af/core/data/request/frFactory.py", line 89, in
>> createFuzzableRequests
>> dp = dpCache.dpc.getDocumentParserFor(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/dpCache.py", line 69, in
>> getDocumentParserFor
>> res = documentParser.documentParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/documentParser.py", line 54, in
>> __init__
>> parser = htmlParser.HTMLParser(httpResponse)
>> File "/mnt/1/w3af/core/data/parsers/htmlParser.py", line 51, in __init__
>> SGMLParser.__init__(self, http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 73, in __init__
>> self._parse(http_resp)
>> File "/mnt/1/w3af/core/data/parsers/sgmlParser.py", line 138, in _parse
>> etree.fromstring(resp_body, parser)
>> File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring
>> (src/lxml/lxml.etree.c:48634)
>> File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument
>> (src/lxml/lxml.etree.c:72245)
>> File "parser.pxi", line 1424, in lxml.etree._parseDoc
>> (src/lxml/lxml.etree.c:71106)
>> File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc
>> (src/lxml/lxml.etree.c:67875)
>> File "parsertarget.pxi", line 138, in
>> lxml.etree._TargetParserContext._handleParseResultDoc
>> (src/lxml/lxml.etree.c:78243)
>> File "lxml.etree.pyx", line 230, in
>> lxml.etree._ExceptionContext._raise_if_stored
>> (src/lxml/lxml.etree.c:6821)
>> File "saxparser.pxi", line 258, in lxml.etree._handleSaxData
>> (src/lxml/lxml.etree.c:74548)
>> UnicodeDecodeError: 'utf8' codec can't decode byte 0xd8 in position 0:
>> invalid continuation byte
>>
>> Exception in thread Thread-3:
>> Traceback (most recent call last):
>> File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
>> self.run()
>> File "/mnt/1/w3af/core/controllers/threads/threadpool.py", line 108, in run
>> self.resultQueue.put( (request, request.callable(*request.args,
>> **request.kwds)) )
>> File "/mnt/1/w3af/plugins/discovery/webSpider.py", line 269, in
>> _verify_reference
>> headers=headers)
>> File "/mnt/1/w3af/core/controllers/basePlugin/basePlugin.py", line 261,
>> in meth
>> return attr(*args, **kwargs)
>> File "/mnt/1/w3af/core/data/url/xUrllib.py", line 321, in GET
>> return self._send(req, useCache=useCache, grepResult=grepResult)
>> File "/mnt/1/w3af/core/data/url/xUrllib.py", line 503, in _send
>> self._callBeforeSend()
>> File "/mnt/1/w3af/core/data/url/xUrllib.py", line 109, in _callBeforeSend
>> self._sleepIfPausedDieIfStopped()
>> File "/mnt/1/w3af/core/data/url/xUrllib.py", line 138, in
>> _sleepIfPausedDieIfStopped
>> raise KeyboardInterrupt
>> KeyboardInterrupt
>> -------------------
>>
>>
>> cheers!
>>
>>
>>
>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af