New version is available since 2007 :) Reproducible: Always
Created attachment 210094 [details] nikto-2.1.0.ebuild Let me know if it works OK.
Created attachment 210096 [details] nikto-2.1.0.ebuild This one installs the package in the location more in line with the man page.
Created attachment 210097 [details] /etc/nikto.conf Working configuration file.
Thank you for your work. I tried run nikto with default config but i got: "Could not work out the nikto EXECDIR, try setting it in niktorc" So /etc/nikto.conf should has set correct EXECDIR (e.g. /usr/share/nikto ). I found another problem, nikto -update can retrieve new plugins and databases from cirt.net , so i wonder if plugins dir (/usr/share/nikto/plugins) should be in /var/lib/nikto/plugins ? (Then option PLUGINDIR in nikto.conf should have value /var/lib/nikto/plugins). What do you think about it?
Created attachment 210173 [details] nikto-2.1.0.ebuild Updated the ebuild to install the default /etc/nikto.conf. Just need to put it into net-analyzer/nikto/files.
(In reply to comment #4) > Thank you for your work. > I tried run nikto with default config but i got: > "Could not work out the nikto EXECDIR, try setting it in niktorc" > So /etc/nikto.conf should has set correct EXECDIR (e.g. /usr/share/nikto ). > I found another problem, nikto -update can retrieve new plugins and databases > from cirt.net , so i wonder if plugins dir (/usr/share/nikto/plugins) should be > in /var/lib/nikto/plugins ? (Then option PLUGINDIR in nikto.conf should have > value /var/lib/nikto/plugins). What do you think about it? > I just ran nikto -h 192.168.0.3 with the updated /etc/nikto.conf and it worked here. I also get the error when I run nikto -update + ERROR: Unable to open '/usr/local/bin/nikto/docs/CHANGES.txt' for write: 1 at /usr/share/nikto/plugins/nikto_core.plugin line 1485. I will have to work on patching that file or you can if you want. I am not a full developer, I am a staff member doing on the job ebuild training :)
Created attachment 210174 [details] nikto-2.1.0.ebuild Ok I got -update to work. You need the updated nikto.conf just put it into /usr/local/portage/net-analyzer/nikto/files I quess you are installing from a local overlay
Created attachment 210176 [details] /etc/nikto.conf
(In reply to comment #6) > I also get the error when I run nikto -update > + ERROR: Unable to open '/usr/local/bin/nikto/docs/CHANGES.txt' for write: > 1 at /usr/share/nikto/plugins/nikto_core.plugin line 1485. > > I will have to work on patching that file or you can if you want. I've made patch. > I am not a full developer, I am a staff member doing on the job ebuild training > :) So i did training too ;) I attached ebuild i move all plugins dir to /var/lib/nikto (and CHANGES.txt), so nikot -update works with /usr mount RO (i think usr shouldn't be modified by application, only by portage). I did it in dirty way, i'm not sure is it completly in gentoo-way. I removed nmap from DEPEND, now it's needed (http://cirt.net/nikto2-docs/configuration.html#id2788191 )
Created attachment 210231 [details] nikto.conf
Created attachment 210233 [details, diff] change CHANGES.txt dir patch
Created attachment 210235 [details] "fake" changes.txt
Created attachment 210237 [details] nikto-2.1.0.ebuild
Ping.
while i'm also extremely frustrated about "gentoo kabbalah" not answering for _years_ i also think that Voting would be a good idea (above "commenting" field). there is also a "new" release of nikto (2.1.1)
(In reply to comment #15) > while i'm also extremely frustrated about "gentoo kabbalah" not answering for > _years_ i also think that Voting would be a good idea (above "commenting" > field). I don't see how voting would help - the simple cause of this bug not being fixed yet is simply lack of manpower. I can't even promise to have a look at it in the next days ... So please, have some more patience. We're doing what we can. > > there is also a "new" release of nikto (2.1.1) Yey!
Marcin Thanks for your input, it is currently in [perl-experimental] overlay http://git.overlays.gentoo.org/gitweb/?p=proj/perl-overlay.git;a=tree Soon I will update it to 2.1.1 so we can test it.
(In reply to comment #16) > I don't see how voting would help - the simple cause of this bug not being > fixed yet is simply lack of manpower. I can't even promise to have a look at it > in the next days ... So please, have some more patience. We're doing what we > can. really ? because 1) if ignoring bugs for _years_ is considered a way to go this should be pretty big lack of manpower. possible one worthy of some indication on gentoo's main page and some actions in favour of expanding this "manpower" even by sacrificing something else. 2) how is it a manpower what is lacking if there are completed ebuild lying RIGHT HERE ? 3) and most important, how do you not see how voting would help if its very reason of existence is to prioritize needed (voted) bugs in a state of lacking manpower ? > Yey! really funny, huh ?
Ditto that. Please test and release to the main portage tree. Thanks!
Please, let us wait a one moment more, let David prepare nikto-2.1.
Created attachment 220113 [details] nikto-2.1.1.ebuild When I run nikto -update + Retrieving 'db_tests' + www.cirt.net message: Please submit your bugs!! qlist net-analyzer/nikto-2.1.1 /usr/bin/nikto /usr/bin/nikto.pl /usr/share/nikto/docs/nikto_manual.html /usr/share/nikto/docs/nikto.1 /usr/share/nikto/docs/LICENSE.txt /usr/share/nikto/docs/CHANGES.txt /usr/share/nikto/docs/nikto.dtd /usr/share/nikto/plugins/db_realms /usr/share/nikto/plugins/nikto_subdomain.plugin /usr/share/nikto/plugins/db_httpoptions /usr/share/nikto/plugins/nikto_dictionary_attack.plugin /usr/share/nikto/plugins/nikto_passfiles.plugin /usr/share/nikto/plugins/nikto_embedded.plugin /usr/share/nikto/plugins/nikto_outdated.plugin /usr/share/nikto/plugins/nikto_headers.plugin /usr/share/nikto/plugins/nikto_cgi.plugin /usr/share/nikto/plugins/nikto_multiple_index.plugin /usr/share/nikto/plugins/nikto_apacheusers.plugin /usr/share/nikto/plugins/db_subdomains /usr/share/nikto/plugins/db_headers /usr/share/nikto/plugins/LW2.pm /usr/share/nikto/plugins/db_server_msgs /usr/share/nikto/plugins/db_favicon /usr/share/nikto/plugins/nikto_report_xml.plugin /usr/share/nikto/plugins/db_multiple_index /usr/share/nikto/plugins/nikto_put_del_test.plugin /usr/share/nikto/plugins/nikto_single.plugin /usr/share/nikto/plugins/nikto_msgs.plugin /usr/share/nikto/plugins/nikto_httpoptions.plugin /usr/share/nikto/plugins/nikto_report_text.plugin /usr/share/nikto/plugins/nikto_robots.plugin /usr/share/nikto/plugins/nikto_mutate.plugin /usr/share/nikto/plugins/nikto_tests.plugin /usr/share/nikto/plugins/db_embedded /usr/share/nikto/plugins/nikto_core.plugin /usr/share/nikto/plugins/nikto_apache_expect_xss.plugin /usr/share/nikto/plugins/db_variables /usr/share/nikto/plugins/nikto_user_enum_apache.plugin /usr/share/nikto/plugins/nikto_report_csv.plugin /usr/share/nikto/plugins/nikto_report_html.plugin /usr/share/nikto/plugins/db_404_strings /usr/share/nikto/plugins/nikto_favicon.plugin /usr/share/nikto/plugins/db_outdated /usr/share/nikto/plugins/db_tests /usr/share/nikto/templates/xml_summary.tmpl /usr/share/nikto/templates/htm_stop.tmpl /usr/share/nikto/templates/xml_host_item.tmpl /usr/share/nikto/templates/xml_end.tmpl /usr/share/nikto/templates/htm_summary.tmpl /usr/share/nikto/templates/htm_end.tmpl /usr/share/nikto/templates/._xml_summary.tmpl /usr/share/nikto/templates/htm_start.tmpl /usr/share/nikto/templates/htm_host_head.tmpl /usr/share/nikto/templates/htm_host_im.tmpl /usr/share/nikto/templates/._xml_host_im.tmpl /usr/share/nikto/templates/htm_close.tmpl /usr/share/nikto/templates/xml_host_head.tmpl /usr/share/nikto/templates/xml_close.tmpl /usr/share/nikto/templates/xml_start.tmpl /usr/share/nikto/templates/xml_host_im.tmpl /usr/share/nikto/templates/htm_host_item.tmpl /usr/share/doc/nikto-2.1.1/LICENSE.txt.bz2 /usr/share/doc/nikto-2.1.1/CHANGES.txt.bz2 /usr/share/doc/nikto-2.1.1/html/nikto_manual.html /usr/share/man/man1/nikto.1.bz2 /etc/nikto.conf
Created attachment 220115 [details] net-analyzer/nikto/files/nikto.conf This is the nikto.conf I used.
(In reply to comment #21) > When I run nikto -update > + Retrieving 'db_tests' > + www.cirt.net message: Please submit your bugs!! It seems it's nothing to worry. There was nothing to update and you are getting only info message. I've noticed you changed location plugins dir to /usr/share . Imho it's not good idea. /usr should be modified only by root, when i.e. install/upgrade new software. After i run nikto i'm getting: # equery k nikto * Checking net-analyzer/nikto-2.1.1 ... !!! /usr/share/nikto/plugins/db_tests has incorrect MD5sum 78 out of 79 files passed If nikto -update change any plugin, there will be more files with incorrect md5sum
(In reply to comment #23) > (In reply to comment #21) > > When I run nikto -update > > + Retrieving 'db_tests' > > + www.cirt.net message: Please submit your bugs!! > > It seems it's nothing to worry. There was nothing to update and you are getting > only info message. I've noticed you changed location plugins dir to /usr/share > . Imho it's not good idea. /usr should be modified only by root, when i.e. > install/upgrade new software. After i run nikto i'm getting: > # equery k nikto > * Checking net-analyzer/nikto-2.1.1 ... > !!! /usr/share/nikto/plugins/db_tests has incorrect MD5sum > 78 out of 79 files passed > If nikto -update change any plugin, there will be more files with incorrect > md5sum > So this is the part we should change; dodir /var/lib/nikto || die "dodir failed" insinto /var/lib/nikto doins -r plugins || die "doins failed" insinto /var/lib/nikto/plugins and PLUGINDIR=/var/lib/nikto/plugins
Also tove told me latest nikto contains LW2.pm which is from libwhisker AFAICS, so we should bump libwhisker to 2.5 and use this LW2.pm.
Created attachment 220213 [details] nikto-2.1.1.ebuild Added the dep for net-libs/libwhisker-2.5 which is on perl-experimental overlay both templates and plugins /var/lib/nikto moved conf to /etc/nikto/nikto.conf following the way Debian set up their file structure
Created attachment 220215 [details] net-analyzer/nikto/files/nikto.conf
Created attachment 220235 [details] net-analyzer/nikto/nikto-2.1.1.ebuild added a patch for conf file location
Created attachment 220237 [details] net-analyzer/nikto/files/nikto.conf
Created attachment 220239 [details] net-analyzer/nikto/files/nikto.conf.patch
What do you think about this changes to ebuild: insinto /usr/share/nikto - doins -r docs || die "doins failed" + doins docs/nikto.dtd || die "dodoc failed" dodir /var/lib/nikto || die "dodir failed" + rm plugins/LW2.pm || die "removing bundled library die" insinto /var/lib/nikto doins -r templates plugins || die "doins failed"
(In reply to comment #31) > What do you think about this changes to ebuild: > insinto /usr/share/nikto > - doins -r docs || die "doins failed" > + doins docs/nikto.dtd || die "dodoc failed" > > dodir /var/lib/nikto || die "dodir failed" > + rm plugins/LW2.pm || die "removing bundled library die" I did not do this only because net-libs/libwhisker does the same thing and will need to be fixed I think. nikto.pl would need to be patched here; setup_dirs(); require "$NIKTOCONFIG{'PLUGINDIR'}/nikto_core.plugin"; nprint("T:$starttime: Starting", "d"); require "$NIKTOCONFIG{'PLUGINDIR'}/nikto_single.plugin"; require "$NIKTOCONFIG{'PLUGINDIR'}/LW2.pm"; ### remove this to use the system LW@.pm # use LW2; ### Change this line to use a different installed version # not sure how to do this > insinto /var/lib/nikto > doins -r templates plugins || die "doins failed" > uploaded to [perl-experimental] perl-overlay for testing http://xrl.us/bgwg4o (Link to git.overlays.gentoo.org) Seemed to work fine here; perl /usr/bin/nikto.pl -h 192.168.0.3 - Nikto v2.1.1 --------------------------------------------------------------------------- + Target IP: 192.168.0.3 + Target Hostname: dwabbott.com + Target Port: 80 + Start Time: 2010-02-20 19:57:14 --------------------------------------------------------------------------- + Server: Apache + robots.txt contains 1 entry which should be manually viewed. + Retrieved X-Powered-By header: PHP/5.2.6-pl7-gentoo + ETag header found on server, inode: 2826503, size: 5211, mtime: 0x456b4b85c4780 + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details. + /index.php?module=My_eGallery: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. + OSVDB-3233: /phpinfo.php: Contains PHP configuration information + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. + OSVDB-3092: /downloads/: This might be interesting... + OSVDB-3092: /phpmyadmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + OSVDB-3093: /index.php?base=test%20: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3093: /index.php?IDAdmin=test: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3093: /index.php?pymembs=admin: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3093: /index.php?SqlQuery=test%20: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3093: /index.php?tampon=test%20: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3093: /index.php?topic=<script>alert(document.cookie)</script>%20: This might be interesting... has been seen in web logs from an unknown scanner. + OSVDB-3268: /icons/: Directory indexing is enabled: /icons + OSVDB-3233: /icons/README: Apache default file found. + 3818 items checked: 17 item(s) reported on remote host + End Time: 2010-02-20 19:57:23 (9 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Created attachment 220419 [details] net-analyzer/nikto/nikto-2.1.1.ebuild
Created attachment 220421 [details] net-analyzer/nikto/files/nikto.conf
Created attachment 220423 [details] net-analyzer/nikto/files/nikto.conf.patch
(In reply to comment #32) > I did not do this only because net-libs/libwhisker does the same thing and will > need to be fixed I think. I'm not sure what you mean. Bundled library should be blocked/removed/etc , because: # emerge -C libwhisker # nikto -update + No updates required. + www.cirt.net message: Please submit your bugs!! We are not sure, which library (shipped by libwhsker or by nikto) is used by nikto. Removing LW from nikto makes it clear. > nikto.pl would need to be patched here; [...] > # not sure how to do this This change: -require "$NIKTOCONFIG{'PLUGINDIR'}/LW2.pm"; +#require "$NIKTOCONFIG{'PLUGINDIR'}/LW2.pm"; -#use LW2; ### Change this line to use a different installed version +use LW2; ### Change this line to use a different installed version Seems to work fine. Nikto uses system LW library.
With proposed above patch, LW2.pm in plugins/ dir is not used.
Created attachment 220757 [details] net-analyzer/nikto/nikto-2.1.1.ebuild Update ebuild to include new for patch to use system LW2.pm and Removing bundled LW2.pm and put the conf file in /etc/nikto/nikto.conf
Created attachment 220759 [details, diff] net-analyzer/nikto/files/nikto-2.1.1-PL.patch Current version in perl-overlay [perl-experimental]
Created attachment 220793 [details] net-analyzer/nikto/nikto-2.1.1.ebuild moved removing bundled lib LW2.pm in src_prepare
It's ok for me :)
*** Bug 307431 has been marked as a duplicate of this bug. ***
Is something in ebuild that needs more work?
half year ping;)
we've reached 2.1.3 now from the official site. And still no update in gentoo since 2007 ?
nikto 2.1.4 is out. This is the change log: New interactive feature: press N to skip current host and move to next Updated XML schema Check for private IP addresses in cookies Report certificate CN which doesn’t match hostname Allow multiple cookies to be set in the config file Regular expressions in test database allow more accurate checks More data in XML and HTML reports http://trac.pentoo.ch/browser/portage/trunk/net-analyzer/nikto
+ 01 Aug 2011; Patrick Lauer <patrick@gentoo.org> +nikto-2.1.4.ebuild: + Bump, fixes #292312. Thanks to everyone who worked on it
