📄 changes.txt
02.23.2003 nikto_core.plugin 1.04
 - Added a work around for servers that answer with blank www-authenticate headers with invalid id/pass combos
           nikto_realms.plugin 1.00
 - Added to distro
           realms.db 1.00
 - Added to distro
           plugins_order.txt 1.02
 - Added nikto_realms.plugin

01.22.2003 nikto_httpoptions.plugin 1.03
 - standardized wording, added TRACE option, added more description to WebDAV msgs (thanks Jericho at attrition.org).

01.22.2003 nikto_core.plugin 1.03
 - fixed a bug with matching proper server categories, thanks to Paul Woroshow.

01.17.2003 nikto_core.plugin 1.02
 - fixed the GetOptions only looking for "-gener" instead of "-generic", thanks to Michel Arboi

01.02.2003 nikto_core.plugin 1.01
 - fixed proxy authentication not prompting for -update option

01.01.2003 Nikto 1.23
 - added nikto_plugin_order.txt to force plugin order to something we want rather than alpha
 - added nikto_core.plugin & removed most functions from nikto.pl
 - added -cookies option
 - enhanced db syntax error checking (spurred by syntax problems Thomas Reinke found)
 - started using the LW 1.6 libraries
 - fixed infinite loop output problem (no longer wrapping long lines)
 - removed usage from saved output (too long)
 - remove nikto_frontpage.plugin and put checks in scan_database.db
 - moved server categories from scan_database.db to servers.db
 - got rid of the leading "c," requirement from scan_database.db
 - added STATIC-COOKIE config item as suggested by Eyal Udassin
 - made CLI options case sensitive (to support more options, hosts files, etc)
 - added Javier Fernandez-Sanguino Pen~a's Apache user enumeration plugin
 - added -r (-root) file prepend as suggested by Eyal Udassin
 - many DB typo fixes from Jay Swofford
 - fixed a regex bug in nikto_robots.plugin and nikto_apacheusers.plugin
 - new update location (path) to better support upgrades that don't affect db syntax

08.21.2002 Nikto 1.21
 - Fixed all the proxy code--none of it was working due to where it was set in the initialization.
 - Added -update to the help output. Not sure why it wasn't there.

08.12.2002 Nikto 1.20
 - Re-packaged to take out a testing line from LW.pm. Thanks to D Rhoades for the catch

08.11.2002 Nikto 1.20
 - Moved all mutate options to plugins
 - Added password file mutate plugin
 - Added better error messages if problems arise
 - Test for false-positives on all CGI directories
 - Added -useproxy CLI
 - Printing SSL certs the server accepts
 - Fixed port sorting if -f is used
 - Forked 1.20DCX edition for DefCon 10 CD: difference is only output
 - Fixed a bug where "findonly" was referenced as "findports" (thanks J DePriest)
 - Added properly wrapped text output in saved files

05.25.2002 Nikto 1.100
 - stopped nikto from dying if no config.txt file found
 - added Apache user enumeration plugin
 - added robots.txt plugin
 - set false-positive message to display at end of run as well as during

04.23.2002 Nikto 1.10BETA_3
 - fixed CAN/CVE links, added BID/CA/MS links (suggested by Jericho).
 - prints total number of 'issues' found (suggested by Jericho).
 - fixed proxy usage in the cirt.net update function.
 - updated to use LW 1.4, which fixes an SSL infinite loop problem.
 - fixed 401 auth suppression (broken in beta 2).
 - added robots plugin to examine robots.txt & add items found to the mutate check

03.31.2002 Nikto 1.10BETA_2
 - fixed the config.txt DEFAULTHTTPVER variable setting so it really works
 - made proxy_check run only once per session
 - removed all reference to "nikto" in the scan_database.db

03.23.2002 Nikto 1.10BETA_1
 - renamed plugins from .pl to .plugin, just for clarity, but they're still perl files
 - allowed nikto.pl to update plugins the same as .db files
 - usage of LW 1.2
 - countless "under the hood" type things
 - lowercase-incoming-headers to more easily handle case sensitive nonsense
 - compartmentalized a LOT more code to make things easier to read
 - created config.txt file configuration w/o modifying nikto.pl itself
 - added user_scan_database.db so that it won't get overwritten if the user adds checks
 - enabled RFP's LibWhisker anti-ids options
 - change "check," to "c," in scan_database, just to save a little bandwidth on cirt.net :)
 - added plugin to check HTTP methods
 - created a 'mutate' mode for really brute force finding stuff on servers
 - added the ability to set default CLI options via config file
 - added PLUGINDIR config variable
 - added plugin to check other HTTP headers (just x-powered-by for now)
 - added ability for nikto to auto-determine ssl v non-ssl on a port
 - added port scanning ability (with or without nmap)
 - added ability to send message via the update script's versions.txt file. I don't know why, but it may be handy to let folks know if a new beta is out, or something.
 - implemented the virtual host headers as patched by Pasi Eronen

01.17.2002 Nikto 1.018
 - Added /mpcgi/ to the @CGIDIRS array based on some suggestions.
 - Fixed a bug in the auth_check function (thanks RFP), and cleaned up error reporting on failed auths

01.12.2002 Nikto 1.017
 - Fixed a bug where the data portion of a request did not reset to null after some checks (thanks to Phil Brass for pointing me at it & letting me test against his server).

01.10.2002 Nikto 1.016
 - Add dump_*hash functions
 - Added pause (-x) in scan loop
 - Fixed a bug which caused a major slowdown
 - Added load_conf for setup for configuration files (future)
 - Fixed http vs. https links in output files

01.08.2002 Nikto 1.015
 - Fixed a bug (?) in Libwhisker PR4 (will check v1 code...)
 - Corrected an error which caused a few false-positives (404 really IS not found :)

01.07.2002 Nikto 1.014
 - Removed comment filtering from lines in scan_database.db to accommodate SSI includes
 - Fixed quoting removal for data portions in checks (so " is valid).

01.06.2002 Nikto 1.013
 - Made major global variable changes, moved tons of them to hashes
 - Wrote some basic plugin writing documentation & added 'docs' directory

01.03.2002 Nikto 1.012
 - Added extended output for scan archival reasons (suggested by Steve Saady)
 - Changed host auth failure to a warning, not stoppage
 - Added "data" portion to scan_database.db
 - Added @IP and @HOSTNAME substitutions for scan_database.db checks (will be replaced by actual IP/hostname) - in case they are needed in the future.
 - Added JUNK() to scan_database.db checks to facilitate future buffer-overflows (non-DoS), and future DoS plugins
 - Added Proxy-agent as valid the same as Server result strings
 - Changed -l to -n ("nolookup") to be more accurate

01.02.2002 Nikto 1.011
 - Added proxy auth for db update requests (oops).
 - Started .xxx version numbering scheme to make life easier
 - Fixed href tags in HTM output (< and > encoding and target host/ip)
 - Added "caseless" WWW-Authenticate finding (for iPlanet Proxy)

12.31.2001 Nikto 1.01
 - Added regex to remove comments from scan_database.db in case they ever exist
 - Fixed extra 'Host:' line being sent to server (duh).
 - Fixed non 'GET' request data posting (duh).
 - Added -timeout option

12.27.2001 Nikto 1.00
 - Finalized beta version for release