watobo 0.9.21 → 0.9.23

data/lib/watobo/utils/print_debug.rb

@@ -1,23 +1,14 @@
-#.
-# print_debug.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  def self.print_debug(*m)
-    fl = m.shift
-    puts "#"
-    puts "# #{fl} #"
-    if m.length > 0
-      m.each do |l|
-        puts l
-      end
-      puts "# " + "-"*fl.length + " #"
-    end
-  end
+module Watobo#:nodoc: all
+  def self.print_debug(*m)
+    fl = m.shift
+    puts "#"
+    puts "# #{fl} #"
+    if m.length > 0
+      m.each do |l|
+        puts l
+      end
+      puts "# " + "-"*fl.length + " #"
+    end
+  end
 end

data/lib/watobo/utils/response_builder.rb

@@ -1,101 +1,92 @@
-#.
-# response_builder.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Utils
-      def self.string2response( text, opts = {} )
-        options = { :update_content_length => false }
-        options.update opts
-        begin
-          hb_sep = "\r\n\r\n"
-          eoh = text.index(hb_sep)
-          if eoh.nil?
-            hb_sep = "\n\n"
-            eoh = text.index(hb_sep)
-          end
-          unless eoh.nil?
-          raw_header = text[0..eoh-1]
-          raw_body = text[eoh+hb_sep.length..-1]
-          puts ">> RawBody: #{raw_body}"
-          else
-            raw_header = text
-            raw_body = nil
-          end
-
-          response = raw_header.split("\n")
-          response.map!{|r| "#{r.strip}\r\n" }
-         # Watobo::Response.create response
-          unless raw_body.nil?
-          response << "\r\n"
-          response << raw_body unless raw_body.strip.empty?
-          end
-          #return response
-          return Watobo::Response.new(response)
-
-        rescue => bang
-          puts bang
-          puts bang.backtrace
-        end
-        return nil
-    end
-  end
-end
-
-if $0 == __FILE__
-  inc_path = File.expand_path(File.join(File.dirname(__FILE__), "..", ".."))
-  $: << inc_path
-
-  require 'watobo'
-  
-text =<<'EOF'
-HTTP/1.1 200 OK
-Content-Type: text/html
-Vary: Accept-Encoding
-Expires: Thu, 19 Jul 2012 06:57:20 GMT
-Cache-Control: max-age=0, no-cache, no-store
-Pragma: no-cache
-Date: Thu, 19 Jul 2012 06:57:20 GMT
-Content-Length: 203
-Connection: close
-
-<html></html>
-EOF
-
-text2 ="HTTP/1.1 200 OK\r\n" +
-"Content-Type: text/html\r\n" +
-"Vary: Accept-Encoding\r\n" +
-"Expires: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
-"Cache-Control: max-age=0, no-cache, no-store\r\n" +
-"Pragma: no-cache\r\n" +
-"Date: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
-"Content-Length: 203\r\n" +
-"Connection: close\r\n\r\n" +
-"<html></html>\r\n"
-
-unless ARGV[0].nil?
-if File.exist? ARGV[0]
-  text = File.open(ARGV[0],"rb").read
-end
-end
-r = Watobo::Utils.string2response text
-puts r.class
-puts r.status
-puts r.content_type
-puts r
-puts
-puts "="
-puts 
-r = Watobo::Utils.string2response text2
-puts r.class
-puts r.status
-puts r.content_type
-puts r
-
+module Watobo#:nodoc: all
+  module Utils
+      def self.string2response( text, opts = {} )
+        options = { :update_content_length => false }
+        options.update opts
+        begin
+          hb_sep = "\r\n\r\n"
+          eoh = text.index(hb_sep)
+          if eoh.nil?
+            hb_sep = "\n\n"
+            eoh = text.index(hb_sep)
+          end
+          unless eoh.nil?
+          raw_header = text[0..eoh-1]
+          raw_body = text[eoh+hb_sep.length..-1]
+          puts ">> RawBody: #{raw_body}"
+          else
+            raw_header = text
+            raw_body = nil
+          end
+
+          response = raw_header.split("\n")
+          response.map!{|r| "#{r.strip}\r\n" }
+         # Watobo::Response.create response
+          unless raw_body.nil?
+          response << "\r\n"
+          response << raw_body unless raw_body.strip.empty?
+          end
+          #return response
+          return Watobo::Response.new(response)
+
+        rescue => bang
+          puts bang
+          puts bang.backtrace
+        end
+        return nil
+    end
+  end
+end
+
+if $0 == __FILE__
+  inc_path = File.expand_path(File.join(File.dirname(__FILE__), "..", ".."))
+  $: << inc_path
+
+  require 'watobo'
+  
+text =<<'EOF'
+HTTP/1.1 200 OK
+Content-Type: text/html
+Vary: Accept-Encoding
+Expires: Thu, 19 Jul 2012 06:57:20 GMT
+Cache-Control: max-age=0, no-cache, no-store
+Pragma: no-cache
+Date: Thu, 19 Jul 2012 06:57:20 GMT
+Content-Length: 203
+Connection: close
+
+<html></html>
+EOF
+
+text2 ="HTTP/1.1 200 OK\r\n" +
+"Content-Type: text/html\r\n" +
+"Vary: Accept-Encoding\r\n" +
+"Expires: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
+"Cache-Control: max-age=0, no-cache, no-store\r\n" +
+"Pragma: no-cache\r\n" +
+"Date: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
+"Content-Length: 203\r\n" +
+"Connection: close\r\n\r\n" +
+"<html></html>\r\n"
+
+unless ARGV[0].nil?
+if File.exist? ARGV[0]
+  text = File.open(ARGV[0],"rb").read
+end
+end
+r = Watobo::Utils.string2response text
+puts r.class
+puts r.status
+puts r.content_type
+puts r
+puts
+puts "="
+puts 
+r = Watobo::Utils.string2response text2
+puts r.class
+puts r.status
+puts r.content_type
+puts r
+
 end

data/lib/watobo/utils/response_hash.rb

@@ -1,12 +1,3 @@
-#.
-# response_hash.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 
 # @private 

data/lib/watobo/utils/secure_eval.rb

@@ -1,12 +1,3 @@
-#.
-# secure_eval.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Utils

data/lib/watobo/utils/strings.rb

@@ -1,21 +1,12 @@
-#.
-# strings.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Utils
-    def self.camelcase(string)
-      string.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
-    end
-    
-    def self.snakecase(string)
-      string.gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
-    end
-  end
+module Watobo#:nodoc: all
+  module Utils
+    def self.camelcase(string)
+      string.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
+    end
+    
+    def self.snakecase(string)
+      string.gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
+    end
+  end
 end

data/lib/watobo/utils/text2request.rb

@@ -1,12 +1,3 @@
-#.
-# text2request.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Utils

data/lib/watobo/utils/url.rb

@@ -1,34 +1,25 @@
-#.
-# url.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Utils
-    module URL
-      def self.create_url(chat, path)
-        url = path
-        # only expand path if not url
-        unless path =~ /^http/
-          # check if path is absolute
-          if path =~ /^\//
-            url = File.join("#{chat.request.proto}://#{chat.request.host}", path)
-          else
-            # it's relative
-            url = File.join(File.dirname(chat.request.url.to_s), path)
-          end
-        end
-        # resolve path traversals
-        while url =~ /(\/[^\.\/]*\/\.\.\/)/
-          url.gsub!( $1,"/")
-        end
-        url
-      end
-    end
-  end
+module Watobo#:nodoc: all
+  module Utils
+    module URL
+      def self.create_url(chat, path)
+        url = path
+        # only expand path if not url
+        unless path =~ /^http/
+          # check if path is absolute
+          if path =~ /^\//
+            url = File.join("#{chat.request.proto}://#{chat.request.host}", path)
+          else
+            # it's relative
+            url = File.join(File.dirname(chat.request.url.to_s), path)
+          end
+        end
+        # resolve path traversals
+        while url =~ /(\/[^\.\/]*\/\.\.\/)/
+          url.gsub!( $1,"/")
+        end
+        url
+      end
+    end
+  end
 end

data/lib/watobo/utils/utf16.rb

@@ -1,22 +1,13 @@
-#.
-# utf16.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+module Watobo
+  module UTF16
+     def self.decode_utf16le(str)
+        str.force_encoding(Encoding::UTF_16LE)
+        str.encode(Encoding::UTF_8, Encoding::UTF_16LE).force_encoding('UTF-8')
+      end
 
-module Watobo
-  module UTF16
-     def self.decode_utf16le(str)
-        str.force_encoding(Encoding::UTF_16LE)
-        str.encode(Encoding::UTF_8, Encoding::UTF_16LE).force_encoding('UTF-8')
-      end
-
-      def self.encode_utf16le(str)
-        str = str.force_encoding('UTF-8') if [::Encoding::ASCII_8BIT,::Encoding::US_ASCII].include?(str.encoding)
-        str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('UTF-8')
-      end
-  end
+      def self.encode_utf16le(str)
+        str = str.force_encoding('UTF-8') if [::Encoding::ASCII_8BIT,::Encoding::US_ASCII].include?(str.encoding)
+        str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('UTF-8')
+      end
+  end
 end

data/modules/active/Apache/mod_status.rb

@@ -1,12 +1,3 @@
-#.
-# mod_status.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # .
 # mod_status.rb
 #

data/modules/active/Apache/multiview.rb

@@ -1,161 +1,152 @@
-#.
-# multiview.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+=begin
+http://www.wisec.it/sectou.php?id=4698ebdc59d15
 
-=begin
-http://www.wisec.it/sectou.php?id=4698ebdc59d15
-
-$ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
-HTTP/1.1 406 Not Acceptable
-Date: Fri, 24 Jan 2014 08:46:35 GMT
-Server: Apache/2.2.22 (Debian)
-Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
-Vary: negotiate,accept,Accept-Encoding
-TCN: list
-Content-Length: 568
-Content-Type: text/html; charset=iso-8859-1
-
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
-<html><head>
-<title>406 Not Acceptable</title>
-</head><body>
-<h1>Not Acceptable</h1>
-<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
-Available variants:
-<ul>
-<li><a href="index.bak">index.bak</a> , type application/x-trash</li>
-<li><a href="index.html">index.html</a> , type text/html</li>
-<li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
-</ul>
-<hr>
-<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
-</body></html>
-
-=end
-
-# @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Apache
-        
-        
-        class Multiview < Watobo::ActiveCheck
-          
-          @@tested_paths = []
-          
-          details =<<EOD           
-$ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
-HTTP/1.1 406 Not Acceptable
-Date: Fri, 24 Jan 2014 08:46:35 GMT
-Server: Apache/2.2.22 (Debian)
-Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
-Vary: negotiate,accept,Accept-Encoding
-TCN: list
-Content-Length: 568
-Content-Type: text/html; charset=iso-8859-1
-
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
-<html><head>
-<title>406 Not Acceptable</title>
-</head><body>
-<h1>Not Acceptable</h1>
-<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
-Available variants:
-<ul>
-<li><a href="index.bak">index.bak</a> , type application/x-trash</li>
-<li><a href="index.html">index.html</a> , type text/html</li>
-<li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
-</ul>
-<hr>
-<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
-</body></html>
-EOD
-          
-           @info.update(
-                         :check_name => 'MultiViews',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => "Checks if MultiViews option is present in Apache. See http://www.wisec.it/sectou.php?id=4698ebdc59d15",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :check_group => AC_GROUP_APACHE,
-            :version => "1.0"   # check version
-            )
-            
-            @finding.update(
-                            :threat => 'Makes enumeration of backup or renamed files easier. see also http://www.wisec.it/sectou.php?id=4698ebdc59d15',        # thread of vulnerability, e.g. loss of information
-            :class => "MultiViews",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :rating => VULN_RATING_INFO,
-            :measure => "Disable MultiViews in your Apache configuration.",
-            :details => details,
-            :type => FINDING_TYPE_VULN         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
-            )
-            
-          
-          def initialize(session_name=nil, prefs={})
-          #  @project = project
-            super(session_name, prefs)
-            
-            #  @tested_directories = Hash.new
-            @fext = %w( php asp aspx jsp cfm shtm htm html shml )
-            
-          end
-          
-          def reset()
-            @@tested_paths.clear
-          end
-          
-          
-          def generateChecks(chat)
-            
-            begin
-              file = chat.request.file              
-              return nil if @@tested_paths.include? file
-              @@tested_paths << file
-              
-              if file != "" and file =~ /\.(#{@fext.join("|")})$/ then
-                 checker = proc{
-                      test_request = nil
-                      test_response = nil
-                      new_file = file.gsub(/\.\w{1,4}$/, "")
-                      test_request = chat.copyRequest
-                      #test_request.addHeader("Vary","negotiate,accept")
-                      test_request.set_header("Accept","application/watobo; q=1.0")
-                      
-                      test_request.replaceFileExt(new_file)
-                      result_request, result_response = doRequest(test_request, :default => true)
-                      
-                      tcn_headers = result_response.headers("^TCN")
-                      unless tcn_headers.empty?                     
-                        puts "MULTIVIEW - #{self.class}!!!\n"
-                        #test_chat = Chat.new(test_request, test_response, chat.id)
-                        addFinding( result_request, result_response,
-                                   :check_pattern => "#{new_file}",
-                                   :test_item => file,
-                        :proof_pattern => "#{new_file}",
-                        :chat => chat,
-                        :title => "#{new_file}"
-                        #:debug => true
-                        )                        
-                      end
-                      [ test_request, test_response ] 
-                    }
-                    yield checker
-              end
-            rescue => bang
-              
-              puts "ERROR!! #{Module.nesting[0].name} "
-              puts "chatid: #{chat.id}"
-              puts bang
-              puts 
-              
-            end
-          end
-        end
-      end
-    end
-  end
-end
+$ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
+HTTP/1.1 406 Not Acceptable
+Date: Fri, 24 Jan 2014 08:46:35 GMT
+Server: Apache/2.2.22 (Debian)
+Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
+Vary: negotiate,accept,Accept-Encoding
+TCN: list
+Content-Length: 568
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>406 Not Acceptable</title>
+</head><body>
+<h1>Not Acceptable</h1>
+<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
+Available variants:
+<ul>
+<li><a href="index.bak">index.bak</a> , type application/x-trash</li>
+<li><a href="index.html">index.html</a> , type text/html</li>
+<li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
+</ul>
+<hr>
+<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
+</body></html>
+
+=end
+
+# @private 
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Apache
+        
+        
+        class Multiview < Watobo::ActiveCheck
+          
+          @@tested_paths = []
+          
+          details =<<EOD           
+$ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
+HTTP/1.1 406 Not Acceptable
+Date: Fri, 24 Jan 2014 08:46:35 GMT
+Server: Apache/2.2.22 (Debian)
+Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
+Vary: negotiate,accept,Accept-Encoding
+TCN: list
+Content-Length: 568
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>406 Not Acceptable</title>
+</head><body>
+<h1>Not Acceptable</h1>
+<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
+Available variants:
+<ul>
+<li><a href="index.bak">index.bak</a> , type application/x-trash</li>
+<li><a href="index.html">index.html</a> , type text/html</li>
+<li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
+</ul>
+<hr>
+<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
+</body></html>
+EOD
+          
+           @info.update(
+                         :check_name => 'MultiViews',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "Checks if MultiViews option is present in Apache. See http://www.wisec.it/sectou.php?id=4698ebdc59d15",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :check_group => AC_GROUP_APACHE,
+            :version => "1.0"   # check version
+            )
+            
+            @finding.update(
+                            :threat => 'Makes enumeration of backup or renamed files easier. see also http://www.wisec.it/sectou.php?id=4698ebdc59d15',        # thread of vulnerability, e.g. loss of information
+            :class => "MultiViews",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :rating => VULN_RATING_INFO,
+            :measure => "Disable MultiViews in your Apache configuration.",
+            :details => details,
+            :type => FINDING_TYPE_VULN         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+            )
+            
+          
+          def initialize(session_name=nil, prefs={})
+          #  @project = project
+            super(session_name, prefs)
+            
+            #  @tested_directories = Hash.new
+            @fext = %w( php asp aspx jsp cfm shtm htm html shml )
+            
+          end
+          
+          def reset()
+            @@tested_paths.clear
+          end
+          
+          
+          def generateChecks(chat)
+            
+            begin
+              file = chat.request.file              
+              return nil if @@tested_paths.include? file
+              @@tested_paths << file
+              
+              if file != "" and file =~ /\.(#{@fext.join("|")})$/ then
+                 checker = proc{
+                      test_request = nil
+                      test_response = nil
+                      new_file = file.gsub(/\.\w{1,4}$/, "")
+                      test_request = chat.copyRequest
+                      #test_request.addHeader("Vary","negotiate,accept")
+                      test_request.set_header("Accept","application/watobo; q=1.0")
+                      
+                      test_request.replaceFileExt(new_file)
+                      result_request, result_response = doRequest(test_request, :default => true)
+                      
+                      tcn_headers = result_response.headers("^TCN")
+                      unless tcn_headers.empty?                     
+                        puts "MULTIVIEW - #{self.class}!!!\n"
+                        #test_chat = Chat.new(test_request, test_response, chat.id)
+                        addFinding( result_request, result_response,
+                                   :check_pattern => "#{new_file}",
+                                   :test_item => file,
+                        :proof_pattern => "#{new_file}",
+                        :chat => chat,
+                        :title => "#{new_file}"
+                        #:debug => true
+                        )                        
+                      end
+                      [ test_request, test_response ] 
+                    }
+                    yield checker
+              end
+            rescue => bang
+              
+              puts "ERROR!! #{Module.nesting[0].name} "
+              puts "chatid: #{chat.id}"
+              puts bang
+              puts 
+              
+            end
+          end
+        end
+      end
+    end
+  end
+end