
openvas | Copyright (C) 2005 Digital Defense Inc. | OPENVAS:136141256231011032
History | Nov 03, 2005 - 12:00 a.m.

Directory Scanner

Copyright (C) 2005 Digital Defense Inc.

9.9 High



8.1 High

AI Score



10 High



0.975 High




This plugin attempts to determine the presence of various
common dirs on the remote web server.

# SPDX-FileCopyrightText: 2005 Digital Defense Inc.
# SPDX-FileCopyrightText: Improved code and additional directories since 2009 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
# SPDX-License-Identifier: GPL-2.0-or-later

  # Plugin metadata. These calls are indented as if inside an enclosing block, but that block's
  # opening line is not visible in this listing.
  script_tag(name:"last_modification", value:"2024-06-12 05:05:44 +0000 (Wed, 12 Jun 2024)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  # The script rates itself as informational: the vector declares no confidentiality, integrity or
  # availability impact and the base score is 0.0.
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_tag(name:"cvss_base", value:"0.0");
  script_xref(name:"OWASP", value:"OWASP-CM-006");
  script_name("Directory Scanner");
  script_copyright("Copyright (C) 2005 Digital Defense Inc.");
  script_family("Service detection");
  # Scripts this one depends on.
  script_dependencies("find_service.nasl", "httpver.nasl", "no404.nasl",
                      "global_settings.nasl", "gb_ssl_sni_supported.nasl"); # SNI support should be determined first
  script_require_ports("Services/www", 80);

  script_tag(name:"summary", value:"This plugin attempts to determine the presence of various
  common dirs on the remote web server.");

  # Quality-of-detection class declared for this script's results.
  script_tag(name:"qod_type", value:"remote_banner");



# Set to a non-zero value to print progress messages through display().
debug = 0;

# These lists hold the results: directories that were discovered and directories that asked for
# authentication.
discoveredDirList = make_list();
authDirList = make_list();

# Scan settings read from the knowledge base (KB).
# NOTE(review): presumably written by global_settings.nasl, which is listed as a dependency - confirm.
cgi_dirs_exclude_pattern = get_kb_item( "global_settings/cgi_dirs_exclude_pattern" );
use_cgi_dirs_exclude_pattern = get_kb_item( "global_settings/use_cgi_dirs_exclude_pattern" );
cgi_dirs_exclude_servermanual = get_kb_item( "global_settings/cgi_dirs_exclude_servermanual" );

# Requests a randomly named path below "dir" and reports whether the server answers it with a 404.
#
# dir:  directory the random "/non-existent<number>" name is appended to
# port: port the request is sent to
#
# Returns TRUE if the response starts with an HTTP/1.0 or HTTP/1.1 404 status line, FALSE otherwise.
#
# NOTE(review): this listing looks incomplete. The statement guarded by "if( ! res )" and the
# closing braces of the function are missing, so the handling of an empty response cannot be
# determined from the lines shown.
function check_cgi_dir( dir, port ) {

  local_var req, res, dir, port;

  # rand() makes it unlikely that the requested name exists on the server.
  req = http_get( item:dir + "/non-existent"  + rand(), port:port );
  res = http_keepalive_send_recv( data:req, port:port, bodyonly:FALSE );
  if( ! res )

  if( res =~ "^HTTP/1\.[01] 404" ) {
    return TRUE;
  } else {
    return FALSE;

# Records a discovered directory once: appends it to discoveredDirList and stores it in the KB.
#
# dir:  directory path that was found
# port: port the directory was found on
# host: host name used in the KB key
#
# A directory matching cgi_dirs_exclude_pattern (when use_cgi_dirs_exclude_pattern is set) is
# stored under the ".../content/excluded_directories" key.
#
# NOTE(review): the closing braces are missing from this listing, so it cannot be told from here
# whether an excluded directory is also stored under ".../content/directories" below.
function add_discovered_list( dir, port, host ) {

  local_var dir, port, host, dir_key;

  # Only handle a directory the first time it is seen.
  if( ! in_array( search:dir, array:discoveredDirList ) ) {
    discoveredDirList = make_list( discoveredDirList, dir );

    if( use_cgi_dirs_exclude_pattern ) {
      if( egrep( pattern:cgi_dirs_exclude_pattern, string:dir ) ) {
        set_kb_item( name:"www/" + host + "/" + port + "/content/excluded_directories", value:dir );

    #TBD: Do a check_cgi_dir( dir:dir, port:port ); before?
    # NOTE(review): "dir" can originate from the remote robots.txt or /CVS/Entries content, so the
    # value stored here is server-controlled text; consumers of this key should treat it as untrusted.
    dir_key = "www/" + host + "/" + port + "/content/directories";
    if( debug ) display( "Setting KB key: ", dir_key, " to '", dir );
    set_kb_item( name:dir_key, value:dir );

# Records a directory that answered with an authentication challenge: appends it once to
# authDirList and stores it in the KB.
#
# dir:   directory path that requested authentication
# port:  port the directory was found on
# host:  host name used in the KB keys
# basic: truthy when HTTP Basic authentication was detected for the directory
# realm: realm string appended to the stored Basic authentication entry
#
# NOTE(review): the closing braces are missing from this listing, so the exact nesting of the
# statements below (and what happens after an exclude-pattern match) cannot be confirmed from here.
function add_auth_dir_list( dir, port, host, basic, realm ) {

  local_var dir, port, host, dir_key, basic, realm;

  # Only handle a directory the first time it is seen.
  if( ! in_array( search:dir, array:authDirList ) ) {

    authDirList = make_list( authDirList, dir );

    if( use_cgi_dirs_exclude_pattern ) {
      if( egrep( pattern:cgi_dirs_exclude_pattern, string:dir ) ) {
        set_kb_item( name:"www/" + host + "/" + port + "/content/excluded_directories", value:dir );

    # Global flag plus a per-host/port entry naming the directory.
    set_kb_item( name:"www/content/auth_required", value:TRUE );
    dir_key = "www/" + host + "/" + port + "/content/auth_required";
    if( debug ) display( "Setting KB key: ", dir_key, " to '", dir );
    set_kb_item( name:dir_key, value:dir );

    # Used in 2018/gb_http_cleartext_creds_submit.nasl
    if( basic ) {
      set_kb_item( name:"www/basic_auth/detected", value:TRUE );
      set_kb_item( name:"www/pw_input_field_or_basic_auth/detected", value:TRUE );
      # Used in 2018/gb_http_cleartext_creds_submit.nasl
      # NOTE(review): "dir" is embedded in the KB key NAME here and "realm" in the value. Both can
      # carry server-controlled text (dir may come from robots.txt or /CVS/Entries, realm from the
      # response), so readers of this key should not assume a fixed character set.
      set_kb_item( name:"www/" + host + "/" + port + "/content/basic_auth/" + dir, value:http_report_vuln_url( port:port, url:dir, url_only:TRUE ) + ":" + realm );

# nb:
# - Some entries might be duplicated, this is acceptable because the list will be made "unique" later
# - Don't add more dirs here and add them in the second testDirList2 below instead (see relevant note for the background)
testDirList = make_list(
# git
# Bazaar
# Mercurial
# SSH homefolder
"webaccess", # e.g. Zarafa
"webapp", # e.g. Zarafa
# Phishing
# Lite-serve
# HyperWave
# Urchin
# CVE-2000-0237
# Locale / language related
# nb:
# - the alpha-2 / two-letter country codes have been taken from here:
# - Some entries might be duplicated like e.g. "gb" for "guest book", this is acceptable because
#   the list will be made "unique" later
# - "en" is a special case and not listed on the page above
# Sympa
# Opentaps and Apache OFBiz
"ecomseo", # nb: special case
# Icinga Web 2
# GVM / GSA related URLs
# Fortinet FortiOS SSL VPN Web Portal
# Collabora / LibreOffice Online
# e.g. Metasploitable2 VM
# ownCloud
"ocm-provider", #nb: OpenCloudMesh Endpoint
# Kibana
"app/kibana", #nb: "/app" is already included above
# Samsung Q60 series smart TV but might exist for other products / applications as well
# nb: Only api/v2 existed for the samsung device but those seems to be quite common endpoints
# like seen in some other VTs in the feed.
# Cisco UCS Director
"app/ui", #nb: "app" is already included above
# Same/similar product, different vendors / product lines
# - Juniper Pulse Connect SSL-VPN
# - Pulse Secure Pulse Connect Secure
# - Ivanti Connect Secure
# - Ivanti Policy Secure
# nb: The device had also "/api/v1" but this is already included above
# Citrix ADC / Gateway
# WordPress Core dirs
"wp-json", # Pretty links
"index.php/wp-json", # Non-Pretty links
# WordPress plugins / themes dirs
# Cloudflare, see e.g.
# Trend Micro Apex One (see info of the structure in e.g. CVE-2023-0587)
# Sophos XG Firewall
# Microsoft Exchange Outlook Web App (OWA)
# Laravel / Laravel Telescope
# Apache Solr
# e.g. SpinetiX Fusion
# Oracle BI Publisher
# RUCKUS IoT Controller
# Config dir of various apps / frameworks like Symfony
# Citrix Endpoint Management or XenMobile Server
# Cisco Security Manager, possible other products as well
# Cisco Webex Meetings Server
# Tomcat
"tomcat-docs", #nb: Will be ignored by default
# D-Link DSR devices
# Micro Focus (Novell) Filr
# AWStats
# WD My Cloud
# Various application servers like Apache Tomcat or Mort Bay/Eclipse Jetty. Normally these should
# prevent the direct access to the directory but we're checking it anyway if there are any
# misconfigurations in place.
# WildFly H2 Console
# Liferay Portal
# VMware Identity Manager / vRealize Automation / VMware Workspace ONE Access
"SAAS/t", # nb: Seen in CVE-2022-31656
# Novell Web Manager
# Unknown product related to Apache Cocoon
"v2/api/product/manager", # nb: The above endpoint might be a typo so both are used.
# Seen on multiple Apache Cocoon relevant systems
# VMware vSphere Client of vCenter Server
"ui/vropspluginui/rest/services/getstatus", # nb: This and the previous is an API endpoint which was unprotected before the patch from VMSA-2021-0002
# VMware vRealize Operations Manager
# API path taken from
# VMware vRealize Operations Tenant App API
# RedHat Stronghold
# Enterasys Dragon Enterprise Reporting
# HP Systems Insight Manager
# HP/HPE System Management Homepage (SMH)
# Inspur ClusterEngine
# AfterLogic Aurora/WebMail
# NetApp Cloud Manager
# Adobe ColdFusion
# Proxmox Virtual Environment (VE, PVE)
# SAP NetWeaver Portal
# SAP Solution Manager
"EemAdminService", # Seen in CVE-2020-6207
# Those have been also seen on such SAP Solution Manager installs:
# SAP NetWeaver Development Infrastructure
"tc.CBS.Appl", # Seen in CVE-2021-33690
# Apache Struts
# nb: The "config-browser" ones are from the Config Browser Plugin (
# Ivanti Avalanche
# VMware Workspace ONE UEM
# Used by an unknown scanner checking for Laravel ".env" files
# Oracle E-Business Suite
# Sun/Oracle Web Server
# Various SAP products
# SICF service on SAP AS ABAP
# SAP Internet Communication Framework (ICF)
# SAP Internet Communication Manager (ICM)
# SAP Web Dispatcher
# Additional unknown SAP URLs
# nb: sap/bc is already included in some other places
# Those have been seen on NetWeaver systems
# SAP XML Data Archiving Service on SAP AS Java
# Pega Infinity
# Cisco HyperFlex Connect
# Self Service Password [LDAP Tool Box (LTB)]
# SolarWinds Orion Platform (e.g. NPM)
# HP / H3C iMC
# Zend Framework config file location
# Apache Airflow
# ConcatServlet of Eclipse Jetty
# Unknown servlet of Eclipse Jetty
# Mentioned as a directory in
# Seen in various active checks for Eclipse Jetty
# Maipu Network devices
# Akkadian Provisioning Manager
# Lucee
# FanRuan FineReport
# VICIdial
# Acronis Cyber Protect
# FCKeditor / CKEditor
# Huawei Home Gateway
# Cisco ASA / ASDM
# W-Agora
# Online Grades
# Adobe Experience Manager (AEM)
"mnt", # All "mnt" ones have been seen in CVE-2019-16469
# Prometheus
# Some known JavaServer Faces (JSF2) apps / endpoints
# Veeam Backup Enterprise Manager
# OpenAM, MITREid Connect and other OAuth related products
# Circontrol CirCarLife / OCPP
# WD My Book Live
# LISTSERV Maestro
# Appnitro MachForm
# IBM Maximo
# IceWarp Mail Server
# Kaseya VSA
# Dell Wyse Management Suite
# Seagate BlackArmor NAS
# osCommerce
# MagicFlow
# KevinLAB products (4st Solar, EMS, BEMS, HEMS) but also possible others
# <- Start entries from 2021/gb_generic_http_web_dirs_dir_trav.nasl
 # MERCUSYS Mercury X18G
# Gate One
# st module for Node.js
# Node.js and Spring MVC
# Spring MVC
# ZEIT Next.js
# LG SuperSign CMS
"node_modules", # node-srv node module
# Node RED Dashboard
# Elasticsearch
# Oracle GlassFish Server
# Rubedo
# Pallets Werkzeug
# Deltek Maconomy
# D-Link Routers
# Galera WebTemplate
# Ruby on Rails
# RaidenMAILD Mail Server
# -> End entries from 2021/gb_generic_http_web_dirs_dir_trav.nasl
# Sage X3
# IBM Web Content Manager
# Orbis CMS
# DynPage CMS
# BaconMap
# Node RED Dashboard
# qdPM
# SAP Manufacturing Integration and Intelligence (xMII) component
# Chamilo LMS
# SOGo Groupware Webmail
# EFI Fiery
# XEROX printers
# Fujifilm printers
# e.g. Microsoft Open Management Infrastructure (OMI)
# Microsoft Sharepoint
# Microsoft FronPage / IIS / Exchange related
# ManageEngine OpManager and / or Desktop Central.
# nb: a few might already exist in the list but where added here for easier maintenance
# Ciso Prime Infrastructure (PIS)
# Red Hat JBoss Operations Network (JON)
# Kentico CMS
# PHP MicroCMS
# VMware vRealize Orchestrator
# Tuleap
"soap/index.php", # nb: This is expected, the URL looks like /soap/index.php/
# Apache Druid
# ZenCart
# CM Scout
# Gallo
# eoCMS
# Symfony Security Configuration
# Site2Nite Boat
# Pentaho Business Analytics
# Sitecore CMS/XP
# PithCMS
# Metabase
# Wiki Web Help
# Amcrest Technologies IP Camera
# Q-See IP Camera
# AlstraSoft AskMe
# SIMM Management System
# phpBazar
# Papoo CMS
# Pecio CMS
# Grafana and various default plugins (see 2021/grafana/gb_grafana_dir_trav_vuln_dec21_active.nasl)
# nb: The default plugin list is only checked on the "/" root dir on purpose to keep the list little bit smaller.
# Apache JSPWiki
# MobileIron Core / Sentry / Endpoint Manager Mobile (EPMM)
# PhreeBooks
# dl_stats
# Snort Report
# Auerswald COMmander / COMpact
# Ubiquiti UniFi Network
# LittlePhpGallery
# SQLiteManager
# Apache James Web Admin (
# nb: While those are some kind of API / entpoints and not directories we're still keeping it
# for consistency reasons and because some of these might exist as dirs on other systems.
# Lexmark printers
# VMware Horizon
# AjaXplorer
# Abtp Portal Project
# SolarWinds Web Help Desk
# ClearSite
# Xoops Celepar
# Evaria ECMS
# 68kb
# JpGraph
# Moxa MXview
# XWiki
# MyBackup
# Jamf Pro
# SureMDM
# Siestta
# TCExam
# justVisual
# openstock / opentel
# phpThumb
# Event Horizon
# FlatPress
# Cobbler
# BMC Track-It!
# Zabbix
# nuBuilder
# Whizzy CMS
# PHP Traverser
# JAG (Just Another Guestbook)
# Direct News
# ccTiddly
# DNET Live-Status
# VoIPmonitor
# Dolphin
# Jasig / Apereo Central Authentication Service (CAS)
# REST API Endpoint URLs got taken from
# Yealink Device Management Platform
# Cisco Unified Communications Manager
# Cisco Unified Communications Self Care Portal
# Cisco Prime License Manager
# VMware Spring Cloud Gateway
# Mollify
# Nakid CMS
# Fretsweb
# Casdoor
# MantisBT
# Atlassian Jira Service Management
# Atlassian Fisheye Crucible
# HP/HPE/Micro Focus Universal CMDB
# Code42 Server
# RuubikCMS
# CompactCMS
# Kyocera printers
# Hastymail2
# Mitel Audio and Web Conferencing (AWC)
# Qianbo Enterprise Web Site Management System
# SAP Knowledge Warehouse, some from
"SAPIrExtHelp/random", # nb: As seen in CVE-2021-42063
# Atlassian Crowd
# nb:
# - No "crowd" in front of these are expected
# - The "plugins/servlet" seems to be also valid for at least Jira
# Siemens SICAM A8000 and possible other devices
# BeyondTrust Remote Support
# BeyondTrust Secure Remote Access
# webEdition CMS
# Gitea
# AlquistManager
# Clustering
# nb: There might be more, this only adds the known ones from a few existing VTs.
# WSO2 Carbon Products
# osTicket
# Web File Browser
# Zyxel USG and ATP
# QNAP NAS and additionl software for it
# SonicWall SMA/SRA
# SonicWall Firewalls
# osCSS
# MyNews
# LoveCMS
# ezCourses
# phpWebSite
# Oracle Access Manager (OAM)
# CultBooking
# ActivDesk
# Xenon
# Xiaomi Routers
# Support Incident Tracker
# awiki
# i-Gallery
# Citrix ADM
# HP 3Com Switch
# OpenEMR
# Xerox DocuShare
# elFinder
# VMware Site Recovery Manager
# Intramaps
# Free Hosting Manager
# PhotoPost
# Cisco Nexus Dashboard
# CAREL pCOWeb based devices
# FileWave Management Suite
# Ignition
# Escortservice
# DLGuard
# GoAnywhere MFT
#Veritas OpsCenter
# Various from 2014/gb_bash_shellshock_rce_vuln_http_active.nasl
# Veritas NetBackup Appliance
# OpenNMS
# 1024 CMS
# allocPSA
# Course MS
# Progress WS_FTP Server
# PHPAuctions
# Lasernet CMS
# ea-gBook
# Zimbra
# Hikvision IP Cameras
"doc/script/lib/seajs/seajs", # nb: Duplicated folder name is expected
# VMware HCX
# IBSng
# SysAid Help Desk
# Digital College
# LotusCMS
# Tosiba printers
# Tableau server
# Apache APISIX and Apache APISIX Dashboard
# F-Secure Policy Manager (Server and Proxy)
# dotProject
# Accruent Analytics
# Alertus Console
# PHP Coupon Script
# phpGraphy
# Avaya Contact Center Select
# RStudio Connect
# Axis Commerce
# RhinOS CMS
# Dell EMC RecoveryPoint
# Cynet 360
# ExtremeCloud IQ
# IBM Cognos Analytics
# Fortinet Fortiportal
# Community Server
# web@all
# CMS Lokomedia
# Podcast Generator
# DmxReady Secure Document Library
# SyndeoCMS
# Betsy
# JetBrains Hub
# SAP BusinessObjects Business Intelligence Platform
# todoyu
# phpBugTracker
# Progress DataDirect Hybrid Data Pipeline
# netjukebox
# Ajax File and Image Manager / PHP File Manager
# Silex
# Ruckus (Virtual) SmartZone
"wsg", # nb: Also seen on Ruckus SmartCell Gateway
# VMware Workspace ONE Assist
# Ax Developer CMS
# Room Juice
# TimeLive
# BigBlueButton (BBB)
"b", # nb: On the Docker image
# Wowza Streaming Engine
# Batavi
# PHPShop
# Portix-CMS
# WebCalendar
# Synology DSM/SRM
# phpWebThings
# gCards
# Open-Xchange (OX) App Suite
# Barracuda CloudGen Firewall
# Cisco Wireless LAN Controller (WLC)
# Cisco SD-WAN vManage
# Fork CMS
# BackupPC
# Zenphoto
# Trombinoscope
# Micro Focus ZENworks
# GeoServer
# Narcissus
# appRain CMF
# Sophos Cyberoam UTM/NGFW
# Sophos Cyberoam Central Console (CCC)
# Pandora FMS
# PHP Booking Calendar
# Harmonic NSG 9000 Devices
# SilerStripe CMS
# Cisco Collaboration Server
# ManageEngine Key Manager Plus
# Annuaire PHP
# WAGO I/O System 758 series
# WAGO Ethernet Web-based Management / PLC
# Sourcefabric Newscoop
# Cartweaver
# SnipSnap Wiki
# Alpha Networks Router (e.g. ASL-26555)
# Micro Focus / NetIQ / Novell iManager
# Micro Focus / Novell GroupWise
# SAP XI / PI but maybe also other products as well
"webdynpro/dispatcher/", # Utilities Page of the SRM-MDM Catalog
# Mattermost Server
# HPE OfficeConnect Switches
# TerraMaster NAS devices
# Axis devices
# Fortinet FortiADC
# Fortinet FortiNAC
# Bluadmin
# SonicWall ViewPoint, GMS
# OSClass
# Ektron CMS
# Amcrest / Dahua IP cameras
# Apache NiFi
# Alcatel-Lucent OmniSwitch
# Riello NetMan 204
# TeamPass
# Trend Micro Smart Protection Server
# Various apps using ZK Framework
# Apache OpenMeetings
# Enterprise Resource Planning
# Zend Framework
# Liferay Portal / DXP
# From CVE-2021-33990 of Liferay Portal
# Sybase EAServer
# SolarWinds Database Performance Analyzer (DPA)
# e.g. Checkmk (core and appliance)
# Apache Superset
# Kerio WinRoute Firewall
# netOffice Dwins
# Unknown Huawei devices
# op5 / OP5 Monitor
# MailEnable
# Oracle OPERA
# Dolibarr
# cPanel
# Moxa MiiNePort
# TVersity
# Andromeda Streaming Server
# Semantic Enterprise Wiki
# ProWiki
# ArticleSetup
# Mitel MiCollab / MiVoice Business Express
# phpVideoPro
# w-CMS
# Possible location of AWS credentials / profile files
# Open Business Management (OBM)
# JamWiki
# EditWrxLite CMS
# Omni-Secure
# pfile
# Palo Alto PAN-OS / GlobalProtect
# Schneider Electric Wonderware / AVEVA InTouch Access Anywhere (Secure Gateway)
# AVEVA Plant SCADA Access Anywhere
# Odoo
# Caucho Resin
# Progress MOVEit Transfer
"moveitisapi", # nb: Seen on
# Home Assistant OS and Home Assistant Supervised installations (Docker images don't have these)
# Inductive Automation Ignition
# Allaire/Macromedia/Adobe JRun Sample Files, see e.g. pre2008/DDI_JRun_Sample_Files.nasl
# VMware vRealize Network Insight / Aria Operations for Networks
# EZsite Forum
# Basilic
# asaanCart
# Arcserve Unified Data Protection (UDP)
# Clearswift MIMEsweeper
# Adminer
# Adobe RoboHelp Server, from e.g.:
# Apache Axis / Axis2
## SAP Business Objects 12 and/or 3com IMC (See CVE-2010-2103)
## Computer Associates ARCserve D2D r15 Web Service (See CVE-2010-0219 /
## SAP BusinessObjects Enterprise XI 3.2 (See CVE-2010-0219)
## SAP BusinessObjects
## VMware Smarts NCM
## Oracle Communications Billing and Revenue Management Web Services Manager
## Unknown
## Microstrategy Web 10.4 (See CVE-2020-11450)
## Axis integration
## Tomcat, seen "in the wild"
## Both for JBuilder Apache Axis
# Apache Hadoop
# Cisco Application Policy Infrastructure Controller (APIC)
# Cisco Network Analysis Module (NAM)
# Cisco Prime Collaboration Provisioning Web Interface
# Cisco Prime Infrastructure (PIS) Web Interface
# Docker HTTP REST API (API versions might need to be re-checked in the future...)
"containers", # nb: Both not seen so far but might be related...
# ExpressionEngine CMS
# Eyes Of Network (EON)
# Froxlor Server Management Panel
# Junos Space Web-UI
# ZOHO / ManageEngine products
# Pacific Timesheet
# phpPgAdmin
# Sensiolabs Symfony
# vtiger CRM
# Zenoss Server
# Mailman
# Apache Tiles
# Mahara
# RainLoop Webmail
# nb:
# - Windows Server Update Services (WSUS)
# - IIS/Windows is usually case insensitive
# 3CX Phone System Management Console
# Those are from CVE-2022-48482/CVE-2022-48483 of the same product
# Skype for Business Server
# IPP / CUPS systems
"printer", # nb: From RFC3510
# Konica Minolta printers
# Brother HL printers
# SATO printers
# HP / Hewlett Packard printers
# Epson printers
# RICOH printers
# PHPMoAdmin
# Trend Micro Control Manager (TMCM) / Apex Central
# Redfish API
# nb: Those are the default ones defined in / by:
# From the RackHD API Reference Guide
# From the SuperMicro API Reference Guide
# A few seen in the scope of CVE-2021-29203
# Atlassian Bitbucket
# Kubernetes API Server
# Adiscon Loganalyzer
# Adobe BlazeDS
# Dell Foundation Services
# eTouch SamePage
# FIT2CLOUD JumpServer
# Buffalo NAS
# PHPRecipeBook
# ISPWorker
# WPEngine
# Sangfor Next Generation Application Firewall (NGAF)
# Honeywell Printers
# nForum
# ComicShout
# BlindBlog
# Comparison Engine Power
# A4Desk Event Calendar
# Citrix / NetScaler Gateway / ADC
# Kopano Konnect, various examples taken from:
# EZ-Blog
# Seen on Viessmann Vitogate CVE-2023-5702
# SalesCart
# phpCommunity2
# FacilCMS
# RevSense
# Nagios / Nagios XI
# PHP Petition Signing Script
# Qlik Sense
# OneOrZero Helpdesk
# 2532|Gigs
# Ray Framework from
# RitsBlog
# DNS Tools
# Golabi CMS
# ClearBudget
# JobHunt
# EZ Hotscripts
# Beerwin's PhpLinkAdmin
# Microsoft Graph PHP SDK
# Fortinet FortiSIEM
# Forcepoint Email Security
# Websense Triton
# Wedge Networks wedgeOS Management Console
# Qwerty CMS
# Dell Printers
# TurnkeyForms Local Classifieds
# CS Whois Lookup
# LogRover
# Yap Blog
# GhostScripter Amazon Shop
# AnswerBook2
# Ecava IntegraXor
# Cybozu products
# PHP Rocket Add-in
# Various from 2018/phpunit/gb_phpunit_rce.nasl
# Magento
# Amasty Product Feed for Magento
# Magmi (Magento Mass Importer)
# Woltlab Burning Board
# Tecomat Foxtrot
# Trackplus Allegra
# PHPFootball
# Digital Scribe
# e-Vision CMS
# PassWiki
# Butterfly Organizer
# Taifajobs
# TinX
# Advantech iView
# MCshoutbox
"box"); # nb: Don't add more dirs here and add them in the second testDirList2 below instead (see relevant note for the background)

# nb: Making it "unique" for the first time to avoid an overlong initial list
testDirList = make_list_unique( testDirList );

# nb: Unfortunately the list above has reached some kind of internal memory limit and at least
# openvas-nasl-lint on 21.04 is "crashing" with a:
# > memory exhausted
# so we're creating a second list here and making both "unique" before continuing later.
testDirList2 = make_list(
# Apache Subversion 'mod_dav_svn'
# Atlassian Confluence
"template/aui", # nb: From CVE-2023-22527
# DM FileManager
# Dagger
# Simply Classified
# Rspamd
# IBM Aspera Faspex / Aspera Console / Aspera Orchestrator
# IBM Operational Decision Manager
"res", # nb: "Rule Execution Server"
# Kemp LoadMaster / ECS Connection Manager
# Artica Proxy
# Aruba ClearPass Policy Manager
# Devolutions Server
# Fortinet FortiWLM
# LDAP Account Manager (LAM)
# Ivanti Neurons for ITSM
# Claris FileMaker (Pro or Server)
# Jenkins
# Progress Telerik Report Server
# Progress Telerik Reporting
# Progress Flowmon
# ForgeRock Access Management
# Fortra FileCatalyst Workflow
# pgAdmin
# HP Poly IP Phones
# CrushFTP
# Dell OpenManage Enterprise
# ReCrystallize Server
# F5 BIG-IP Next Central Manager (CM)
# HSC Mailinspector
# Veeam Service Provider Console
# OpenText Dimensions RM
# Elprolog Monitor WebAccess
# WikkaWiki
# OrangeHRM
# php-Charts
# Check Point Firewall / Gaia (Admin login and SSL Network Extender)
# Dell Data Protection Advisor (DPA)
# FreePBX
# FtpLocate
# Oracle Portal
# Seen on ZyXEL NSA devices
# Zoom Telephonics Devices

# nb: Before adding some host name parts and other dynamic things below making it "unique" again so
# that we have a smaller list here after the possible duplicates from above.
testDirList = make_list_unique( testDirList, testDirList2 );

# Add domain name parts, create_hostname_parts_list() always returns a list, even an empty one
hnlist = create_hostname_parts_list();

# nb:
# - No need to check for an empty "hnlist" string here (create_hostname_parts_list() could return
#   an empty list) as make_list() seems to be able to handle this
# - There is a final "make_list_unique()" call at the bottom after adding all other dynamic data so
#   we don't need to do this here
testDirList = make_list( testDirList, hnlist );

if( debug ) display( "::[ DDI Directory Scanner running in debug mode ]::" );

# fake404 holds the pattern used to recognise an error page that is served with a 200 status.
# The Check* flags select which response codes the scan loop evaluates; each one is switched off
# further down when the server returns that code for a non-existent path.
fake404 = string("");
Check200 = TRUE;
Check401 = TRUE;
Check403 = TRUE;
CheckRedirect = TRUE;

port = http_get_port( default:80 );

# Host name without the port; it is used in the KB key names written by this script.
host = http_host_name( dont_add_port:TRUE );
if( debug ) display( ":: Checking directories on Hostname/IP:port " + host + ":" + port + "..." );

# Stop right away for a host/port that has been marked as broken.
if( http_get_is_marked_broken( port:port, host:host ) )
  exit( 0 );

# NOTE(review): no statement in this listing increments failedReqs or currReqs; those lines may
# have been lost from the listing - confirm against the original script.
# counter for current failed requests
failedReqs = 0;
# counter for the current amount of done requests
currReqs = 0;
# counter for max failed requests
# The VT will exit if this is reached
# TBD: Make this configurable?
maxFailedReqs = 3;

# pull the robots.txt file
# Directories named in Allow/Disallow lines of the remote robots.txt are added to the test list.
# The file content is controlled by the scanned server, so every extracted value is untrusted
# input that later becomes part of request URLs and KB entries.
# NOTE(review): the statement guarded by "if( ! res )" and the closing braces of this section are
# missing from this listing.
if( debug ) display( ":: Checking for robots.txt..." );
res = http_get_cache( item:"/robots.txt", port:port );
if( ! res )

# Only a 200 response declared as text/plain is parsed.
if( res =~ "^HTTP/1\.[01] 200" && res =~ "Content-Type\s*:\s*text/plain" ) {

  body = http_extract_body_from_response( data:res );
  body = chomp( body );
  if( body ) {

    strings = split( body );

    foreach string( strings ) {

      # Accept "Allow:" / "Disallow:" lines that contain a slash, but skip lines with a dot after
      # the directive (second pattern).
      if( egrep( pattern:"^\s*(dis)?allow\s*:.*/", string:string, icase:TRUE ) &&
          ! egrep( pattern:"^\s*(dis)?allow\s*:.*\.", string:string, icase:TRUE ) ) {

        # yes, i suck at regex's in nasl. I want my \s+!
        # Step 1: keep what follows the first slash after the directive.
        # Step 2: strip trailing non-word characters.
        # Step 3: strip one trailing "/" or "?".
        robot_dir = ereg_replace( pattern:"(dis)?allow\s*:\W*/(.*)$", string:string, replace:"\2", icase:TRUE );
        robot_dir = ereg_replace( pattern:"\W*$", string:robot_dir, replace:"", icase:TRUE );
        robot_dir = ereg_replace( pattern:"/$|\?$", string:robot_dir, replace:"", icase:TRUE );

        if( robot_dir != '' ) {
          testDirList = make_list( testDirList, robot_dir );
          if( debug ) display(":: Directory '", robot_dir, "' added to test list");

# pull the CVS/Entries file
# Directory names listed in a reachable /CVS/Entries file are added to the test list. As with
# robots.txt, the content comes from the scanned server and is untrusted input.
# NOTE(review): the statement guarded by "if( ! res )" and the closing braces of this section are
# missing from this listing.
if( debug ) display( ":: Checking for /CVS/Entries..." );
res = http_get_cache( item:"/CVS/Entries", port:port );
if( ! res )

if( res =~ "^HTTP/1\.[01] 200" ) {

  body = http_extract_body_from_response( data:res );
  body = chomp( body );
  if( body ) {

    strings = split( body, string( "\n" ) );

    foreach string( strings ) {

      # Lines of the form "D/<name>/.../.../.../..." are taken as directory entries (case sensitive).
      if( egrep( pattern:"^D/(.+)/.*/.*/.*/.*", string:string, icase:FALSE ) ) {

        # The first capture group is used as the directory name.
        cvs_dir = ereg_replace( pattern:"^D/(.+)/.*/.*/.*/.*", string:string, replace:"\1", icase:FALSE );
        if( cvs_dir != '' ) {
          testDirList = make_list( testDirList, cvs_dir );
          if( debug ) display( ":: Directory '", cvs_dir, "' added to test list" );

# test for servers which return 200/403/401 for everything
# A randomly named directory is requested once. Whatever status the server returns for it cannot
# be used as evidence that a directory exists, so the matching check is disabled below. This
# baseline keeps catch-all responses from being reported as discovered directories.
# NOTE(review): the statement guarded by "if( ! res )" and several closing braces are missing from
# this listing, so the nesting shown here is incomplete.
req = http_get( item:"/non-existent" + rand() + "/", port:port );
res = http_keepalive_send_recv( port:port, data:req );
if( ! res )

if( res =~ "^HTTP/1\.[01] 200" ) {

  fake404 = 0;

  if( debug ) display( ":: This server returns 200 for non-existent directories" );

  # Pick the first known error message that occurs in the response as the marker of an error page.
  # errmessages_404 is not defined in the visible part of this listing.
  foreach errmsg( errmessages_404 ) {
    if( egrep( pattern:errmsg, string:res, icase:TRUE ) && ! fake404 ) {
      fake404 = errmsg;
      if( debug ) display( ":: Using '", fake404, "' as an indication of a 404 error" );

  # Without such a marker a 200 response says nothing, so the 200-based check is switched off.
  if( ! fake404 ) {
    if( debug ) display( ":: Could not find an error string to match against for the fake 404 response" );
    if( debug ) display( ":: Checks which rely on 200 responses are being disabled" );
    Check200 = FALSE;
} else {
  # Placeholder that is not expected to occur in any response. The scan loop passes fake404 to
  # egrep() as a pattern, so the "*" characters act as regex quantifiers there, not as literals.
  fake404 = string( "BadString0987654321*DDI*" );

if( res =~ "^HTTP/1\.[01] 401" ) {
  if( debug ) display( ":: This server requires authentication for non-existent directories, disabling 401 checks" );
  Check401 = FALSE;

if( res =~ "^HTTP/1\.[01] 403" ) {
  if( debug ) display( ":: This server returns a 403 for non-existent directories, disabling 403 checks" );
  Check403 = FALSE;

if( res =~ "^HTTP/1\.[01] 30[0-8]" ) {
  if( debug ) display( ":: This server returns a redirect for non-existent directories, disabling redirect checks" );
  CheckRedirect = FALSE;

# start the actual directory scan
# Each candidate directory is requested once and the status code decides how it is recorded:
# 200 -> discovered, 30x -> redirect target stored in the KB, 403 -> follow-up probe,
# 401 with a WWW-Authenticate header -> directory requiring authentication.
# NOTE(review): closing braces and possibly other statements are missing from this listing, so the
# nesting below is incomplete and some control flow (e.g. after a failed request) is not visible.
ScanRootDir = "/";

# No later use of "start" is visible in this listing.
start = unixtime();
if( debug ) display( ":: Starting the directory scan..." );

# We make the list unique at the end again to avoid having doubled entries from e.g. the robots.txt
# or dynamically added data (like the host name list) and for easier maintenance of the initial list
# which could contain multiple entries.
testDirList = make_list_unique( testDirList );

foreach cdir( testDirList ) {

  url = ScanRootDir + cdir;
  res = http_get_cache( item:url + "/", port:port );
  if( ! res ) {
    # Stop the whole scan once the number of failed requests reaches maxFailedReqs.
    if( failedReqs >= maxFailedReqs ) {
      if( debug ) display( ":: Max number of failed requests (" + maxFailedReqs + ") reached (Amount of requests done: " + currReqs + ") + exiting..." );
      exit( 0 );

  if( cgi_dirs_exclude_servermanual ) {

    # Ignore Apache2 manual if it exists. This is just huge static content
    # and slows down the scanning without any real benefit.
    if( url =~ "^/manual" ) {
      man_res = http_get_cache( item:"/manual/en/index.html", port:port );
      if( man_res && "Documentation - Apache HTTP Server" >< man_res ) {
        set_kb_item( name:"www/" + host + "/" + port + "/content/servermanual_directories", value:http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ", Content: Apache HTTP Server Manual" );

    # Similar to the above for Tomcat
    if( url =~ "^/tomcat-docs" ) {
      man_res = http_get_cache( item:"/tomcat-docs/", port:port );
      if( man_res && "Apache Tomcat" >< man_res && "Documentation Index" >< man_res ) {
        set_kb_item( name:"www/" + host + "/" + port + "/content/servermanual_directories", value:http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ", Content: Apache Tomcat Documentation" );

    # And the same for Caucho Resin
    if( url =~ "^/resin-doc" ) {
      man_res = http_get_cache( item:"/resin-doc/", port:port );
      if( man_res && ">Resin Documentation<" >< man_res ) {
        set_kb_item( name:"www/" + host + "/" + port + "/content/servermanual_directories", value:http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ", Content: Caucho Resin Documentation" );

  # Characters 9..11 of the response are read as the three-digit status code.
  # NOTE(review): the code is extracted before the empty-response fallback on the next lines.
  http_code = int( substr( res, 9, 11 ) );
  if( ! res )
    res = "BogusBogusBogus";

  # A 200 only counts when the body does not match the error-page pattern found during the
  # baseline probe (fake404 is used as a regex pattern here).
  if( Check200 && http_code == 200 && ! ( egrep( pattern:fake404, string:res, icase:TRUE ) ) ) {

    if( debug ) display( ":: Discovered: " , ScanRootDir, cdir );

    add_discovered_list( dir:ScanRootDir + cdir, port:port, host:host );

  # Pass any redirects we're getting to webmirror.nasl for further processing
  if( CheckRedirect && http_code =~ "^30[0-8]$" ) {

    if( debug )
      display( ":: Got a '", http_code, "' redirect for ", ScanRootDir, cdir, ", trying to extract the location..." );

    redirect = http_extract_location_from_redirect( port:port, data:res, debug:debug, current_dir:cdir );

    # The redirect target comes from the server's response; it is stored per port and per host/port.
    if( redirect ) {
      if( debug ) display( ":: Passing extracted redirect ", redirect ," to webmirror.nasl..." );
      set_kb_item( name:"DDI_Directory_Scanner/" + port + "/received_redirects", value:redirect );
      set_kb_item( name:"DDI_Directory_Scanner/" + host + "/" + port + "/received_redirects", value:redirect );

  if( Check403 && http_code == 403 ) {

    if( debug ) display( ":: Got a 403 for ", ScanRootDir, cdir, ", checking for file in the directory..." );

    # Request a file below the directory to tell "whole directory forbidden" apart from
    # "only the directory index is forbidden".
    req = http_get( item:ScanRootDir + cdir + "/NonExistent.html", port:port );
    res = http_keepalive_send_recv( data:req, port:port, bodyonly:FALSE );
    if( ! res )

    if( res =~ "^HTTP/1\.[01] 403" ) {
      # the whole directory appears to be protected
      if( debug ) display( ":: 403 applies to the entire directory" );
    } else {
      if( debug ) display( ":: 403 applies to just directory indexes" );

      # the directory just has indexes turned off
      if( debug ) display( ":: Discovered: " , ScanRootDir, cdir );
      add_discovered_list( dir:ScanRootDir + cdir, port:port, host:host );

  if( Check401 && http_code == 401 ) {

    # Only a 401 that carries a WWW-Authenticate header is recorded as requiring authentication.
    if( header = egrep( pattern:"^WWW-Authenticate\s*:", string:res, icase:TRUE ) ) {
      if( debug ) display( ":: Got a 401 for ", ScanRootDir + cdir, " containing a WWW-Authenticate header, adding to the dirs requiring auth..." );
      basic_auth = http_extract_basic_auth( data:res );
      add_auth_dir_list( dir:ScanRootDir + cdir, port:port, host:host, basic:basic_auth["basic_auth"], realm:basic_auth["realm"] );
    } else {
      if( debug ) display( ":: Got a 401 for ", ScanRootDir + cdir, " WITHOUT a WWW-Authenticate header, NOT adding to the dirs requiring auth..." );

if( debug ) display( ":: Finished scan (Done requests: ", currReqs, "), exiting..." );

exit( 0 );




