CVE-2016-2107 icon indicating copy to clipboard operation
CVE-2016-2107 copied to clipboard

Published 20 hours ago verified publisher icon FiloSottile

Lowered the timeout from one minute to a default of 20 seconds

Open Gijutsu opened this issue 8 years ago • 3 comments

which in my tests proved to be around 10 times the required time to get a response from a patched or vulnerable server - but it of course depends on your network latency.

Gijutsu avatar May 10 '16 07:05 Gijutsu

Cool, Could you squash? It may be a good idea to add this as a flag, since 2 seconds is in the realms of a TCP connection missing something, and in some cases you really want to avoid a false positive, and other times you are less caring :)

benjojo avatar May 13 '16 15:05 benjojo

I'm unlikely to put in a default lower than 20 seconds. Some of us have crappy connections :) Please make this a flag if you want to be able to configure something lower.

FiloSottile avatar May 13 '16 19:05 FiloSottile

Thanks for the feedback. I can see the benefit of making this a flag, so I have converted the PR to use flags while keeping backwards compability by making the usage of the flags optional.

Example usage: ./CVE-2016-2107 --help Usage of ./CVE-2016-2107: -address string Server to test (default "127.0.0.1") -timeout int Connection timeout in seconds (default 20)

time ./CVE-2016-2107 8.8.8.8 2016/05/13 23:19:55 dial tcp 8.8.8.8:443: i/o timeout

real 0m20.002s user 0m0.000s sys 0m0.000s

./CVE-2016-2107 -address filippo.io -timeout 2 2016/05/13 23:22:06 Vulnerable: false

Gijutsu avatar May 13 '16 21:05 Gijutsu