Ticket #79 (closed defect: fixed)

Opened 10 months ago

Last modified 8 months ago

Default account found for '"Bandmin"' (not enough info?)

Reported by: ethicalhack3r Assigned to: deity
Priority: low Milestone: Nikto 2.1.0
Component: Scanner Version: 2.03
Severity: trivial Keywords:
Cc:

Description

I got this vulnerability output:

"+ OSVDB-0: Default account found for '"Bandmin"' at (ID 'operator', PW ). Magicolor 3100"

It does not output the directory in which you can log in. I tried searching db_tests but could not find it. I searched Google and found that the directory should be example.com/bandwidth; however, this is not present on my webserver. False positive?

Change History

05/07/09 22:53:05 changed by deity

  • owner set to deity.

This is an output from db_realms. The way nikto works is that if it gets an HTTP auth request it'll try all passwords that it knows against the auth request and then report if it finds one that works.

In this case it finds that username "operator" with a blank password will authenticate, which has been seen with the Magicolor 3100 software, but may not be that specifically.

I take your point that it would be helpful if it returned the URL, so I'll look at adding this to Nikto 2.10.

In terms of finding which URL with 2.03, I'm afraid the easiest way would be to switch on verbose mode (-D V), pipe the output to a file and then search the file to see what the preceding check is.

07/02/09 10:40:10 changed by deity

While checking for another bug, I found the code where this is reported and we see:

add_vulnerability($CURRENT_HOST_ID, $CURRENT_PORT,"Default account found for '$realm' at $request{'uri'} (ID '$REALMS{$REALM}{id}', PW '$REALMS{$REALM}{pw}'). $REALMS{$REALM}{msg}",$REALMS{$REALM}{tid},0,\%result);

The important bit here is that the string should report "at /wibble" (or whatever URI you're using). But it isn't, showing that the request hash has a blank URI, which is definitely dodgy.

I think it may be useful to see the output of the "-D d" flag.

08/04/09 16:13:38 changed by deity

D'oh I see the problem!

It should be $request{'whisker'}->{'uri'} not $request{uri}. It should also pass the uri to add_vulnerability separately so it'll be included in the XML/HTML report.

Expect a fix soon.

08/04/09 21:38:14 changed by deity

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in revision #142
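
The lookup bug identified in the 08/04/09 comment, as an added Perl example that is not part of the ticket or Nikto's source: a missing top-level hash key interpolates as an empty string, which is why the finding carried no location. The hash contents and the helpers format_finding, finding_before, finding_after and checked_finding are hypothetical; only the two key paths come from the ticket.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data modelled on the ticket; not taken from Nikto's source.
my %request = (
    whisker => { uri => '/bandwidth/', method => 'GET' },   # URI lives one level down
    Host    => 'example.com',
);
my %realm_entry = (id => 'operator', pw => '', msg => 'Magicolor 3100');
my $realm = '"Bandmin"';

# Hypothetical helper: builds the finding text from whatever URI it is given.
sub format_finding {
    my ($realm, $uri, $entry) = @_;
    $uri = '' unless defined $uri;   # an undefined value renders as a blank, as in the report
    return "Default account found for '$realm' at $uri "
         . "(ID '$entry->{id}', PW '$entry->{pw}'). $entry->{msg}";
}

# Before: the top-level key does not exist, so the URI is undef and prints as nothing.
sub finding_before { return format_finding($realm, $request{'uri'}, \%realm_entry) }

# After: read the URI from the nested 'whisker' hash, as the ticket's fix states.
sub finding_after { return format_finding($realm, $request{'whisker'}->{'uri'}, \%realm_entry) }

# Guard a maintainer could add so a finding without a location fails loudly
# instead of reaching the report.
sub checked_finding {
    my ($uri) = @_;
    die "finding has no URI; refusing to report without a location\n"
        unless defined $uri && length $uri;
    return format_finding($realm, $uri, \%realm_entry);
}

print "before: ", finding_before(), "\n";
print "after:  ", finding_after(), "\n";
print "guard:  ", (eval { checked_finding($request{'uri'}) } // "rejected: $@");
```

For anyone triaging such a result, a default-account finding with no URI cannot be confirmed or dismissed from the report alone, which is the position the reporter was in.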