Metasploit-framework: owa_login scanner broken if AUTH_TIME is set to false

Created on 14 Feb 2020 · 4 Comments · Source: rapid7/metasploit-framework

The owa_login scanner provides an option to check the response timing of the target. Based on the response time the scanner can determine whether a given username exists on the target.

Response times < 1 second are interpreted as "username exists" (fast hit in target database).

Response times > 1 second are interpreted as "username does not exist" (and consequently the lookup in the database takes longer).

By default the script performs this timing check (AUTH_TIME is set to "true").
If AUTH_TIME is set to "false" the script stops with an exception.

Steps to reproduce

  1. set AUTH_TIME to "false"
  2. run

Leads to the following error
```
[-] Auxiliary failed: NoMethodError undefined method `<=' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:256:in `try_user_pass'
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:139:in `block in run'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/auth_brute.rb:211:in `block in each_user_pass'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/auth_brute.rb:179:in `each'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/auth_brute.rb:179:in `each_user_pass'
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:136:in `run'
```

Problem is that variable "elapsed_time" is used in all print messages (successful login, failed login, etc.) but only defined if AUTH_TIME is set to "true".

Potential fix:
Always define "elapsed_time", e.g. set it to zero.
This requires extending "if" checks ("elapsed_time <= 1") with e.g. "(elapsed_time > 0) && (elapsed_time <= 1)".

Attached diff with potential fix:
owa_login.diff.txt

Metasploit version

5.0.73-dev

I installed Metasploit with:

  • [ ] Kali package via apt

OS

kali-rolling (updated 14.02.2020)

bug
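
The failure and the proposed guard described in the issue above, as an added Ruby example that is not code from owa_login.rb or from the attached diff. The method names, the `:timing_disabled` result and the timings are assumptions constructed for illustration.

```ruby
# Added illustration only; method names are hypothetical, not owa_login.rb code.

# Models the measurement step: a value exists only when AUTH_TIME is true.
def measure(auth_time, simulated_seconds)
  auth_time ? simulated_seconds : nil
end

# "Before": the comparison runs even when no time was measured.
def classify_unguarded(elapsed_time)
  elapsed_time <= 1 ? :username_exists : :username_not_found
end

# "After", following the fix proposed in the issue: always define the
# value (0 when timing is off) and require elapsed_time > 0 before the check.
def classify_guarded(elapsed_time)
  elapsed_time ||= 0
  return :timing_disabled unless elapsed_time > 0
  elapsed_time <= 1 ? :username_exists : :username_not_found
end

# Runs a classifier and returns its verdict, or the exception class raised.
def outcome(classifier, auth_time, simulated_seconds)
  send(classifier, measure(auth_time, simulated_seconds))
rescue NoMethodError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  # Constructed timings in seconds, not measurements from a real server.
  [[true, 0.4], [true, 2.3], [false, 0.4]].each do |auth_time, secs|
    puts "AUTH_TIME=#{auth_time} t=#{secs} " \
         "unguarded=#{outcome(:classify_unguarded, auth_time, secs)} " \
         "guarded=#{outcome(:classify_guarded, auth_time, secs)}"
  end
end
```

With the 0 sentinel, a run with timing disabled yields no timing verdict at all instead of being read as a fast response.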

All 4 comments

Hey, thanks for raising the issue, please feel free to raise a PR with your fix so you can get the credit for it :)

Hi, I've tried to set up an appropriate dev environment and raised a PR. Hopefully it's set up correctly.

Hi @dwelch-r7,

thanks for your feedback.
I've created a topic branch in my repo and raised a new PR.

Fixed in #12944.
