local security scanner for vulnerable common opensource www projects

Mel Flynn mel.flynn+fbsd.questions at mailing.thruhere.net
Tue May 5 21:13:51 UTC 2009


On Tuesday 05 May 2009 22:04:27 Jeroen Hofstee wrote:
> Mel Flynn schreef:
> > On Saturday 02 May 2009 14:50:14 Jeroen Hofstee wrote:
> >> I tried to find a program which could scan the local filesystem and
> >> extract a lists of well known web projects (joomla, wordpress etc)
> >
> > Not that I'm aware of and it's hell to write and keep current.
>
> k, pity. Although users can be jailed, it is still a bit of an uncomfortable
> experience for users if their website looks
> somewhat different than they are used to; or their message board
> suddenly contains 20000 additional posts,
> albeit due to their own lack of maintaining the scripts behind it. A
> reminder that their script has known
> vulnerabilities would therefore be nice, even if it doesn't pose a direct
> risk to the system as a whole.

I understand the problem.

> Most of these open source projects are in the ports, so the portaudit db
> will contain vulnerability information
> for them. If I find time, I will have a look if it is possible to match
> against that db.

You can do that, the issue is plugins:
0) SuperCMS v 1.0 installed
1) CoolStuff via webinterface, by SuperCMSNr1Fan, version 0.1.0.1beta
2) SuperCMS v 1.0.1 security release, changes some issues with plugin handling
3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
4) CoolStuff still works, because of backwards compatibility, but now is 
insecure.

Stuff like this goes back to the phpNukeYourSite days.
-- 
Mel
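The approach discussed in this thread (fingerprint installed web applications on the local filesystem, extract their versions, and match them against an advisory database, without forgetting the plugins that Mel's SuperCMS/CoolStuff scenario is about), as an added example that is not part of the original thread. It assumes a WordPress-style layout (core version in wp-includes/version.php, plugin versions in the header comment WordPress itself reads) and uses a constructed placeholder advisory table in place of the portaudit db.

```python
import glob, os, re

# Constructed advisory table, not a real feed: component -> first fixed version.
ADVISORIES = {"wordpress": "1.0.1", "plugin:coolstuff": "0.2.0"}
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

def vtuple(v):
    """'1.0.1beta' -> (1, 0, 1); non-numeric suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def find_wordpress(root):
    """Yield (install_dir, core_version) for each WordPress tree under root."""
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            with open(os.path.join(dirpath, "version.php")) as fh:
                m = WP_VERSION_RE.search(fh.read())
            if m:
                yield os.path.dirname(dirpath), m.group(1)

def find_plugins(install_dir):
    """Yield (slug, version) from plugin header comments, as WordPress reads them."""
    pattern = os.path.join(install_dir, "wp-content", "plugins", "*", "*.php")
    for main in sorted(glob.glob(pattern)):
        with open(main) as fh:
            m = PLUGIN_HEADER_RE.search(fh.read())
        if m:
            yield os.path.basename(os.path.dirname(main)), m.group(1)

def scan(root):
    """Return [(install_dir, component, version, fixed_in)] for outdated parts."""
    findings = []
    for install, core in find_wordpress(root):
        parts = [("wordpress", core)] + [("plugin:" + s, v) for s, v in find_plugins(install)]
        for comp, ver in parts:
            fixed = ADVISORIES.get(comp)
            if fixed and vtuple(ver) < vtuple(fixed):
                findings.append((install, comp, ver, fixed))
    return findings

def build_sample_tree(root):
    """Constructed sample: patched core 1.0.1 beside a stale CoolStuff 0.1.0.1beta."""
    files = {"wp-includes/version.php": "<?php\n$wp_version = '1.0.1';\n",
             "wp-content/plugins/coolstuff/coolstuff.php":
                 "<?php\n/*\nPlugin Name: CoolStuff\nVersion: 0.1.0.1beta\n*/\n"}
    for rel, body in files.items():
        path = os.path.join(root, "site", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(root, "site")
```

Run `scan()` over a web root: the patched core is silent while the stale plugin is reported, which is exactly the case a core-only version check misses.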
