local security scanner for vulnerable common opensource www projects
Mel Flynn
mel.flynn+fbsd.questions at mailing.thruhere.net
Wed May 6 05:30:15 UTC 2009
On Wednesday 06 May 2009 00:01:12 Jeroen Hofstee wrote:
> Mel Flynn schreef:
> > You can do that, the issue is plugins:
> > 0) SuperCMS v 1.0 installed
> > 1) CoolStuff via webinterface, by SuperCMSNr1Fan, version 0.1.0.1beta
> > 2) SuperCMS v 1.0.1 security release, changes some issues with plugin
> > handling
> > 3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
> > 4) CoolStuff still works, because of backwards compatibility, but now is
> > insecure.
> >
> > Stuff like this goes back to the phpNukeYourSite days.
>
> I understand that there are a lot of caveats and that it is quite some work
> to create a full blown checker, especially with
> plugins. But as far as I am concerned, finding the easy-to-locate
> vulnerable script is already better than doing nothing.
Agreed, as long as the client does not assume you are responsible. Portaudit
will go a long way then. Which version of a plugin is installed is not always
available in the file system; some store that in the database.
To ease your work, you may want to replace custom-installed software with the
corresponding port if available. This will go for a lot of stuff, including
Joomla and the various nuke forks.
--
Mel
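The "easy to locate" check Jeroen proposes, with the plugin caveat Mel raises, as an added example that is not code from this thread and not FreeBSD's portaudit: it walks a docroot, recognises an installed app by a version marker file, compares the version against a fixed-in table, and audits each plugin directory, reporting "unknown" when the plugin's version is not on disk (the database case). The app and plugin names (SuperCMS, CoolStuff, Gallery), the marker file layouts, the regexes and the fixed-in versions are all constructed for the example; a real scanner would carry one marker entry per CMS it knows.

```python
#!/usr/bin/env python3
"""Toy local scanner for web apps installed under a docroot.
Added example; app names, marker files and advisory data are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed marker table (assumption): app -> (file relative to the app root,
# regex that captures the version).  Real CMSes each need their own entry.
MARKERS = {
    "SuperCMS": ("version.php", re.compile(r"RELEASE\s*=\s*'([\d.]+)'")),
}
# Constructed plugin convention: <app root>/plugins/<name>/plugin.xml
PLUGIN_DIR = "plugins"
PLUGIN_MARKER = ("plugin.xml", re.compile(r"<version>([\d.]+)</version>"))

# Constructed "fixed-in" table, the role portaudit's database plays:
# anything older than this version is treated as vulnerable.
FIXED_IN = {
    "SuperCMS": "1.0.1",   # mirrors the 1.0 -> 1.0.1 security release in the thread
    "CoolStuff": "0.2.0",
    "Gallery": "0.4.0",
}


@dataclass
class Finding:
    app: str
    path: str
    version: Optional[str]
    status: str  # "ok", "vulnerable" or "unknown"


def parse_version(text):
    """'1.10' -> (1, 10): compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def read_version(path, regex):
    """Pull the version out of a marker file, or None if absent/unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = regex.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def classify(app, version):
    if version is None:
        return "unknown"      # version lives in the database; check there by hand
    fixed = FIXED_IN.get(app)
    if fixed is None:
        return "ok"           # no advisory known for this app
    return "vulnerable" if parse_version(version) < parse_version(fixed) else "ok"


def audit(docroot):
    """Find every app root under docroot and audit it plus its plugins."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for app, (marker, regex) in MARKERS.items():
            if marker not in filenames:
                continue
            version = read_version(os.path.join(dirpath, marker), regex)
            findings.append(Finding(app, dirpath, version, classify(app, version)))
            plugin_root = os.path.join(dirpath, PLUGIN_DIR)
            if not os.path.isdir(plugin_root):
                continue
            for name in sorted(os.listdir(plugin_root)):
                pdir = os.path.join(plugin_root, name)
                if not os.path.isdir(pdir):
                    continue
                pver = read_version(os.path.join(pdir, PLUGIN_MARKER[0]), PLUGIN_MARKER[1])
                findings.append(Finding(name, pdir, pver, classify(name, pver)))
    return findings


def summarize(docroot):
    """(app, path relative to docroot) -> status, for scripting."""
    return {(f.app, os.path.relpath(f.path, docroot)): f.status for f in audit(docroot)}


def build_sample_docroot():
    """Constructed tree: site1 runs SuperCMS 1.0 with CoolStuff (version only in
    the DB) and an outdated Gallery plugin; site2 runs the patched 1.0.1."""
    root = tempfile.mkdtemp(prefix="docroot-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("site1/version.php", "<?php\nclass Version { var $RELEASE = '1.0'; }\n")
    put("site1/plugins/CoolStuff/coolstuff.php", "<?php // version is kept in the database\n")
    put("site1/plugins/Gallery/plugin.xml", "<extension><version>0.3.1</version></extension>\n")
    put("site2/version.php", "<?php\nclass Version { var $RELEASE = '1.0.1'; }\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for f in sorted(audit(root), key=lambda f: f.path):
        print(f"{f.status:10} {f.app:10} {f.version or '?':8} {os.path.relpath(f.path, root)}")
```

Run it as-is to see the four findings from the constructed tree; point `audit()` at a real docroot once `MARKERS` and `FIXED_IN` describe the software actually hosted. The "unknown" rows are the ones the thread warns about: the scanner cannot clear them, so they go on the list of things to verify against the application's database.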