local security scanner for vulnerable common opensource www projects

Mel Flynn mel.flynn+fbsd.questions at mailing.thruhere.net
Tue May 5 21:13:51 UTC 2009

On Tuesday 05 May 2009 22:04:27 Jeroen Hofstee wrote:
> Mel Flynn schreef:
> > On Saturday 02 May 2009 14:50:14 Jeroen Hofstee wrote:
> >> I tried to find a program which could scan the local filesystem and
> >> extract a lists of well known web projects (joomla, wordpress etc)
> >
> > Not that I'm aware of and it's hell to write and keep current.
> k, pitty. Although user can be jailed, it is still a bit unconfortable
> experience for users if their website looks
> somewhat different then they are used to; or their message board
> suddenly contains 20000 additional post,
> albeit due to their own lack of maintaining the scripts behind it. A
> reminder that their script has known
> vulnerabities would therefore be nice, even if it doesn't pose a direct
> risk to the system as a whole.

I understand the problem.

> Most of these open source projects are in the ports, so the portaudit db
> will contain vulnerability information
> for them. If I find time, I will have a look if it is possible to match
> against that db.

You can do that, the issue is plugins:
0) SuperCMS v 1.0 installed
1) CoolStuff via webinterface, by SuperCMSNr1Fan, version
2) SuperCMS v 1.0.1 security release, changes some issues with plugin handling
3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
4) CoolStuff still works, because of backwards compatibility, but now is 

Stuff like this goes back to the phpNukeYourSite days.

More information about the freebsd-questions mailing list