local security scanner for vulnerable common opensource www projects

Mel Flynn mel.flynn+fbsd.questions at mailing.thruhere.net
Wed May 6 05:30:15 UTC 2009

On Wednesday 06 May 2009 00:01:12 Jeroen Hofstee wrote:
> Mel Flynn schreef:
> > You can do that, the issue is plugins:
> > 0) SuperCMS v 1.0 installed
> > 1) CoolStuff via webinterface, by SuperCMSNr1Fan, version
> > 2) SuperCMS v 1.0.1 security release, changes some issues with plugin
> > handling 3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
> > 4) CoolStuff still works, because of backwards compatibility, but now is
> > insecure.
> >
> > Stuff like this goes back to the phpNukeYourSite days.
> I understand that there are allot of caveats and that is quite some work
> to create a full blown checker, especially with
> plugins. But as far as I am corcerned, finding the easy to locate
> vultnerable script is already better then doing nothing.

Agreed, as long as the client does not assume you are responsible. Portaudit 
will go a long way then. Which version of a plugin is installed is not always 
available in the file system, some store that in the database.
To ease your work, you may want to replace custom installed software with the 
corresponding port if available. This will go for a lot of stuff, including 
joomla and the various nuke forks. 

More information about the freebsd-questions mailing list