[OWASP Joomla Vulnerability Scanner] [WEB SECURITY] OWASP Joomla! Vulnerability Scanner August 18, 2009 Update Release

YGN Ethical Hacker Group (http://yehg.net) lists at yehg.net
Fri Aug 21 13:09:07 EDT 2009


Hi Brandon

Thank you for the patch. I'll patch it soon. Everything you contribute
helps make this a better scanner.
Let me know your current *nix so that I can add it to the tested platform
list. Please take part in testing future releases if your time
permits.
This scanner has a long list of future plans for improvement. More features
are yet to be added.

>
> Index: joomscan.pl
> ===================================================================
> - --- joomscan.pl       (revision 13)
> +++ joomscan.pl (working copy)
>
> If you don't specify a proxy then it isn't defined.
>

I specify $proxy as use vars /..../.



> @@ -808,7 +780,7 @@
>  {
>     my $ua = LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
>     $ua->agent($uagent);
> - -    if($proxy ne '')
> +    if((defined $proxy) && ($proxy ne ''))
>     {

Does the use of use vars /..../ even require an additional if-defined
check?
If so, all the others inside use vars // will have to be checked with if defined as well.


>         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
>         $ua->proxy(['http', 'ftp'],$proxy );
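Review bot: the defined check is the right fix for the question raised above: use vars only declares the package global, it never assigns it, so on a run with no proxy $proxy is undef and `$proxy ne ''` still evaluates false but emits a "Use of uninitialized value" warning under -w. A shorter equivalent is `if ($proxy)`, since an undefined or empty proxy string is the only case that should skip the proxy setup; the other globals declared with use vars only need the same treatment where they are read before anything assigns them.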
> @@ -845,7 +817,7 @@
>  {
>     my $ua = LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
>     $ua->agent($uagent);
> - -    if($proxy ne '')
> +    if((defined $proxy) && ($proxy ne ''))
>     {
>         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
>         $ua->proxy(['http', 'ftp'],$proxy );
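Review bot: this hunk repeats the proxy block of the previous one verbatim, and the hunk at -987 repeats it a third time. Factoring the LWP::UserAgent construction and proxy setup into one helper (say a make_ua sub that returns the configured object) would stop the copies drifting apart, which is exactly what forced the same one-line fix to be applied three times here.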
>
>
> If the version could not be determined then this routine could return
> undefined which would later cause junk warnings.  I cleaned up the loop
> but the Junk versions of 0 and 999 were my best guess at the right
> thing to do.  At least they made sure version was always defined.
>
>
> @@ -960,25 +932,25 @@
>  sub array_max
>  {
>     my @array = @_;
> - -    my $max = $array[0];
> - -     foreach (0..$#array) {
> - -       if ($max < $array[$_]) {
> - -         $max = $array[$_];
> - -       }
> - -     }
> - -     return $max;
> +    my $max = 999; # Junk value
> +    foreach my $val (@array) {
> +       if ($max < $val) {
> +           $max = $val;
> +       }
> +    }
> +    return $max;
>  }
>
>  sub array_min
>  {
>     my @array = @_;
> - -    my $min = $array[0];
> - -     foreach (0..$#array)  {
> - -       if ($min > $array[$_]) {
> - -         $min = $array[$_];
> - -       }
> - -     }
> - -     return $min;
> +    my $min = 0;
> +    foreach my $val (@array)  {
> +       if ($min > $val) {
> +           $min = $val;
> +       }
> +    }
> +    return $min;
>  }
>
>  sub get_url_content
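Review bot: the sentinel values change what array_max and array_min return for ordinary input. With $max starting at 999 and only updated when `$max < $val`, any list whose elements are all below 999 yields 999; likewise array_min returns 0 for any list without a negative element. The undef came from calling the subs on an empty @array, so guard that case explicitly (return undef, or a documented sentinel, when @array is empty) and otherwise start from $array[0] as before, or drop both subs for max and min from List::Util, which is in core Perl.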
>
>
>
> More no-proxy fix:
>
> @@ -987,7 +959,7 @@
>     my $resquest = GET "$u";
>     my $ua =
> LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
> $ua->agent($uagent);
> - -    if($proxy ne '')
> +    if((defined $proxy) && ($proxy ne ''))
>     {
>         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
>         $ua->proxy(['http', 'ftp'],$proxy );
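Review bot: same duplicated proxy block as the two hunks above, so the helper suggestion applies here too. Separately, the context line `my $resquest = GET "$u";` carries a misspelled variable name; it is outside this hunk, but renaming it to $request is a cheap follow-up while this routine is being touched.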
>
>
> Emacs didn't like the parsing of split without the ().
>
> @@ -1030,7 +1002,7 @@
>   if($t eq 3600) {return '1 hr';}
>   elsif($t > 3600){
>     my $x = $t/3600;
> - -    my @hm = split /\./, $x;
> +    my @hm = split(/\./, $x);
>     my $h = $hm[0];
>     my $mi = '0 min and 0 sec';
>     $mi = htime($t%3600);
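Review bot: the split change is purely stylistic, as `split /\./, $x` and `split(/\./, $x)` parse identically in Perl, so it is harmless but does not fix anything. The real problem in this hunk is the context line `if($t eq 3600)`: eq compares the stringified values, and == is the operator meant for a numeric comparison; it only works here by accident of how integers stringify.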
>
>
> This looked broken to me.  I think split needs a space between the
> regex.  I went with ().
>
> @@ -1038,7 +1010,7 @@
>   }
>   elsif($t > 60) {
>     my $m = ($t/60);
> - -    my @rm = split/\./, $m;
> +    my @rm = split(/\./, $m);
>     my $rs = ($t%60);
>     return  $rm[0]." min and $rs sec";
>   }
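Review bot: splitting the string form of a floating-point quotient on '.' to recover the whole minutes is fragile (it depends on the decimal representation Perl chooses). `my $m = int($t/60);` gives the value that $rm[0] is used for directly, and together with the existing `my $rs = ($t%60);` removes the split entirely; the same applies to the hours branch in the previous hunk.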
>
>
> Many of our Joomla installs are inside of /Joomla/.  It seemed
> reasonable to add this.
>
> @@ -1086,6 +1058,8 @@
>         if ($req->status_line =~ /(200|301)/g){return
> '/administration/';} $req = $ua->head("$url/manage/");
>         if ($req->status_line =~ /(200|301)/g){return '/manage/';}
> +        $req = $ua->head("$url/Joomla/administrator/");
> +        if ($req->status_line =~ /(200|301)/g){return
> '/Joomla/administrator/';} else{return '/admin_dir_was_renamed/';}
>     }
>  }
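Review bot: the added probe inherits the weakness of the existing ones: `$req->status_line =~ /(200|301)/g` matches those digits anywhere in the status line, and on the "200 defense" servers described in the announcement quoted below, a 200 for /Joomla/administrator/ proves nothing, so the admin_dir_was_renamed branch would rarely be reached on such hosts. Checking `$req->code` (or `$req->is_success`) and comparing the answer against a baseline response for a path that cannot exist would make this probe and the ones above it meaningful there. Since /Joomla/ is a local convention, keeping the candidate admin paths in a list would also let others add their own without another hunk of this shape.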
>
>
>
> All lines of text files are supposed to end with \n, even the last one.
>
> @@ -2790,4 +2765,4 @@
>
>  }
>
> - -############# [/ROUTINES] ################
> \ No newline at end of file
> +############# [/ROUTINES] ################
>
>
>
>> -----Original Message-----
>> From: YGN Ethical Hacker Group (http://yehg.net)
>> [mailto:lists at yehg.net] Sent: Thursday, August 20, 2009 4:09 PM
>> To: websecurity at webappsec.org;
>> owasp-joomla-vulnerability-scanner at lists.owasp.org Subject: [WEB
>> SECURITY] OWASP Joomla! Vulnerability Scanner August 18, 2009 Update
>> Release
>>
>> Hi all
>>
>> Here it goes again:
>>
>>
>> Changes:
>>
>> - updated fingerprinting signatures up to current Joomla! version
>> 1.5.14
>> - updated vulnerability information up to August 18, 2009
>>
>> - Implemented 200 defense bypass
>>
>>   This bypasses web servers which respond with 200 for every 404,
>> which makes the scanner produce very noisy reports full of false
>>   positives. 200 defense can render most of today's scanners useless.
>>
>> - Added more Joomla!-based firewall detection
>> - Refined HTML reporting with extremely-easy-to-deploy excellent
>> cross-browser graphing functionality (Thanks, jscharts.com)
>> - Added a beep sound after the scan finishes. It acts like an alarm:
>>   "Scanning's over. Look at the result!"
>>
>>
>> NOTE
>> ======
>> This release has an agreement to sign.
>> You will have to run it once and sign it. Otherwise this will break your
>> automatic scanning if you have been using it.
>>
>>
>> HOW TO UPDATE
>> ===============
>> SVN checkout is always recommended over updating from within the
>> scanner, which is good for new database updates and slight changes in
>> the scanner itself.
>>
>> svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan/trunk
>> joomscan
>>
>>
>>
>> WEB INTERFACE
>> ==============
>> You can get the web interface at
>> http://hackertarget.com/joomla-security-scan/.
>>
>> I don't have any affiliation with hackertarget.com.
>> I'm not responsible for any damages you get from using
>> hackertarget.com's web interface.
>>
>>
>> =====================================================================
>>
>> Please do report any errors you may experience.
>> Thanks for using it.
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
>
> iEYEARECAAYFAkqN+IEACgkQqaGPzAsl94K4yACgoPVW91XFGMOOSDT4DFtetRm6
> otAAniEbBKaCz+Ol5cmVHh4fVHO0iWZ8
> =lCnC
> -----END PGP SIGNATURE-----
>
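Worked example of the "200 defense" countermeasure the announcement above describes. This is added here and is not code from joomscan or from its authors; it shows, in Python rather than the scanner's Perl, the idea behind a soft-404 baseline: fetch a path that cannot exist, remember what the server's "missing" response looks like, and treat any later 200 that resembles it as not found. The fetch callable and the FakeSite class are assumptions made for this illustration so that it runs offline; both the administrator page and the generic error page are constructed sample data.

```python
"""Soft-404 baseline check for a web scanner (added example, not joomscan code).

A server that answers 200 for every missing path ("200 defense") makes a plain
status-code test report every probe as a hit. The countermeasure modelled here:
probe a random path, record the server's "missing" answer, and compare every
later response against that baseline before trusting its 200.
"""
import difflib
import secrets
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]           # (HTTP status code, response body)
Fetcher = Callable[[str], Response]  # path -> Response; injected so this runs offline


def random_probe_path() -> str:
    # A random path no real site serves; a fixed name could be special-cased by the server.
    return "/" + secrets.token_hex(12) + "/"


def normalise(body: str, path: str) -> str:
    # Error pages often echo the requested path; strip it and collapse whitespace
    # so the "missing" pages for two different paths compare as equal.
    return " ".join(body.replace(path, "").split())


def build_baseline(fetch: Fetcher) -> Response:
    """Fetch a path that cannot exist and record how the server answers."""
    path = random_probe_path()
    status, body = fetch(path)
    return status, normalise(body, path)


def looks_like_baseline(baseline: Response, path: str, resp: Response,
                        threshold: float = 0.9) -> bool:
    """True when resp has the baseline's status and (nearly) the baseline's page."""
    base_status, base_body = baseline
    status, body = resp
    if status != base_status:
        return False
    ratio = difflib.SequenceMatcher(None, base_body, normalise(body, path)).ratio()
    return ratio >= threshold


def path_exists(fetch: Fetcher, path: str, baseline: Response) -> bool:
    """Decide whether path is really served, given the server's soft-404 baseline."""
    status, body = fetch(path)
    if status in (404, 410):
        return False
    if looks_like_baseline(baseline, path, (status, body)):
        return False  # a 200 that is just the generic "missing" page: soft 404
    return status in (200, 301, 302, 401, 403)


class FakeSite:
    """Constructed stand-in for a web server (assumption for this example).
    Known paths return their page; unknown paths return a 200 with a generic
    page when soft_404 is True (200 defense), or a real 404 otherwise."""

    def __init__(self, pages: Dict[str, str], soft_404: bool) -> None:
        self.pages = pages
        self.soft_404 = soft_404

    def fetch(self, path: str) -> Response:
        if path in self.pages:
            return 200, self.pages[path]
        if self.soft_404:
            return 200, (f"<html><body><h1>Oops</h1><p>Nothing at {path}. "
                         "Try the home page.</p></body></html>")
        return 404, "<html><body><h1>404 Not Found</h1></body></html>"


def scan(fetch: Fetcher, candidates: Iterable[str]) -> Dict[str, bool]:
    """Build the baseline once, then test each candidate path against it."""
    baseline = build_baseline(fetch)
    return {p: path_exists(fetch, p, baseline) for p in candidates}


if __name__ == "__main__":
    # Constructed sample site: one real admin page, everything else missing.
    pages = {"/administrator/":
             "<html><body><form action='index.php'>Joomla login</form></body></html>"}
    probes = ["/administrator/", "/manage/", "/Joomla/administrator/"]
    print("200-defense site:", scan(FakeSite(pages, soft_404=True).fetch, probes))
    print("plain site:      ", scan(FakeSite(pages, soft_404=False).fetch, probes))
```

Without the baseline, a status-only check would report all three probes as present on the 200-defense site; with it, only /administrator/ survives on both sites. The similarity threshold is a judgement call: error pages that embed timestamps or nonces need a lower threshold or more aggressive normalisation than the path stripping shown here.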

