[WEB SECURITY] OWASP Joomla! Vulnerability Scanner August 18, 2009 Update Release

Brandon Enright bmenrigh at ucsd.edu
Thu Aug 20 21:29:29 EDT 2009



Hey guys, somebody pointed me to this post/scanner so I decided to give
it a try.  Running against one of our Joomla! installs produced quite a
few warnings from perl.  Attached is a patch against SVN.  What follows
is my reasoning for the changes.

Brandon


Index: joomscan.pl
===================================================================
- --- joomscan.pl	(revision 13)
+++ joomscan.pl	(working copy)

If you don't specify a proxy then it isn't defined.

@@ -808,7 +780,7 @@
 {
     my $ua = LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
     $ua->agent($uagent);
- -    if($proxy ne '')
+    if((defined $proxy) && ($proxy ne ''))
     {
         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
         $ua->proxy(['http', 'ftp'],$proxy );                
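Review bot: the `defined` guard is the right fix for the warning on an unset `$proxy`, but this guard-and-normalise block (`if((defined $proxy) && ($proxy ne ''))`, the `://` check, `$ua->proxy(['http', 'ftp'],$proxy)`) is repeated verbatim in three separate subs in this patch; pulling it into one helper such as `set_proxy($ua)` would keep the copies from drifting apart the next time one of them is corrected. Note also that removed lines here carry `- -` prefixes (dash-escaping from the clear-signed message) and some context has been re-wrapped by the mail client, so the attached warnfix.txt, not this inline rendering, is what should be applied.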
@@ -845,7 +817,7 @@
 {
     my $ua = LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
     $ua->agent($uagent);
- -    if($proxy ne '')
+    if((defined $proxy) && ($proxy ne ''))
     {
         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
         $ua->proxy(['http', 'ftp'],$proxy );    
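Review bot: same change as the previous hunk and equally correct, but the visible `$ua->proxy(['http', 'ftp'],$proxy)` line only registers the proxy for http and ftp; a Joomla target given as an https:// URL will be fetched directly rather than through the configured proxy. If the proxy option is meant to route all scan traffic (for example through a logging or inspecting proxy so the scan is auditable), add 'https' to that scheme list, otherwise document that TLS targets bypass it.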


If the version could not be determined then this routine could return
undefined which would later cause junk warnings.  I cleaned up the loop
but the Junk versions of 0 and 999 were my best guess at the right
thing to do.  At least they made sure version was always defined.

 
@@ -960,25 +932,25 @@
 sub array_max
 {
     my @array = @_;    
- -    my $max = $array[0];    
- -     foreach (0..$#array) { 
- -       if ($max < $array[$_]) {
- -         $max = $array[$_];
- -       }
- -     }
- -     return $max;
+    my $max = 999; # Junk value
+    foreach my $val (@array) { 
+	if ($max < $val) {
+	    $max = $val;
+	}
+    }
+    return $max;
 }
 
 sub array_min
 {
     my @array = @_;
- -    my $min = $array[0];    
- -     foreach (0..$#array)  {        
- -       if ($min > $array[$_]) {         
- -         $min = $array[$_];
- -       }
- -     }     
- -     return $min;
+    my $min = 0;
+    foreach my $val (@array)  {        
+	if ($min > $val) {         
+	    $min = $val;
+	}
+    }     
+    return $min;
 }
 
 sub get_url_content
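Review bot: the new seed values change the result, not just the warnings. With `my $max = 999;` and `if ($max < $val)`, array_max returns 999 for any list whose elements are all below 999, and with `my $min = 0;` and `if ($min > $val)`, array_min returns 0 for any list of non-negative numbers; for version numbers that means both routines now return the sentinel rather than an element of the list in practically every call. Keep seeding from the first element and fall back to the sentinel only for an empty list, e.g. `my $max = @array ? $array[0] : 999;` and `my $min = @array ? $array[0] : 0;`, which removes the undef warning without changing the answer for non-empty input. The switch to `foreach my $val (@array)` in place of the index loop is a good cleanup and should stay.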



More no-proxy fix:

@@ -987,7 +959,7 @@
     my $resquest = GET "$u";
     my $ua =
LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
$ua->agent($uagent);
- -    if($proxy ne '')
+    if((defined $proxy) && ($proxy ne ''))
     {
         if($proxy !~  /:\/\//){$proxy = 'http://'.$proxy;}
         $ua->proxy(['http', 'ftp'],$proxy );   
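Review bot: correct and consistent with the two earlier proxy hunks, but the context here shows the `LWP::UserAgent->new(...)` continuation and `$ua->agent($uagent);` at column 0 while the `if` is indented four spaces, i.e. the mail client has re-flowed this hunk and it will not apply as pasted; treat the attachment as the source of truth. While in this sub, the `my $resquest = GET "$u";` context line is a misspelling of `$request` worth fixing in the same pass, and this is the third copy of the proxy block that a shared helper would replace.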


Emacs didn't like the parsing of split without the ().
             
@@ -1030,7 +1002,7 @@
   if($t eq 3600) {return '1 hr';}
   elsif($t > 3600){
     my $x = $t/3600;
- -    my @hm = split /\./, $x;
+    my @hm = split(/\./, $x);
     my $h = $hm[0];	
     my $mi = '0 min and 0 sec';
     $mi = htime($t%3600);    
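Review bot: the parenthesised `split(/\./, $x)` is equivalent to the original and fine, but the surrounding code is doing integer division by splitting a float on the decimal point, and the `if($t eq 3600)` context line compares numbers as strings. `my $h = int($t/3600);` gives the hour count directly (no `@hm` array, no dependence on how the float stringifies), and `$t == 3600` is the numeric comparison that was intended. Both are small, but they make the time formatting independent of Perl's number-to-string conversion.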


This looked broken to me.  I think split needs a space between the
regex.  I went with ().

@@ -1038,7 +1010,7 @@
   }
   elsif($t > 60) {
     my $m = ($t/60);
- -    my @rm = split/\./, $m;
+    my @rm = split(/\./, $m);
     my $rs = ($t%60);
     return  $rm[0]." min and $rs sec";
   }    
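Review bot: same comment as for the hour branch: `my $rm = int($t/60);` replaces the split and the `@rm` array, after which `return "$rm min and $rs sec";` reads as intended. The parenthesised form is harmless, it is just unnecessary once the split is gone.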


Many of our Joomla installs are inside of /Joomla/.  It seemed
reasonable to add this.

@@ -1086,6 +1058,8 @@
         if ($req->status_line =~ /(200|301)/g){return
'/administration/';} $req = $ua->head("$url/manage/");
         if ($req->status_line =~ /(200|301)/g){return '/manage/';}
+        $req = $ua->head("$url/Joomla/administrator/");
+        if ($req->status_line =~ /(200|301)/g){return
'/Joomla/administrator/';} else{return '/admin_dir_was_renamed/';}
     }   
 }
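Review bot: the new branch hard-codes a site-specific layout (`/Joomla/administrator/`) as a fourth guess before giving up; since the admin path varies per deployment, a command-line option or a configurable list of candidate prefixes would serve better than extending the chain, otherwise every site with a different prefix needs another patch. Two pre-existing issues in the visible lines are worth fixing at the same time: `$req->status_line =~ /(200|301)/g` is an unanchored match on the status text (the `/g` does nothing useful in scalar context), and `$req->code == 200 || $req->code == 301` is the precise test; and because the chain returns on the first 200, a server that answers 200 to every request (the "200 defense" described in the quoted announcement) makes this sub always report the first candidate, so the result should be flagged as unverified when that condition is detected. The `return` lines in this hunk have also been wrapped by the mail client and will need rejoining before the patch applies.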



All lines of text files are supposed to end with \n, even the last one.

@@ -2790,4 +2765,4 @@
 
 }
 
- -############# [/ROUTINES] ################
\ No newline at end of file
+############# [/ROUTINES] ################



> -----Original Message-----
> From: YGN Ethical Hacker Group (http://yehg.net) [mailto:lists at yehg.net]
> Sent: Thursday, August 20, 2009 4:09 PM
> To: websecurity at webappsec.org; owasp-joomla-vulnerability-scanner at lists.owasp.org
> Subject: [WEB SECURITY] OWASP Joomla! Vulnerability Scanner August 18, 2009 Update Release
> 
> Hi all
> 
> Here it goes again:
> 
> 
> Changes:
> 
> - updated fingerprinting signatures up to current Joomla! version
> 1.5.14
> - updated vulnerability information up to August 18, 2009
> 
> - Implemented 200 defense bypass
> 
>   This bypasses web servers which respond with 200 for every 404, which
>   makes the scanner produce very noisy reports full of false positives.
>   200 defense can render most of today's scanners useless.
> 
> - Added more Joomla!-based firewall detection
> - Refined HTML reporting with extremely-easy-to-deploy excellent
> cross-browser graphing functionality (Thanks, jscharts.com)
> - Added a beep sound after the scan finishes. It acts like an alarm:
>   "Scanning's over. Look at the result!"
> 
> 
> NOTE
> ======
> This release has an agreement to sign.
> You will have to run it once and sign it, or else this will break your
> automatic scanning if you've been using it.
> 
> 
> HOW TO UPDATE
> ===============
> An SVN checkout is always recommended over checking for updates from the
> scanner itself, which is good for new database updates and slight changes
> in the scanner.
> 
> svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan/trunk
> joomscan
> 
> 
> 
> WEB INTERFACE
> ==============
> You can get the web interface at
> http://hackertarget.com/joomla-security-scan/.
> 
> I don't have any affiliation with hackertarget.com.
> I'm not responsible for any damage you get from using hackertarget.com.
> 
> 
> =====================================================================
> 
> Please do report any errors you may experience.
> Thanks for using it.
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: warnfix.txt
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090821/73ffa29b/attachment.txt>