[WEB SECURITY] OWASP Joomla! Vulnerability Scanner August 18, 2009 Update Release

Brandon Enright bmenrigh at ucsd.edu
Fri Aug 21 15:22:30 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I haven't been on the websecurity list for even 24 hours so somebody
please let me know if this sort of chatter is better kept off-list.

Comments inline.


On Fri, 21 Aug 2009 23:39:07 +0630
"YGN Ethical Hacker Group (http://yehg.net)" <lists at yehg.net> wrote:

> Hi Brandon
> 
> Thank you for the patch. I'll patch it soon. All you contribute is to
> be the better scanner.

Sure thing.  I'm glad something like this exists.

> Let me know your current *nix so that I'll add it in tested platform
> list .

$ perl --version

This is perl, v5.8.8 built for x86_64-linux-thread-multi

$ uname -a
Linux gamma 2.6.29-gentoo-r1 #3 SMP PREEMPT Sun May 10 18:04:35 UTC 2009 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz GenuineIntel GNU/Linux


> Please take part for future releases testing if your time
> permits.

I need to get on owasp-joomla-vulnerability-scanner at lists.owasp.org but
I didn't see an obvious way to do that.

> This scanner has a long list of future plans to improve. More features
> are yet to be added.

Cool.

> >
> > If you don't specify a proxy then it isn't defined.
> >
> 
> I specify $proxy as use vars /..../.

Yes.  The problem isn't that $proxy doesn't exist, it just hasn't been
assigned a value yet.

> 
> > @@ -808,7 +780,7 @@
> >  {
> >     my $ua =
> > LWP::UserAgent->new('requests_redirectable'=>['GET','POST']);
> > $ua->agent($uagent);
> > - -    if($proxy ne '')
> > +    if((defined $proxy) && ($proxy ne ''))
> >     {
> 
> Does the usage of use vars /..../ even require to do additional if
> defined check?

Yes but so does 'my', 'local', and 'our'.  These keywords (or the
vars qw// pragma) create a name (and sometimes space) in the symbol
table (declare the variable) but they don't define an actual value for
it.

> If so, all others inside use vars// will have to be checked with if
> defined.

Yes.  You use the strict pragma (which is great) so it will prevent you
from trying to use a variable that hasn't yet been declared.

the defined keyword checks to see if a value has been assigned.

You can't safely do:

my $var1;

if ($var1 eq '') {}


But you can safely do:

my $var1;

if ((defined $var1) && ($var1 eq '')) {}


Regarding your use of vars /.../; that pragma is old and deprecated.
It has the same meaning as the our keyword.  our is essentially a way
to get around strict and declare global variables for the package.
Since you aren't using a package I think you should actually replace
vars /.../; with my (..., ..., ...);

Hope that helps,

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkqO9A8ACgkQqaGPzAsl94KavACdFKzrxoIgHFvQNDXbKmvIrot0
7U0AoICpL2lvJE9fCkDF6ZK01jjJU6r1
=yFev
-----END PGP SIGNATURE-----


More information about the websecurity mailing list