websecurity@lists.webappsec.org

The Web Security Mailing List

Joomla security scanner

Miguel González Castaños
Tue, Sep 27, 2011 9:38 AM

Dear all,

A long time ago I asked for a vulnerability scanner for Joomla. I
admin a Joomla site and I'll to keep an eye on security.

Someone provided me this OWASP project:

https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project#tab=Project_Information

which apparently has been abandoned. I recall an email from the
author saying he didn't have time to continue supporting this. I also tried
the tool and it gave me a bunch of false positives. I asked the author and
sent the info to review it, but I never got an answer.

Anyway, what do Joomla admins do to check security on their sites?

Thanks,

Miguel

ken Johnson
Tue, Sep 27, 2011 4:16 PM

Miguel,

The Web Exploitation Framework will concentrate on picking up where other
Joomla Scanners left off after we complete the next major release (roadmap).
Until that point....... BlindElephant and Joomscan are the only two tools
I've had any success with.

Thanks,

Ken

2011/9/27 Miguel González Castaños <miguel_3_gonzalez@yahoo.es>

> Dear all,
>
> A long time ago I asked for a vulnerability scanner for Joomla. I admin a
> Joomla site and I'll to keep an eye on security.
>
> Someone provided me this OWASP project:
>
> https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project#tab=Project_Information
>
> which apparently has been abandoned. I recall an email from the author
> saying he didn't have time to continue supporting this. I also tried the tool
> and it gave me a bunch of false positives. I asked the author and sent the info
> to review it, but I never got an answer.
>
> Anyway, what do Joomla admins do to check security on their sites?
>
> Thanks,
>
> Miguel
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Miguel González Castaños
Wed, Sep 28, 2011 10:32 PM

On 27/09/2011 18:16, ken Johnson wrote:

> Miguel,
>
> The Web Exploitation Framework will concentrate on picking up where
> other Joomla Scanners left off after we complete the next major
> release (roadmap). Until that point....... BlindElephant and Joomscan
> are the only two tools I've had any success with.

But Joomscan is the OWASP scanner that I mention that seems to be
abandoned, and BlindElephant seems to do just fingerprinting while I'm
looking for vulnerabilities in my Joomla installation.

Thanks anyway

Henri Salo
Sat, Oct 1, 2011 11:18 AM

On Tue, Sep 27, 2011 at 11:38:09AM +0200, Miguel González Castaños wrote:

> Dear all,
>
> A long time ago I asked for a vulnerability scanner for Joomla. I
> admin a Joomla site and I'll to keep an eye on security.
>
> Someone provided me this OWASP project:
>
> https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project#tab=Project_Information
>
> which apparently has been abandoned. I recall an email from the
> author saying he didn't have time to continue supporting this. I also
> tried the tool and it gave me a bunch of false positives. I asked the
> author and sent the info to review it, but I never got an answer.
>
> Anyway, what do Joomla admins do to check security on their sites?
>
> Thanks,
>
> Miguel

I have an on-going project to create a tool for local scanning. It can already detect out-dated Joomlas. Please note that this tool is still beta. I am more than happy to hear if you have development ideas.

http://code.google.com/p/pyfiscan/

Best regards,
Henri Salo

Neusbeer
Sat, Oct 8, 2011 12:21 PM

On 1-10-2011 13:18, Henri Salo wrote:

> On Tue, Sep 27, 2011 at 11:38:09AM +0200, Miguel González Castaños wrote:
>> Dear all,
>>
>> A long time ago I asked for a vulnerability scanner for Joomla. I
>> admin a Joomla site and I'll to keep an eye on security.
>>
>> Someone provided me this OWASP project:
>>
>> https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project#tab=Project_Information
>>
>> which apparently has been abandoned. I recall an email from the
>> author saying he didn't have time to continue supporting this. I also
>> tried the tool and it gave me a bunch of false positives. I asked the
>> author and sent the info to review it, but I never got an answer.
>>
>> Anyway, what do Joomla admins do to check security on their sites?
>>
>> Thanks,
>>
>> Miguel
> I have an on-going project to create a tool for local scanning. It can already detect out-dated Joomlas. Please note that this tool is still beta. I am more than happy to hear if you have development ideas.
>
> http://code.google.com/p/pyfiscan/
>
> Best regards,
> Henri Salo



I found a Joomla extension list with possible vulns.
http://docs.joomla.org/Vulnerable_Extensions_List#New_format_Feed_Starts_Here
They stated that it's updated to 01-2011.

-Neusbeer
