From owner-freebsd-questions@FreeBSD.ORG Tue May 5 21:13:51 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 751821065675;
	Tue, 5 May 2009 21:13:51 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27])
	by mx1.freebsd.org (Postfix) with ESMTP id 406C78FC18;
	Tue, 5 May 2009 21:13:50 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from sarevok.dnr.servegame.org (mailhub.rachie.is-a-geek.net [192.168.2.11])
	by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id 2AA337E837;
	Tue, 5 May 2009 13:13:49 -0800 (AKDT)
From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Tue, 5 May 2009 23:13:47 +0200
User-Agent: KMail/1.11.2 (FreeBSD/8.0-CURRENT; KDE/4.2.2; i386; ; )
References: <49FC4186.80608@virtualhost.nl> <200905052010.26393.mel.flynn+fbsd.questions@mailing.thruhere.net> <4A009BCB.9070700@virtualhost.nl>
In-Reply-To: <4A009BCB.9070700@virtualhost.nl>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200905052313.47805.mel.flynn+fbsd.questions@mailing.thruhere.net>
Cc: Jeroen Hofstee
Subject: Re: local security scanner for vulnerable common opensource www projects
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 05 May 2009 21:13:51 -0000

On Tuesday 05 May 2009 22:04:27 Jeroen Hofstee wrote:
> Mel Flynn schreef:
> > On Saturday 02 May 2009 14:50:14 Jeroen Hofstee wrote:
> >> I tried to find a program which could scan the local filesystem and
> >> extract a list of well known web projects (joomla, wordpress etc)
> >
> > Not that I'm aware of and it's hell to write and keep current.
>
> k, pity. Although user can be jailed, it is still a bit uncomfortable
> experience for users if their website looks somewhat different than
> they are used to; or their message board suddenly contains 20000
> additional posts, albeit due to their own lack of maintaining the
> scripts behind it. A reminder that their script has known
> vulnerabilities would therefore be nice, even if it doesn't pose a
> direct risk to the system as a whole.

I understand the problem.

> Most of these open source projects are in the ports, so the portaudit db
> will contain vulnerability information for them. If I find time, I will
> have a look if it is possible to match against that db.

You can do that, the issue is plugins:

0) SuperCMS v 1.0 installed
1) CoolStuff via webinterface, by SuperCMSNr1Fan, version 0.1.0.1beta
2) SuperCMS v 1.0.1 security release, changes some issues with plugin handling
3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
4) CoolStuff still works, because of backwards compatibility, but now is insecure.

Stuff like this goes back to the phpNukeYourSite days.
-- 
Mel
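The approach Jeroen sketches (fingerprint installed copies of well-known web projects on the local filesystem, then compare their versions against a vulnerability database) can be prototyped in a few dozen lines. The script below is an added illustration written for this archive page, not code from the thread, from portaudit or from any FreeBSD tool. It assumes a simplified fingerprint table (WordPress's `wp-includes/version.php` and Joomla 1.5's `libraries/joomla/version.php`) and a portaudit-style `name<version|url|description` line format for the audit entries; the sample installs and advisory lines it builds are constructed, not real advisories. It also shows Mel's caveat in practice: a plugin dropped in through the web interface leaves no fingerprint and has no audit entry, so the scanner can only ever report on the core project version.

```python
"""Local web-application version scanner (added illustration, not from the thread).

Walks a document root, records every directory that carries a known version file,
and pairs each install with the constructed audit entries whose range covers it.
Fingerprints and the `name<ver|url|desc` range syntax are simplified assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumed fingerprints: project -> (version file relative to the install root,
# regexes whose captured groups are joined with "." to form the version string).
FINGERPRINTS: Dict[str, Tuple[str, List[str]]] = {
    "wordpress": ("wp-includes/version.php", [r"\$wp_version\s*=\s*'([^']+)'"]),
    "joomla": ("libraries/joomla/version.php",
               [r"\$RELEASE\s*=\s*'([^']+)'", r"\$DEV_LEVEL\s*=\s*'([^']+)'"]),
}

# Constructed sample audit lines; the URLs and issues are placeholders.
SAMPLE_AUDIT = [
    "# constructed sample, not real advisories",
    "wordpress<2.7.1|http://advisory.invalid/wp-1|wordpress -- sample issue",
    "joomla>=1.5<1.5.10|http://advisory.invalid/joomla-1|joomla -- sample issue",
    "joomla<1.0.12|http://advisory.invalid/joomla-2|joomla -- older sample issue",
]


class AuditEntry(NamedTuple):
    name: str
    constraints: List[Tuple[str, str]]  # e.g. [(">=", "1.5"), ("<", "1.5.10")]
    url: str
    description: str


class Install(NamedTuple):
    name: str
    version: str
    path: str


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Numeric components plus a flag that sorts '1.0.1beta' before '1.0.1'."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    has_suffix = bool(re.search(r"[a-zA-Z]", version))
    return nums, 0 if has_suffix else 1


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads components so '1.0' compares equal to '1.0.0'."""
    (na, fa), (nb, fb) = version_key(a), version_key(b)
    width = max(len(na), len(nb))
    ka = (na + (0,) * (width - len(na)), fa)
    kb = (nb + (0,) * (width - len(nb)), fb)
    return (ka > kb) - (ka < kb)


# Operator -> the compare_versions() results that satisfy it.
OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}


def version_matches(version: str, constraints: List[Tuple[str, str]]) -> bool:
    """True when every operator/bound pair in the range holds for the version."""
    return all(compare_versions(version, bound) in OPS[op] for op, bound in constraints)


def parse_audit_line(line: str) -> Optional[AuditEntry]:
    """Parse 'name>=1.0<1.2|url|description'; returns None for comments or junk."""
    line = line.strip()
    if not line or line.startswith("#") or line.count("|") != 2:
        return None
    spec, url, desc = line.split("|")
    m = re.match(r"^([A-Za-z0-9_.+-]+)((?:(?:<=|>=|<|>|=)[^<>=]+)+)$", spec)
    if not m:
        return None
    constraints = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", m.group(2))
    return AuditEntry(m.group(1), constraints, url, desc)


def find_installs(root: str) -> List[Install]:
    """Walk root and record every directory that carries a known version file."""
    found = []
    for dirpath, _dirs, _files in os.walk(root):
        for name, (relpath, patterns) in FINGERPRINTS.items():
            vfile = os.path.join(dirpath, relpath)
            if not os.path.isfile(vfile):
                continue
            with open(vfile, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            parts = [re.search(p, text) for p in patterns]
            if all(parts):
                found.append(Install(name, ".".join(p.group(1) for p in parts), dirpath))
    return found


def audit(installs: List[Install], entries: List[AuditEntry]) -> List[Tuple[Install, AuditEntry]]:
    """Pair each install with every audit entry whose range covers its version."""
    return [(i, e) for i in installs for e in entries
            if e.name == i.name and version_matches(i.version, e.constraints)]


def demo() -> List[Tuple[Install, AuditEntry]]:
    """Build a constructed document root with two installs and audit it."""
    with tempfile.TemporaryDirectory() as root:
        wp = os.path.join(root, "site1", "wp-includes")
        os.makedirs(wp)
        with open(os.path.join(wp, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '2.7';\n")
        jl = os.path.join(root, "site2", "libraries", "joomla")
        os.makedirs(jl)
        with open(os.path.join(jl, "version.php"), "w") as fh:
            fh.write("<?php\nclass JVersion {\n var $RELEASE = '1.5';\n var $DEV_LEVEL = '9';\n}\n")
        # A plugin added through the web UI (Mel's CoolStuff case) has no version
        # file in FINGERPRINTS and no audit line, so it is invisible to this scan.
        os.makedirs(os.path.join(root, "site1", "wp-content", "plugins", "coolstuff"))
        entries = [e for e in map(parse_audit_line, SAMPLE_AUDIT) if e]
        return audit(find_installs(root), entries)


if __name__ == "__main__":
    for install, entry in demo():
        print(f"{install.path}: {install.name} {install.version} -> {entry.description} ({entry.url})")
```

Run as a script it prints one line per affected install; run periodically over the users' document roots it gives exactly the "your script has known vulnerabilities" reminder Jeroen asks for, while staying silent about plugins, which is the gap Mel's numbered scenario describes.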