From: Jeroen Hofstee
Date: Wed, 06 May 2009 00:15:08 +0200
To: freebsd-questions@freebsd.org
Subject: Re: local security scanner for vulnerable common opensource www projects
Message-ID: <4A00BA6C.2070307@virtualhost.nl>
In-Reply-To: <200905052313.47805.mel.flynn+fbsd.questions@mailing.thruhere.net>

Mel Flynn wrote:
> You can do that, the issue is plugins:
> 0) SuperCMS v 1.0 installed
> 1) CoolStuff via web interface, by SuperCMSNr1Fan, version 0.1.0.1beta
> 2) SuperCMS v 1.0.1 security release, changes some issues with plugin
> handling
> 3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan
> 4) CoolStuff still works, because of backwards compatibility, but now
> is insecure.
>
> Stuff like this goes back to the phpNukeYourSite days.

I understand that there are a lot of caveats and that it is quite some work to create a full-blown checker, especially with plugins. But as far as I am concerned, finding the easy-to-locate vulnerable scripts is already better than doing nothing.

Jeroen
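The "easy to locate" baseline Jeroen describes, with Mel's plugin caveat built in, as an added example that is not part of the thread or of any FreeBSD port: a local scanner that fingerprints an installed core and its plugins from version strings on disk and compares them against an advisory table. Everything here is constructed for illustration: SuperCMS and CoolStuff are the thread's hypothetical names, the `includes/version.php` define, the WordPress-style `Plugin Name:` / `Version:` header, the `plugins/` layout and the advisory entries are all assumptions, not a real project's conventions. An abandoned plugin (Mel's step 3 and 4) is modelled as an advisory with no fixed version, so it is reported even when the core is already patched.

```python
import re
from pathlib import Path

# Constructed advisory table (assumption, not a real feed): project -> first
# fixed version, or None when no fixed release exists (an abandoned plugin).
ADVISORIES = {
    "SuperCMS": "1.0.1",
    "CoolStuff": None,
}

# Core fingerprints: (project, file relative to the webroot, regex whose
# first group is the version). Hypothetical layout for the example.
CORE_FINGERPRINTS = [
    ("SuperCMS", "includes/version.php",
     re.compile(r"SUPERCMS_VERSION['\"]\s*,\s*['\"]([0-9A-Za-z.\-]+)['\"]")),
]

# Plugin header lines as found in a leading PHP comment block (assumed format).
PLUGIN_NAME = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M)
PLUGIN_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Numeric components only, so '0.1.0.1beta' -> (0, 1, 0, 1) and '1.0' < '1.0.1'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_vulnerable(project, version):
    """True when the advisory table says this version is below the first fix,
    or when no fix exists at all (unmaintained component)."""
    if project not in ADVISORIES:
        return False
    fixed = ADVISORIES[project]
    if fixed is None:
        return True
    return parse_version(version) < parse_version(fixed)


def detect_core(files):
    """files: mapping of webroot-relative path -> file text. Returns (project, version) pairs."""
    found = []
    for project, rel, pattern in CORE_FINGERPRINTS:
        text = files.get(rel)
        if text is None:
            continue
        m = pattern.search(text)
        if m:
            found.append((project, m.group(1)))
    return found


def detect_plugins(files):
    """Any .php under plugins/ carrying both header lines counts as an installed plugin."""
    found = []
    for path, text in files.items():
        if not path.startswith("plugins/") or not path.endswith(".php"):
            continue
        name, version = PLUGIN_NAME.search(text), PLUGIN_VERSION.search(text)
        if name and version:
            found.append((name.group(1), version.group(1)))
    return found


def scan(files):
    """Returns (kind, name, version) for every core or plugin with an open advisory."""
    findings = []
    for kind, items in (("core", detect_core(files)), ("plugin", detect_plugins(files))):
        for name, version in items:
            if is_vulnerable(name, version):
                findings.append((kind, name, version))
    return findings


def load_tree(root):
    """Read a real webroot into the mapping scan() expects (for use on a live host)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}


# Constructed installs mirroring the thread's scenario: the core has been
# upgraded to the 1.0.1 security release, but CoolStuff 0.1.0.1beta is still there.
PATCHED_SITE = {
    "includes/version.php": "<?php define('SUPERCMS_VERSION', '1.0.1');",
    "plugins/coolstuff/coolstuff.php":
        "<?php\n/*\n * Plugin Name: CoolStuff\n * Version: 0.1.0.1beta\n */",
}
OLD_SITE = {**PATCHED_SITE,
            "includes/version.php": "<?php define('SUPERCMS_VERSION', '1.0');"}

if __name__ == "__main__":
    for label, site in (("patched core", PATCHED_SITE), ("old core", OLD_SITE)):
        print(label, scan(site))
```

On a real host you would call `scan(load_tree("/usr/local/www/site"))`; the advisory table is the part that needs a maintained feed, and Mel's point is exactly that the plugin half of that feed is the hard part to keep current.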