fgeek/pyfiscan: Free web-application vulnerability and version scanner

Name	Latest commit message	Commit time
Failed to load latest commit information.
.github	Add Patreon user name	May 26, 2019
templates	handle changed path	Jul 16, 2016
testfiles	Added encoding detection in case reading a file fails with UnicodeDec…	Aug 24, 2018
yamls	SA-CORE-2019-005, SA-CORE-2019-006, SA-CORE-2019-007, SA-CORE-2019-008	Jul 18, 2019
.gitignore	add .gitignore for .csv, .swp, .pyc and .log	Oct 17, 2012
.travis.yml	Fix travis	Oct 31, 2018
LICENSE	Copyright year bump	Jan 2, 2017
README.md	Added support for Shopware	Jun 23, 2019
database.py	Ported to python3 and added test cases.	Aug 20, 2018
detect.py	Added encoding detection to detect_withoutnewlines with test cases.	Oct 2, 2018
file_helpers.py	Minor cleaning	Apr 28, 2014
issuereport.py	Ported to python3 and added test cases.	Aug 20, 2018
mailer.py	Copyright year bump	Jan 1, 2019
pyfiscan.py	Copyright year bump	Jan 1, 2019
requirements.lst	docopt	Nov 1, 2018
roadmap.txt	Roadmap containing feature requests etc	Nov 18, 2016
tests.py	Added encoding detection to detect_withoutnewlines with test cases.	Oct 2, 2018

About

Pyfiscan is free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web-applications in Linux-servers. Example use case is hosting-providers keeping eye on their users installations to keep up with security-updates. Fingerprints are easy to create and modify as user can write those in YAML-syntax. Pyfiscan also contains tool to create email alerts using templates.

Requirements

Python 3
Python modules PyYAML docopt chardet
GNU/Linux web server

Testing is done mainly with GNU/Linux Debian stable. Windows is not currently supported.

Detects following software

Abantecart
ATutor
b2evolution
BigTree CMS
Bugzilla
Centreon
Claroline
ClipperCMS
CMSimple
CMSMS
Collabtive
Concrete5
Coppermine
Cotonti
Croogo
CubeCart
Dolibarr
Dotclear
Drupal
e107
Elefant CMS
EspoCRM
Etherpad
FluxBB
Foswiki
Gallery
Gollum
HelpDEZk
HumHub
ImpressCMS
ImpressPages
Jamroom
Joomla
Kanboard
KCFinder
LiteCart
Magnolia
Mahara
MantisBT
MediaWiki
Microweber
MiniBB
MODX Revolution
MoinMoin
MyBB
Nibbleblog
Open Source Social Network
OpenCart
osDate
ownCloud
Oxwall
PBBoard
phpBB3
PhpGedView
phpMyAdmin
Piwigo
Piwik
PmWiki
Postfix Admin
Redaxo
Roundcube
SaurusCMS
Serendipity
Shaarli
Shopware
SMF
Spina CMS
SPIP
SquirrelMail
TestLink
TikiWiki
Trac
Vanilla Forums
WikkaWiki
WordPress
X-Cart
Zenphoto
Zikula

Detects following end-of-life software:

Bugzilla 4.2 is end-of-life since 2015-11-30
Drupal 6 is end-of-life since 2016-02-24
Gallery 1
Joomla 1.5 is end-of-life since 2012-04-30
Joomla 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
Joomla 1.7 is end-of-life since 2012-02-24
Joomla 2.5
MediaWiki 1.18
MediaWiki 1.19 is end-of-life since 2015-04-25
MediaWiki 1.20
MediaWiki 1.21 is end-of-life since 2014-06-25
MediaWiki 1.22
MediaWiki 1.23 is end-of-life since 2017-05-31
MediaWiki 1.24
MediaWiki 1.25
MediaWiki 1.26 is end-of-life since 2016-11-20
MediaWiki 1.27 is end-of-life since 2019-06-06
MediaWiki 1.28 is end-of-life since 2017-11-01
MediaWiki 1.29 is end-of-life since 2018-06
MediaWiki 1.30 is end-of-life since 2019-06-06
ownCloud 4
ownCloud 5
ownCloud 6
ownCloud 7
ownCloud 8.0
ownCloud 8.1
ownCloud 8.2
SaurusCMS

Installation

apt install python3 python3-pip python3-yaml python3-docopt git
git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
pip3 install -r requirements.lst

or you can use BlackArch Linux.

Notes

WordPress
- Announcing a secure SWFUpload fork
Joomla
- Upgrade should be done using "Extension manager -> Upgrade" in version 1.6.6 and later
- Release and support cycle
- Setup Security checklist
- Upgrading and migrating Joomla
- Joomla 2.x creates random SQL table prefix
- Joomla 3.x informs and shows user a button to remove installation-directory
- Creates ./configuration.php in installation
- Creates robots.txt, which contains word "Joomla"
SMF
- End of life of SMF 1.0
- Installer requests users with button to delete install.php
TikiWiki
MediaWiki
- End of Life of 1.18.x
Gallery
- Not installed when config.php is missing.
- http://codex.galleryproject.org/Gallery2:Security
- Upgrade using: http://example.org/gallery3/index.php/upgrade php index.php upgrade
phpBB (version unknown)
- Open installation is not a vulnerability since web-interface requests user to authenticate by inserting random data to file.
Coppermine
- Not installed when include/config.inc.php is missing.
Owncloud
- status.php outputs: {"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}
Piwigo
- Not installed if local/config/database.inc.php is missing.
Claroline
- Not installed when platform/conf/claro_main.conf.php is missing.
- Installation pages request user to remove claroline/install/ directory.

Happy users

DevNet Oy
Kapsi Internet-käyttäjät ry
Shellit.org
Loopia.se

Contributors

aapa
Ari-Martti Hopiavuori
Atte H. "guaqua"
Janne Cederberg
Joonas Kuorilehto
Juhamatti Niemelä
Linus Fogelholk
Olli Pekkola
Paul Grant
Tuomo Komulainen

Join GitHub today