search

SamJoan / droopescan

A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
GNU Affero General Public License v3.0
1.22k stars 246 forks source link

🐞 False positive detection due to incorrect error handling #52

Closed urbanadventurer closed 3 years ago

urbanadventurer commented 3 years ago

Problem

When HTTP connections fail droopescan reports the test as a positive result, e.g. it found a module.

5 GET requests to detect modules, such as the following, timed out without a response. These are displayed in the output as found.

GET /sites/default/modules/content_glider/content_glider.module HTTP/1.1

Recommendation

If the connection fails it should retry for a set number of times.

Environment

I'm using Kali with the latest version of droopescan that is current with master branch.

Usage

I used the following command. This connected to the Burp proxy.

python3 ./drupwn --target https://xxx --bauth asdfsadfsadfsadf== --version 8 --mode enum --proxy 127.0.0.1:8080 --log

Logs

The log is as follows. All Modules found were false positives.

============ Themes ============

[+] seven
[+] stark
[+] bartik
[+] classy

============ Custom Themes ============

============ Default files ============

[+] /web.config (403)
[+] /robots.txt (200)
[+] /update.php (403)
[+] /install.php (200)

============ Modules ============

[+] HWCTravel
[+] popups_reference
[+] imageslider
[+] content_glider
[+] active_tags

============ Custom Modules ============

============ Nodes ============

https://xxx/node/491
https://xxx/node/675

============ Users ============
SamJoan commented 3 years ago

Hi.

Thanks for creating this issue. Seems like a very annoying bug. I will look into this as soon as I can, but I can't provide an ETA because I'm very busy these days.

Does this issue occur only with the modules? If so that may be helpful in locating the bug.

Thanks! Pedro

El vie, 23 abr 2021 a las 16:30, Andrew Horton @.***>) escribió:

Problem

When HTTP connections fail droopescan reports the test as a positive result, e.g. it found a module.

5 GET requests to detect modules, such as the following, timed out without a response. These are displayed in the output as found.

GET /sites/default/modules/content_glider/content_glider.module HTTP/1.1 Recommendation

If the connection fails it should retry for a set number of times. Environment

I'm using Kali with the latest version of droopescan that is current with master branch. Usage

I used the following command. This connected to the Burp proxy.

python3 ./drupwn --target https://xxx --bauth asdfsadfsadfsadf== --version 8 --mode enum --proxy 127.0.0.1:8080 --log

Logs

The log is as follows. All Modules found were false positives.

============ Themes ============

[+] seven [+] stark [+] bartik [+] classy

============ Custom Themes ============

============ Default files ============

[+] /web.config (403) [+] /robots.txt (200) [+] /update.php (403) [+] /install.php (200)

============ Modules ============

[+] HWCTravel [+] popups_reference [+] imageslider [+] content_glider [+] active_tags

============ Custom Modules ============

============ Nodes ============ https://xxx/node/491https://xxx/node/675

============ Users ============

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/droope/droopescan/issues/52, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABFJURPSUXWITV7I6RQOITTKDZYDANCNFSM43N3WQ3Q .

urbanadventurer commented 3 years ago

I was affected by the issue with Modules but it could probably affects all types of scans.

SamJoan commented 3 years ago

Hi Andrew,

I am looking at your ticket again and I see that you are using a third-party tool. I have never used drupwn so I am not familiar with it nor do I maintain it.

Your suggestion to retry multiple times is already implemented by the underlying HTTP library, and specific exceptions are already handled, and a warning is placed to stdout. I would need more information in order to reproduce this bug, specifically:

Thanks, Pedro

urbanadventurer commented 3 years ago

Sorry @droope that was my mistake. I was testing two tools at the same time, droopscan and drupwn. I incorrectly submitted this bug to your page.