TahaKazi / webvulscan

Automatically exported from code.google.com/p/webvulscan
GNU General Public License v3.0
0 stars 1 forks source link

Suggestion: Add RFI/LFI Vulnerability Dectection #2

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Can you add a module for scanning for Local and Remote File Includes?

Original issue reported on code.google.com by itspa...@gmail.com on 17 May 2012 at 2:11

GoogleCodeExporter commented 9 years ago
Yes that should be relatively simple enough to implement. I will try fit it in 
for the next release.

The test that checks for potentially insecure direct object references looks 
for file names, or paths, in the URL query string but does not actually go the 
step further and manipulate them to test for RFI/LFI.

Original comment by webvuls...@gmail.com on 21 May 2012 at 12:11

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 21 May 2012 at 12:12

GoogleCodeExporter commented 9 years ago
Using dynamic methods for this is far better than using someone elses shell. 
See code.google.com/p/fimap for ideas. 
Adding RFI/LFI to this would be excellent - I think a good compromise would be 
to have it test for LFI/RFI on all parameters, while also using the rfilist.dat 
file floating around (I will link when I find it) to check paths, just in case.
Loving the project though!

Original comment by the.info...@gmail.com on 9 Jun 2012 at 4:52

GoogleCodeExporter commented 9 years ago
Great that you like the project! Yes I agree, I think the scanner should have 
support for this vulnerability as it can be a high-risk one. I released another 
version yesterday but, unfortunately, I only had a few days to spend on the 
project and had a few issues to fix so I did not think I would fit this in. I 
should definitely be able to fit it in for the next one though. Thanks for the 
feedback and suggestions!

Original comment by webvuls...@gmail.com on 10 Jun 2012 at 4:22