ajinabraham / CMSScan

CMS Scanner: Scan Wordpress, Drupal, Joomla, vBulletin websites for Security issues
https://opensecurity.in
GNU General Public License v3.0

False Positive 2 #16

Closed kp-emagine closed 5 years ago

kp-emagine commented 5 years ago

I have tested against a specific site, the results are a bit strange and I am pretty confused by it.

Per the results, the site I scanned contains a WordPress plugin called Tweet Blender, and is on a vulnerable version of it.

I can confirm that that plugin does not exist on their site, nor has it ever existed on their site. On top of this, the host would not allow it.

"plugins": {
  "tweet-blender": {
    "slug": "tweet-blender",
    "location": "https://www.mysite.com/wp-content/plugins/tweet-blender/",
    "latest_version": "4.0.2",
    "last_updated": "2013-11-13T08:18:00.000Z",
    "outdated": false,
    "readme_url": null,
    "changelog_url": null,
    "directory_listing": false,
    "error_log_url": null,
    "found_by": "Known Locations (Aggressive Detection)",
    "confidence": 80,
    "interesting_entries": [],
    "confirmed_by": {},
    "vulnerabilities": [
      {
        "title": "Tweet Blender 4.0.1 - Unspecified XSS",
        "fixed_in": "4.0.2",
        "references": {
          "cve": [
            "2013-6342"
          ],
          "secunia": [
            "55780"
          ],
          "url": [
            "http://packetstormsecurity.com/files/124047/"
          ],
          "wpvulndb": [
            "6981"
          ]
        }
      }
    ],
    "version": null
  }
},

Please advise.

You closed my other Issue Request stating I need to check with another developer with a separate piece of software, however, this issue was not caused by using theirs... it was caused by using this one, and yours.

ajinabraham commented 5 years ago

CMSScan uses wpscan for scanning WordPress sites. If there is an issue in the scan result, you need to contact the wpscan team.

kp-emagine commented 5 years ago

I have contacted them, because I have 0 issues using their tool scanning this site, they are pushing back on me to come back to you to re-open this issue.

ajinabraham commented 5 years ago

This is exactly how we run the tool for WordPress. Try this manually.

wpscan --url <url> --no-banner -f json --force -e vp,vt --plugins-detection mixed --rua

ajinabraham commented 5 years ago

There is a change in the latest master. You might want to pull that as well.

kp-emagine commented 5 years ago

Latest master for? CMSScan? I get the same results running your last query.

ajinabraham commented 5 years ago

Yes, latest master of CMSScan.

And that's what I am saying. We are not changing or adding to the result from CMSScan, but just using wpscan to do the scan. The result is generated by wpscan. CMSScan just collects and stores it.

kp-emagine commented 5 years ago

I mentioned it to them.
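
A triage pass over WPScan-style JSON, added here as an example (it is not code from CMSScan or WPScan): it flags plugin findings like the one quoted in this issue, where vulnerabilities are listed although the plugin was found only by an aggressive location probe, nothing confirms it, and no version was detected. The `triage` function, its flagging rules, the `min_confidence` threshold and the `example-plugin` entry are assumptions; the sample data is constructed.

```python
import json

# Constructed sample: "tweet-blender" mirrors the fields quoted in the issue;
# "example-plugin" is a hypothetical well-supported finding added for contrast.
SAMPLE = json.loads("""
{"plugins": {
  "tweet-blender": {
    "found_by": "Known Locations (Aggressive Detection)",
    "confidence": 80, "confirmed_by": {}, "version": null,
    "vulnerabilities": [{"title": "Tweet Blender 4.0.1 - Unspecified XSS",
                         "fixed_in": "4.0.2"}]
  },
  "example-plugin": {
    "found_by": "Constructed Passive Finder (Passive Detection)",
    "confidence": 100, "confirmed_by": {"Constructed Second Finder": {}},
    "version": {"number": "1.0.0"},
    "vulnerabilities": [{"title": "Constructed finding", "fixed_in": "1.0.1"}]
  }
}}
""")


def triage(report, min_confidence=100):
    """Return {slug: [reasons]} for vulnerable-plugin findings to verify by hand."""
    flagged = {}
    for slug, plugin in report.get("plugins", {}).items():
        if not plugin.get("vulnerabilities"):
            continue  # nothing reported, nothing to second-guess
        reasons = []
        found_by = plugin.get("found_by") or ""
        if "Aggressive" in found_by and not plugin.get("confirmed_by"):
            reasons.append("found only by an aggressive probe, not confirmed")
        if plugin.get("version") is None:
            # Without a version, "fixed_in" cannot be compared to anything.
            reasons.append("no version detected, vulnerabilities unverified")
        confidence = plugin.get("confidence") or 0
        if confidence < min_confidence:
            reasons.append(f"confidence {confidence} below {min_confidence}")
        if reasons:
            flagged[slug] = reasons
    return flagged


if __name__ == "__main__":
    for slug, reasons in triage(SAMPLE).items():
        print(f"{slug}: " + "; ".join(reasons))
```
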