Closed mikeddeeson closed 7 years ago
For the first implementation of this, I think that this should just report on the Javascript library versions.
Finding out if each Javascript library has security updates or is even out of date could be interesting as I don't know of any central system that stores this or even if Javascript frameworks report on security issues.
These are things (don't know if they are useful things!)
Also this - https://www.exploit-db.com/
That exploit database tool lets you do this
$> ./searchsploit -j jquery
{
"SEARCH": "jquery",
"RESULTS": [
{"Exploit":"jQuery - jui_filter_rules PHP Code Execution"","Path":"./platforms/php/remote/36124.txt","EDB-ID":36124},
{"Exploit":"jQuery Uploadify 2.1.0 - Arbitrary File Upload"","Path":"./platforms/multiple/webapps/11218.txt","EDB-ID":11218},
{"Exploit":"WordPress Plugin jQuery Mega Menu 1.0 - Local File Inclusion"","Path":"./platforms/php/webapps/16250.txt","EDB-ID":16250},
{"Exploit":"JQuery-Real-Person plugin - Bypass captcha"","Path":"./platforms/php/webapps/18167.zip","EDB-ID":18167},
{"Exploit":"WordPress Plugin 1-jquery-photo-gallery-Slideshow-flash 1.01 - Cross-Site Scripting"","Path":"./platforms/php/webapps/36382.txt","EDB-ID":36382},
{"Exploit":"WordPress Plugin NextGEN Gallery - 'jqueryFileTree.php' Directory Traversal"","Path":"./platforms/php/webapps/39100.txt","EDB-ID":39100},
{"Exploit":"BK Mobile jQuery CMS 2.4 - Multiple Vulnerabilities"","Path":"./platforms/php/webapps/39339.txt","EDB-ID":39339}
]
}
The initial release of the Drupal module patch (https://www.drupal.org/node/2826110#comment-11963722) provides the Javascript data for Drupal 8 sites.
This is being used by the Warden server to list of these versions.
As well as being able to provide details of what Drupal core and module version are being used by a site, it could be helpful to know what Javascript framework versions (e.g. JQuery/ Backbone/ Chosen etc.) are being used.
This would need some work doing with the Drupal module as well to be able to provide these details.