Open GoogleCodeExporter opened 8 years ago
Yes that should be relatively simple enough to implement. I will try fit it in
for the next release.
The test that checks for potentially insecure direct object references looks
for file names, or paths, in the URL query string but does not actually go the
step further and manipulate them to test for RFI/LFI.
Original comment by webvuls...@gmail.com
on 21 May 2012 at 12:11
Original comment by webvuls...@gmail.com
on 21 May 2012 at 12:12
Using dynamic methods for this is far better than using someone elses shell.
See code.google.com/p/fimap for ideas.
Adding RFI/LFI to this would be excellent - I think a good compromise would be
to have it test for LFI/RFI on all parameters, while also using the rfilist.dat
file floating around (I will link when I find it) to check paths, just in case.
Loving the project though!
Original comment by the.info...@gmail.com
on 9 Jun 2012 at 4:52
Great that you like the project! Yes I agree, I think the scanner should have
support for this vulnerability as it can be a high-risk one. I released another
version yesterday but, unfortunately, I only had a few days to spend on the
project and had a few issues to fix so I did not think I would fit this in. I
should definitely be able to fit it in for the next one though. Thanks for the
feedback and suggestions!
Original comment by webvuls...@gmail.com
on 10 Jun 2012 at 4:22
Original issue reported on code.google.com by
itspa...@gmail.com
on 17 May 2012 at 2:11