wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

JSON Export: Vulnerability gets listed in wrong category #1344

Closed J12934 closed 5 years ago

J12934 commented 5 years ago

Hi 👋 first of all, thank you for your hard work on this awesome tool. We really appreciate all the hard work you put into this!

We are facing some confusion looking at the JSON output of one particular case and we are not quite sure whether it is a bug or whether we misunderstand the intended JSON structure. I posted the JSON anonymised below.

WPScan identified the plugin Yoast SEO with version 9.1. It also found a vulnerability for that version. We expected the vulnerability to be listed under plugins.[pluginname].version.vulnerabilities, as this is a vulnerability for the identified version. But it was listed just under plugins.[pluginname].vulnerabilities.

To our understanding, version.vulnerabilities should include the vulnerabilities for the currently running version, while vulnerabilities should include the vulnerabilities for any version.

Did we understand that wrong, or is the JSON malformed?

{
  "banner": {
    "description": "WordPress Security Scanner by the WPScan Team",
    "version": "3.5.3",
    "authors": [
      "@_WPScan_",
      "@ethicalhack3r",
      "@erwan_lr",
      "@_FireFart_"
    ],
    "sponsored_by": "Sucuri - https://sucuri.net"
  },
  "start_time": 1557330406,
  "start_memory": 37670912,
  "target_url": "https://foobar.com/",
  "effective_url": "https://foobar.com/",
  "interesting_findings": [
    "took it out seemed mostly irrelevant to the question"
  ],
  "version": {
    "number": "4.8.9",
    "release_date": "2019-03-13",
    "status": "latest",
    "found_by": "Query Parameter In Install Page (Aggressive Detection)",
    "confidence": 100,
    "interesting_entries": [
      "https://foobar.com/wp-includes/css/buttons.min.css?ver=4.8.9",
      "https://foobar.com/wp-admin/css/install.min.css?ver=4.8.9",
      "https://foobar.com/wp-includes/css/dashicons.min.css?ver=4.8.9"
    ],
    "confirmed_by": {
      "Query Parameter In Upgrade Page (Aggressive Detection)": {
        "confidence": 60,
        "interesting_entries": [
          "https://foobar.com/wp-includes/css/buttons.min.css?ver=4.8.9",
          "https://foobar.com/wp-admin/css/install.min.css?ver=4.8.9"
        ]
      }
    },
    "vulnerabilities": [

    ]
  },
  "main_theme": {
    "slug": "jupiter",
    "location": "https://foobar.com/wp-content/themes/jupiter/",
    "latest_version": null,
    "last_updated": null,
    "outdated": false,
    "readme_url": false,
    "directory_listing": false,
    "error_log_url": null,
    "style_url": "https://foobar.com/wp-content/themes/jupiter/style.css",
    "style_name": "Jupiter",
    "style_uri": "http://demos.artbees.net/jupiter5",
    "description": "A Beautiful, Professional and Ultimate Wordpress Theme Made by Artbees. Jupiter is a Clean, Flexible, fully responsive and retina ready Wordpress theme. Its smart and hand crafted environment allows you to Build outstanding websites easy and fast.",
    "author": "Artbees",
    "author_uri": "http://themeforest.net/user/artbees",
    "template": null,
    "license": "GNU General Public License v2.0",
    "license_uri": "http://www.gnu.org/licenses/gpl-2.0.html",
    "tags": null,
    "text_domain": "mk_framework",
    "found_by": "Urls In Homepage (Passive Detection)",
    "confidence": 12,
    "interesting_entries": [

    ],
    "confirmed_by": {

    },
    "vulnerabilities": [

    ],
    "version": {
      "number": "5.9.5",
      "confidence": 80,
      "found_by": "Style (Passive Detection)",
      "interesting_entries": [
        "https://foobar.com/wp-content/themes/jupiter/style.css, Match: 'Version: 5.9.5'"
      ],
      "confirmed_by": {

      },
      "vulnerabilities": [

      ]
    },
    "parents": [

    ]
  },
  "plugins": {
    "wordpress-seo": {
      "slug": "wordpress-seo",
      "location": "https://foobar.com/wp-content/plugins/wordpress-seo/",
      "latest_version": "11.1.1",
      "last_updated": "2019-05-06T09:23:00.000Z",
      "outdated": true,
      "readme_url": null,
      "directory_listing": null,
      "error_log_url": null,
      "found_by": "Comment (Passive Detection)",
      "confidence": 30,
      "interesting_entries": [

      ],
      "confirmed_by": {

      },
      "vulnerabilities": [
        {
          "title": "Yoast SEO <= 9.1 - Authenticated Race Condition",
          "fixed_in": "9.2",
          "references": {
            "cve": [
              "2018-19370"
            ],
            "url": [
              "https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo",
              "https://www.youtube.com/watch?v=nL141dcDGCY",
              "http://packetstormsecurity.com/files/150497/",
              "https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa"
            ],
            "wpvulndb": [
              "9150"
            ]
          }
        }
      ],
      "version": {
        "number": "9.1",
        "confidence": 100,
        "found_by": "Comment (Passive Detection)",
        "interesting_entries": [
          "https://foobar.com/, Match: 'optimized with the Yoast SEO plugin v9.1 -'"
        ],
        "confirmed_by": {
          "Readme - Stable Tag (Aggressive Detection)": {
            "confidence": 80,
            "interesting_entries": [
              "https://foobar.com/wp-content/plugins/wordpress-seo/readme.txt"
            ]
          },
          "Readme - ChangeLog Section (Aggressive Detection)": {
            "confidence": 50,
            "interesting_entries": [
              "https://foobar.com/wp-content/plugins/wordpress-seo/readme.txt"
            ]
          }
        },
        "vulnerabilities": [

        ]
      }
    }
  },
  "config_backups": {

  },
  "stop_time": 1557330469,
  "elapsed": 63,
  "requests_done": 96,
  "cached_requests": 6,
  "data_sent": 21050,
  "data_sent_humanised": "20.557 KB",
  "data_received": 793237,
  "data_received_humanised": "774.646 KB",
  "used_memory": 201469952,
  "used_memory_humanised": "192.137 MB"
}

Your environment

MacOS Mojave

Steps to reproduce

Sorry, can't disclose the URL :(

wpscan was started using the following command:

wpscan --url https://****.***/ -f json > /tmp/foo.json

Expected behavior

The vulnerability should appear in the array of the plugins.[pluginname].version.vulnerabilities as this affects the active version.

Actual behavior

The vulnerability appears in plugins.[pluginname].vulnerabilities.

Sidenote

Using the cli this looks as expected:

[+] wordpress-seo
 | Location: https://foobar.com/wp-content/plugins/wordpress-seo/
 | Last Updated: 2019-05-06T09:23:00.000Z
 | [!] The version is out of date, the latest version is 11.1.1
 |
 | Detected By: Comment (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Yoast SEO <= 9.1 - Authenticated Race Condition
 |     Fixed in: 9.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9150
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19370
 |      - https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
 |      - https://www.youtube.com/watch?v=nL141dcDGCY
 |      - http://packetstormsecurity.com/files/150497/
 |      - https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
 |
 | Version: 9.1 (100% confidence)
 | Detected By: Comment (Passive Detection)
 |  - https://foobar.com/, Match: 'optimized with the Yoast SEO plugin v9.1 -'
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - https://foobar.com/wp-content/plugins/wordpress-seo/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - https://foobar.com/wp-content/plugins/wordpress-seo/readme.txt

erwanlr commented 5 years ago

Items' vulnerabilities are always under <item>.vulnerabilities, so for a plugin: plugins.<slug>.vulnerabilities and are the ones reported for the detected version (if the version could not be detected, all the vulnerabilities will be listed)

I will remove the unnecessary vulnerabilities key under plugin/theme's version.

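As an added illustration of the layout erwanlr describes (this is example code written for this page, not code from WPScan or from either participant), the Ruby script below reads a WPScan JSON report and collects findings from `<item>.vulnerabilities` for core, the main theme and each plugin. It treats a `version.vulnerabilities` key, if an older report still carries it, as redundant and merges it into the same list instead of reading it as a second category. The embedded sample report is a constructed, trimmed copy of the one posted above plus a hypothetical `example-plugin` entry whose version could not be detected; the `fixed_in` cross-check with `Gem::Version` is my own sanity check on the report, not something WPScan performs.

```ruby
require 'json'
require 'rubygems' # Gem::Version for version comparison (already loaded on modern Ruby)

# Constructed sample input: a trimmed copy of the report posted in the issue,
# plus a hypothetical "example-plugin" whose version could not be detected.
SAMPLE_REPORT = <<~'JSON'
  {
    "version": { "number": "4.8.9", "vulnerabilities": [] },
    "main_theme": {
      "slug": "jupiter",
      "vulnerabilities": [],
      "version": { "number": "5.9.5", "vulnerabilities": [] }
    },
    "plugins": {
      "wordpress-seo": {
        "slug": "wordpress-seo",
        "latest_version": "11.1.1",
        "outdated": true,
        "vulnerabilities": [
          {
            "title": "Yoast SEO <= 9.1 - Authenticated Race Condition",
            "fixed_in": "9.2",
            "references": { "cve": ["2018-19370"], "wpvulndb": ["9150"] }
          }
        ],
        "version": { "number": "9.1", "vulnerabilities": [] }
      },
      "example-plugin": {
        "slug": "example-plugin",
        "vulnerabilities": [
          { "title": "Example Plugin - Hypothetical Issue", "fixed_in": "2.0", "references": {} }
        ],
        "version": null
      }
    }
  }
JSON

# Classify one vulnerability entry against the detected version of its item.
# :version_unknown  - WPScan lists every known vuln when no version was found; needs triage
# :unfixed          - no fixed_in, so every version is assumed affected
# :affected         - detected version is older than fixed_in
# :fixed_in_detected_version - would indicate the entry was filed wrongly (or a version
#                     string the scanner mis-detected); worth a manual look
# :unparseable_version - version string Gem::Version cannot parse
def describe_vuln(vuln, version)
  fixed_in = vuln['fixed_in']
  scope =
    begin
      if version.nil?
        :version_unknown
      elsif fixed_in.nil?
        :unfixed
      elsif Gem::Version.new(version) < Gem::Version.new(fixed_in)
        :affected
      else
        :fixed_in_detected_version
      end
    rescue ArgumentError
      :unparseable_version
    end
  {
    title: vuln['title'],
    fixed_in: fixed_in,
    cves: (vuln.dig('references', 'cve') || []).map { |id| "CVE-#{id}" },
    scope: scope
  }
end

# Findings for a theme or plugin entry. Per the maintainer's reply, the
# authoritative list is item['vulnerabilities'] and is already filtered to the
# detected version; any legacy item['version']['vulnerabilities'] list is merged
# in and deduplicated by title rather than treated as a separate category.
def item_findings(item)
  version = item.dig('version', 'number')
  vulns = (item['vulnerabilities'] || []) + (item.dig('version', 'vulnerabilities') || [])
  {
    version: version,
    vulnerabilities: vulns.uniq { |v| v['title'] }.map { |v| describe_vuln(v, version) }
  }
end

# Walk a parsed report and return only the items that carry vulnerabilities.
# Core is shaped differently (report['version'] holds number + vulnerabilities directly).
def vulnerable_items(report)
  findings = {}
  core = report['version'] || {}
  findings['wordpress-core'] = {
    version: core['number'],
    vulnerabilities: (core['vulnerabilities'] || []).map { |v| describe_vuln(v, core['number']) }
  }
  findings["theme:#{report['main_theme']['slug']}"] = item_findings(report['main_theme']) if report['main_theme']
  (report['plugins'] || {}).each { |slug, plugin| findings["plugin:#{slug}"] = item_findings(plugin) }
  findings.reject { |_, f| f[:vulnerabilities].empty? }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby wpscan_findings.rb [report.json]; falls back to the embedded sample.
  report = ARGV[0] ? JSON.parse(File.read(ARGV[0])) : JSON.parse(SAMPLE_REPORT)
  vulnerable_items(report).each do |name, f|
    puts "#{name} (version: #{f[:version] || 'unknown'})"
    f[:vulnerabilities].each do |v|
      puts "  [#{v[:scope]}] #{v[:title]} (fixed in #{v[:fixed_in] || 'n/a'}) #{v[:cves].join(', ')}"
    end
  end
end
```

Run it against a real `wpscan --url ... -f json` output file to get a per-item list; the `:version_unknown` scope is the case to watch, since those entries are the full history for the plugin, not confirmed hits.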
J12934 commented 5 years ago

Ah ok, got it.

Thank you for the fast reply! 👍

erwanlr commented 5 years ago

Changes are live in docker in case you are using it. Otherwise they will be in the next version of WPScan