On Wednesday 06 May 2009 00:01:12 Jeroen Hofstee wrote: > Mel Flynn schreef: > > You can do that, the issue is plugins: > > 0) SuperCMS v 1.0 installed > > 1) CoolStuff via webinterface, by SuperCMSNr1Fan, version 0.1.0.1beta > > 2) SuperCMS v 1.0.1 security release, changes some issues with plugin > > handling 3) CoolStuff's maintainer is now known as CompetitorCMSNr1Fan > > 4) CoolStuff still works, because of backwards compatibility, but now is > > insecure. > > > > Stuff like this goes back to the phpNukeYourSite days. > > I understand that there are allot of caveats and that is quite some work > to create a full blown checker, especially with > plugins. But as far as I am corcerned, finding the easy to locate > vultnerable script is already better then doing nothing.
Agreed, as long as the client does not assume you are responsible. Portaudit will go a long way then. Which version of a plugin is installed is not always available in the file system, some store that in the database. To ease your work, you may want to replace custom installed software with the corresponding port if available. This will go for a lot of stuff, including joomla and the various nuke forks. -- Mel _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
