Pyfiscan is a free web-application vulnerability and version scanner that can be used to locate outdated versions of common web applications on Linux servers. An example use case is a hosting provider keeping an eye on its users' installations to keep up with security updates. Fingerprints are easy to create and modify, as users can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
Requirements:
- Python 2.7
- Python modules PyYAML and docopt
- GNU/Linux web server
Testing is done mainly on GNU/Linux Debian stable. Windows is not currently supported.
Supported software:
- Bugzilla
- CMSMS
- Claroline
- Collabtive
- Coppermine
- Cotonti
- Dolibarr
- Dotclear
- Drupal 6/7
- Foswiki
- Gallery
- Jamroom
- Joomla 1.5: 1.5 is end-of-life since 2012-04-30
- Joomla 1.6: 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
- Joomla 1.7: 1.7 is end-of-life since 2012-02-24
- Joomla 2.5
- Joomla 3
- Magnolia
- Mahara
- MantisBT
- MediaWiki
- Microweber
- MoinMoin
- MyBB
- Piwigo
- Roundcube
- SMF 1 and 2
- Serendipity
- TestLink
- TikiWiki
- TinyTinyRSS
- Trac
- WikkaWiki
- WordPress
- Zenphoto
- Zikula
- Zimbra
- e107
- osDate
- ownCloud 5 and 6
- phpBB3
- phpMyAdmin
Installation:
git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
pip install -r requirements.lst
Application-specific notes:
- WordPress
- Joomla
  - Upgrades should be done using "Extension manager -> Upgrade" in version 1.6.6 and later
  - Release and support cycle
  - Setup security checklist
  - Upgrading and migrating Joomla
  - Joomla 2.x creates a random SQL table prefix
  - Joomla 3.x informs the user and shows a button to remove the installation directory
  - Creates ./configuration.php in the installation
  - Creates robots.txt, which contains the word "Joomla"
- SMF
  - End of life of SMF 1.0
  - The installer asks the user, with a button, to delete install.php
- TikiWiki
- MediaWiki
- Gallery
  - Not installed when config.php is missing.
  - http://codex.galleryproject.org/Gallery2:Security
  - Upgrade using http://example.org/gallery3/index.php/upgrade or from the command line with: php index.php upgrade
- phpBB (version unknown)
  - An open installation is not a vulnerability, since the web interface requires the user to authenticate by inserting random data into a file.
- Coppermine
  - Not installed when include/config.inc.php is missing.
- ownCloud
  - status.php outputs: {"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}
- Piwigo
  - Not installed if local/config/database.inc.php is missing.
- Claroline
  - Not installed when platform/conf/claro_main.conf.php is missing.
  - The installation pages ask the user to remove the claroline/install/ directory.
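As an added example (not pyfiscan's own code; Python 3, and the fingerprint dict layout, the version threshold and the sample sites are all assumptions), here is the shape of the check the notes above describe: a marker file decides whether an application is installed at all, a regex pulls the version out of a known file, and a numeric comparison flags installs below a given version:

```python
import os
import re
import tempfile

# Hypothetical fingerprint (the layout is an assumption, not pyfiscan's YAML schema):
# install marker, version file, extraction regex, oldest version still treated as ok.
WORDPRESS = {
    "installed_file": "wp-config.php",
    "version_file": "wp-includes/version.php",
    "regex": r"\$wp_version\s*=\s*'([0-9.]+)'",
    "secure": "3.9.2",  # placeholder threshold, not a real advisory value
}

def version_tuple(version):
    # Compare numerically so that 3.10 ranks above 3.9 (string comparison would not)
    return tuple(int(part) for part in version.split("."))

def check_install(root, fingerprint):
    """Classify one directory as not-installed, unknown, outdated or ok."""
    if not os.path.isfile(os.path.join(root, fingerprint["installed_file"])):
        return ("not-installed", None)  # same rule as Gallery without config.php
    path = os.path.join(root, fingerprint["version_file"])
    if not os.path.isfile(path):
        return ("unknown", None)  # install marker present but version file gone
    with open(path) as handle:
        match = re.search(fingerprint["regex"], handle.read())
    if not match:
        return ("unknown", None)
    found = match.group(1)
    outdated = version_tuple(found) < version_tuple(fingerprint["secure"])
    return ("outdated" if outdated else "ok", found)

def scan(root, fingerprint=WORDPRESS):
    """Walk a tree of customer directories and report every fingerprint hit."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        status, found = check_install(dirpath, fingerprint)
        if status != "not-installed":
            hits.append((os.path.relpath(dirpath, root), status, found))
    return sorted(hits)

def build_sample_tree():
    root = tempfile.mkdtemp()  # constructed sample data: outdated, current and broken site
    for site, version in (("old-blog", "3.8"), ("new-blog", "3.10")):
        os.makedirs(os.path.join(root, site, "wp-includes"))
        open(os.path.join(root, site, "wp-config.php"), "w").close()
        with open(os.path.join(root, site, "wp-includes", "version.php"), "w") as f:
            f.write("<?php\n$wp_version = '%s';\n" % version)
    os.makedirs(os.path.join(root, "broken"))  # config present, version file missing
    open(os.path.join(root, "broken", "wp-config.php"), "w").close()
    return root
```

Directories without the marker file are skipped silently, which is what keeps a tree of thousands of customer homes from producing noise.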
- DevNet Oy
- Kapsi Internet-käyttäjät ry