Doesn't actually look for the vulnerabilities

Subject: Doesn't actually look for the vulnerabilities
Messages: 2
Author: Joe Huss
Date: 2012-10-08 16:29:37
Update: 2012-10-08 20:59:06
 

1. Doesn't actually look for the vulnerabilities
Joe Huss
2012-10-08 16:29:37
This class seems to assume everyone runs completely unpatched versions of PHP, which rarely ever happens. The class doesn't actually test for any vulnerabilities, just the version numbers that originally had vulnerabilities. Most distributions keep PHP pretty well patched up from security holes as they appear without forcing a new PHP version on the person. Because of this, this class will report tons of false positives. Unless you are running a stock unpatched PHP, this class isn't for you.

2. Re: Doesn't actually look for the vulnerabilities
Artur Graniszewski
2012-10-08 20:59:06 - In reply to message 1 from Joe Huss
Hi :)

First of all, this is just a basic security test, not an advanced tool. Please keep in mind that in the current version I do not check the existence of the suhosin module or SELinux mode. As far as I'm aware most of these vulnerabilities are NOT fixed by specific distros, but by the suhosin module only.

I prefer the "better safe than sorry" approach and show some false positives (which can be manually filtered out by reading bug descriptions reported in links created by my class) rather than showing "you're secure".

Please remember that this is not a tool like Metasploit and I'm not trying to create one :) This application should be treated rather as a security lesson that increases the security awareness among PHP developers and LAMP administrators.

Cheers,
Artur
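As an added illustration of the false-positive mechanism both posts describe (example code, not the BAST class or either poster's own), the snippet below shows how a version-only check reacts to a distro-patched build and how such hits can at least be downgraded to "verify manually" instead of "vulnerable"; the fix threshold, sample version strings and function names are constructed for illustration.

```php
<?php
// Added example: version-only checks over-report on distro-patched PHP builds.
// The "fixed in" threshold below is a constructed placeholder, not a real advisory.

/**
 * Split a PHP_VERSION string into its upstream part and any packaging suffix.
 * Debian/Ubuntu builds report e.g. "5.3.3-7+squeeze14": the suffix signals a
 * distro package that may carry backported fixes without a version bump.
 * RHEL/CentOS builds report a bare "5.3.3" even when patched, so a bare
 * version can never be read as "unpatched" with certainty either.
 */
function splitVersion(string $version): array
{
    if (preg_match('/^(\d+\.\d+\.\d+)(.*)$/', $version, $m)) {
        return [$m[1], $m[2]];
    }
    return [$version, ''];
}

/**
 * Classify a build against a list of "fixed in" thresholds.
 * Returns 'not-affected', 'needs-manual-check' or 'likely-unpatched'.
 */
function classify(string $version, array $fixedIn, bool $suhosin = false): string
{
    [$upstream, $suffix] = splitVersion($version);

    $belowFix = false;
    foreach ($fixedIn as $fix) {
        if (version_compare($upstream, $fix, '<')) {
            $belowFix = true;
            break;
        }
    }
    if (!$belowFix) {
        return 'not-affected';
    }
    // Being below the fix version is only a hint: a distro suffix or a loaded
    // Suhosin extension both mean the bug may already be mitigated, so report
    // it for manual review (the "read the linked bug description" step) instead.
    if ($suffix !== '' || $suhosin) {
        return 'needs-manual-check';
    }
    return 'likely-unpatched';
}

// Constructed inputs; on a live host use PHP_VERSION and extension_loaded('suhosin').
$placeholderFixedIn = ['5.3.4'];
echo classify('5.3.3', $placeholderFixedIn), "\n";
echo classify('5.3.3-7+squeeze14', $placeholderFixedIn), "\n";
echo classify('5.3.3', $placeholderFixedIn, true), "\n";
echo classify('5.4.0', $placeholderFixedIn), "\n";
```

The classification never claims a build is secure; it only separates "upstream version with no sign of patching" from cases where the package metadata or a loaded hardening extension must be consulted before trusting the version number.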