PHP Classes

Doesn't actually look for the vulnerabilities

BAST PHP Security Test - thread

Summary: Doesn't actually look for the vulnerabilities
Author: Joe Huss
Date: 2012-10-08 16:29:37
Update: 2012-10-08 20:59:06


1. Doesn't actually look for the...
Joe Huss - 2012-10-08 16:29:37
This class seems to assume everyone runs completely unpatched versions of PHP, which rarely ever happens. The class doesn't actually test for any vulnerabilities, just the version numbers that originally had vulnerabilities. Most distributions keep PHP pretty well patched up from security holes as they appear without forcing a new PHP version on the person. Because of this, this class will report tons of false positives. Unless you are running a stock unpatched PHP, this class isn't for you.

2. Re: Doesn't actually look for the...
Artur Graniszewski - 2012-10-08 20:59:06 - In reply to message 1 from Joe Huss

First of all, this is just a basic security test, not an advanced tool. Please keep in mind that in the current version I do not check the existence of the suhosin module or SELinux mode. As far as I'm aware, most of these vulnerabilities are NOT fixed by specific distros, but by the suhosin module only.

I prefer the "better safe than sorry" approach and show some false positives (which can be manually filtered out by reading bug descriptions reported in links created by my class) rather than showing "you're secure".

Please remember that this is not a tool like metasploit and I'm not trying to create one :) This application should be treated rather as a security lesson that increases the security awareness among PHP developers and LAMP administrators.
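The false-positive mechanism both posts describe (a version-only check cannot see a distro backport, and hardening modules such as suhosin change the picture) can be shown in a few lines. This is an added example, not code from the BAST class or from either poster; the advisory table is a constructed placeholder, and the version strings are sample values in the Debian-style format PHP_VERSION uses on vendor builds.

```php
<?php
// Added example: why a version-only check over-reports on vendor-patched PHP,
// and how a checker can downgrade such hits to "needs manual verification".

// Constructed placeholder advisory table: upstream version that carries the fix.
// These are NOT real advisories.
const ADVISORIES = [
    'EXAMPLE-ADVISORY-1' => '5.3.4',
    'EXAMPLE-ADVISORY-2' => '5.4.1',
];

// Splits "5.3.3-7+squeeze14" into upstream "5.3.3" and vendor suffix "7+squeeze14".
function split_php_version(string $version): array
{
    if (preg_match('/^(\d+\.\d+\.\d+)(?:[-~+](.*))?$/', $version, $m) !== 1) {
        throw new InvalidArgumentException("Unrecognised version string: $version");
    }
    return [$m[1], $m[2] ?? ''];
}

// Naive check, as criticised in the thread: the version number alone decides.
function naive_check(string $version, array $advisories): array
{
    [$upstream] = split_php_version($version);
    return array_keys(array_filter(
        $advisories,
        fn(string $fixed) => version_compare($upstream, $fixed, '<')
    ));
}

// Backport-aware check: a vendor suffix means the distro may have patched the
// issue without bumping the upstream version, so hits become "unverified".
function backport_aware_check(string $version, array $advisories): array
{
    [, $suffix] = split_php_version($version);
    $hits = naive_check($version, $advisories);
    $status = 'clean';
    if ($hits) {
        $status = $suffix !== '' ? 'unverified (vendor-patched build)' : 'vulnerable';
    }
    return [
        'status'   => $status,
        'findings' => $hits,
        'suhosin'  => extension_loaded('suhosin'), // hardening module present?
    ];
}

// Constructed samples: a Debian-style build string, a stock build, a newer build.
foreach (['5.3.3-7+squeeze14', '5.3.3', '5.4.7'] as $v) {
    echo $v, ': ', json_encode(backport_aware_check($v, ADVISORIES)), PHP_EOL;
}
```

Running it flags the stock 5.3.3 as vulnerable, reports the 5.3.3-7+squeeze14 build as unverified rather than vulnerable, and leaves 5.4.7 clean; the suhosin flag tells the reader whether the reported bug descriptions need to be read with that module in mind.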
