|
Full Disclosure
mailing list archives
New Open Source Web Application Vulnerability Scanner Available
From: Dermot Blair <webvulscan () gmail com>
Date: Fri, 18 May 2012 15:14:38 +0100
Hi Laurent,
Thanks for the feedback. I will be making another release shortly and I
will fix those issues.
Regards,
Dermot Blair
On Thu, May 17, 2012 at 3:41 PM, laurent gaffie <laurent.gaffie () gmail com>wrote:
There's more ...
File : display_register_form.php :
$username = $_POST['regusername'];
$password = $_POST['regpassword'];
$email = $_POST['email'];
if(connectToDb($db))
{
$query = "SELECT * FROM users WHERE username =
'$username'";
$result = $db->query($query);
if($result)
.... more injection below this query, no vars are filtered.
2012/5/17 laurent gaffie <laurent.gaffie () gmail com>
Hi Dermot,
You have an injection SQL in the begin_crawl file;
isset($_POST['specifiedUrl']) ? $urlToScan = $_POST['specifiedUrl'] :
$urlToScan = '';
isset($_POST['testId']) ? $testId = $_POST['testId'] : $testId = 0;
if(empty($urlToScan))
{
echo 'urlToScan is empty';
$log->lfile('urlToScan is empty');
return;
}
$log->lwrite("URL to scan: $urlToScan");
$query = "UPDATE tests SET status = 'Preparing Crawl for $urlToScan'
WHERE id = $testId;";
$db->query($query);
Regards,
Laurent
2012/5/16 Dermot Blair <webvulscan () gmail com>
Hi All,
There is a new web application vulnerability scanner available. It is
called WebVulScan and it is open source. Here is the link for it if you
want to check it out: http://code.google.com/p/webvulscan/
Regards,
Dermot Blair
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
