Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

New Open Source Web Application Vulnerability Scanner Available
From: Dermot Blair <webvulscan () gmail com>
Date: Fri, 18 May 2012 15:14:38 +0100

Hi Laurent,

Thanks for the feedback. I will be making another release shortly and I
will fix those issues.

Regards,

Dermot Blair


On Thu, May 17, 2012 at 3:41 PM, laurent gaffie <laurent.gaffie () gmail com>wrote:

There's more ...

File : display_register_form.php :

            $username = $_POST['regusername'];
            $password = $_POST['regpassword'];
            $email = $_POST['email'];

            if(connectToDb($db))
            {
                $query = "SELECT * FROM users WHERE username =
'$username'";
                $result = $db->query($query);
                if($result)
                .... more injection below this query, no vars are filtered.



2012/5/17 laurent gaffie <laurent.gaffie () gmail com>

Hi Dermot,

You have an injection SQL in the begin_crawl file;

isset($_POST['specifiedUrl']) ? $urlToScan = $_POST['specifiedUrl'] :
$urlToScan = '';
isset($_POST['testId']) ? $testId = $_POST['testId'] : $testId = 0;

if(empty($urlToScan))
{
    echo 'urlToScan is empty';
    $log->lfile('urlToScan is empty');
    return;
}

$log->lwrite("URL to scan: $urlToScan");

$query = "UPDATE tests SET status = 'Preparing Crawl for $urlToScan'
WHERE id = $testId;";
$db->query($query);

Regards,
Laurent

2012/5/16 Dermot Blair <webvulscan () gmail com>

Hi All,



There is a new web application vulnerability scanner available. It is
called WebVulScan and it is open source. Here is the link for it if you
want to check it out: http://code.google.com/p/webvulscan/



Regards,



Dermot Blair

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]