What plugins is that website running?

While having a look at nikto yesterday I stumbled across cms-explorer. It’s an interesting little program that checks the themes/modules/plugins installed in common CMS systems (Drupal, WordPress, Joomla! and Mambo), with automatic exploration for Drupal and WordPress. It also has some nice bonus features like providing a list of known issues for plugins found by accessing the OSVDB.org database.

Example output:

Plugin Installed:		wp-content/plugins/hello.php
	URL			http://www.dopefish.de/wp-content/plugins/hello.php
	SVN			http://svn.wp-plugins.org/wp-content/plugins/hello.phptrunk/
	http://osvdb.org/22654	WordPress wp-content/plugins/hello.php Direct Request Path Disclosure
	http://osvdb.org/62684	WordPress wp-content/plugins/hello.php add_action() Function Path Disclosure
Plugin Installed:		wp-content/plugins/devformatter/
	URL			http://www.dopefish.de/wp-content/plugins/devformatter/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/devformatter/trunk/

Running it against my own webspace revealed a possible SQL injection I was unaware of. *) Fixed that, will probably replace that plugin completely this week, anything that has stuff so obviously bad in it is generally not all too sane.

*) I normally look at plugins before I install them, must have missed this one. @ PHP programmers: anyone who passes on the content of a $_REQUEST directly to a SQL query without any sanity checking deserves to be flogged with his own code.
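As an added illustration (not code from this post or from the plugin mentioned above), here is the pattern criticised, next to the form WordPress itself provides for binding request data. `$wpdb` is WordPress's global database object; the `dfx_` function and table names are made up for the example.

```php
<?php
// Added example, not from the post: assumes it runs inside a WordPress plugin,
// where the global $wpdb object is available. Table/function names are invented.

// VULNERABLE: the request value is interpolated straight into the SQL string.
// A quote or comment sequence in ?id= changes the structure of the query.
function dfx_get_snippet_unsafe() {
    global $wpdb;
    $id  = $_REQUEST['id'];
    $sql = "SELECT * FROM {$wpdb->prefix}dfx_snippets WHERE id = '$id'";
    return $wpdb->get_results($sql);
}

// FIXED: check the type first, then let $wpdb->prepare() bind the value.
// Table and column names stay literal; only data goes through the placeholder.
function dfx_get_snippet_safe() {
    global $wpdb;
    if (!isset($_REQUEST['id']) || !ctype_digit((string) $_REQUEST['id'])) {
        return array(); // anything that is not a plain integer id is rejected
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}dfx_snippets WHERE id = %d",
        (int) $_REQUEST['id']
    );
    return $wpdb->get_results($sql);
}

// Parts of a query that cannot be bound (a sort column, for instance) are
// compared against a fixed list instead of being taken from the request.
function dfx_list_snippets_safe($requested_order) {
    global $wpdb;
    $allowed = array('id', 'title', 'created');
    $order   = in_array($requested_order, $allowed, true) ? $requested_order : 'id';
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}dfx_snippets ORDER BY $order"
    );
}
```

When looking over a plugin before installing it, grepping for `$_REQUEST`, `$_GET` and `$_POST` near `$wpdb->query`/`$wpdb->get_results` calls finds the unsafe pattern quickly.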
