
use _ for unused variable to make vulture happy

Hanno Böck authored on21/03/2020 19:23:12
Showing1 changed files
... ...
@@ -109,7 +109,7 @@ if opts.xml:
109 109
 # start the search
110 110
 
111 111
 for fdir in opts.dirs:
112
-    for root, NULL, files in os.walk(fdir):
112
+    for root, _, files in os.walk(fdir):
113 113
         for filename in scanfiles.intersection(files):
114 114
             for item in jconfig:
115 115
                 if not opts.thirdparty and 'thirdparty' in item:

noqa for dlint, the escape function should be safe without using defusedxml

Hanno Böck authored on21/03/2020 13:37:15
Showing1 changed files
... ...
@@ -30,7 +30,7 @@ import argparse
30 30
 import sys
31 31
 import json
32 32
 import pathlib
33
-from xml.sax.saxutils import escape
33
+from xml.sax.saxutils import escape  # noqa: DUO107
34 34
 
35 35
 
36 36
 def versioncompare(safe_version, find_version):
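Review bot: The `# noqa: DUO107` on the `escape` import silences the warning but does not say why; the reason lives only in the commit message. A comment next to it, such as `# escape() only substitutes &, < and >; it parses no XML, so defusedxml is not needed`, would keep the justification with the suppression. `escape` leaves quote characters alone unless it is given an entities mapping, so it is only sufficient for element text. The XML branch of `vulnprint` is not visible in this hunk, so confirm that no escaped value ends up inside an attribute; `xml.sax.saxutils.quoteattr` would be the call for that case.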

add ~/.cache/freewvs/ dir option and enforce order of freewvsdb dirs

Hanno Böck authored on23/12/2019 12:39:03
Showing1 changed files
... ...
@@ -29,6 +29,7 @@ import re
29 29
 import argparse
30 30
 import sys
31 31
 import json
32
+import pathlib
32 33
 from xml.sax.saxutils import escape
33 34
 
34 35
 
... ...
@@ -80,9 +81,11 @@ for d in ["/usr/share/freewvs", "/usr/local/share/freewvs"]:
80 81
               file=sys.stderr)
81 82
 
82 83
 jdir = False
83
-for p in [os.path.dirname(sys.argv[0]) + '/freewvsdb', '/var/lib/freewvs']:
84
+for p in [os.path.dirname(sys.argv[0]) + '/freewvsdb', '/var/lib/freewvs',
85
+          str(pathlib.Path.home()) + "/.cache/freewvs/"]:
84 86
     if os.path.isdir(p):
85 87
         jdir = p
88
+        break
86 89
 if not jdir:
87 90
     print("Can't find freewvs json db")
88 91
     sys.exit(1)
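Review bot: The first candidate in the list, `os.path.dirname(sys.argv[0]) + '/freewvsdb'`, becomes `/freewvsdb` whenever `argv[0]` has no directory component (for example `python3 freewvs` run from the script's own directory), because `dirname` then returns an empty string. With the added `break` the first existing directory wins, so a directory at that path would take precedence over `/var/lib/freewvs`, and the database decides what the scanner reports. `os.path.join(os.path.dirname(os.path.abspath(sys.argv[0])), 'freewvsdb')` avoids that. Separately, `pathlib.Path.home()` is evaluated while the list is built, so an unresolvable home directory raises before the earlier candidates are tried.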

warn people who have old-style freewvsdb-dirs around

Hanno Böck authored on21/12/2019 18:01:40
Showing1 changed files
... ...
@@ -72,6 +72,13 @@ parser.add_argument("-3", "--thirdparty", action="store_true",
72 72
                     help="Scan for third-party components like jquery")
73 73
 opts = parser.parse_args()
74 74
 
75
+# Warn people with old-style freewvsdb dirs,
76
+# should be removed in a few months
77
+for d in ["/usr/share/freewvs", "/usr/local/share/freewvs"]:
78
+    if os.path.isdir(d):
79
+        print("WARNING: Obsolete freewvs data in %s, removal recommended" % d,
80
+              file=sys.stderr)
81
+
75 82
 jdir = False
76 83
 for p in [os.path.dirname(sys.argv[0]) + '/freewvsdb', '/var/lib/freewvs']:
77 84
     if os.path.isdir(p):

update URL and remove version number from script

Hanno Böck authored on17/12/2019 15:10:18
Showing1 changed files
... ...
@@ -1,8 +1,8 @@
1 1
 #!/usr/bin/python3 -O
2 2
 
3
-# freewvs 0.1 - the free web vulnerability scanner
3
+# freewvs - a free web vulnerability scanner
4 4
 #
5
-# https://source.schokokeks.org/freewvs/
5
+# https://freewvs.schokokeks.org/
6 6
 #
7 7
 # Written by schokokeks.org Hosting, https://schokokeks.org
8 8
 #

make pylint happier

Hanno Böck authored on13/12/2019 12:50:42
Showing1 changed files
... ...
@@ -109,17 +109,19 @@ for fdir in opts.dirs:
109 109
                         mfile = os.path.join(root, filename)
110 110
                         try:
111 111
                             file = open(mfile, errors='replace')
112
-                        except Exception:
112
+                        except IOError:
113 113
                             continue
114 114
                         filestr = file.read()
115 115
                         file.close()
116 116
 
117 117
                         if (('extra_match' in det
118
-                           and det['extra_match'] not in filestr)
119
-                           or ('extra_nomatch' in det
120
-                           and det['extra_nomatch'] in filestr)
121
-                           or ('path_match' in det
122
-                           and not root.endswith(det['path_match']))):
118
+                             and det['extra_match'] not in filestr)
119
+                                or ('extra_nomatch' in det
120
+                                    and det['extra_nomatch'] in filestr)):
121
+                            continue
122
+
123
+                        if ('path_match' in det
124
+                                and (not root.endswith(det['path_match']))):
123 125
                             continue
124 126
 
125 127
                         findversion = re.search(re.escape(det['variable'])
... ...
@@ -137,9 +139,10 @@ for fdir in opts.dirs:
137 139
                                                   + int(det['add_minor']))
138 140
                             findversion = '.'.join(findversion)
139 141
 
140
-                        if (not versioncompare(item['safe'], findversion)
141
-                           or ('old_safe' in item
142
-                           and findversion in item['old_safe'].split(','))):
142
+                        if ((not versioncompare(item['safe'], findversion))
143
+                                or ('old_safe' in item
144
+                                    and findversion in
145
+                                    item['old_safe'].split(','))):
143 146
                             if opts.all:
144 147
                                 vulnprint(item['name'], findversion, "ok", "",
145 148
                                           mfile, det['subdir'], opts.xml)
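Review bot: Narrowing the handler to `except IOError:` still leaves `filestr = file.read()` and `file.close()` outside the `try`, so an error raised while reading ends the scan with a traceback and the handle is not closed on that path. Moving the read under the existing `try` as `with open(mfile, errors='replace') as file:` followed by `filestr = file.read()` covers both and makes the explicit `close()` unnecessary. The scanner walks directories whose contents it does not control, so it may also be worth checking that `mfile` is a regular file and bounding the read size before loading it whole. The enclosing loops start outside this hunk.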

fix add_minor

Hanno Böck authored on13/12/2019 10:50:50
Showing1 changed files
... ...
@@ -134,7 +134,7 @@ for fdir in opts.dirs:
134 134
                         if 'add_minor' in det:
135 135
                             findversion = findversion.split('.')
136 136
                             findversion[-1] = str(int(findversion[-1])
137
-                                                  + int(item['add_minor']))
137
+                                                  + int(det['add_minor']))
138 138
                             findversion = '.'.join(findversion)
139 139
 
140 140
                         if (not versioncompare(item['safe'], findversion)

switch to json-based freewvsdb

Hanno Böck authored on11/12/2019 18:39:17
Showing1 changed files
... ...
@@ -23,13 +23,12 @@
23 23
 # return your changes to the public. We would be especially happy if you tell
24 24
 # us what you're going to do with this code.
25 25
 
26
-import configparser
27
-
28 26
 import os
29 27
 import glob
30 28
 import re
31 29
 import argparse
32 30
 import sys
31
+import json
33 32
 from xml.sax.saxutils import escape
34 33
 
35 34
 
... ...
@@ -73,60 +72,25 @@ parser.add_argument("-3", "--thirdparty", action="store_true",
73 72
                     help="Scan for third-party components like jquery")
74 73
 opts = parser.parse_args()
75 74
 
76
-# Parse vulnerability database
77
-config = configparser.ConfigParser()
78
-try:
79
-    config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
80
-    config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
81
-    config.read(glob.glob(os.path.dirname(sys.argv[0])
82
-                          + '/freewvsdb/*.freewvs'))
83
-except configparser.MissingSectionHeaderError as err:
84
-    print("Error parsing config files: %s" % err)
85
-
86
-vdb = []
75
+jdir = False
76
+for p in [os.path.dirname(sys.argv[0]) + '/freewvsdb', '/var/lib/freewvs']:
77
+    if os.path.isdir(p):
78
+        jdir = p
79
+if not jdir:
80
+    print("Can't find freewvs json db")
81
+    sys.exit(1)
82
+
83
+jconfig = []
84
+for cfile in glob.glob(jdir + '/*.json'):
85
+    with open(cfile) as json_file:
86
+        data = json.load(json_file)
87
+        jconfig += data
88
+
87 89
 scanfiles = set()
88
-for sect in config.sections():
89
-    item = {}
90
-
91
-    if (config.getboolean(sect, 'thirdparty', fallback=False)
92
-       and not opts.thirdparty):
93
-        continue
94
-
95
-    # base options
96
-    item['name'] = sect
97
-    item['safe'] = config.get(sect, 'safe')
98
-    item['file'] = config.get(sect, 'file')
99
-    item['vuln'] = config.get(sect, 'vuln')
100
-    item['subdir'] = int(config.get(sect, 'subdir'))
101
-    scanfiles.add(item['file'])
102
-
103
-    # match magic
104
-    item['variable'] = re.compile(re.escape(config.get(sect, 'variable'))
105
-                                  + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]")
106
-
107
-    # optional options
108
-    if config.has_option(sect, 'extra_match'):
109
-        item['extra_match'] = config.get(sect, 'extra_match')
110
-    else:
111
-        item['extra_match'] = False
112
-    if config.has_option(sect, 'extra_nomatch'):
113
-        item['extra_nomatch'] = config.get(sect, 'extra_nomatch')
114
-    else:
115
-        item['extra_nomatch'] = False
116
-    if config.has_option(sect, 'path_match'):
117
-        item['path_match'] = config.get(sect, 'path_match')
118
-    else:
119
-        item['path_match'] = False
120
-    if config.has_option(sect, 'add_minor'):
121
-        item['add_minor'] = config.get(sect, 'add_minor')
122
-    else:
123
-        item['add_minor'] = False
124
-    if config.has_option(sect, 'old_safe'):
125
-        item['old_safe'] = config.get(sect, 'old_safe').split(",")
126
-    else:
127
-        item['old_safe'] = []
90
+for app in jconfig:
91
+    for det in app['detection']:
92
+        scanfiles.add(det['file'])
128 93
 
129
-    vdb.append(item)
130 94
 
131 95
 if opts.xml:
132 96
     print('<?xml version="1.0" ?>')
... ...
@@ -137,50 +101,58 @@ if opts.xml:
137 101
 for fdir in opts.dirs:
138 102
     for root, NULL, files in os.walk(fdir):
139 103
         for filename in scanfiles.intersection(files):
140
-            for item in vdb:
141
-                if filename == item['file']:
142
-                    mfile = os.path.join(root, filename)
143
-                    try:
144
-                        file = open(mfile, errors='replace')
145
-                    except Exception:
146
-                        continue
147
-                    filestr = file.read()
148
-                    file.close()
149
-
150
-                    if ((item['extra_match']
151
-                       and item['extra_match'] not in filestr)
152
-                       or (item['extra_nomatch']
153
-                       and item['extra_nomatch'] in filestr)
154
-                       or (item['path_match']
155
-                       and not root.endswith(item['path_match']))):
156
-                        continue
157
-
158
-                    findversion = item['variable'].search(filestr)
159
-                    if not findversion:
160
-                        continue
161
-                    findversion = findversion.group(1)
162
-
163
-                    # Very ugly phpbb workaround
164
-                    if item['add_minor']:
165
-                        findversion = findversion.split('.')
166
-                        findversion[-1] = str(int(findversion[-1])
167
-                                              + int(item['add_minor']))
168
-                        findversion = '.'.join(findversion)
169
-
170
-                    if (not versioncompare(item['safe'], findversion)
171
-                       or findversion in item['old_safe']):
172
-                        if opts.all:
173
-                            vulnprint(item['name'], findversion, "ok", "",
174
-                                      mfile, item['subdir'], opts.xml)
175
-                        continue
176
-
177
-                    safev = item['safe']
178
-                    for ver in item['old_safe']:
179
-                        if versioncompare(ver, findversion):
180
-                            safev = ver
181
-
182
-                    vulnprint(item['name'], findversion, safev, item['vuln'],
183
-                              mfile, item['subdir'], opts.xml)
104
+            for item in jconfig:
105
+                if not opts.thirdparty and 'thirdparty' in item:
106
+                    continue
107
+                for det in item['detection']:
108
+                    if filename == det['file']:
109
+                        mfile = os.path.join(root, filename)
110
+                        try:
111
+                            file = open(mfile, errors='replace')
112
+                        except Exception:
113
+                            continue
114
+                        filestr = file.read()
115
+                        file.close()
116
+
117
+                        if (('extra_match' in det
118
+                           and det['extra_match'] not in filestr)
119
+                           or ('extra_nomatch' in det
120
+                           and det['extra_nomatch'] in filestr)
121
+                           or ('path_match' in det
122
+                           and not root.endswith(det['path_match']))):
123
+                            continue
124
+
125
+                        findversion = re.search(re.escape(det['variable'])
126
+                                                + r"[^0-9\n\r]*[.]*"
127
+                                                "([0-9.]*[0-9])[^0-9.]",
128
+                                                filestr)
129
+                        if not findversion:
130
+                            continue
131
+                        findversion = findversion.group(1)
132
+
133
+                        # Very ugly phpbb workaround
134
+                        if 'add_minor' in det:
135
+                            findversion = findversion.split('.')
136
+                            findversion[-1] = str(int(findversion[-1])
137
+                                                  + int(item['add_minor']))
138
+                            findversion = '.'.join(findversion)
139
+
140
+                        if (not versioncompare(item['safe'], findversion)
141
+                           or ('old_safe' in item
142
+                           and findversion in item['old_safe'].split(','))):
143
+                            if opts.all:
144
+                                vulnprint(item['name'], findversion, "ok", "",
145
+                                          mfile, det['subdir'], opts.xml)
146
+                            continue
147
+
148
+                        safev = item['safe']
149
+                        if 'old_safe' in item:
150
+                            for ver in item['old_safe'].split(','):
151
+                                if versioncompare(ver, findversion):
152
+                                    safev = ver
153
+
154
+                        vulnprint(item['name'], findversion, safev,
155
+                                  item['vuln'], mfile, det['subdir'], opts.xml)
184 156
 
185 157
 if opts.xml:
186 158
     print('</freewvs>')
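Review bot: The third-party filter `if not opts.thirdparty and 'thirdparty' in item:` tests only whether the key is present, so an entry carrying `"thirdparty": false` would be skipped too, whereas the removed code read the value with `getboolean(..., fallback=False)`; `item.get('thirdparty')` keeps the old meaning. The loader also drops the error handling the configparser version had. A malformed file passed to `json.load`, or a top-level value that is not a list reaching `jconfig += data`, now surfaces as a bare traceback rather than a message naming the file. A `try`/`except (OSError, ValueError)` around the load that prints `cfile` would make a damaged database obvious to whoever runs the scan.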

fix detection with no safe version

Hanno Böck authored on10/12/2019 14:24:57
Showing1 changed files
... ...
@@ -34,6 +34,8 @@ from xml.sax.saxutils import escape
34 34
 
35 35
 
36 36
 def versioncompare(safe_version, find_version):
37
+    if safe_version == "":
38
+        return True
37 39
     safe_version_tup = [int(x) for x in safe_version.split(".")]
38 40
     find_version_tup = [int(x) for x in find_version.split(".")]
39 41
     return find_version_tup < safe_version_tup
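Review bot: `versioncompare` still converts every dot-separated component with `int(x)` and nothing catches the `ValueError`; the added guard covers only an empty `safe_version`. The detection pattern shown elsewhere on this page, `([0-9.]*[0-9])`, permits consecutive dots, so a scanned file containing a version like `1..2` would presumably end the whole scan instead of affecting one file. Catching the error around the two conversions with `except ValueError: return True` would report the unparsable version rather than silently hide it. A one-line docstring such as `"""Return True if find_version is older than safe_version, or if no safe version exists."""` would also pin down what the return value means.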

performance improvement by keeping list of all scanned for files

Hanno Böck authored on08/12/2019 18:43:47
Showing1 changed files
... ...
@@ -82,6 +82,7 @@ except configparser.MissingSectionHeaderError as err:
82 82
     print("Error parsing config files: %s" % err)
83 83
 
84 84
 vdb = []
85
+scanfiles = set()
85 86
 for sect in config.sections():
86 87
     item = {}
87 88
 
... ...
@@ -95,6 +96,7 @@ for sect in config.sections():
95 96
     item['file'] = config.get(sect, 'file')
96 97
     item['vuln'] = config.get(sect, 'vuln')
97 98
     item['subdir'] = int(config.get(sect, 'subdir'))
99
+    scanfiles.add(item['file'])
98 100
 
99 101
     # match magic
100 102
     item['variable'] = re.compile(re.escape(config.get(sect, 'variable'))
... ...
@@ -132,7 +134,7 @@ if opts.xml:
132 134
 
133 135
 for fdir in opts.dirs:
134 136
     for root, NULL, files in os.walk(fdir):
135
-        for filename in files:
137
+        for filename in scanfiles.intersection(files):
136 138
             for item in vdb:
137 139
                 if filename == item['file']:
138 140
                     mfile = os.path.join(root, filename)
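Review bot: Iterating `scanfiles.intersection(files)` yields the matching names in set order, which for strings can differ between interpreter runs because of hash randomisation, so two scans of the same tree may list findings from one directory in a different order. `for filename in sorted(scanfiles.intersection(files)):` keeps the speed-up and makes successive reports diff cleanly. The inner loop over `vdb` continues outside this hunk.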

simplify versioncompare logic

Hanno Böck authored on08/12/2019 18:29:27
Showing1 changed files
... ...
@@ -34,14 +34,9 @@ from xml.sax.saxutils import escape
34 34
 
35 35
 
36 36
 def versioncompare(safe_version, find_version):
37
-    if safe_version == [""]:
38
-        return True
39
-    for i in range(min(len(find_version), len(safe_version))):
40
-        if int(find_version[i]) < int(safe_version[i]):
41
-            return True
42
-        if int(find_version[i]) > int(safe_version[i]):
43
-            return False
44
-    return len(find_version) < len(safe_version)
37
+    safe_version_tup = [int(x) for x in safe_version.split(".")]
38
+    find_version_tup = [int(x) for x in find_version.split(".")]
39
+    return find_version_tup < safe_version_tup
45 40
 
46 41
 
47 42
 def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
... ...
@@ -168,27 +163,20 @@ for fdir in opts.dirs:
168 163
                                               + int(item['add_minor']))
169 164
                         findversion = '.'.join(findversion)
170 165
 
171
-                    if not (versioncompare(item['safe'].split('.'),
172
-                            findversion.split('.'))) or \
173
-                            item['old_safe'].count(findversion) > 0:
166
+                    if (not versioncompare(item['safe'], findversion)
167
+                       or findversion in item['old_safe']):
174 168
                         if opts.all:
175
-                            vulnprint(item['name'], findversion,
176
-                                      "ok", "", mfile, item['subdir'],
177
-                                      opts.xml)
178
-                    else:
179
-                        safev = "9999"
180
-                        for ver in item['old_safe']:
181
-                            if(versioncompare(ver.split('.'),
182
-                               findversion.split('.'))
183
-                               and not versioncompare(ver.split('.'),
184
-                               safev.split('.'))):
185
-                                safev = ver
186
-                        if safev == "9999":
187
-                            safev = item['safe']
188
-
189
-                        vulnprint(item['name'], findversion,
190
-                                  safev, item['vuln'],
191
-                                  mfile, item['subdir'], opts.xml)
169
+                            vulnprint(item['name'], findversion, "ok", "",
170
+                                      mfile, item['subdir'], opts.xml)
171
+                        continue
172
+
173
+                    safev = item['safe']
174
+                    for ver in item['old_safe']:
175
+                        if versioncompare(ver, findversion):
176
+                            safev = ver
177
+
178
+                    vulnprint(item['name'], findversion, safev, item['vuln'],
179
+                              mfile, item['subdir'], opts.xml)
192 180
 
193 181
 if opts.xml:
194 182
     print('</freewvs>')
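Review bot: The rewritten fallback, `for ver in item['old_safe']:` with `if versioncompare(ver, findversion): safev = ver`, keeps the last entry of `old_safe` that is above the found version, whereas the removed `"9999"` loop picked the smallest such entry regardless of order. The reported safe version now depends on how `old_safe` is ordered in the database, and an ascending list would point users at a newer branch than they need. Either document the requirement next to the loop, e.g. `# old_safe must be listed newest first; the last entry above findversion is reported`, or select the minimum explicitly. The loop sits inside the directory walk, which starts outside this hunk.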

argparse instead of deprecated optparse

Hanno Böck authored on08/12/2019 17:54:06
Showing1 changed files
... ...
@@ -28,7 +28,7 @@ import configparser
28 28
 import os
29 29
 import glob
30 30
 import re
31
-import optparse
31
+import argparse
32 32
 import sys
33 33
 from xml.sax.saxutils import escape
34 34
 
... ...
@@ -45,12 +45,12 @@ def versioncompare(safe_version, find_version):
45 45
 
46 46
 
47 47
 def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
48
-              style=None):
48
+              xml):
49 49
     appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1 - subdir])
50
-    if not style:
50
+    if not xml:
51 51
         print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s "
52 52
               "%(appdir)s" % vars())
53
-    elif style == 'xml':
53
+    else:
54 54
         state = 'vulnerable'
55 55
         if safeversion == 'ok':
56 56
             state = 'ok'
... ...
@@ -65,15 +65,16 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
65 65
 
66 66
 
67 67
 # Command-line options
68
-parser = optparse.OptionParser(usage="usage: %prog [options] <path>"
69
-                               "[<path2> ...]")
70
-parser.add_option("-a", "--all", action="store_true", dest="ALL",
71
-                  help="Show all webapps found, not just vulnerable")
72
-parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT",
73
-                  const="xml", help="Output results as XML")
74
-parser.add_option("-3", "--thirdparty", action="store_true", dest="THIRDPARTY",
75
-                  help="Scan for third-party components like jquery")
76
-opts, args = parser.parse_args()
68
+parser = argparse.ArgumentParser()
69
+parser.add_argument("dirs", nargs="*",
70
+                    help="Directories to scan")
71
+parser.add_argument("-a", "--all", action="store_true",
72
+                    help="Show all webapps found, not just vulnerable")
73
+parser.add_argument("-x", "--xml", action="store_true",
74
+                    help="Output results as XML")
75
+parser.add_argument("-3", "--thirdparty", action="store_true",
76
+                    help="Scan for third-party components like jquery")
77
+opts = parser.parse_args()
77 78
 
78 79
 # Parse vulnerability database
79 80
 config = configparser.ConfigParser()
... ...
@@ -90,7 +91,7 @@ for sect in config.sections():
90 91
     item = {}
91 92
 
92 93
     if (config.getboolean(sect, 'thirdparty', fallback=False)
93
-       and not opts.THIRDPARTY):
94
+       and not opts.thirdparty):
94 95
         continue
95 96
 
96 97
     # base options
... ...
@@ -128,13 +129,13 @@ for sect in config.sections():
128 129
 
129 130
     vdb.append(item)
130 131
 
131
-if opts.OUTPUT == 'xml':
132
+if opts.xml:
132 133
     print('<?xml version="1.0" ?>')
133 134
     print('<freewvs>')
134 135
 
135 136
 # start the search
136 137
 
137
-for fdir in args:
138
+for fdir in opts.dirs:
138 139
     for root, NULL, files in os.walk(fdir):
139 140
         for filename in files:
140 141
             for item in vdb:
... ...
@@ -170,10 +171,10 @@ for fdir in args:
170 171
                     if not (versioncompare(item['safe'].split('.'),
171 172
                             findversion.split('.'))) or \
172 173
                             item['old_safe'].count(findversion) > 0:
173
-                        if opts.ALL:
174
+                        if opts.all:
174 175
                             vulnprint(item['name'], findversion,
175 176
                                       "ok", "", mfile, item['subdir'],
176
-                                      opts.OUTPUT)
177
+                                      opts.xml)
177 178
                     else:
178 179
                         safev = "9999"
179 180
                         for ver in item['old_safe']:
... ...
@@ -187,7 +188,7 @@ for fdir in args:
187 188
 
188 189
                         vulnprint(item['name'], findversion,
189 190
                                   safev, item['vuln'],
190
-                                  mfile, item['subdir'], opts.OUTPUT)
191
+                                  mfile, item['subdir'], opts.xml)
191 192
 
192
-if opts.OUTPUT == 'xml':
193
+if opts.xml:
193 194
     print('</freewvs>')
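Review bot: `parser.add_argument("dirs", nargs="*", ...)` accepts an empty list, so running the scanner without any path walks nothing and finishes normally with no findings, which a cron job or wrapper cannot tell apart from a clean scan. The removed optparse usage string presented `<path>` as required. Changing the line to `parser.add_argument("dirs", nargs="+",` restores that and makes argparse exit with a usage error when no directory is given.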

simplify radically by removing fancy output, gettext and debug output

Hanno Böck authored on08/12/2019 17:44:09
Showing1 changed files
... ...
@@ -27,16 +27,11 @@ import configparser
27 27
 
28 28
 import os
29 29
 import glob
30
-import pprint
31 30
 import re
32 31
 import optparse
33 32
 import sys
34
-import gettext
35 33
 from xml.sax.saxutils import escape
36 34
 
37
-gettext.textdomain('freewvs')
38
-_ = gettext.gettext
39
-
40 35
 
41 36
 def versioncompare(safe_version, find_version):
42 37
     if safe_version == [""]:
... ...
@@ -55,23 +50,6 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
55 50
     if not style:
56 51
         print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s "
57 52
               "%(appdir)s" % vars())
58
-    elif style == 'fancy':
59
-        print(_("Directory: %(appdir)s") % vars())
60
-        if safeversion != "ok":
61
-            if safeversion != "":
62
-                print(_("Vulnerable %(appname)s %(version)s found, please "
63
-                        "update to %(safeversion)s or above.") % vars())
64
-            else:
65
-                print(_("Vulnerable %(appname)s %(version)s found, no fixed "
66
-                        "version available.") % vars())
67
-            if vuln[:3] == "CVE":
68
-                print(_("https://cve.mitre.org/cgi-bin/cvename.cgi?name="
69
-                        "%(vuln)s") % vars())
70
-            else:
71
-                print(vuln)
72
-        else:
73
-            print(_("%(appname)s %(version)s found.") % vars())
74
-        print("")
75 53
     elif style == 'xml':
76 54
         state = 'vulnerable'
77 55
         if safeversion == 'ok':
... ...
@@ -86,18 +64,11 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
86 64
         print('  </app>')
87 65
 
88 66
 
89
-pp = pprint.PrettyPrinter(indent=4)
90
-
91 67
 # Command-line options
92 68
 parser = optparse.OptionParser(usage="usage: %prog [options] <path>"
93 69
                                "[<path2> ...]")
94 70
 parser.add_option("-a", "--all", action="store_true", dest="ALL",
95 71
                   help="Show all webapps found, not just vulnerable")
96
-parser.add_option("-d", "--debug", action="store_true", dest="DEBUG",
97
-                  help="Show lots of debugging output, mainly useful"
98
-                  "for development")
99
-parser.add_option("-f", "--fancy", action="store_const", dest="OUTPUT",
100
-                  const="fancy", help="Show more fancy output")
101 72
 parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT",
102 73
                   const="xml", help="Output results as XML")
103 74
 parser.add_option("-3", "--thirdparty", action="store_true", dest="THIRDPARTY",
... ...
@@ -156,8 +127,6 @@ for sect in config.sections():
156 127
         item['old_safe'] = []
157 128
 
158 129
     vdb.append(item)
159
-if opts.DEBUG:
160
-    pp.pprint(vdb)
161 130
 
162 131
 if opts.OUTPUT == 'xml':
163 132
     print('<?xml version="1.0" ?>')
... ...
@@ -202,14 +171,10 @@ for fdir in args:
202 171
                             findversion.split('.'))) or \
203 172
                             item['old_safe'].count(findversion) > 0:
204 173
                         if opts.ALL:
205
-                            if opts.DEBUG:
206
-                                print("File " + mfile)
207 174
                             vulnprint(item['name'], findversion,
208 175
                                       "ok", "", mfile, item['subdir'],
209 176
                                       opts.OUTPUT)
210 177
                     else:
211
-                        if opts.DEBUG:
212
-                            print("File " + mfile)
213 178
                         safev = "9999"
214 179
                         for ver in item['old_safe']:
215 180
                             if(versioncompare(ver.split('.'),

fix nomatch logic

Hanno Böck authored on08/12/2019 17:16:52
Showing1 changed files
... ...
@@ -181,7 +181,7 @@ for fdir in args:
181 181
                     if ((item['extra_match']
182 182
                        and item['extra_match'] not in filestr)
183 183
                        or (item['extra_nomatch']
184
-                       and item['extra_nomatch'] not in filestr)
184
+                       and item['extra_nomatch'] in filestr)
185 185
                        or (item['path_match']
186 186
                        and not root.endswith(item['path_match']))):
187 187
                         continue

codingstyle

Hanno Böck authored on08/12/2019 15:07:47
Showing1 changed files
... ...
@@ -131,7 +131,7 @@ for sect in config.sections():
131 131
 
132 132
     # match magic
133 133
     item['variable'] = re.compile(re.escape(config.get(sect, 'variable'))
134
-                                + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]")
134
+                                  + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]")
135 135
 
136 136
     # optional options
137 137
     if config.has_option(sect, 'extra_match'):
... ...
@@ -189,7 +189,7 @@ for fdir in args:
189 189
                     findversion = item['variable'].search(filestr)
190 190
                     if not findversion:
191 191
                         continue
192
-                    findversion=findversion.group(1)
192
+                    findversion = findversion.group(1)
193 193
 
194 194
                     # Very ugly phpbb workaround
195 195
                     if item['add_minor']:

remove year so we don't have to update it

Hanno Böck authored on08/12/2019 15:06:44
Showing1 changed files
... ...
@@ -4,7 +4,7 @@
4 4
 #
5 5
 # https://source.schokokeks.org/freewvs/
6 6
 #
7
-# Written 2007-2012 by schokokeks.org Hosting, https://schokokeks.org
7
+# Written by schokokeks.org Hosting, https://schokokeks.org
8 8
 #
9 9
 # Contributions by
10 10
 # Hanno Boeck, https://hboeck.de/

simplify loop logic by using early continue

Hanno Böck authored on07/12/2019 18:43:52
Showing1 changed files
... ...
@@ -130,10 +130,8 @@ for sect in config.sections():
130 130
     item['subdir'] = int(config.get(sect, 'subdir'))
131 131
 
132 132
     # match magic
133
-    item['variable'] = []
134
-    for var in config.get(sect, 'variable').split(","):
135
-        item['variable'].append(re.compile(re.escape(var)
136
-                                + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
133
+    item['variable'] = re.compile(re.escape(config.get(sect, 'variable'))
134
+                                + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]")
137 135
 
138 136
     # optional options
139 137
     if config.has_option(sect, 'extra_match'):
... ...
@@ -180,66 +178,51 @@ for fdir in args:
180 178
                     filestr = file.read()
181 179
                     file.close()
182 180
 
183
-                    if item['extra_match']:
184
-                        ematch = filestr.find(item['extra_match']) != -1
185
-                    elif item['extra_nomatch']:
186
-                        ematch = not filestr.find(item['extra_nomatch']) != -1
187
-                    else:
188
-                        ematch = True
189
-
190
-                    if (item['path_match']
191
-                       and not root.endswith(item['path_match'])):
181
+                    if ((item['extra_match']
182
+                       and item['extra_match'] not in filestr)
183
+                       or (item['extra_nomatch']
184
+                       and item['extra_nomatch'] not in filestr)
185
+                       or (item['path_match']
186
+                       and not root.endswith(item['path_match']))):
192 187
                         continue
193 188
 
194
-                    findversion = []
195
-                    for var in item['variable']:
196
-                        var = var.search(filestr)
197
-                        if not var:
198
-                            findversion = False
199
-                            break
200
-                        else:
201
-                            findversion.append(var.group(1))
189
+                    findversion = item['variable'].search(filestr)
190
+                    if not findversion:
191
+                        continue
192
+                    findversion=findversion.group(1)
202 193
 
203
-                    if findversion and ematch:
194
+                    # Very ugly phpbb workaround
195
+                    if item['add_minor']:
196
+                        findversion = findversion.split('.')
197
+                        findversion[-1] = str(int(findversion[-1])
198
+                                              + int(item['add_minor']))
204 199
                         findversion = '.'.join(findversion)
205 200
 
206
-                        # Very ugly phpbb workaround
207
-                        if item['add_minor']:
208
-                            findversion = findversion.split('.')
209
-                            findversion[-1] = str(int(findversion[-1])
210
-                                                  + int(item['add_minor']))
211
-                            findversion = '.'.join(findversion)
212
-
213
-                        if not (versioncompare(item['safe'].split('.'),
214
-                                findversion.split('.'))) or \
215
-                                item['old_safe'].count(findversion) > 0:
216
-                            if opts.ALL:
217
-                                if opts.DEBUG:
218
-                                    print("File " + mfile)
219
-                                vulnprint(item['name'], findversion,
220
-                                          "ok", "", mfile, item['subdir'],
221
-                                          opts.OUTPUT)
222
-                        else:
201
+                    if not (versioncompare(item['safe'].split('.'),
202
+                            findversion.split('.'))) or \
203
+                            item['old_safe'].count(findversion) > 0:
204
+                        if opts.ALL:
223 205
                             if opts.DEBUG:
224 206
                                 print("File " + mfile)
225
-                            safev = "9999"
226
-                            for ver in item['old_safe']:
227
-                                if(versioncompare(ver.split('.'),
228
-                                   findversion.split('.'))
229
-                                   and not versioncompare(ver.split('.'),
230
-                                   safev.split('.'))):
231
-                                    safev = ver
232
-                            if safev == "9999":
233
-                                safev = item['safe']
234
-
235 207
                             vulnprint(item['name'], findversion,
236
-                                      safev, item['vuln'],
237
-                                      mfile, item['subdir'], opts.OUTPUT)
238
-
208
+                                      "ok", "", mfile, item['subdir'],
209
+                                      opts.OUTPUT)
239 210
                     else:
240 211
                         if opts.DEBUG:
241
-                            print("regexp failed for "
242
-                                  + item['name'] + " on " + mfile)
212
+                            print("File " + mfile)
213
+                        safev = "9999"
214
+                        for ver in item['old_safe']:
215
+                            if(versioncompare(ver.split('.'),
216
+                               findversion.split('.'))
217
+                               and not versioncompare(ver.split('.'),
218
+                               safev.split('.'))):
219
+                                safev = ver
220
+                        if safev == "9999":
221
+                            safev = item['safe']
222
+
223
+                        vulnprint(item['name'], findversion,
224
+                                  safev, item['vuln'],
225
+                                  mfile, item['subdir'], opts.OUTPUT)
243 226
 
244 227
 if opts.OUTPUT == 'xml':
245 228
     print('</freewvs>')
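Review bot: The `extra_nomatch` clause in the new combined condition of the second hunk is inverted compared with the branch it replaces. The removed code set `ematch = not filestr.find(item['extra_nomatch']) != -1`, so a file was dropped when the string was present; the new clause `item['extra_nomatch'] not in filestr` drops it when the string is absent, so entries that rely on `extra_nomatch` would stop reporting the installations they are meant to find. The clause should read `and item['extra_nomatch'] in filestr)`. The first hunk also stops splitting `variable` on commas, so a database entry that still lists several variables would be compiled as one literal and never match; that is worth checking against the database. The enclosing loops start outside the hunks.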

add path_match feature, allows us to make joomla detection much simpler

Hanno Böck authored on07/12/2019 18:16:49
Showing1 changed files
... ...
@@ -144,6 +144,10 @@ for sect in config.sections():
144 144
         item['extra_nomatch'] = config.get(sect, 'extra_nomatch')
145 145
     else:
146 146
         item['extra_nomatch'] = False
147
+    if config.has_option(sect, 'path_match'):
148
+        item['path_match'] = config.get(sect, 'path_match')
149
+    else:
150
+        item['path_match'] = False
147 151
     if config.has_option(sect, 'add_minor'):
148 152
         item['add_minor'] = config.get(sect, 'add_minor')
149 153
     else:
... ...
@@ -183,6 +187,10 @@ for fdir in args:
183 187
                     else:
184 188
                         ematch = True
185 189
 
190
+                    if (item['path_match']
191
+                       and not root.endswith(item['path_match'])):
192
+                        continue
193
+
186 194
                     findversion = []
187 195
                     for var in item['variable']:
188 196
                         var = var.search(filestr)
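Review bot: `root.endswith(item['path_match'])` in the second hunk is a plain string-suffix test, not a path-component test, so a `path_match` of `foo` also accepts a directory named `xfoo`, and a scan root passed with a trailing slash never matches at the top level because `os.walk` yields it unchanged. If the intent is to match whole trailing components, normalise first and require a separator before the suffix, e.g. `('/' + os.path.normpath(root)).endswith('/' + item['path_match'].strip('/'))`. The option also has no comment saying what form its value takes; something like `# path_match: trailing directory components the file must live in` next to the assignment in the first hunk would help database authors. Both hunks sit inside loops that start outside them.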

codingstyle: avoid long lines and put operators in next line

Hanno Böck authored on03/12/2019 14:29:48
Showing1 changed files
... ...
@@ -109,7 +109,8 @@ config = configparser.ConfigParser()
109 109
 try:
110 110
     config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
111 111
     config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
112
-    config.read(glob.glob(os.path.dirname(sys.argv[0]) + '/freewvsdb/*.freewvs'))
112
+    config.read(glob.glob(os.path.dirname(sys.argv[0])
113
+                          + '/freewvsdb/*.freewvs'))
113 114
 except configparser.MissingSectionHeaderError as err:
114 115
     print("Error parsing config files: %s" % err)
115 116
 
... ...
@@ -117,7 +118,8 @@ vdb = []
117 118
 for sect in config.sections():
118 119
     item = {}
119 120
 
120
-    if config.getboolean(sect, 'thirdparty', fallback=False) and not opts.THIRDPARTY:
121
+    if (config.getboolean(sect, 'thirdparty', fallback=False)
122
+       and not opts.THIRDPARTY):
121 123
         continue
122 124
 
123 125
     # base options
... ...
@@ -130,8 +132,8 @@ for sect in config.sections():
130 132
     # match magic
131 133
     item['variable'] = []
132 134
     for var in config.get(sect, 'variable').split(","):
133
-        item['variable'].append(re.compile(re.escape(var) +
134
-                                r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
135
+        item['variable'].append(re.compile(re.escape(var)
136
+                                + r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
135 137
 
136 138
     # optional options
137 139
     if config.has_option(sect, 'extra_match'):
... ...
@@ -196,8 +198,8 @@ for fdir in args:
196 198
                         # Very ugly phpbb workaround
197 199
                         if item['add_minor']:
198 200
                             findversion = findversion.split('.')
199
-                            findversion[-1] = str(int(findversion[-1]) +
200
-                                                  int(item['add_minor']))
201
+                            findversion[-1] = str(int(findversion[-1])
202
+                                                  + int(item['add_minor']))
201 203
                             findversion = '.'.join(findversion)
202 204
 
203 205
                         if not (versioncompare(item['safe'].split('.'),
... ...
@@ -215,8 +217,8 @@ for fdir in args:
215 217
                             safev = "9999"
216 218
                             for ver in item['old_safe']:
217 219
                                 if(versioncompare(ver.split('.'),
218
-                                   findversion.split('.')) and
219
-                                   not versioncompare(ver.split('.'),
220
+                                   findversion.split('.'))
221
+                                   and not versioncompare(ver.split('.'),
220 222
                                    safev.split('.'))):
221 223
                                     safev = ver
222 224
                             if safev == "9999":
... ...
@@ -228,8 +230,8 @@ for fdir in args:
228 230
 
229 231
                     else:
230 232
                         if opts.DEBUG:
231
-                            print("regexp failed for " +
232
-                                  item['name'] + " on " + mfile)
233
+                            print("regexp failed for "
234
+                                  + item['name'] + " on " + mfile)
233 235
 
234 236
 if opts.OUTPUT == 'xml':
235 237
     print('</freewvs>')

Enforce python 3, remove python 2 workarounds

Hanno Böck authored on25/11/2019 09:26:52
Showing1 changed files
... ...
@@ -1,4 +1,4 @@
1
-#!/usr/bin/python -tO
1
+#!/usr/bin/python3 -O
2 2
 
3 3
 # freewvs 0.1 - the free web vulnerability scanner
4 4
 #
... ...
@@ -23,13 +23,7 @@
23 23
 # return your changes to the public. We would be especially happy if you tell
24 24
 # us what you're going to do with this code.
25 25
 
26
-try:					# python3
27
-    import configparser
28
-except ImportError:			# python2
29
-    import ConfigParser as configparser
30
-    # overwrite default open() function
31
-    # this one supports encoding='...'
32
-    from codecs import open
26
+import configparser
33 27
 
34 28
 import os
35 29
 import glob

Don't stop on decoding errors

Hanno Böck authored on25/11/2019 09:22:47
Showing1 changed files
... ...
@@ -174,7 +174,7 @@ for fdir in args:
174 174
                 if filename == item['file']:
175 175
                     mfile = os.path.join(root, filename)
176 176
                     try:
177
-                        file = open(mfile)
177
+                        file = open(mfile, errors='replace')
178 178
                     except Exception:
179 179
                         continue
180 180
                     filestr = file.read()
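Review bot: Only `open()` is inside the `try`; `file.read()` on the following line is outside it, so an I/O error while reading still ends the whole scan with a traceback. `errors='replace'` stops decoding failures, but the encoding is still the locale default, so the same file can decode differently on different hosts. Moving the read into the guarded block, `with open(mfile, errors='replace') as file:` followed by `filestr = file.read()`, would cover the read and close the handle on every path. Printing the skipped path under `opts.DEBUG` instead of a bare `continue` would keep unreadable files from dropping out of the report unnoticed. The loop body continues outside the hunk.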

Add possibility to scan for thirdparty components that are disabled by default

Hanno Böck authored on25/11/2019 08:46:35
Showing1 changed files
... ...
@@ -106,6 +106,8 @@ parser.add_option("-f", "--fancy", action="store_const", dest="OUTPUT",
106 106
                   const="fancy", help="Show more fancy output")
107 107
 parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT",
108 108
                   const="xml", help="Output results as XML")
109
+parser.add_option("-3", "--thirdparty", action="store_true", dest="THIRDPARTY",
110
+                  help="Scan for third-party components like jquery")
109 111
 opts, args = parser.parse_args()
110 112
 
111 113
 # Parse vulnerability database
... ...
@@ -121,6 +123,9 @@ vdb = []
121 123
 for sect in config.sections():
122 124
     item = {}
123 125
 
126
+    if config.getboolean(sect, 'thirdparty', fallback=False) and not opts.THIRDPARTY:
127
+        continue
128
+
124 129
     # base options
125 130
     item['name'] = sect
126 131
     item['safe'] = config.get(sect, 'safe')
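Review bot: `config.getboolean(sect, 'thirdparty', fallback=False)` raises `ValueError` when an entry carries a value that is not a recognised boolean, and nothing visible in the second hunk catches it, so one malformed database entry would stop the scan before any directory is examined. Wrapping the call, or validating the database when it is loaded, and naming the offending section in the message would make that failure diagnosable. The `fallback=` keyword is also Python 3 only, while the Python 2 import fallback is removed only by the later "Enforce python 3" commit on this page, so at this revision the script presumably fails under Python 2. The `for sect` loop continues outside the hunk.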

implement some recommendations from pylint

Hanno authored on05/08/2018 00:29:10
Showing1 changed files
... ...
@@ -52,7 +52,7 @@ def versioncompare(safe_version, find_version):
52 52
             return True
53 53
         if int(find_version[i]) > int(safe_version[i]):
54 54
             return False
55
-    return (len(find_version) < len(safe_version))
55
+    return len(find_version) < len(safe_version)
56 56
 
57 57
 
58 58
 def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
... ...
@@ -176,9 +176,9 @@ for fdir in args:
176 176
                     file.close()
177 177
 
178 178
                     if item['extra_match']:
179
-                        ematch = (filestr.find(item['extra_match']) != -1)
179
+                        ematch = filestr.find(item['extra_match']) != -1
180 180
                     elif item['extra_nomatch']:
181
-                        ematch = not (filestr.find(item['extra_nomatch']) != -1)
181
+                        ematch = not filestr.find(item['extra_nomatch']) != -1
182 182
                     else:
183 183
                         ematch = True
184 184
 

pycodestyle fixes

Hanno Böck authored on17/11/2017 20:55:19
Showing1 changed files
... ...
@@ -57,7 +57,7 @@ def versioncompare(safe_version, find_version):
57 57
 
58 58
 def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
59 59
               style=None):
60
-    appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1-subdir])
60
+    appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1 - subdir])
61 61
     if not style:
62 62
         print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s "
63 63
               "%(appdir)s" % vars())
... ...
@@ -113,7 +113,7 @@ config = configparser.ConfigParser()
113 113
 try:
114 114
     config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
115 115
     config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
116
-    config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
116
+    config.read(glob.glob(os.path.dirname(sys.argv[0]) + '/freewvsdb/*.freewvs'))
117 117
 except configparser.MissingSectionHeaderError as err:
118 118
     print("Error parsing config files: %s" % err)
119 119
 
... ...
@@ -170,7 +170,7 @@ for fdir in args:
170 170
                     mfile = os.path.join(root, filename)
171 171
                     try:
172 172
                         file = open(mfile)
173
-                    except:
173
+                    except Exception:
174 174
                         continue
175 175
                     filestr = file.read()
176 176
                     file.close()
... ...
@@ -206,7 +206,7 @@ for fdir in args:
206 206
                                 item['old_safe'].count(findversion) > 0:
207 207
                             if opts.ALL:
208 208
                                 if opts.DEBUG:
209
-                                    print("File "+mfile)
209
+                                    print("File " + mfile)
210 210
                                 vulnprint(item['name'], findversion,
211 211
                                           "ok", "", mfile, item['subdir'],
212 212
                                           opts.OUTPUT)

fix regexp somewhat, this should be reviewed again

Hanno Böck authored on17/11/2017 20:04:57
Showing1 changed files
... ...
@@ -132,7 +132,7 @@ for sect in config.sections():
132 132
     item['variable'] = []
133 133
     for var in config.get(sect, 'variable').split(","):
134 134
         item['variable'].append(re.compile(re.escape(var) +
135
-                                r"[^0-9.\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
135
+                                r"[^0-9\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
136 136
 
137 137
     # optional options
138 138
     if config.has_option(sect, 'extra_match'):
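Review bot: After this change `[^0-9\n\r]*` already matches dots, so the following `[.]*` is redundant, and together with `[0-9.]*` three adjacent quantifiers can all consume the same run of dots, which invites heavy backtracking on a long dotted line. The capture `([0-9.]*[0-9])` also accepts strings with empty components such as `1..2`; `versioncompare`, shown elsewhere on this page, calls `int()` on each component, so such a match would raise `ValueError` and end the scan. Since the scanned files are not under the operator's control, a stricter capture such as `([0-9]+(?:\.[0-9]+)*)` is worth considering, with a test file per database entry to confirm detection is unchanged. The `for var` loop starts outside the hunk.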

convert all http URLs to https

Hanno Böck authored on25/09/2017 15:00:33
Showing1 changed files
... ...
@@ -2,14 +2,14 @@
2 2
 
3 3
 # freewvs 0.1 - the free web vulnerability scanner
4 4
 #
5
-# http://source.schokokeks.org/freewvs/
5
+# https://source.schokokeks.org/freewvs/
6 6
 #
7
-# Written 2007-2012 by schokokeks.org Hosting, http://www.schokokeks.org
7
+# Written 2007-2012 by schokokeks.org Hosting, https://schokokeks.org
8 8
 #
9 9
 # Contributions by
10
-# Hanno Boeck, http://hboeck.de/
11
-# Fabian Fingerle, http://www.fabian-fingerle.de/
12
-# Bernd Wurst, http://bwurst.org/
10
+# Hanno Boeck, https://hboeck.de/
11
+# Fabian Fingerle, https://fabian-fingerle.de/
12
+# Bernd Wurst, https://bwurst.org/
13 13
 #
14 14
 # To the extent possible under law, the author(s) have dedicated all copyright
15 15
 # and related and neighboring rights to this software to the public domain
... ...
@@ -17,7 +17,7 @@
17 17
 #
18 18
 # You should have received a copy of the CC0 Public Domain Dedication along
19 19
 # with this software. If not, see
20
-# http://creativecommons.org/publicdomain/zero/1.0/
20
+# https://creativecommons.org/publicdomain/zero/1.0/
21 21
 # Nevertheless, in case you use a significant part of this code, we ask (but
22 22
 # not require, see the license) that you keep the authors' names in place and
23 23
 # return your changes to the public. We would be especially happy if you tell
... ...
@@ -71,7 +71,7 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
71 71
                 print(_("Vulnerable %(appname)s %(version)s found, no fixed "
72 72
                         "version available.") % vars())
73 73
             if vuln[:3] == "CVE":
74
-                print(_("http://cve.mitre.org/cgi-bin/cvename.cgi?name="
74
+                print(_("https://cve.mitre.org/cgi-bin/cvename.cgi?name="
75 75
                         "%(vuln)s") % vars())
76 76
             else:
77 77
                 print(vuln)

missing space

Hanno Böck authored on10/02/2017 10:42:16
Showing1 changed files
... ...
@@ -59,7 +59,7 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
59 59
               style=None):
60 60
     appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1-subdir])
61 61
     if not style:
62
-        print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s"
62
+        print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s "
63 63
               "%(appdir)s" % vars())
64 64
     elif style == 'fancy':
65 65
         print(_("Directory: %(appdir)s") % vars())

a bit better detection for own/nextcloud, still not working for some older nextcloud versions

Hanno Böck authored on08/02/2017 00:01:21
Showing1 changed files
... ...
@@ -139,6 +139,10 @@ for sect in config.sections():
139 139
         item['extra_match'] = config.get(sect, 'extra_match')
140 140
     else:
141 141
         item['extra_match'] = False
142
+    if config.has_option(sect, 'extra_nomatch'):
143
+        item['extra_nomatch'] = config.get(sect, 'extra_nomatch')
144
+    else:
145
+        item['extra_nomatch'] = False
142 146
     if config.has_option(sect, 'add_minor'):
143 147
         item['add_minor'] = config.get(sect, 'add_minor')
144 148
     else:
... ...
@@ -173,6 +177,8 @@ for fdir in args:
173 177
 
174 178
                     if item['extra_match']:
175 179
                         ematch = (filestr.find(item['extra_match']) != -1)
180
+                    elif item['extra_nomatch']:
181
+                        ematch = not (filestr.find(item['extra_nomatch']) != -1)
176 182
                     else:
177 183
                         ematch = True
178 184
 

format syntax according to pep8

Hanno Böck authored on09/01/2017 18:08:20
Showing1 changed files
... ...
@@ -16,86 +16,96 @@
16 16
 # worldwide. This software is distributed without any warranty.
17 17
 #
18 18
 # You should have received a copy of the CC0 Public Domain Dedication along
19
-# with this software. If not, see 
19
+# with this software. If not, see
20 20
 # http://creativecommons.org/publicdomain/zero/1.0/
21 21
 # Nevertheless, in case you use a significant part of this code, we ask (but
22 22
 # not require, see the license) that you keep the authors' names in place and
23 23
 # return your changes to the public. We would be especially happy if you tell
24 24
 # us what you're going to do with this code.
25 25
 
26
-try: # python3
27
-	import configparser
28
-except ImportError: # python2
29
-	import ConfigParser as configparser
30
-	# overwrite default open() function
31
-	# this one supports encoding='...'
32
-	from codecs import open
33
-
34
-import os, glob, pprint, re, optparse, sys, gettext
26
+try:					# python3
27
+    import configparser
28
+except ImportError:			# python2
29
+    import ConfigParser as configparser
30
+    # overwrite default open() function
31
+    # this one supports encoding='...'
32
+    from codecs import open
33
+
34
+import os
35
+import glob
36
+import pprint
37
+import re
38
+import optparse
39
+import sys
40
+import gettext
35 41
 from xml.sax.saxutils import escape
36 42
 
37 43
 gettext.textdomain('freewvs')
38 44
 _ = gettext.gettext
39 45
 
46
+
40 47
 def versioncompare(safe_version, find_version):
41 48
     if safe_version == [""]:
42 49
         return True
43 50
     for i in range(min(len(find_version), len(safe_version))):
44
-        if int(find_version[i])<int(safe_version[i]):
51
+        if int(find_version[i]) < int(safe_version[i]):
45 52
             return True
46
-        if int(find_version[i])>int(safe_version[i]):
53
+        if int(find_version[i]) > int(safe_version[i]):
47 54
             return False
48
-    return (len(find_version)<len(safe_version))
55
+    return (len(find_version) < len(safe_version))
56
+
49 57
 
50
-def vulnprint(appname, version, safeversion, vuln, vfilename, subdir, style = None):
58
+def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
59
+              style=None):
51 60
     appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1-subdir])
52 61
     if not style:
53
-        print ("%(appname)s %(version)s (%(safeversion)s) %(vuln)s %(appdir)s" \
54
-              % vars())
55
-    elif style=='fancy':
56
-        print (_("Directory: %(appdir)s") % vars())
57
-        if safeversion!="ok":
58
-            if safeversion!="":
59
-                print (_("Vulnerable %(appname)s %(version)s found, please update to " \
60
-                        "%(safeversion)s or above.") % vars())
62
+        print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s"
63
+              "%(appdir)s" % vars())
64
+    elif style == 'fancy':
65
+        print(_("Directory: %(appdir)s") % vars())
66
+        if safeversion != "ok":
67
+            if safeversion != "":
68
+                print(_("Vulnerable %(appname)s %(version)s found, please "
69
+                        "update to %(safeversion)s or above.") % vars())
61 70
             else:
62
-                print (_("Vulnerable %(appname)s %(version)s found, no fixed version available." \
63
-                        ) % vars())
71
+                print(_("Vulnerable %(appname)s %(version)s found, no fixed "
72
+                        "version available.") % vars())
64 73
             if vuln[:3] == "CVE":
65
-                print (_("http://cve.mitre.org/cgi-bin/cvename.cgi?name=%(vuln)s") \
66
-                        % vars())
74
+                print(_("http://cve.mitre.org/cgi-bin/cvename.cgi?name="
75
+                        "%(vuln)s") % vars())
67 76
             else:
68
-                print (vuln)
77
+                print(vuln)
69 78
         else:
70
-            print (_("%(appname)s %(version)s found." ) % vars())
71
-        print ("")
72
-    elif style=='xml':
79
+            print(_("%(appname)s %(version)s found.") % vars())
80
+        print("")
81
+    elif style == 'xml':
73 82
         state = 'vulnerable'
74 83
         if safeversion == 'ok':
75 84
             state = 'ok'
76
-        print ('  <app state="%s">' % state)
77
-        print ('    <appname>%s</appname>' % escape(appname))
78
-        print ('    <version>%s</version>' % escape(version))
79
-        print ('    <directory>%s</directory>' % escape(appdir))
85
+        print('  <app state="%s">' % state)
86
+        print('    <appname>%s</appname>' % escape(appname))
87
+        print('    <version>%s</version>' % escape(version))
88
+        print('    <directory>%s</directory>' % escape(appdir))
80 89
         if state == 'vulnerable':
81
-            print ('    <safeversion>%s</safeversion>' % escape(safeversion))
82
-            print ('    <vulninfo>%s</vulninfo>' % escape(vuln))
83
-        print ('  </app>')
90
+            print('    <safeversion>%s</safeversion>' % escape(safeversion))
91
+            print('    <vulninfo>%s</vulninfo>' % escape(vuln))
92
+        print('  </app>')
84 93
 
85 94
 
86 95
 pp = pprint.PrettyPrinter(indent=4)
87 96
 
88 97
 # Command-line options
89
-parser = optparse.OptionParser(usage="usage: %prog [options] <path> [<path2> ...]")
98
+parser = optparse.OptionParser(usage="usage: %prog [options] <path>"
99
+                               "[<path2> ...]")
90 100
 parser.add_option("-a", "--all", action="store_true", dest="ALL",
91 101
                   help="Show all webapps found, not just vulnerable")
92 102
 parser.add_option("-d", "--debug", action="store_true", dest="DEBUG",
93
-                  help="Show lots of debugging output, mainly useful"+ \
103
+                  help="Show lots of debugging output, mainly useful"
94 104
                   "for development")
95
-parser.add_option("-f", "--fancy", action="store_const", dest="OUTPUT", const="fancy",
96
-                  help="Show more fancy output")
97
-parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT", const="xml",
98
-                  help="Output results as XML")
105
+parser.add_option("-f", "--fancy", action="store_const", dest="OUTPUT",
106
+                  const="fancy", help="Show more fancy output")
107
+parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT",
108
+                  const="xml", help="Output results as XML")
99 109
 opts, args = parser.parse_args()
100 110
 
101 111
 # Parse vulnerability database
... ...
@@ -105,7 +115,7 @@ try:
105 115
     config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
106 116
     config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
107 117
 except configparser.MissingSectionHeaderError as err:
108
-    print("Error parsing config files: %s" % err);
118
+    print("Error parsing config files: %s" % err)
109 119
 
110 120
 vdb = []
111 121
 for sect in config.sections():
... ...
@@ -120,21 +130,21 @@ for sect in config.sections():
120 130
 
121 131
     # match magic
122 132
     item['variable'] = []
123
-    for var in config.get(sect,'variable').split(","):
124
-        item['variable'].append(re.compile(re.escape(var)+
133
+    for var in config.get(sect, 'variable').split(","):
134
+        item['variable'].append(re.compile(re.escape(var) +
125 135
                                 r"[^0-9.\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))
126 136
 
127 137
     # optional options
128
-    if config.has_option(sect,'extra_match'):
129
-        item['extra_match'] = config.get(sect,'extra_match')
138
+    if config.has_option(sect, 'extra_match'):
139
+        item['extra_match'] = config.get(sect, 'extra_match')
130 140
     else:
131 141
         item['extra_match'] = False
132
-    if config.has_option(sect,'add_minor'):
133
-        item['add_minor'] = config.get(sect,'add_minor')
142
+    if config.has_option(sect, 'add_minor'):
143
+        item['add_minor'] = config.get(sect, 'add_minor')
134 144
     else:
135 145
         item['add_minor'] = False
136
-    if config.has_option(sect,'old_safe'):
137
-        item['old_safe'] = config.get(sect,'old_safe').split(",")
146
+    if config.has_option(sect, 'old_safe'):
147
+        item['old_safe'] = config.get(sect, 'old_safe').split(",")
138 148
     else:
139 149
         item['old_safe'] = []
140 150
 
... ...
@@ -143,8 +153,8 @@ if opts.DEBUG:
143 153
     pp.pprint(vdb)
144 154
 
145 155
 if opts.OUTPUT == 'xml':
146
-  print ('<?xml version="1.0" ?>')
147
-  print ('<freewvs>')
156
+    print('<?xml version="1.0" ?>')
157
+    print('<freewvs>')
148 158
 
149 159
 # start the search
150 160
 
... ...
@@ -155,9 +165,9 @@ for fdir in args:
155 165
                 if filename == item['file']:
156 166
                     mfile = os.path.join(root, filename)
157 167
                     try:
158
-                      file = open(mfile)
168
+                        file = open(mfile)
159 169
                     except:
160
-                      continue
170
+                        continue
161 171
                     filestr = file.read()
162 172
                     file.close()
163 173
 
... ...
@@ -181,40 +191,40 @@ for fdir in args:
181 191
                         # Very ugly phpbb workaround
182 192
                         if item['add_minor']:
183 193
                             findversion = findversion.split('.')
184
-                            findversion[-1] = str(int(findversion[-1])+
185
-                                            int(item['add_minor']))
194
+                            findversion[-1] = str(int(findversion[-1]) +
195
+                                                  int(item['add_minor']))
186 196
                             findversion = '.'.join(findversion)
187 197
 
188
-                        if not (versioncompare(item['safe'].split('.'), \
198
+                        if not (versioncompare(item['safe'].split('.'),
189 199
                                 findversion.split('.'))) or \
190
-                                item['old_safe'].count(findversion)>0:
200
+                                item['old_safe'].count(findversion) > 0:
191 201
                             if opts.ALL:
192 202
                                 if opts.DEBUG:
193
-                                    print ("File "+mfile)
194
-                                vulnprint(item['name'], findversion, \
195
-                                          "ok", "", mfile, item['subdir'], \
203
+                                    print("File "+mfile)
204
+                                vulnprint(item['name'], findversion,
205
+                                          "ok", "", mfile, item['subdir'],
196 206
                                           opts.OUTPUT)
197 207
                         else:
198 208
                             if opts.DEBUG:
199
-                                print ("File "+mfile)
200
-                            safev="9999"
209
+                                print("File " + mfile)
210
+                            safev = "9999"
201 211
                             for ver in item['old_safe']:
202
-                                if (versioncompare(ver.split('.'), \
203
-                                    findversion.split('.') ) and \
204
-                                    not versioncompare(ver.split('.'), \
205
-                                    safev.split('.')) ):
206
-                                    safev=ver
207
-                            if safev=="9999":
208
-                                safev=item['safe']
209
-
210
-                            vulnprint (item['name'], findversion, \
211
-                                       safev, item['vuln'], \
212
-                                       mfile, item['subdir'], opts.OUTPUT)
212
+                                if(versioncompare(ver.split('.'),
213
+                                   findversion.split('.')) and
214
+                                   not versioncompare(ver.split('.'),
215
+                                   safev.split('.'))):
216
+                                    safev = ver
217
+                            if safev == "9999":
218
+                                safev = item['safe']
219
+
220
+                            vulnprint(item['name'], findversion,
221
+                                      safev, item['vuln'],
222
+                                      mfile, item['subdir'], opts.OUTPUT)
213 223
 
214 224
                     else:
215 225
                         if opts.DEBUG:
216
-                            print ("regexp failed for " + \
226
+                            print("regexp failed for " +
217 227
                                   item['name'] + " on " + mfile)
218 228
 
219 229
 if opts.OUTPUT == 'xml':
220
-  print ('</freewvs>')
230
+    print('</freewvs>')
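Review bot: Splitting long literals into adjacent strings dropped separators in two places in the first hunk: the default-style `print` now emits `%(vuln)s` and `%(appdir)s` with nothing between them, and the usage text becomes `<path>[<path2> ...]`. Anything that parses the plain output by whitespace would read the vulnerability id and the directory as one field (the later "missing space" commit on this page fixes that one). The first pieces should end with a space, `"%(appname)s %(version)s (%(safeversion)s) %(vuln)s "` and `"usage: %prog [options] <path> "`; the `--debug` help text (`"...mainly useful"` followed by `"for development"`) has the same gap, which predates this commit. The realigned `try:`/`except ImportError:` comments are padded with tabs, and `if(versioncompare(` lacks the space after `if`.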

catch error message on parsing ini files

Hanno Böck authored on09/01/2017 17:51:56
Showing1 changed files
... ...
@@ -100,9 +100,12 @@ opts, args = parser.parse_args()
100 100
 
101 101
 # Parse vulnerability database
102 102
 config = configparser.ConfigParser()
103
-config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
104
-config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
105
-config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
103
+try:
104
+    config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
105
+    config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
106
+    config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
107
+except configparser.MissingSectionHeaderError as err:
108
+    print("Error parsing config files: %s" % err);
106 109
 
107 110
 vdb = []
108 111
 for sect in config.sections():
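Review bot: The new `except` clause around the `config.read` calls handles only `configparser.MissingSectionHeaderError`, prints to stdout, and then lets the scan continue with whatever part of the database was loaded before the failure. Because one `try` wraps all three reads, an error in the first directory also skips the other two, so the scanner can report a clean result from an incomplete vulnerability list. I would catch the base class and stop: `except configparser.Error as err:` followed by `sys.exit("Error parsing config files: %s" % err)`, which writes to stderr and returns a non-zero status. The trailing `;` on the `print` line can go as well.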

don't enforce encoding on file open

Hanno Böck authored on09/01/2017 17:45:10
Showing1 changed files
... ...
@@ -152,7 +152,7 @@ for fdir in args:
152 152
                 if filename == item['file']:
153 153
                     mfile = os.path.join(root, filename)
154 154
                     try:
155
-                      file = open(mfile,encoding="iso-8859-15")
155
+                      file = open(mfile)
156 156
                     except:
157 157
                       continue
158 158
                     filestr = file.read()
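Review bot: With the explicit encoding removed, `open(mfile)` decodes with the locale's default codec in strict mode on Python 3, and the `file.read()` after the `try` is not covered by the handler. A scanned file holding bytes that are invalid in that codec would raise `UnicodeDecodeError` and abort the run, leaving the remaining directories unchecked. Tolerant decoding looks sufficient for the matching done here: `file = open(mfile, errors='replace')` (if Python 2 is still supported at this point, `open` would have to come from `io` for the keyword to exist). The bare `except:` could also be narrowed to `except (IOError, OSError):`. The enclosing loop starts and ends outside this hunk.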

support python-2.6 again, whose open() function does not have encoding-parameter by default

Bernd Wurst authored on24/02/2014 17:29:23
Showing1 changed files
... ...
@@ -27,6 +27,9 @@ try: # python3
27 27
 	import configparser
28 28
 except ImportError: # python2
29 29
 	import ConfigParser as configparser
30
+	# overwrite default open() function
31
+	# this one supports encoding='...'
32
+	from codecs import open
30 33
 
31 34
 import os, glob, pprint, re, optparse, sys, gettext
32 35
 from xml.sax.saxutils import escape
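Review bot: `from codecs import open` rebinds the builtin `open` for the whole module, and only on the Python 2 branch, so the same call behaves differently per interpreter. `codecs.open` opens the underlying file in binary mode and does no newline translation, which is not what Python 3's `open` does with the same arguments. `io.open` exists since Python 2.6 and is the same function as the Python 3 builtin, so a single unconditional `from io import open` below the `try`/`except` would give both interpreters identical semantics. If the shadowing stays, the comment should say that it only takes effect under Python 2.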

make code compatible with python 3

Hanno Böck authored on24/02/2014 17:14:27
Showing1 changed files
... ...
@@ -1,4 +1,4 @@
1
-#!/usr/bin/python2 -tO
1
+#!/usr/bin/python -tO
2 2
 
3 3
 # freewvs 0.1 - the free web vulnerability scanner
4 4
 #
... ...
@@ -23,7 +23,12 @@
23 23
 # return your changes to the public. We would be especially happy if you tell
24 24
 # us what you're going to do with this code.
25 25
 
26
-import ConfigParser, os, glob, pprint, re, optparse, sys, gettext
26
+try: # python3
27
+	import configparser
28
+except ImportError: # python2
29
+	import ConfigParser as configparser
30
+
31
+import os, glob, pprint, re, optparse, sys, gettext
27 32
 from xml.sax.saxutils import escape
28 33
 
29 34
 gettext.textdomain('freewvs')
... ...
@@ -60,7 +65,7 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir, style = No
60 65
                 print (vuln)
61 66
         else:
62 67
             print (_("%(appname)s %(version)s found." ) % vars())
63
-        print
68
+        print ("")
64 69
     elif style=='xml':
65 70
         state = 'vulnerable'
66 71
         if safeversion == 'ok':
... ...
@@ -91,7 +96,7 @@ parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT", const="xml
91 96
 opts, args = parser.parse_args()
92 97
 
93 98
 # Parse vulnerability database
94
-config = ConfigParser.ConfigParser()
99
+config = configparser.ConfigParser()
95 100
 config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
96 101
 config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
97 102
 config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
... ...
@@ -144,7 +149,7 @@ for fdir in args:
144 149
                 if filename == item['file']:
145 150
                     mfile = os.path.join(root, filename)
146 151
                     try:
147
-                      file = open(mfile)
152
+                      file = open(mfile,encoding="iso-8859-15")
148 153
                     except:
149 154
                       continue
150 155
                     filestr = file.read()
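Review bot: In the last hunk, `open(mfile,encoding="iso-8859-15")` sits under a bare `except:` that answers any error with `continue`. On Python 2 the builtin `open` has no `encoding` parameter, so the call raises `TypeError`, the handler swallows it, and every candidate file is skipped without a message; the scan then finishes with no findings. Narrowing the handler to `except (IOError, OSError):` keeps the intended skip for unreadable files and lets an interface error like this one surface. The loop this code belongs to starts and ends outside the hunk.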

add correct usage notice

Bernd Wurst authored on24/02/2014 16:53:21
Showing1 changed files
... ...
@@ -78,7 +78,7 @@ def vulnprint(appname, version, safeversion, vuln, vfilename, subdir, style = No
78 78
 pp = pprint.PrettyPrinter(indent=4)
79 79
 
80 80
 # Command-line options
81
-parser = optparse.OptionParser()
81
+parser = optparse.OptionParser(usage="usage: %prog [options] <path> [<path2> ...]")
82 82
 parser.add_option("-a", "--all", action="store_true", dest="ALL",
83 83
                   help="Show all webapps found, not just vulnerable")
84 84
 parser.add_option("-d", "--debug", action="store_true", dest="DEBUG",

contao update