Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package snallygaster for openSUSE:Factory checked in at 2022-01-04 19:38:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/snallygaster (Old) and /work/SRC/openSUSE:Factory/.snallygaster.new.1896 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "snallygaster" Tue Jan 4 19:38:21 2022 rev:6 rq:943812 version:0.0.11 Changes: -------- --- /work/SRC/openSUSE:Factory/snallygaster/snallygaster.changes 2021-06-19 23:03:40.667730294 +0200 +++ /work/SRC/openSUSE:Factory/.snallygaster.new.1896/snallygaster.changes 2022-01-04 19:39:05.618055967 +0100 @@ -1,0 +2,15 @@ +Tue Dec 28 16:53:13 UTC 2021 - Sebastian Wagner <[email protected]> + +- update to version 0.0.11: + - disable python 3.11 tests for now due to pylint/wrapt incompatibility + - fix pylint warning use-implicit-booleaness-not-comparison + - add detection of symfony debugging mode on 404 pages + - support v3 php-cs-fixer format and rename test + - enable onlinetests in GH actions + - improve apache server info detection / avoid false positives by adding closing h1 tag + - remove apache perl status, add documentation for apache-info check + - update check for apache-info, check for perl-info still need improving + add check for apache server info and perl-status + - Readme: add openSUSE package + +------------------------------------------------------------------- Old: ---- snallygaster-0.0.10.tar.gz New: ---- snallygaster-0.0.11.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ snallygaster.spec ++++++ --- /var/tmp/diff_new_pack.LbdCCq/_old 2022-01-04 19:39:05.982056444 +0100 +++ /var/tmp/diff_new_pack.LbdCCq/_new 2022-01-04 19:39:05.986056448 +0100 @@ -17,7 +17,7 @@ Name: snallygaster -Version: 0.0.10 +Version: 0.0.11 Release: 0 Summary: Tool to scan for hidden files on HTTP servers License: CC0-1.0 ++++++ snallygaster-0.0.10.tar.gz -> snallygaster-0.0.11.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/.github/workflows/runtests.yml new/snallygaster-0.0.11/.github/workflows/runtests.yml --- old/snallygaster-0.0.10/.github/workflows/runtests.yml 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/.github/workflows/runtests.yml 2021-12-28 16:15:25.000000000 +0100 @@ -1,4 +1,4 @@ -name: snallygaster tests +name: run tests on: - pull_request - push @@ -8,7 +8,9 @@ runs-on: ubuntu-latest strategy: matrix: - python-version: [3.8,3.9,3.10-dev] + # disable 3.11-dev for now, pylint fails due to + # https://github.com/GrahamDumpleton/wrapt/issues/196 + python-version: [3.8,3.x] steps: - uses: actions/checkout@v2 - name: Set up Python ${{ matrix.python-version }} @@ -21,5 +23,7 @@ pip install -r requirements.txt pip install pycodestyle pyflakes pylint dlint pyupgrade - name: Run tests + env: + RUN_ONLINETESTS: 1 run: | python3 -m unittest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/PKG-INFO new/snallygaster-0.0.11/PKG-INFO --- old/snallygaster-0.0.10/PKG-INFO 2021-06-17 11:43:27.413193200 +0200 +++ new/snallygaster-0.0.11/PKG-INFO 2021-12-28 16:42:41.409381400 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: snallygaster -Version: 0.0.10 +Version: 0.0.11 Summary: Tool to scan for secret files on HTTP servers Home-page: https://github.com/hannob/snallygaster Author: Hanno B??ck @@ -66,6 +66,7 @@ * [Gentoo](https://packages.gentoo.org/packages/net-analyzer/snallygaster) * [NetBSD](https://pkgsrc.se/security/snallygaster) * [Arch Linux (git version)](https://aur.archlinux.org/packages/snallygaster-git/) +* [openSUSE](https://software.opensuse.org/package/snallygaster) faq === diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/README.md new/snallygaster-0.0.11/README.md --- old/snallygaster-0.0.10/README.md 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/README.md 2021-12-28 15:23:13.000000000 +0100 @@ -42,6 +42,7 @@ * [Gentoo](https://packages.gentoo.org/packages/net-analyzer/snallygaster) * [NetBSD](https://pkgsrc.se/security/snallygaster) * [Arch Linux (git version)](https://aur.archlinux.org/packages/snallygaster-git/) +* [openSUSE](https://software.opensuse.org/package/snallygaster) faq === diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/TESTS.md new/snallygaster-0.0.11/TESTS.md --- old/snallygaster-0.0.10/TESTS.md 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/TESTS.md 2021-12-28 15:23:13.000000000 +0100 @@ -65,6 +65,15 @@ * [Sucuri: Popular sites with Apache server-status enabled](https://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html) +apache_server_info +-------------------- + +Apache server-info pages. These can contain visitor URLs and IP addresses of visitors. + +* [apache.org: Apache Module mod_info](https://httpd.apache.org/docs/2.4/mod/mod_info.html) +* [Heise.de: Webserver-Sicherheitsl??cke: Heikle Konfigurations- und Statusdaten publiziert](https://www.heise.de/hintergrund/Webserver-Sicherheitsluecke-Heikle-Konfigurations-und-Statusdaten-publiziert-4971830.html?seite=3) + + coredump -------- @@ -109,11 +118,11 @@ * [Internetwache: Scanning the Alexa Top 1M for .DS_Store files](https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/) * [ds_stope_exp (recursively download .DS_Store files)](https://github.com/lijiejie/ds_store_exp) -php_cs_cache +php_cs_fixer ------------ -Cache file from php-cs-checker, a codingstyle checker for PHP. This effectively leaks a directory -listing of PHP files. +Cache file from PHP-CS-Fixer, a codingstyle checker for PHP. This effectively leaks a directory +listing of PHP files. Supports both v2 and v3 formats. backupfiles @@ -366,6 +375,14 @@ * [Anonleaks: KennotFM / Details zu Hack und Defacement](https://anonleaks.net/2021/optinfoil/kennotfm-details-zu-hack-und-defacement/) +desktopini +---------- + +Finds Windows Explorer desktop.ini metadata files. These sometimes leak information +about possibly installed software on a developer machine or file names. +Impact is usually low, but it is very common. + + axfr ---- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/setup.py new/snallygaster-0.0.11/setup.py --- old/snallygaster-0.0.10/setup.py 2021-06-17 11:40:55.000000000 +0200 +++ new/snallygaster-0.0.11/setup.py 2021-12-28 16:42:33.000000000 +0100 @@ -11,7 +11,7 @@ setuptools.setup( name=package_name, - version="0.0.10", + version="0.0.11", description="Tool to scan for secret files on HTTP servers", long_description=readme, long_description_content_type='text/markdown', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/snallygaster new/snallygaster-0.0.11/snallygaster --- old/snallygaster-0.0.10/snallygaster 2021-06-17 11:20:30.000000000 +0200 +++ new/snallygaster-0.0.11/snallygaster 2021-12-28 15:24:38.000000000 +0100 @@ -170,6 +170,9 @@ what404['sql'] = False if 'you have <code>DEBUG = True</code>' in what404['content']: pout("django_debug", rndurl) + if '<title>No route found' in what404['content'] and \ + 'Symfony Exception' in what404['content']: + pout("symfony_debug", rndurl) global_what404[url] = what404 return what404 @@ -279,6 +282,13 @@ @DEFAULT +def test_apache_server_info(url): + r = fetcher(url + '/server-info') + if 'Apache Server Information</h1>' in r: + pout("apache_server_info", url + "/server-info") + + +@DEFAULT def test_coredump(url): r = fetchpartial(url + "/core", 20, binary=True) if r and r[0:4] == b'\x7fELF': @@ -324,10 +334,13 @@ @DEFAULT -def test_php_cs_cache(url): +def test_php_cs_fixer(url): r = fetcher(url + '/.php_cs.cache') if r[0:8] == '{"php":"': pout("php_cs_cache", url + "/.php_cs.cache") + r = fetcher(url + '/.php-cs-fixer.cache') + if r[0:8] == '{"php":"': + pout("php_cs_cache", url + "/.php-cs-fixer.cache") @DEFAULT @@ -758,6 +771,16 @@ @DEFAULT +def test_desktopini(url): + r = fetcher(url + "/desktop.ini") + if '[\x00.\x00S\x00h\x00e\x00l\x00l\x00C\x00l\x00a\x00s\x00s' in r: + pout("desktopini", url + "/desktop.ini") + r = fetcher(url + "/Desktop.ini") + if '[\x00.\x00S\x00h\x00e\x00l\x00l\x00C\x00l\x00a\x00s\x00s' in r: + pout("desktopini", url + "/Desktop.ini") + + +@DEFAULT @HOSTNAME def test_axfr(qhost): try: @@ -855,7 +878,7 @@ try: p = bs4.BeautifulSoup(r, 'html.parser') g = p.findAll("meta", {"name": "generator"}) - if g != [] and g[0]['content'][:9] == "WordPress": + if g and g[0]['content'][:9] == "WordPress": version = g[0]['content'][10:] if not set(version).issubset("0123456789."): return diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/snallygaster.egg-info/PKG-INFO new/snallygaster-0.0.11/snallygaster.egg-info/PKG-INFO --- old/snallygaster-0.0.10/snallygaster.egg-info/PKG-INFO 2021-06-17 11:43:27.000000000 +0200 +++ new/snallygaster-0.0.11/snallygaster.egg-info/PKG-INFO 2021-12-28 16:42:41.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: snallygaster -Version: 0.0.10 +Version: 0.0.11 Summary: Tool to scan for secret files on HTTP servers Home-page: https://github.com/hannob/snallygaster Author: Hanno B??ck @@ -66,6 +66,7 @@ * [Gentoo](https://packages.gentoo.org/packages/net-analyzer/snallygaster) * [NetBSD](https://pkgsrc.se/security/snallygaster) * [Arch Linux (git version)](https://aur.archlinux.org/packages/snallygaster-git/) +* [openSUSE](https://software.opensuse.org/package/snallygaster) faq === diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/tests/test_codingstyle.py new/snallygaster-0.0.11/tests/test_codingstyle.py --- old/snallygaster-0.0.10/tests/test_codingstyle.py 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/tests/test_codingstyle.py 2021-12-28 15:23:13.000000000 +0100 @@ -12,7 +12,7 @@ subprocess.run(["pyflakes"] + pyfiles, check=True) subprocess.run(["pylint", "--disable=missing-docstring,invalid-name," "bad-continuation,consider-using-with," - "too-many-lines"] + "too-many-lines,consider-using-f-string"] + pyfiles, check=True) subprocess.run(["flake8", "--select=DUO"] + pyfiles, check=True) subprocess.run(["pyupgrade", "--keep-percent-format", "--py38-plus"] + pyfiles, check=True) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/tests/test_docs.py new/snallygaster-0.0.11/tests/test_docs.py --- old/snallygaster-0.0.10/tests/test_docs.py 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/tests/test_docs.py 2021-12-28 15:23:13.000000000 +0100 @@ -6,10 +6,10 @@ # checking if there is documentation for all snallygaster tests # in the TEST.md documentation def test_docs(self): - f = open("snallygaster") + f = open("snallygaster", encoding="utf-8") funcs = re.findall("def test_([a-z_]*)", f.read()) f.close() - fd = open("TESTS.md") + fd = open("TESTS.md", encoding="utf-8") docs = [] ol = "" for line in fd.readlines(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.10/tests/test_scan_testdata.py new/snallygaster-0.0.11/tests/test_scan_testdata.py --- old/snallygaster-0.0.10/tests/test_scan_testdata.py 2021-06-17 11:19:22.000000000 +0200 +++ new/snallygaster-0.0.11/tests/test_scan_testdata.py 2021-12-28 15:23:13.000000000 +0100 @@ -15,6 +15,7 @@ "backupfiles": "[backupfiles] https://localhost:4443/index.php~";, "ds_store": "[ds_store] https://localhost:4443/.DS_Store";, "privatekey": "[privatekey_pkcs8] https://localhost:4443/server.key";, + "desktopini": "[desktopini] https://localhost:4443/desktop.ini";, } ++++++ testdata.tar.gz ++++++ Binary files old/snallygaster-testdata-master/desktop.ini and new/snallygaster-testdata-master/desktop.ini differ
