2009/6/10 Andres Riancho <andres.rian...@gmail.com>:
> Stefano, All,
>
> On Mon, Jun 8, 2009 at 12:36 PM, Stefano Di Paola<wi...@wisec.it> wrote:
>> Guys,
>> Sorry for getting into the middle of this thread without knocking...
>> Inline since I hate bottom posting :)
>>
>> On Mon, 08/06/2009 at 12.05 -0300, Andres Riancho wrote:
>>> Ryan,
>>>
>>> First of all, I would like to congratulate you for a job well
>>> done. The wordpress_fingerprint plugin is now part of w3af.
>>>
>>> I just committed it [0] to the trunk with a couple of changes
>>> (please review those changes, they are important).
>>>
>>> On the other hand, we still need to work a little more on this
>>> plugin. One of the features that I think should be implemented is the
>>> comparison between the fingerprinted version, and the version that's
>>> retrieved with the regular expression, could you do that?
>>
>> I know it is a bit out of scope with the actual implementation of the
>> wordpress_fingerprint plugin, but I just finished reading this
>> interesting post:
>>
>> Web App Version detection using fingerprinting
>> http://sucuri.net/?page=docs&title=webapp-version-detection
>
> Also related, and from the same guys:
> http://sucuri.net/index.php?page=docs&title=state-wordpress-security
>
Here he says that the readme.html bears the WordPress version, however
this is not always true.
http://sucuri.net/?page=docs&title=wordpress-hardening

Here is what I found:

2.7.1 shows 2.7
2.7 shows 2.7
2.6.5 shows 2.6.1
2.6.3 shows 2.6.1
2.6.2 shows 2.6.1
2.6.1 shows 2.6.1
2.6 shows 2.6
2.5.1 shows 2.5
2.5 shows 2.5
2.3.3 shows 2.3
2.3.2 shows 2.3
2.3.1 shows 2.3
2.3 shows 2.3
2.2.3 shows 2.2

As you can see it is not a reliable source for fingerprinting the
WordPress version.

>> in particular:
>> 2- Wordpress Version Detection
>> 3- Wordpress version fingerprinting - Comparing files
>>
>> which I think is on topic at least to some extent.
>> It should not be too difficult to add a txt file and check for the
>> existence of those files to get a double check confirmation of the WP
>> version.
>>
>>
>>> Also related, I just tweeted about this [1]
>>>
>>> [0]
>>> http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup
>>> [1] http://twitter.com/w3af
>>>
>>> Cheers,
>>
>> Cheers,
>>
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
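
The comparison requested earlier in the thread, combined with the readme.html observations listed above, as an added example that is not part of the original message or of w3af's own code. The function names, the "Version x.y" pattern assumed for readme.html, and the sample markup are assumptions made for illustration; only the version pairs come from the message.

```python
import re

# Pairs copied from the message above:
# actual release -> version string that its readme.html shows.
OBSERVED = {
    "2.7.1": "2.7", "2.7": "2.7", "2.6.5": "2.6.1", "2.6.3": "2.6.1",
    "2.6.2": "2.6.1", "2.6.1": "2.6.1", "2.6": "2.6", "2.5.1": "2.5",
    "2.5": "2.5", "2.3.3": "2.3", "2.3.2": "2.3", "2.3.1": "2.3",
    "2.3": "2.3", "2.2.3": "2.2",
}

# Assumption: readme.html prints the word "Version" followed by a dotted number.
README_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)", re.IGNORECASE)

def readme_version(html):
    """Return the version string printed in readme.html, or None if absent."""
    m = README_VERSION_RE.search(html)
    return m.group(1) if m else None

def candidates(shown):
    """Observed releases whose readme.html shows `shown`, newest first."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    hits = [rel for rel, txt in OBSERVED.items() if txt == shown]
    return sorted(hits, key=as_tuple, reverse=True)

def reconcile(fingerprinted, html):
    """Cross-check a file-fingerprinted version against readme.html.

    The readme string is treated as a set of possible releases, never as
    an exact version, because several releases share one readme string.
    """
    shown = readme_version(html)
    if shown is None:
        return ("no-readme-version", [])
    cands = candidates(shown)
    if not cands:
        return ("unknown-readme-version", [])
    verdict = "consistent" if fingerprinted in cands else "conflict"
    return (verdict, cands)

# Constructed sample markup, not captured from a real installation.
SAMPLE_README = '<h1 id="logo">WordPress<br /> Version 2.6.1</h1>'

if __name__ == "__main__":
    print(reconcile("2.6.5", SAMPLE_README))
    print(reconcile("2.7.1", SAMPLE_README))
```

A "conflict" verdict means the two sources disagree beyond what the observed readme lag explains, so the fingerprint result deserves a second look before it is reported.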