arachni 0.4.6 → 0.4.7

Files changed (310)
  1. checksums.yaml +8 -8
  2. data/CHANGELOG.md +21 -0
  3. data/Gemfile +1 -1
  4. data/README.md +1 -1
  5. data/lib/arachni/element/capabilities/auditable/taint.rb +1 -0
  6. data/lib/arachni/element/form.rb +4 -6
  7. data/lib/arachni/http.rb +1 -0
  8. data/lib/arachni/parser.rb +1 -1
  9. data/lib/arachni/spider.rb +14 -2
  10. data/lib/version +1 -1
  11. data/modules/audit/code_injection.rb +36 -10
  12. data/modules/audit/code_injection_php_input_wrapper.rb +38 -5
  13. data/modules/audit/code_injection_timing.rb +36 -13
  14. data/modules/audit/csrf.rb +41 -11
  15. data/modules/audit/file_inclusion.rb +36 -6
  16. data/modules/audit/ldapi.rb +31 -6
  17. data/modules/audit/os_cmd_injection.rb +28 -7
  18. data/modules/audit/os_cmd_injection_timing.rb +29 -15
  19. data/modules/audit/path_traversal.rb +42 -6
  20. data/modules/audit/response_splitting.rb +26 -9
  21. data/modules/audit/rfi.rb +37 -9
  22. data/modules/audit/session_fixation.rb +38 -7
  23. data/modules/audit/source_code_disclosure.rb +41 -5
  24. data/modules/audit/sqli.rb +57 -6
  25. data/modules/audit/sqli_blind_rdiff.rb +54 -9
  26. data/modules/audit/sqli_blind_timing.rb +58 -15
  27. data/modules/audit/unvalidated_redirect.rb +29 -9
  28. data/modules/audit/xpath.rb +35 -8
  29. data/modules/audit/xss.rb +54 -9
  30. data/modules/audit/xss_event.rb +54 -10
  31. data/modules/audit/xss_path.rb +56 -9
  32. data/modules/audit/xss_script_tag.rb +54 -8
  33. data/modules/audit/xss_tag.rb +53 -7
  34. data/modules/recon/allowed_methods.rb +24 -4
  35. data/modules/recon/backdoors.rb +29 -11
  36. data/modules/recon/backup_files.rb +30 -14
  37. data/modules/recon/common_directories.rb +27 -8
  38. data/modules/recon/common_files.rb +27 -7
  39. data/modules/recon/directory_listing.rb +30 -10
  40. data/modules/recon/grep/captcha.rb +26 -8
  41. data/modules/recon/grep/credit_card.rb +25 -6
  42. data/modules/recon/grep/cvs_svn_users.rb +23 -6
  43. data/modules/recon/grep/emails.rb +28 -8
  44. data/modules/recon/grep/form_upload.rb +31 -6
  45. data/modules/recon/grep/http_only_cookies.rb +33 -8
  46. data/modules/recon/grep/insecure_cookies.rb +36 -9
  47. data/modules/recon/grep/mixed_resource.rb +29 -9
  48. data/modules/recon/grep/password_autocomplete.rb +33 -6
  49. data/modules/recon/grep/private_ip.rb +21 -7
  50. data/modules/recon/grep/ssn.rb +17 -6
  51. data/modules/recon/grep/unencrypted_password_forms.rb +28 -9
  52. data/modules/recon/htaccess_limit.rb +23 -8
  53. data/modules/recon/http_put.rb +29 -7
  54. data/modules/recon/interesting_responses.rb +8 -10
  55. data/modules/recon/localstart_asp.rb +35 -5
  56. data/modules/recon/webdav.rb +23 -7
  57. data/modules/recon/x_forwarded_for_access_restriction_bypass.rb +27 -6
  58. data/modules/recon/xst.rb +26 -5
  59. data/plugins/autologin.rb +16 -5
  60. data/plugins/proxy/server.rb +2 -9
  61. data/spec/external/wavsep/active/lfi_spec.rb +6 -6
  62. data/spec/external/wavsep/active/rfi_spec.rb +6 -6
  63. data/spec/external/wavsep/active/sqli_spec.rb +4 -4
  64. data/spec/external/wavsep/active/xss_spec.rb +1 -1
  65. data/spec/support/logs/Dispatcher - 1332-56847.log +9 -0
  66. data/spec/support/logs/Dispatcher - 1361-63434.log +21 -0
  67. data/spec/support/logs/Dispatcher - 1545-55308.log +9 -0
  68. data/spec/support/logs/Dispatcher - 1559-18938.log +19 -0
  69. data/spec/support/logs/Dispatcher - 1568-25013.log +17 -0
  70. data/spec/support/logs/Dispatcher - 1577-55689.log +13 -0
  71. data/spec/support/logs/Dispatcher - 1586-18577.log +9 -0
  72. data/spec/support/logs/Dispatcher - 1595-49353.log +9 -0
  73. data/spec/support/logs/Dispatcher - 1604-27831.log +11 -0
  74. data/spec/support/logs/Dispatcher - 1617-57444.log +11 -0
  75. data/spec/support/logs/Dispatcher - 1631-28737.log +11 -0
  76. data/spec/support/logs/Dispatcher - 1644-21815.log +33 -0
  77. data/spec/support/logs/Dispatcher - 1738-53470.log +21 -0
  78. data/spec/support/logs/Dispatcher - 1747-64173.log +21 -0
  79. data/spec/support/logs/Dispatcher - 1756-11866.log +23 -0
  80. data/spec/support/logs/Dispatcher - 1798-12175.log +19 -0
  81. data/spec/support/logs/Dispatcher - 1807-22790.log +17 -0
  82. data/spec/support/logs/Dispatcher - 1816-57823.log +15 -0
  83. data/spec/support/logs/Dispatcher - 1831-64825.log +11 -0
  84. data/spec/support/logs/Dispatcher - 1845-27623.log +9 -0
  85. data/spec/support/logs/Dispatcher - 1854-26066.log +9 -0
  86. data/spec/support/logs/Dispatcher - 1863-37486.log +9 -0
  87. data/spec/support/logs/Dispatcher - 1874-22463.log +9 -0
  88. data/spec/support/logs/Dispatcher - 1883-41263.log +11 -0
  89. data/spec/support/logs/Dispatcher - 1900-53660.log +9 -0
  90. data/spec/support/logs/Dispatcher - 1909-44423.log +9 -0
  91. data/spec/support/logs/Dispatcher - 1921-58931.log +9 -0
  92. data/spec/support/logs/Dispatcher - 1993-6448.log +63 -0
  93. data/spec/support/logs/Dispatcher - 2002-19206.log +43 -0
  94. data/spec/support/logs/Dispatcher - 2011-11852.log +39 -0
  95. data/spec/support/logs/Dispatcher - 2020-65055.log +34 -0
  96. data/spec/support/logs/Dispatcher - 2029-48445.log +28 -0
  97. data/spec/support/logs/Dispatcher - 2038-55271.log +21 -0
  98. data/spec/support/logs/Dispatcher - 2047-45722.log +13 -0
  99. data/spec/support/logs/Dispatcher - 2057-48194.log +9 -0
  100. data/spec/support/logs/Dispatcher - 2189-39843.log +19 -0
  101. data/spec/support/logs/Dispatcher - 2199-15985.log +21 -0
  102. data/spec/support/logs/Dispatcher - 2208-22080.log +15 -0
  103. data/spec/support/logs/Dispatcher - 2221-37690.log +19 -0
  104. data/spec/support/logs/Dispatcher - 2230-47867.log +21 -0
  105. data/spec/support/logs/Dispatcher - 2239-27060.log +15 -0
  106. data/spec/support/logs/Dispatcher - 2358-8967.log +17 -0
  107. data/spec/support/logs/Dispatcher - 2367-27103.log +21 -0
  108. data/spec/support/logs/Dispatcher - 2376-16287.log +13 -0
  109. data/spec/support/logs/Dispatcher - 2389-9109.log +19 -0
  110. data/spec/support/logs/Dispatcher - 2398-62926.log +21 -0
  111. data/spec/support/logs/Dispatcher - 2407-48685.log +15 -0
  112. data/spec/support/logs/Dispatcher - 2459-62480.log +17 -0
  113. data/spec/support/logs/Dispatcher - 2470-57894.log +21 -0
  114. data/spec/support/logs/Dispatcher - 2479-51883.log +13 -0
  115. data/spec/support/logs/Dispatcher - 2493-36944.log +17 -0
  116. data/spec/support/logs/Dispatcher - 2503-59143.log +21 -0
  117. data/spec/support/logs/Dispatcher - 2513-33084.log +13 -0
  118. data/spec/support/logs/Dispatcher - 25430-46306.log +9 -0
  119. data/spec/support/logs/Dispatcher - 25457-10711.log +23 -0
  120. data/spec/support/logs/Dispatcher - 25603-48892.log +9 -0
  121. data/spec/support/logs/Dispatcher - 25613-24775.log +19 -0
  122. data/spec/support/logs/Dispatcher - 25622-59684.log +17 -0
  123. data/spec/support/logs/Dispatcher - 25631-23195.log +13 -0
  124. data/spec/support/logs/Dispatcher - 25640-9810.log +9 -0
  125. data/spec/support/logs/Dispatcher - 25649-52757.log +9 -0
  126. data/spec/support/logs/Dispatcher - 25658-58550.log +11 -0
  127. data/spec/support/logs/Dispatcher - 25671-30871.log +11 -0
  128. data/spec/support/logs/Dispatcher - 25684-48620.log +11 -0
  129. data/spec/support/logs/Dispatcher - 25697-18124.log +37 -0
  130. data/spec/support/logs/Dispatcher - 25762-35321.log +21 -0
  131. data/spec/support/logs/Dispatcher - 25771-64633.log +21 -0
  132. data/spec/support/logs/Dispatcher - 25780-43558.log +23 -0
  133. data/spec/support/logs/Dispatcher - 25821-43561.log +19 -0
  134. data/spec/support/logs/Dispatcher - 25830-39112.log +17 -0
  135. data/spec/support/logs/Dispatcher - 25839-44093.log +15 -0
  136. data/spec/support/logs/Dispatcher - 25852-12057.log +11 -0
  137. data/spec/support/logs/Dispatcher - 25866-49029.log +9 -0
  138. data/spec/support/logs/Dispatcher - 25875-32179.log +9 -0
  139. data/spec/support/logs/Dispatcher - 25884-62703.log +9 -0
  140. data/spec/support/logs/Dispatcher - 25894-4228.log +9 -0
  141. data/spec/support/logs/Dispatcher - 25903-6709.log +11 -0
  142. data/spec/support/logs/Dispatcher - 25917-29651.log +9 -0
  143. data/spec/support/logs/Dispatcher - 25926-12708.log +9 -0
  144. data/spec/support/logs/Dispatcher - 25935-54092.log +9 -0
  145. data/spec/support/logs/Dispatcher - 25990-26756.log +63 -0
  146. data/spec/support/logs/Dispatcher - 25999-4016.log +43 -0
  147. data/spec/support/logs/Dispatcher - 26008-52076.log +39 -0
  148. data/spec/support/logs/Dispatcher - 26017-48497.log +34 -0
  149. data/spec/support/logs/Dispatcher - 26026-28839.log +28 -0
  150. data/spec/support/logs/Dispatcher - 26035-54215.log +21 -0
  151. data/spec/support/logs/Dispatcher - 26044-27216.log +13 -0
  152. data/spec/support/logs/Dispatcher - 26054-53464.log +9 -0
  153. data/spec/support/logs/Dispatcher - 26163-65271.log +19 -0
  154. data/spec/support/logs/Dispatcher - 26173-58105.log +21 -0
  155. data/spec/support/logs/Dispatcher - 26182-40848.log +15 -0
  156. data/spec/support/logs/Dispatcher - 26195-2855.log +19 -0
  157. data/spec/support/logs/Dispatcher - 26204-35297.log +21 -0
  158. data/spec/support/logs/Dispatcher - 26213-59588.log +15 -0
  159. data/spec/support/logs/Dispatcher - 26333-40774.log +17 -0
  160. data/spec/support/logs/Dispatcher - 26342-45541.log +21 -0
  161. data/spec/support/logs/Dispatcher - 26351-3349.log +13 -0
  162. data/spec/support/logs/Dispatcher - 26364-37456.log +19 -0
  163. data/spec/support/logs/Dispatcher - 26373-37340.log +21 -0
  164. data/spec/support/logs/Dispatcher - 26382-54864.log +15 -0
  165. data/spec/support/logs/Dispatcher - 26434-3070.log +17 -0
  166. data/spec/support/logs/Dispatcher - 26448-14295.log +21 -0
  167. data/spec/support/logs/Dispatcher - 26474-30587.log +13 -0
  168. data/spec/support/logs/Dispatcher - 26500-32529.log +17 -0
  169. data/spec/support/logs/Dispatcher - 26509-16952.log +21 -0
  170. data/spec/support/logs/Dispatcher - 26519-43332.log +13 -0
  171. data/spec/support/logs/Dispatcher - 26750-61867.log +19 -0
  172. data/spec/support/logs/Dispatcher - 26759-22532.log +21 -0
  173. data/spec/support/logs/Dispatcher - 26768-18231.log +15 -0
  174. data/spec/support/logs/Dispatcher - 26792-41661.log +21 -0
  175. data/spec/support/logs/Dispatcher - 26801-14384.log +25 -0
  176. data/spec/support/logs/Dispatcher - 26810-2591.log +15 -0
  177. data/spec/support/logs/Dispatcher - 26846-14591.log +17 -0
  178. data/spec/support/logs/Dispatcher - 26855-15708.log +21 -0
  179. data/spec/support/logs/Dispatcher - 26864-2062.log +13 -0
  180. data/spec/support/logs/Dispatcher - 26877-14471.log +21 -0
  181. data/spec/support/logs/Dispatcher - 26886-49795.log +25 -0
  182. data/spec/support/logs/Dispatcher - 26895-21093.log +15 -0
  183. data/spec/support/logs/Dispatcher - 26931-30049.log +17 -0
  184. data/spec/support/logs/Dispatcher - 26940-34273.log +21 -0
  185. data/spec/support/logs/Dispatcher - 26949-30040.log +13 -0
  186. data/spec/support/logs/Dispatcher - 26962-8152.log +17 -0
  187. data/spec/support/logs/Dispatcher - 26971-53062.log +21 -0
  188. data/spec/support/logs/Dispatcher - 26980-7548.log +13 -0
  189. data/spec/support/logs/Dispatcher - 2737-20989.log +19 -0
  190. data/spec/support/logs/Dispatcher - 2746-5423.log +21 -0
  191. data/spec/support/logs/Dispatcher - 2755-53393.log +15 -0
  192. data/spec/support/logs/Dispatcher - 27615-41812.log +19 -0
  193. data/spec/support/logs/Dispatcher - 27624-43683.log +21 -0
  194. data/spec/support/logs/Dispatcher - 27633-11593.log +15 -0
  195. data/spec/support/logs/Dispatcher - 27658-12186.log +21 -0
  196. data/spec/support/logs/Dispatcher - 27667-15575.log +25 -0
  197. data/spec/support/logs/Dispatcher - 27676-17207.log +15 -0
  198. data/spec/support/logs/Dispatcher - 27712-2233.log +17 -0
  199. data/spec/support/logs/Dispatcher - 27721-3842.log +21 -0
  200. data/spec/support/logs/Dispatcher - 27730-22695.log +13 -0
  201. data/spec/support/logs/Dispatcher - 27743-8364.log +21 -0
  202. data/spec/support/logs/Dispatcher - 27752-6140.log +25 -0
  203. data/spec/support/logs/Dispatcher - 27761-25015.log +15 -0
  204. data/spec/support/logs/Dispatcher - 27797-9270.log +17 -0
  205. data/spec/support/logs/Dispatcher - 2780-58168.log +21 -0
  206. data/spec/support/logs/Dispatcher - 27806-48623.log +21 -0
  207. data/spec/support/logs/Dispatcher - 27815-58778.log +13 -0
  208. data/spec/support/logs/Dispatcher - 27828-29742.log +17 -0
  209. data/spec/support/logs/Dispatcher - 27837-46211.log +21 -0
  210. data/spec/support/logs/Dispatcher - 27846-16143.log +13 -0
  211. data/spec/support/logs/Dispatcher - 2789-29375.log +25 -0
  212. data/spec/support/logs/Dispatcher - 2798-10983.log +15 -0
  213. data/spec/support/logs/Dispatcher - 2836-2354.log +17 -0
  214. data/spec/support/logs/Dispatcher - 2845-65341.log +21 -0
  215. data/spec/support/logs/Dispatcher - 2854-18936.log +13 -0
  216. data/spec/support/logs/Dispatcher - 2867-51979.log +21 -0
  217. data/spec/support/logs/Dispatcher - 2876-21086.log +25 -0
  218. data/spec/support/logs/Dispatcher - 2887-17393.log +15 -0
  219. data/spec/support/logs/Dispatcher - 2930-37394.log +17 -0
  220. data/spec/support/logs/Dispatcher - 2943-46737.log +21 -0
  221. data/spec/support/logs/Dispatcher - 2956-37866.log +13 -0
  222. data/spec/support/logs/Dispatcher - 2976-21012.log +17 -0
  223. data/spec/support/logs/Dispatcher - 2990-48082.log +21 -0
  224. data/spec/support/logs/Dispatcher - 2999-16391.log +13 -0
  225. data/spec/support/logs/{Instance - 10762-33696.error.log → Instance - 2204-45164.error.log } +59 -40
  226. data/spec/support/logs/{Instance - 11038-18065.error.log → Instance - 2475-49789.error.log } +61 -42
  227. data/spec/support/logs/{Instance - 11069-34848.error.log → Instance - 2509-39450.error.log } +158 -139
  228. data/spec/support/logs/{Instance - 11229-38634.error.log → Instance - 2533-5785.error.log } +56 -37
  229. data/spec/support/logs/Instance - 2539-42941.error.log +356 -0
  230. data/spec/support/logs/Instance - 26178-57631.error.log +324 -0
  231. data/spec/support/logs/Instance - 26458-60253.error.log +326 -0
  232. data/spec/support/logs/Instance - 26514-44685.error.log +423 -0
  233. data/spec/support/logs/Instance - 26538-43093.error.log +322 -0
  234. data/spec/support/logs/Instance - 26544-52217.error.log +328 -0
  235. data/spec/support/logs/{Instance - 11097-33191.error.log → Instance - 26682-37056.error.log } +65 -57
  236. data/spec/support/logs/{Instance - 11091-33954.error.log → Instance - 2669-56818.error.log } +56 -37
  237. data/spec/support/logs/Instance - 27547-3928.error.log +309 -0
  238. data/spec/support/servers/plugins/autologin.rb +13 -1
  239. metadata +974 -782
  240. data/spec/support/logs/Dispatcher - 10129-46995.log +0 -9
  241. data/spec/support/logs/Dispatcher - 10139-63648.log +0 -19
  242. data/spec/support/logs/Dispatcher - 10149-5551.log +0 -17
  243. data/spec/support/logs/Dispatcher - 10158-34385.log +0 -13
  244. data/spec/support/logs/Dispatcher - 10167-55701.log +0 -9
  245. data/spec/support/logs/Dispatcher - 10176-8922.log +0 -9
  246. data/spec/support/logs/Dispatcher - 10185-53716.log +0 -11
  247. data/spec/support/logs/Dispatcher - 10198-44724.log +0 -11
  248. data/spec/support/logs/Dispatcher - 10211-7697.log +0 -11
  249. data/spec/support/logs/Dispatcher - 10224-3751.log +0 -35
  250. data/spec/support/logs/Dispatcher - 10285-7404.log +0 -21
  251. data/spec/support/logs/Dispatcher - 10294-56221.log +0 -21
  252. data/spec/support/logs/Dispatcher - 10303-2483.log +0 -23
  253. data/spec/support/logs/Dispatcher - 10344-60543.log +0 -19
  254. data/spec/support/logs/Dispatcher - 10355-31708.log +0 -17
  255. data/spec/support/logs/Dispatcher - 10364-63170.log +0 -15
  256. data/spec/support/logs/Dispatcher - 10377-37936.log +0 -11
  257. data/spec/support/logs/Dispatcher - 10390-37511.log +0 -9
  258. data/spec/support/logs/Dispatcher - 10400-29603.log +0 -9
  259. data/spec/support/logs/Dispatcher - 10409-57042.log +0 -9
  260. data/spec/support/logs/Dispatcher - 10418-17812.log +0 -9
  261. data/spec/support/logs/Dispatcher - 10427-59862.log +0 -11
  262. data/spec/support/logs/Dispatcher - 10440-48351.log +0 -9
  263. data/spec/support/logs/Dispatcher - 10449-24218.log +0 -9
  264. data/spec/support/logs/Dispatcher - 10458-54646.log +0 -9
  265. data/spec/support/logs/Dispatcher - 10511-3333.log +0 -63
  266. data/spec/support/logs/Dispatcher - 10520-50009.log +0 -43
  267. data/spec/support/logs/Dispatcher - 10529-44870.log +0 -39
  268. data/spec/support/logs/Dispatcher - 10538-49556.log +0 -34
  269. data/spec/support/logs/Dispatcher - 10547-61887.log +0 -28
  270. data/spec/support/logs/Dispatcher - 10556-31163.log +0 -21
  271. data/spec/support/logs/Dispatcher - 10565-40008.log +0 -13
  272. data/spec/support/logs/Dispatcher - 10575-18836.log +0 -9
  273. data/spec/support/logs/Dispatcher - 10747-32268.log +0 -19
  274. data/spec/support/logs/Dispatcher - 10757-4081.log +0 -21
  275. data/spec/support/logs/Dispatcher - 10766-49190.log +0 -15
  276. data/spec/support/logs/Dispatcher - 10780-46610.log +0 -19
  277. data/spec/support/logs/Dispatcher - 10789-5332.log +0 -21
  278. data/spec/support/logs/Dispatcher - 10798-56243.log +0 -15
  279. data/spec/support/logs/Dispatcher - 10920-32037.log +0 -17
  280. data/spec/support/logs/Dispatcher - 10929-35662.log +0 -21
  281. data/spec/support/logs/Dispatcher - 10938-64010.log +0 -13
  282. data/spec/support/logs/Dispatcher - 10951-44746.log +0 -19
  283. data/spec/support/logs/Dispatcher - 10961-55791.log +0 -21
  284. data/spec/support/logs/Dispatcher - 10972-58913.log +0 -15
  285. data/spec/support/logs/Dispatcher - 11023-45004.log +0 -17
  286. data/spec/support/logs/Dispatcher - 11033-55505.log +0 -21
  287. data/spec/support/logs/Dispatcher - 11042-46123.log +0 -13
  288. data/spec/support/logs/Dispatcher - 11055-26836.log +0 -17
  289. data/spec/support/logs/Dispatcher - 11064-60361.log +0 -21
  290. data/spec/support/logs/Dispatcher - 11073-17507.log +0 -13
  291. data/spec/support/logs/Dispatcher - 11298-28357.log +0 -19
  292. data/spec/support/logs/Dispatcher - 11307-62669.log +0 -21
  293. data/spec/support/logs/Dispatcher - 11316-9391.log +0 -15
  294. data/spec/support/logs/Dispatcher - 11340-45921.log +0 -21
  295. data/spec/support/logs/Dispatcher - 11349-8693.log +0 -25
  296. data/spec/support/logs/Dispatcher - 11358-53753.log +0 -15
  297. data/spec/support/logs/Dispatcher - 11394-29437.log +0 -17
  298. data/spec/support/logs/Dispatcher - 11403-59953.log +0 -21
  299. data/spec/support/logs/Dispatcher - 11412-51134.log +0 -13
  300. data/spec/support/logs/Dispatcher - 11425-42569.log +0 -21
  301. data/spec/support/logs/Dispatcher - 11434-16150.log +0 -25
  302. data/spec/support/logs/Dispatcher - 11443-19072.log +0 -15
  303. data/spec/support/logs/Dispatcher - 11479-39149.log +0 -17
  304. data/spec/support/logs/Dispatcher - 11488-42169.log +0 -21
  305. data/spec/support/logs/Dispatcher - 11497-29822.log +0 -13
  306. data/spec/support/logs/Dispatcher - 11510-8273.log +0 -17
  307. data/spec/support/logs/Dispatcher - 11519-18206.log +0 -21
  308. data/spec/support/logs/Dispatcher - 11528-55825.log +0 -13
  309. data/spec/support/logs/Dispatcher - 9969-52890.log +0 -9
  310. data/spec/support/logs/Dispatcher - 9996-38451.log +0 -21
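--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
 metadata.gz: !binary |-
-MjQyMTU0MWMwYTcyZTVhMjk0NDM0YjZlMmZiMDllYmI4ZTNkZjM4Zg==
+ZDliMzg1ZDM5Zjc3YjU2Njg5NmY0MDVmY2I5ZmYwYzNmNmIwMTRhZA==
 data.tar.gz: !binary |-
-MWI4ZjZmNzE5MzMxM2UyOTdkMzI4NjM0YTI0NWQwZDg4NmUxMzcwYw==
+ZGExNDM4ZjUyMzhhOTY2MTEyODY4MThjMjQ0MDE0Njg2MTBkNTY1Yw==
 SHA512:
 metadata.gz: !binary |-
-N2NkYzk3M2Y1MzY3YWQ0ZmEwZTM0ODBiZGUwNmZhYmIxOWRlODAyZDFjOTgw
-YTIwMmQ0YjdhNDhjMWUzNWVkYzQ0MTM0ZjA5ZGQyYzM2MzQ2MDgyZWFiZmQw
-MDY5NDFiMWY0ZGY4YzNjMWZjNTliMmFlM2YyZGM2MzFlZjY4YTg=
+MzMyMzU2Yjg3ZjY3ZmVhZmU4ODViN2NjMTE2NDRhZjdiNTBhN2VhYTdlMWEx
+MjE5ZmFkNjIzNjNmYWVkOWZmMzI1ZDBhOWFlYjY4NmFjNmVmNmI2NmZhYzE3
+MTAwZDhjMDFjYmE5YWJhYmE5YzZjOTA5ZGJmM2Q3MzEzZTYzMGQ=
 data.tar.gz: !binary |-
-M2JlNDdkN2MxODRhMThkYzQxNTBkZjcyMWQxNTg3ZWM2YzU5NTQyOTRhNmFm
-ZTVkNzA4MjJjNmI2NzQ0ZTE2ZjNkNzgzNmFlMGJkYWQwMGRhNjc0M2RiODM5
-YjY3MGM1MGRiNWFmYjI0MTg2YjVmNjZjYzhiOGZhNTk3NGM4YTE=
+ZTA0ZWFhNDE2Mjk2ODcwNjk0MWEyNjMyZGI3NGRmMTQyOGMxYTJkMzUwZDFj
+Y2NlMzlmODNjNzdkNWJiODU0ZTllZjRmODQ1MjQ2Y2Y0ZTAwYzIxOGI2YjRj
+ZTVlNDU4MGViZjY5ODU1ZmZlOTg0MzQyOTg4NDNmOGIwNjI0ZDY=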
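--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,26 @@
 # ChangeLog
 
+## 0.4.7 _(April 12, 2014)_
+
+- `Spider`
+- Fixed mixed up status messages upon out-of-scope redirections.
+- `HTTP`
+- `disable_ssl_host_verification` set to `true`.
+- `Element`
+- `Capabilities::Auditable::Taint`
+- Fixed bug when checking for trust level of issue when there's no match.
+- `Form`
+- Updated to handle empty base-href values.
+- Plugins
+- `autologin`
+- Updated to handle stacked post-login redirects.
+- Added debugging information for failed logins.
+- `proxy`
+- Fixed forwarding of request bodies.
+- Modules
+- All
+- Updated descriptions and remedies.
+
 ## 0.4.6 _(January 1, 2014)_
 
 - CLI user interfaces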
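--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,4 @@
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
 gem 'yard'
 gem 'redcarpet'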
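--- a/data/README.md
+++ b/data/README.md
@@ -3,7 +3,7 @@
 <table>
 <tr>
 <th>Version</th>
-<td>0.4.6</td>
+<td>0.4.7</td>
 </tr>
 <tr>
 <th>Homepage</th>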
@@ -216,6 +216,7 @@ module Auditable::Taint
216
216
  # Grab an untainted response.
217
217
  submit do |response|
218
218
  @logged_issues.each do |issue|
219
+ next if !issue.match
219
220
  next if !response.body.include?( issue.match )
220
221
 
221
222
  issue.verification = true
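Review bot: The added `next if !issue.match` on new line 219 skips a nil match but not an empty one, and on the following line `response.body.include?( '' )` is true for any body, so an issue whose match is `''` would still be marked as verified. Tightening the guard to `next if issue.match.to_s.empty?` covers both cases in one line. The `submit` block and the method around it begin and end outside this hunk, so I cannot tell from here whether an empty match is reachable; if it is not, a one-line comment saying so would save the next reader the same question.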
@@ -736,12 +736,10 @@ class Form < Arachni::Element::Base
736
736
  #
737
737
  def self.from_document( url, document )
738
738
  document = Nokogiri::HTML( document.to_s ) if !document.is_a?( Nokogiri::HTML::Document )
739
- base_url = url
740
- begin
741
- base_url = document.search( '//base[@href]' )[0]['href']
742
- rescue
743
- base_url = url
744
- end
739
+
740
+ base_url = document.search( '//base[@href]' )[0]['href'] rescue nil
741
+ base_url = url if base_url.to_s.empty?
742
+
745
743
  document.search( '//form' ).map do |cform|
746
744
  next if !(form = form_from_element( base_url, cform ))
747
745
  form.url = url
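Review bot: On new line 740 the `rescue nil` modifier swallows every StandardError raised while reading the base href, not only the missing-element case, so a parser failure is silently turned into `base_url = url` with nothing logged. The lookup can be written without the modifier: `base = document.search( '//base[@href]' ).first` and `base_url = base ? base['href'] : nil`, leaving the existing `base_url = url if base_url.to_s.empty?` fallback as is. On line 741, `.to_s.strip.empty?` would also catch a whitespace-only `href`, which currently passes the check and is handed to `form_from_element`. `from_document` continues past the end of the hunk.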
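--- a/data/lib/arachni/http.rb
+++ b/data/lib/arachni/http.rb
@@ -144,6 +144,7 @@ class HTTP
 follow_location: false,
 max_redirects: opts.redirect_limit,
 disable_ssl_peer_verification: true,
+disable_ssl_host_verification: true,
 timeout: opts.http_timeout || HTTP_TIMEOUT,
 username: opts.http_username,
 password: opts.http_password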
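Review bot: New line 147 disables SSL host-name verification unconditionally, and together with `disable_ssl_peer_verification: true` on the line above the client now accepts any certificate for every scan, so the credentials passed on lines 149-150 and whatever cookies the scanner carries go over a TLS session whose peer is never checked. Scanning targets with self-signed certificates is a real need, but this would be safer as a user-facing option that defaults to verifying and drives both `disable_ssl_*` keys together (no such option is visible in this hunk, so its name is open). At minimum the trade-off should be recorded next to the two keys, e.g. `# Both SSL checks off: targets often use self-signed certs, so scan traffic is not protected against an active man-in-the-middle.` The option hash is built outside the hunk's bounds.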
@@ -333,7 +333,7 @@ class Parser
333
333
  exception_jail( false ){ self.class.extractors[name].new.run( doc ) }
334
334
  end.flatten.uniq.compact.
335
335
  map { |path| to_absolute( path ) }.compact.uniq.
336
- reject { |path| skip?( path ) }
336
+ reject { |path| path.to_s.empty? || skip?( path ) }
337
337
  rescue ::Exception => e
338
338
  print_error e.to_s
339
339
  print_error_backtrace e
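Review bot: The new `path.to_s.empty?` test on line 336 has no explanation of where empty paths come from, and since the chain on line 335 already `compact`s nils a reader will wonder why `''` still needs filtering. A short why-comment above the line would do, e.g. `# to_absolute presumably yields '' for blank hrefs; drop those before skip? sees them`, reworded once the actual source is confirmed. If blanks originate before `to_absolute`, rejecting them ahead of the `map` on line 335 would avoid resolving them at all. The method starts before this hunk.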
@@ -417,8 +417,20 @@ class Spider
417
417
  if res.redirection? && res.location
418
418
  @redirects << res.request.url
419
419
  location = to_absolute( res.location, res.request.url )
420
- if hit_redirect_limit? || skip?( location )
421
- print_info "Redirect limit reached, skipping: #{location}"
420
+
421
+ skipped = false
422
+ redir_limit = false
423
+
424
+ if (redir_limit = hit_redirect_limit?) || (skipped = skip?( location ))
425
+
426
+ if skipped
427
+ print_info "Ignoring redirection due to exclusion criteria: #{location}"
428
+ end
429
+
430
+ if redir_limit
431
+ print_info "Redirect limit reached, skipping: #{location}"
432
+ end
433
+
422
434
  decrease_pending
423
435
  next
424
436
  end
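Review bot: The condition on new line 424 performs two assignments inside `||`, so `skipped` is only assigned when `hit_redirect_limit?` is false, and the pre-initialisations on lines 421-422 exist solely to cover that short-circuit; the intent is hard to read. Three plain statements say the same thing directly: `redir_limit = hit_redirect_limit?`, `skipped = !redir_limit && skip?( location )`, `if redir_limit || skipped`. With that shape the two `print_info` branches on lines 426-432 keep their current behaviour, including that only the limit message is printed when both conditions hold. The enclosing block continues outside the hunk on both sides.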
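--- a/data/lib/version
+++ b/data/lib/version
@@ -1 +1 @@
-0.4.6
+0.4.7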
@@ -14,14 +14,13 @@
14
14
  limitations under the License.
15
15
  =end
16
16
 
17
- #
18
17
  # It's designed to work with PHP, Perl, Python, Java, ASP and Ruby
19
18
  # but still needs some more testing.
20
19
  #
21
20
  #
22
21
  # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
23
22
  #
24
- # @version 0.2
23
+ # @version 0.2.1
25
24
  #
26
25
  # @see http://cwe.mitre.org/data/definitions/94.html
27
26
  # @see http://php.net/manual/en/function.eval.php
@@ -29,7 +28,6 @@
29
28
  # @see http://docs.python.org/py3k/library/functions.html#eval
30
29
  # @see http://www.aspdev.org/asp/asp-eval-execute/
31
30
  # @see http://en.wikipedia.org/wiki/Eval#Ruby
32
- #
33
31
  class Arachni::Modules::CodeInjection < Arachni::Module::Base
34
32
 
35
33
  def self.rand1
@@ -81,7 +79,7 @@ class Arachni::Modules::CodeInjection < Arachni::Module::Base
81
79
  was successful.},
82
80
  elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
83
81
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
84
- version: '0.2',
82
+ version: '0.2.1',
85
83
  references: {
86
84
  'PHP' => 'http://php.net/manual/en/function.eval.php',
87
85
  'Perl' => 'http://perldoc.perl.org/functions/eval.html',
@@ -91,16 +89,44 @@ class Arachni::Modules::CodeInjection < Arachni::Module::Base
91
89
  targets: %w(PHP Perl Python ASP),
92
90
  issue: {
93
91
  name: %q{Code injection},
94
- description: %q{Arbitrary code can be injected into the web application
95
- which is then executed as part of the system.},
92
+ description: %q{A modern web application will be reliant on
93
+ several different programming languages. These languages can
94
+ be broken up into two flavours. These are client side
95
+ languages such as those that run in the browser eg.
96
+ JavaScript and HTML, and server side languages that are
97
+ executed by the server (ASP, PHP, JSP, etc) to form the
98
+ dynamic pages (client side code) that are then sent to the
99
+ client. Because all server side code should be executed by
100
+ the server, it should only ever come from a trusted source.
101
+ Code injection occurs when the server takes untrusted server
102
+ side code (ie. From the client) and executes the code as if
103
+ it were on the server. Cyber-criminals will abuse this
104
+ weakness to execute their own arbitrary code on the server,
105
+ and could result in complete compromise of the server.
106
+ Arachni was able to inject specific server side code and
107
+ have the executed output from the code contained within the
108
+ server response. This indicates that proper input
109
+ sanitisation is not occurring.},
96
110
  tags: %w(code injection regexp),
97
111
  cwe: '94',
98
112
  severity: Severity::HIGH,
99
113
  cvssv2: '7.5',
100
- remedy_guidance: %q{User inputs must be validated and filtered
101
- before being evaluated as executable code.
102
- Better yet, the web application should stop evaluating user
103
- inputs as any part of dynamic code altogether.},
114
+ remedy_guidance: %q{ It is recommended that untrusted or
115
+ invalidated data is never stored where it may then be
116
+ executed as server side code. To validate data, the
117
+ application should ensure that the supplied value contains
118
+ only the characters that are required to perform the
119
+ required action. For example, where a username is required,
120
+ then no non-alpha characters should be accepted.
121
+ Additionally, within PHP, the "eval" and "preg_replace"
122
+ functions should be avoided as these functions can easily be
123
+ used to execute untrusted data. If these functions are used
124
+ within the application then these parts should be rewritten.
125
+ The exact way to rewrite the code depends on what the code
126
+ in question does, so there is no general pattern for doing
127
+ so. Once the code has been rewritten the eval() function
128
+ should be disabled. This can be achieved by adding eval to
129
+ disable_funcions within the php.ini file.},
104
130
  remedy_code: '',
105
131
  metasploitable: 'unix/webapp/arachni_php_eval'
106
132
  }
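Review bot: The new `remedy_guidance` text in the last hunk (new lines 114-129) misspells the php.ini directive as `disable_funcions`; the directive is `disable_functions`, and anyone copying the advice into php.ini gets a silently ignored setting. The same misspelling appears in the `code_injection_php_input_wrapper.rb` remedy further down this page. Two smaller wording issues in the same string: it opens with a stray space after `%q{`, and "untrusted or invalidated data" should read "unvalidated". On new line 121, `preg_replace` is only a code-execution sink with the `/e` modifier, so naming that would make the guidance more precise than telling users to avoid the function outright.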
@@ -18,7 +18,7 @@
18
18
  #
19
19
  # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
20
20
  #
21
- # @version 0.1
21
+ # @version 0.2
22
22
  class Arachni::Modules::CodeExecutionPHPInputWrapper < Arachni::Module::Base
23
23
 
24
24
  def self.options
@@ -56,18 +56,51 @@ class Arachni::Modules::CodeExecutionPHPInputWrapper < Arachni::Module::Base
56
56
  uses the php://input wrapper to try and load it.},
57
57
  elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
58
58
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
59
- version: '0.1',
59
+ version: '0.2',
60
60
  references: {
61
61
  'OWASP' => 'https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution'
62
62
  },
63
63
  targets: %w(PHP),
64
64
  issue: {
65
65
  name: %q{Code injection (php://input wrapper)},
66
- description: %q{The web application can be forced to execute
67
- arbitrary code via the php://input wrapper.},
66
+ description: %q{A modern web application will be reliant on
67
+ several different programming languages. These languages can
68
+ be broken up into two flavours. These are client side
69
+ languages such as those that run in the browser eg.
70
+ JavaScript and HTML, and server side languages that are
71
+ executed by the server (ASP, PHP, JSP, etc) to form the
72
+ dynamic pages (client side code) that are then sent to the
73
+ client. Because all server side code should be executed by
74
+ the server, it should only ever come from a trusted source.
75
+ Code injection occurs when the server takes untrusted server
76
+ side code (ie. From the client) and executes the code as if
77
+ it were on the server. Cyber-criminals will abuse this
78
+ weakness to execute their own arbitrary code on the server,
79
+ and could result in complete compromise of the server.
80
+ Arachni was able to inject specific server side code wrapped
81
+ within a php wrapper (<?php ... ?>) and have the executed
82
+ output from the code contained within the server response.
83
+ This indicates that proper input sanitisation is not
84
+ occurring..},
68
85
  tags: %w(remote injection php code execution),
69
86
  cwe: '94',
70
- severity: Severity::HIGH
87
+ severity: Severity::HIGH,
88
+ remedy_guidance: %q{It is recommended that untrusted or
89
+ invalidated data is never stored where it may then be
90
+ executed as server side code. To validate data, the
91
+ application should ensure that the supplied value contains
92
+ nly the characters that are required to perform the required
93
+ action. For example, where a username is required, then no
94
+ non-alpha characters should be accepted. Additionally,
95
+ within PHP, the "eval" and "preg_replace" functions should
96
+ be avoided as these functions can easily be used to execute
97
+ untrusted data. If these functions are used within the
98
+ application then these parts should be rewritten. The exact
99
+ way to rewrite the code depends on what the code in question
100
+ does, so there is no general pattern for doing so. Once the
101
+ code has been rewritten the eval() function should be
102
+ disabled. This can be achieved by adding eval to
103
+ disable_funcions within the php.ini file.},
71
104
  }
72
105
 
73
106
  }
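Review bot: The new description on new line 84 ends with a doubled full stop, `occurring..`, and the remedy on new line 92 has lost its first letter, `nly the characters` should read `only the characters`. Both strings are emitted verbatim in scan reports, so they are worth fixing before release; `disable_funcions` on line 103 is the same misspelling already noted for `code_injection.rb`. The `issue` hash is closed inside the hunk but the method that builds it starts before it.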
@@ -23,7 +23,7 @@
23
23
  #
24
24
  # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
25
25
  #
26
- # @version 0.3
26
+ # @version 0.4
27
27
  #
28
28
  # @see http://cwe.mitre.org/data/definitions/94.html
29
29
  # @see http://php.net/manual/en/function.eval.php
@@ -62,7 +62,7 @@ class Arachni::Modules::CodeInjectionTiming < Arachni::Module::Base
62
62
  was successful using a time delay.},
63
63
  elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
64
64
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
65
- version: '0.3',
65
+ version: '0.4',
66
66
  references: {
67
67
  'PHP' => 'http://php.net/manual/en/function.eval.php',
68
68
  'Perl' => 'http://perldoc.perl.org/functions/eval.html',
@@ -74,21 +74,44 @@ class Arachni::Modules::CodeInjectionTiming < Arachni::Module::Base
74
74
 
75
75
  issue: {
76
76
  name: %q{Code injection (timing attack)},
77
- description: %q{Arbitrary code can be injected into the web application
78
- which is then executed as part of the system.
79
- (This issue was discovered using a timing attack; timing attacks
80
- can result in false positives in cases where the server takes
81
- an abnormally long time to respond.
82
- Either case, these issues will require further investigation
83
- even if they are false positives.)},
77
+ description: %q{A modern web application will be reliant on
78
+ several different programming languages. These languages can
79
+ be broken up into two flavours. These are client side
80
+ languages such as those that run in the browser eg.
81
+ JavaScript and HTML, and server side languages that are
82
+ executed by the server (ASP, PHP, JSP, etc) to form the
83
+ dynamic pages (client side code) that are then sent to the
84
+ client. Because all server side code should be executed by
85
+ the server, it should only ever come from a trusted source.
86
+ Code injection occurs when the server takes untrusted server
87
+ side code (ie. From the client) and executes the code as if
88
+ it were on the server. Cyber-criminals will abuse this
89
+ weakness to execute their own arbitrary code on the server,
90
+ and could result in complete compromise of the server. By
91
+ injecting server side code that is known to take a specific
92
+ amount of time to execute Arachni was able to detect time
93
+ based code injection. This indicates that proper input
94
+ sanitisation is not occurring.},
84
95
  tags: %w(code injection timing blind),
85
96
  cwe: '94',
86
97
  severity: Severity::HIGH,
87
98
  cvssv2: '7.5',
88
- remedy_guidance: %q{User inputs must be validated and filtered
89
- before being evaluated as executable code.
90
- Better yet, the web application should stop evaluating user
91
- inputs as any part of dynamic code altogether.},
99
+ remedy_guidance: %q{It is recommended that untrusted or
100
+ invalidated data is never stored where it may then be
101
+ executed as server side code. To validate data, the
102
+ application should ensure that the supplied value contains
103
+ nly the characters that are required to perform the required
104
+ action. For example, where a username is required, then no
105
+ non-alpha characters should be accepted. Additionally,
106
+ within PHP, the "eval" and "preg_replace" functions should
107
+ be avoided as these functions can easily be used to execute
108
+ untrusted data. If these functions are used within the
109
+ application then these parts should be rewritten. The exact
110
+ way to rewrite the code depends on what the code in question
111
+ does, so there is no general pattern for doing so. Once the
112
+ code has been rewritten the eval() function should be
113
+ disabled. This can be achieved by adding eval to
114
+ disable_funcions within the php.ini file.},
92
115
  remedy_code: '',
93
116
  metasploitable: 'unix/webapp/arachni_php_eval'
94
117
  }
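Review bot: The rewritten description (new-side lines 77–94) drops the old warning that timing-based detection can yield false positives on a slow or loaded server and needs manual confirmation; for a module whose only signal is a response delay that caveat is the most useful thing the report carries, so I'd restore it at the end of the description, e.g. `Timing-based detection is susceptible to false positives when the server is slow or under load; this finding should be confirmed manually.` The remedy text also advises disabling eval() through `disable_functions` in php.ini, but as far as I recall eval is a language construct that `disable_functions` does not cover, so that sentence should instead say that `disable_functions` can restrict the real functions such code relies on (system, exec, etc.), and `preg_replace` is only an execution sink with the deprecated `/e` modifier, which the text should state. Two typos in the same paragraph: `nly the characters` → `only the characters` and `disable_funcions` → `disable_functions`. The identical remedy paragraph appears earlier in this diff for the php_input_wrapper module, so the wording should be fixed in both places.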
@@ -42,7 +42,7 @@
42
42
  #
43
43
  # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
44
44
  #
45
- # @version 0.3.1
45
+ # @version 0.3.2
46
46
  #
47
47
  # @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
48
48
  # @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
@@ -167,27 +167,57 @@ class Arachni::Modules::CSRF < Arachni::Module::Base
167
167
  It requires a logged-in user's cookie-jar.},
168
168
  elements: [ Element::FORM ],
169
169
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
170
- version: '0.3.1',
170
+ version: '0.3.2',
171
171
  references: {
172
172
  'Wikipedia' => 'http://en.wikipedia.org/wiki/Cross-site_request_forgery',
173
173
  'OWASP' => 'http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)',
174
- 'CGI Security' => 'http://www.cgisecurity.com/csrf-faq.html'
174
+ 'CGI Security' => 'http://www.cgisecurity.com/csrf-faq.html',
175
+ 'WASC' => 'http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20Forgery'
175
176
  },
176
177
  targets: %w(Generic),
177
178
 
178
179
  issue: {
179
180
  name: %q{Cross-Site Request Forgery},
180
- description: %q{The web application does not, or can not,
181
- sufficiently verify whether a well-formed, valid, consistent
182
- request was intentionally provided by the user who submitted the request.
183
- This is due to a lack of secure anti-CSRF tokens to verify
184
- the freshness of the submitted data.},
181
+ description: %q{In the majority of today's web applications,
182
+ clients are required to submit forms. When these forms are
183
+ submitted that contents within the form are typically
184
+ processed by the server. An example of such a form is when
185
+ an administrator wishes to create a new user for the
186
+ application. In the simplest form the administrator would
187
+ submit a form with the users Name, Password, and Role (level
188
+ of access). Cross Site Request Forgery (CSRF) is where an
189
+ administrator could be tricked into clicking on a link that
190
+ if logged into the application would automatically submit
191
+ the form without any further interaction. Cyber-criminals
192
+ will look for sites where sensitive functions are performed
193
+ in this vulnerable manner, and then craft malicious requests
194
+ that will be used against clients in a social engineering
195
+ attack. There are 3 things that are required for a CSRF
196
+ attack to occur. 1. The form must perform a sensitive action
197
+ 2. The victim (admin the example above) must have an active
198
+ session 3. Most importantly, all parameter values must be
199
+ known or guessable. Arachni discovered that all parameters
200
+ within the form were known or predictable, and therefore
201
+ could be vulnerable to CSRF. Manual verification may be
202
+ required to check whether the submission will then perform a
203
+ sensitive action such as reset a password, modify user
204
+ profiles, post content for a forum, etc.},
185
205
  tags: %w(csrf rdiff form token),
186
206
  cwe: '352',
187
207
  severity: Severity::HIGH,
188
- remedy_guidance: %q{A unique token that guaranties freshness of submitted
189
- data must be added to all web application elements that can affect
190
- business logic.}
208
+ remedy_guidance: %q{Based on the risk determined by manual
209
+ verification of whether the submission will then perform a
210
+ sensitive action, it is recommended that the server utilise
211
+ CSRF tokens. These can be configured in such a way that each
212
+ session generates a new CSRF token or such that each
213
+ individual request requires a new token. CSRF tokens are
214
+ passed to the server as a normal parameter and not as a
215
+ cookie value. It is equally important that the server track
216
+ and maintain the status of each token, this will enable a
217
+ server to reject any request that does not contain a valid
218
+ token, and therefore prevent any cyber-criminal from knowing
219
+ or guessing all parameter values. For examples of framework
220
+ specific remediation, refer to the references.}
191
221
  }
192
222
  }
193
223
  end
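Review bot: The new remedy_guidance never says the anti-CSRF token must be bound to the authenticated session and checked server-side; a token that is merely unpredictable but accepted for any session still lets an attacker obtain one from their own session and replay it, so after `CSRF tokens are passed to the server as a normal parameter and not as a cookie value.` I'd add `The token must come from a cryptographically secure random source, be tied to the user's session, and be compared on the server for every state-changing request.` The description (new-side lines 181–204) also states that the finding rests only on all parameter values being predictable and may need manual verification, which sits awkwardly with the unconditional `severity: Severity::HIGH`; consider saying that the severity should be revised down once verification shows the form performs no sensitive action. Wording slips to fix: `that contents within the form` → `the contents of the form`, `the users Name` → `the user's name`, `(admin the example above)` → `(the admin in the example above)`, and the run-on `There are 3 things ... 1. ... 2. ... 3.` should be split into separate sentences.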
@@ -18,7 +18,7 @@
18
18
  #
19
19
  # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
20
20
  #
21
- # @version 0.1.1
21
+ # @version 0.1.2
22
22
  #
23
23
  # @see http://cwe.mitre.org/data/definitions/98.html
24
24
  # @see https://www.owasp.org/index.php/PHP_File_Inclusion
@@ -103,7 +103,7 @@ class Arachni::Modules::FileInclusion < Arachni::Module::Base
103
103
  based on the presence of relevant content or errors in the HTTP responses.},
104
104
  elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
105
105
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
106
- version: '0.1.1',
106
+ version: '0.1.2',
107
107
  references: {
108
108
  'OWASP' => 'https://www.owasp.org/index.php/PHP_File_Inclusion'
109
109
  },
@@ -111,13 +111,43 @@ class Arachni::Modules::FileInclusion < Arachni::Module::Base
111
111
 
112
112
  issue: {
113
113
  name: %q{File Inclusion},
114
- description: %q{The web application enforces improper limitation
115
- of a pathname.},
114
+ description: %q{Web applications occasionally use
115
+ parameter values to store the location of a file required by
116
+ the server. An example of this is often seen in error pages
117
+ where the actual file path for the error page is called the
118
+ parameter value. For example
119
+ 'yoursite.com/error.php?page=404.php'. A file inclusion
120
+ occurs when the parameter value (ie. path to file being
121
+ called by the server) can be substituted with the path of
122
+ another resource on the same server, and the server then
123
+ displays that resource as text without processing it.
124
+ Therefore revealing the server side source code. Cyber-
125
+ criminals will abuse this vulnerability to view restricted
126
+ files or the source code of various files on the server.
127
+ Arachni discovered that it was possible to substitute a
128
+ parameter value with another resource and have the server
129
+ return the contents of the resource to the client within
130
+ the response. },
116
131
  tags: %w(file inclusion error injection regexp),
117
132
  cwe: '98',
118
133
  severity: Severity::HIGH,
119
- remedy_guidance: %q{User inputs must be validated and filtered
120
- before being used as a part of a filesystem path.}
134
+ remedy_guidance: %q{ It is recommended that untrusted or
135
+ invalidated data is never used to form a literal file
136
+ include request. To validate data, the application should
137
+ ensure that the supplied value for a file is permitted. This
138
+ can be achieved by performing whitelisting on the parameter
139
+ value. The whitelist should contain a list of pages that the
140
+ application is permitted to fetch resources from. If the
141
+ supplied value does not match any value in the whitelist
142
+ then the server should redirect to a standard error page.
143
+ In some scenarios where dynamic content is being requested
144
+ it may not be possible to perform validation of a list of
145
+ trusted resources, therefor the list must also become
146
+ dynamic (update as the files change), or perform filtering
147
+ to remove any unrequired user input such as semicolons or
148
+ periods etc. and only permit a-z0-9. It is also advised that
149
+ sensitive file are not stored within the web root, and that
150
+ the user permissions enforced by the directory are correct.}
121
151
  }
122
152
 
123
153
  }
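Review bot: The new description (new-side lines 114–130) says the server `displays that resource as text without processing it` and so only discloses source, which understates what this module reports under `cwe: '98'`: when the supplied path reaches an include/require-style call the file is executed, so an attacker who can also influence the content of a readable file typically gains code execution rather than just disclosure. I'd replace that sentence with `If the path is passed to an include/require call the server executes the file, so an attacker who can substitute the path can read arbitrary readable files and, where a file with attacker-influenced content is reachable, execute code on the server.` The remedy paragraph is also self-contradictory: it recommends stripping periods and permitting only `a-z0-9`, yet its own example is `page=404.php`; the stronger advice is to accept only an identifier and map it to a file path server-side from a fixed table, never building a path from the parameter. Minor fixes: `therefor` → `therefore`, `sensitive file are not stored` → `sensitive files are not stored`, and the stray leading space in `%q{ It is recommended`.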