RubyGems - wpscan - Versions diffs - 3.7.5 → 3.7.6 - Mend

wpscan 3.7.5 → 3.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/app/finders/plugins/known_locations.rb +6 -2
data/app/finders/themes/known_locations.rb +6 -2
data/app/models/wp_item.rb +3 -8
data/app/views/cli/core/banner.erb +1 -1
data/app/views/cli/vuln_api/status.erb +1 -1
data/app/views/json/core/banner.erb +1 -1
data/app/views/json/vuln_api/status.erb +1 -1
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +2 -0
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +2 -2
data/lib/wpscan/version.rb +1 -1
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29a5b1b220faac482fcc9dfc75acc1b5fa317b784781e661edaf62e8a4461b04
-  data.tar.gz: 6f6734691c70deafdccfbf955233ffaaa205ff6b74fb98d8f03445706f30931d
+  metadata.gz: 19a2c1feb1442174b5f721eda7586cfee74fb28e1adbc232e9c9ccff1f4857d8
+  data.tar.gz: 86b8ec27710e3274849621cf389aa78f8aec160463356bed8fdf916753b68c7d
 SHA512:
-  metadata.gz: 45ad4347d4492e62b1c7c12e095abbe07fafd2c68f45991372afdbe25a95a32d7c7bb03e3f80758ebbcc3dbc8408ed2698d05ecc607c8221978b6e8408a8d818
-  data.tar.gz: 0af442e8628c812c473d07a3342fe2195e2e786ebece14f05d788b98b464b2d54f7614847705645e85a6984f284850768968d51d7056e64bd4de7d8232bf0b0c
+  metadata.gz: 79fc67c24d7ff4ddcd37d89711e85cd7bdfa5fe85e1c097f880f210ccc509d0844d06cff73f742ad81233dc0136116bb97d916fe81e018efd00d8f6bc1d93be5
+  data.tar.gz: 03f8380c1c7ff59f9f034bdda8914ceb5ab335d636f52a9302cffdd32f13ec0b3f62a5f3a91ae41bd4c893e3c8580df09a3bcda7265c7917b4a79c1cf4901e09

data/app/finders/plugins/known_locations.rb CHANGED Viewed

@@ -19,8 +19,12 @@ module WPScan
         def aggressive(opts = {})
           found = []
-          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
-            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
+            finding_opts = opts.merge(found_by: found_by,
+                                      confidence: 80,
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
+            found << Model::Plugin.new(slug, target, finding_opts)
             raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end

data/app/finders/themes/known_locations.rb CHANGED Viewed

@@ -19,8 +19,12 @@ module WPScan
         def aggressive(opts = {})
           found = []
-          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
-            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
+            finding_opts = opts.merge(found_by: found_by,
+                                      confidence: 80,
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
+            found << Model::Theme.new(slug, target, finding_opts)
             raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end

data/app/models/wp_item.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module WPScan
       # @option opts [ Hash ]   :version_detection The options to use when looking for the version
       # @option opts [ String ] :url The URL of the item
       def initialize(slug, blog, opts = {})
-        @slug  = URI.decode(slug)
+        @slug  = Addressable::URI.unencode(slug)
         @blog  = blog
         @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
@@ -83,11 +83,6 @@ module WPScan
                       end
       end
-      # URI.encode is preferered over Addressable::URI.encode as it will encode
-      # leading # character:
-      # URI.encode('#t#') => %23t%23
-      # Addressable::URI.encode('#t#') => #t%23
-      #
       # @param [ String ] path Optional path to merge with the uri
       #
       # @return [ String ]
@@ -95,7 +90,7 @@ module WPScan
         return unless @uri
         return @uri.to_s unless path
-        @uri.join(URI.encode(path)).to_s
+        @uri.join(Addressable::URI.encode(path)).to_s
       end
       # @return [ Boolean ]
@@ -166,7 +161,7 @@ module WPScan
       # @return [ Typhoeus::Response ]
       def head_and_get(path, codes = [200], params = {})
         final_path = +@path_from_blog
-        final_path << URI.encode(path) unless path.nil?
+        final_path << path unless path.nil?
         blog.head_and_get(final_path, codes, params)
       end

data/app/views/cli/core/banner.erb CHANGED Viewed

@@ -9,6 +9,6 @@ _______________________________________________________________
          WordPress Security Scanner by the WPScan Team
                          Version <%= WPScan::VERSION %>
 <%= ' ' * ((63 - WPScan::DB::Sponsor.text.length)/2) + WPScan::DB::Sponsor.text %>
-       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
+       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 _______________________________________________________________

data/app/views/cli/vuln_api/status.erb CHANGED Viewed

@@ -9,5 +9,5 @@
 <% end -%>
 <% else -%>
 <%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
-<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
+<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
 <% end -%>

data/app/views/json/core/banner.erb CHANGED Viewed

@@ -5,7 +5,7 @@
     "@_WPScan_",
     "@ethicalhack3r",
     "@erwan_lr",
-    "@_FireFart_"
+    "@firefart"
   ],
   "sponsor": <%= WPScan::DB::Sponsor.text.to_json %>
 },

data/app/views/json/vuln_api/status.erb CHANGED Viewed

@@ -8,6 +8,6 @@
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
-"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up."
+"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up"
 <% end -%>
 },

data/lib/wpscan/finders/dynamic_finder/wp_version.rb CHANGED Viewed

@@ -37,6 +37,8 @@ module WPScan
           end
         end
+        # This one has been disabled from the DF.yml as it was causing FPs when a plugin had numerous
+        # files matching a known WP version.
         class WpItemQueryParameter < QueryParameter
           def xpath
             @xpath ||=

data/lib/wpscan/target/platform/wordpress/custom_directories.rb CHANGED Viewed

@@ -71,7 +71,7 @@ module WPScan
         #
         # @return [ String ]
         def plugin_url(slug)
-          plugins_uri.join("#{URI.encode(slug)}/").to_s
+          plugins_uri.join("#{Addressable::URI.encode(slug)}/").to_s
         end
         # @return [ String ]
@@ -93,7 +93,7 @@ module WPScan
         #
         # @return [ String ]
         def theme_url(slug)
-          themes_uri.join("#{URI.encode(slug)}/").to_s
+          themes_uri.join("#{Addressable::URI.encode(slug)}/").to_s
         end
         # @return [ String, False ] String of the sub_dir found, false otherwise

data/lib/wpscan/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 # Version
 module WPScan
-  VERSION = '3.7.5'
+  VERSION = '3.7.6'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.7.5
+  version: 3.7.6
 platform: ruby
 authors:
 - WPScanTeam
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-11-11 00:00:00.000000000 Z
+date: 2020-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.8.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.76.0
+        version: 0.78.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.76.0
+        version: 0.78.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement