Freewvs/FAQ

From schokokeks.org Wiki
Q: What does freewvs do?

It scans your webroot for known vulnerable versions of popular web applications.

Q: What does the output tell me?

Output looks like this:

Drupal 5.2 (5.3) CVE-2007-5416 /home/joe/websites/joessite/

This says that in /home/joe/websites/joessite/ there is a Drupal installation of version 5.2. This version is vulnerable to CVE-2007-5416 (CVE is an ID system for vulnerability management; you can look the IDs up at http://cve.mitre.org/ ).

It's suggested that you update at least to 5.3.

Q: CVE-2007-XXXX seems to be very minor, at least it doesn't affect me. Am I safe?

No, as freewvs only checks for the latest vulnerabilities. There may be other vulnerabilities in your version that freewvs does not list. The only way to be sure is to check the upstream changelog (at least if you trust upstream to mention all security-related fixes in the changelog). When in doubt, update.

Q: My favorite web software foobar has vulnerabilities all the time, can you add it?

Well, the default answer is "send in patches". The format of the files in freewvsdb is quite simple.

Q: freewvs says foobar 3.7 is safe, but there's been a new vulnerability found.

Send me a message and I'll update.

Q: There is no version inside the brackets, what does that mean?

It means your web application hasn't released a security update. It probably means you should look out for another application with better security management.
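
The output format and the empty-brackets case described above can be triaged automatically. The following is an added example, not part of freewvs or this wiki: it assumes every finding has the shape of the single sample line shown in this FAQ and that a missing fixed version appears as `()`. The names `parse_line`, `triage` and `Finding` are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Assumed line shape, taken from the one sample line in this FAQ:
#   <app> <installed version> (<fixed version>) <vulnerability id> <path>
LINE_RE = re.compile(
    r"^(?P<app>.+?)\s+(?P<installed>\S+)\s+\((?P<fixed>[^)]*)\)\s+"
    r"(?P<vuln>\S+)\s+(?P<path>/.*)$"
)

class Finding(NamedTuple):
    app: str
    installed: str
    fixed: Optional[str]  # None when the brackets are empty (no fixed release)
    vuln: str
    path: str

def parse_line(line):
    """Return a Finding, or None if the line does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fixed = m.group("fixed").strip() or None
    return Finding(m["app"], m["installed"], fixed, m["vuln"], m["path"])

def triage(lines):
    """Group findings per install path: updatable vs. no upstream fix."""
    plan = {"update": defaultdict(list), "no_fix": defaultdict(list), "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        finding = parse_line(line)
        if finding is None:
            plan["unparsed"].append(line)  # never drop lines silently
        else:
            plan["update" if finding.fixed else "no_fix"][finding.path].append(finding)
    return plan

SAMPLE = [
    "Drupal 5.2 (5.3) CVE-2007-5416 /home/joe/websites/joessite/",  # from this FAQ
    "foobar 3.7 () CVE-0000-0000 /home/joe/websites/shop/",  # constructed placeholder
    "this line is not a finding",  # constructed
]

if __name__ == "__main__":
    plan = triage(SAMPLE)
    for path, items in plan["update"].items():
        for f in items:
            print(f"{path}: update {f.app} {f.installed} to at least {f.fixed} ({f.vuln})")
    for path, items in plan["no_fix"].items():
        for f in items:
            print(f"{path}: {f.app} {f.installed} has no fixed release ({f.vuln})")
```

As the FAQ notes, an install that does not appear in the output is not proven safe, so a report built this way lists only known findings.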