The Art of Joomla: tutorials for Joomla developers, site implementers and artisans.

Written and maintained by Andrew Eddie - Joomla master developer.

jhttp_scan

jscan_http is a command line utility that scans the directory of a Joomla site for PHP files and tries to access each of them directly via the web server. Ideally, directly accessing a PHP file should produce no output, with the exception of index.php, index2.php (etc.), which should display regular HTML output. Some files will return warning text, such as "Restricted Access"; these are ignored and considered safe. Any unexpected output is logged to the console.

DOWNLOAD VERSION 1.0

This tool is ideal for developers of Joomla components, modules, plugins and templates who want to ensure that their files correctly prevent direct access (that is, a request that specifies the exact path to the file in the URL).

Requirements

  • PHP 5.3

License and Support

Documentation

Installation

Copy this file into the root of your Joomla web site (or another directory and use the -d option to specify the directory to scan).

Usage

./jscan_http [options]

Options

  • -a "string1|string2"
    Additional responses that are allowed when a file is directly accessed.
  • -b directory
    The base directory of the web server (eg, /usr/local/www).
  • -d directory
    An alternative directory to scan (current working directory assumed as default).
  • -h uri
    The host or domain (defaults to "http://localhost").
  • -n number
    Sets a limit on the number of files to scan.
  • -q
    See help text.
  • -v
    Show the results for all files parsed, not just those that fail.
  • -x "regex"
    A regular expression for file paths to exclude.

Examples

To scan the 1.6 trunk through the web server on localhost:

> ./jscan_http.php -b /Users/foobar/htdocs -d /Users/foobar/htdocs/Joomla/trunk -x "/tests/"
500 * /administrator/components/com_config/controllers/component.php >>> Internal Server Error
500 * /administrator/components/com_search/helpers/site.php          >>> Internal Server Error
  0 * /administrator/index.php                                       >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
  0 * /cache/1a451b73e35d52dc26d333836b2beca0.php                    >>> Access Denied
  0 * /cache/testing/7381142b500f394ef8fd06bd43749a9f.php            >>> Access Denied
  0 * /index.php                                                     >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
  0 * /installation/index.php                                        >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML

This example shows that several files need to be investigated. The files returning a 500 code are likely missing the defined('_JEXEC') or die; guard at the top of the file. The output from the index.php files is expected.
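The scanner's core logic, as an added example that is not the tool's own code (the page's tool is PHP; this is a Python re-implementation of the same checks): each file under the -d directory is mapped to a URL using the -b base directory and -h host, requested directly, and passes only if it returns no output, an allowed string (the built-in "Restricted Access" plus any -a strings), or HTML from an index*.php file; paths matching the -x regex are skipped. The injectable fetch hook and the sample paths are assumptions so it can be exercised offline.

```python
import os
import re
import urllib.error
import urllib.request

# Output that means the guard worked (the page's "Restricted Access"), plus any -a strings.
DEFAULT_ALLOWED = ("Restricted Access", "Access Denied")
# index.php, index2.php, ... are the only files expected to render real HTML.
INDEX_RE = re.compile(r"^index\d*\.php$")

def path_to_url(base_dir, file_path, host="http://localhost"):
    """Map a file on disk to the URL a direct request would use (-b and -h)."""
    rel = os.path.relpath(file_path, base_dir).replace(os.sep, "/")
    return host.rstrip("/") + "/" + rel

def classify(file_path, status, body, allowed=DEFAULT_ALLOWED):
    """Decide whether one direct-access response is acceptable: (ok, reason)."""
    if INDEX_RE.match(os.path.basename(file_path)):
        return True, "index file, HTML expected"
    if status >= 500:
        return False, "server error, defined('_JEXEC') guard probably missing"
    text = body.strip()
    if not text:
        return True, "no output"
    if any(a in text for a in allowed):
        return True, "allowed response"
    return False, "unexpected output: " + text[:40]

def http_fetch(url):
    """GET url and return (status, body); HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def scan(files, base_dir, fetch=http_fetch, exclude=None, allowed=DEFAULT_ALLOWED, host="http://localhost"):
    """Request each .php file directly; return [(url, status, reason)] for the failures."""
    ex = re.compile(exclude) if exclude else None  # the -x exclusion pattern
    failures = []
    for path in files:
        if not path.endswith(".php") or (ex and ex.search(path)):
            continue
        url = path_to_url(base_dir, path, host)
        status, body = fetch(url)
        ok, reason = classify(path, status, body, allowed)
        if not ok:
            failures.append((url, status, reason))
    return failures
```

Pass the result of walking the -d directory (for example with os.walk) as `files`; with the default `http_fetch` the scan runs against a live local web server.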

Acknowledgments

Thanks to Toowoomba Regional Council for sponsoring the development of this tool.