c5scan - A vulnerability scanner for concrete5

Occasionally in my life I've helped out with various friends' sites, and one of these was for a long time built upon a CMS called concrete5.  To me, concrete5 is a fairly different CMS from various other offerings such as Drupal and Wordpress, with more of a drag 'n drop interface.  The website boasts ease of use - "Easy to Use", "Easy to Theme", "Easy to Extend", and the user interface is fairly well put together.

Of course, it's a CMS, and it's PHP, so there's bound to be some vulns in there over time.  After a couple of experiences with upgrading after vulnerability disclosures, and inspired by wpscan, I thought it'd be useful to start scripting up a checker.

The result of which is c5scan, and you can view or get c5scan on GitHub.

As an example of usage I thought I'd try the scanner against a few sites listed on the concrete5 showcase:

$ ./c5scan.py -u http://www.cambridge.org/

**********************************************************
*                      ~ C5scan ~                        *
* A vulnerability and information gatherer for concrete5 *
*                auraltension@riseup.net                 *
**********************************************************

URL: http://www.cambridge.org/

[+] Interesting header: server: PWS/8.1.20.9
[+] robots.txt found at  http://www.cambridge.org/robots.txt

Enumerating updates in /updates/

Looking for Readme files
[+] Found a readme at:  http://www.cambridge.org/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at:  http://www.cambridge.org/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at:  http://www.cambridge.org/concrete/blocks/video/README
[+] Found a readme at:  http://www.cambridge.org/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at:  http://www.cambridge.org/concrete/libraries/3rdparty/securimage/README.txt

Checking for known vulnerabilities in updates

$ ./c5scan.py -u http://www.mini.co.uk

**********************************************************
*                      ~ C5scan ~                        *
* A vulnerability and information gatherer for concrete5 *
*                auraltension@riseup.net                 *
**********************************************************

URL: http://www.mini.co.uk/

[+] Interesting header: server: Apache
[+] Interesting header: x-powered-by: PHP/5.1.6
[+] robots.txt found at  http://www.mini.co.uk/robots.txt

Enumerating updates in /updates/

Looking for Readme files
[+] Found a readme at:  http://www.mini.co.uk/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at:  http://www.mini.co.uk/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at:  http://www.mini.co.uk/concrete/blocks/video/README
[+] Found a readme at:  http://www.mini.co.uk/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at:  http://www.mini.co.uk/concrete/libraries/3rdparty/securimage/README.txt

Checking for known vulnerabilities in updates

$ ./c5scan.py -u www.serena.com
  
**********************************************************
*                      ~ C5scan ~                        *
* A vulnerability and information gatherer for concrete5 *
*                auraltension@riseup.net                 *
**********************************************************

No http:// or https:// provided. Trying http://
URL: http://www.serena.com/

[+] Discovered version 5.6.1.2 from meta 'generator' tag
[+] Interesting header: server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4
[+] robots.txt found at  http://www.serena.com/robots.txt

Enumerating updates in /updates/
[+] Update version 5.6.1 exists
[+] Update version 5.6.1.2 exists
[+] Update version 5.6.1.2 exists

Looking for Readme files
[+] Found a readme at:  http://www.serena.com/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at:  http://www.serena.com/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at:  http://www.serena.com/concrete/blocks/video/README
[+] Found a readme at:  http://www.serena.com/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at:  http://www.serena.com/concrete/libraries/3rdparty/securimage/README.txt

Checking for known vulnerabilities in updates
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/

Checking for known vulnerabilities in current version
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/

I've got a bunch of work to do over time, such as adding threading, ideas for additional checks, output formats, improving functionality in the checking of vulns, input lists/files, and various ways to make the checks more useful to the user.  But that's much of the fun of a random open source project ;)

I'm also wanting to set aside some time to poke more into the concrete5 code itself to look for some bugs, understand its structure and poke at it a bit, which I'm sure will result in more improvements.  You'll note in one of the examples above that there is a check for known vulnerabilities in any of the installed updates, as concrete5 leaves prior code in the /updates directory; however, I am yet to confirm whether any of the update code may even provide an attack vector.
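One way to post-process output like the runs above into a structured record, so that leftover versions under /updates/ and the scope of each finding can be tracked per site. This is an added example, not part of c5scan: the host name and the functions parse_c5scan and stale_updates are made up for illustration, and the sample text is constructed in the output format shown above.

```python
import re

# Constructed sample in the output format shown above; the host is a placeholder.
SAMPLE = """\
URL: http://cms.example.org/

[+] Discovered version 5.6.1.2 from meta 'generator' tag

Enumerating updates in /updates/
[+] Update version 5.6.1 exists
[+] Update version 5.6.1.2 exists
[+] Update version 5.6.1.2 exists

Checking for known vulnerabilities in updates
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/

Checking for known vulnerabilities in current version
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/
"""

def parse_c5scan(text):
    # Build a dict from the text output, de-duplicating repeated update lines.
    rep = {"url": None, "version": None, "updates": [], "vulns": []}
    lines = [l.strip() for l in text.splitlines()]
    scope = None
    for i, line in enumerate(lines):
        if line.startswith("URL: "):
            rep["url"] = line[5:]
        elif m := re.match(r"\[\+\] Discovered version (\S+)", line):
            rep["version"] = m.group(1)
        elif m := re.match(r"\[\+\] Update version (\S+) exists", line):
            if m.group(1) not in rep["updates"]:
                rep["updates"].append(m.group(1))
        elif m := re.match(r"Checking for known vulnerabilities in (.+)", line):
            scope = m.group(1)  # "updates" or "current version"
        elif m := re.match(r"\[\+\] A known vulnerability exists for (\S+):", line):
            # The two lines after the marker carry the title and the reference.
            title, ref = (lines[i + 1:i + 3] + ["", ""])[:2]
            rep["vulns"].append({"scope": scope, "version": m.group(1),
                                 "title": title, "reference": ref})
    return rep

def stale_updates(rep):
    # Versions left under /updates/ that are older than the running one.
    key = lambda v: tuple(int(p) for p in v.split("."))
    return [v for v in rep["updates"] if rep["version"] and key(v) < key(rep["version"])]
```

On the sample, the duplicated 5.6.1.2 update line collapses to one entry and stale_updates reports 5.6.1 as old code still present on the site.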

I hope that somebody else can find this useful, and issue submissions are highly valued.

*serena.com had been advised of the positive finding on their site prior to the publishing of this post.