
Commit 64bf9e8

committed
0.13
1 parent 718b384 commit 64bf9e8


1 file changed

+68
-48
lines changed


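--- a/magento_appsec_file_check.php
+++ b/magento_appsec_file_check.php
@@ -11,72 +11,88 @@
 
 // SECURITY NOTICES AND QUERIES
 //
-$_securityNotices=array(
-'APPSEC-1034' => array(
-'text' => 'addressing bypassing custom admin URL',
-'exec' => array(
-'path' => array(
-$_magentoPath. 'app/code/*'
-),
-'cmd' => 'grep -irl ' ,
-'query' => array(
-'"<use>admin</use>"'
+$_securityPatches=array(
+'SUPEE-6788' => array
+(
+'APPSEC-1034' => array(
+'text' => 'addressing bypassing custom admin URL',
+'exec' => array(
+'path' => array(
+$_magentoPath. 'app/code/*'
+),
+'cmd' => 'grep -irl ' ,
+'query' => array(
+'"<use>admin</use>"'
+)
+),
+'magentopath' => $_magentoPath),
+'APPSEC-1063' => array(
+'text' => 'addressing possible SQL injection',
+'exec' => array(
+'path' => array(
+$_magentoPath. 'app/code/community/*',
+$_magentoPath. 'app/code/local/*'
+),
+'cmd' => 'grep -irl ' ,
+'query' => array(
+'"collection->addFieldToFilter(\'"',
+'"collection->addFieldToFilter(\'\`"',
 )
-),
-'magentopath' => $_magentoPath),
-'APPSEC-1063' => array(
-'text' => 'addressing possible SQL injection',
-'exec' => array(
-'path' => array(
-$_magentoPath. 'app/code/community/*',
-$_magentoPath. 'app/code/local/*'
-),
-'cmd' => 'grep -irl ' ,
-'query' => array(
-'"collection->addFieldToFilter(\'"',
-'"collection->addFieldToFilter(\'\`"',
-)
-),
-'magentopath' => $_magentoPath),
-'APPSEC-1057' => array(
-'text' => 'template processing method allows access to private information',
-'exec' => array(
-'path' => array(
-$_magentoPath. 'app/code/community/*',
-$_magentoPath. 'app/code/local/*',
-$_magentoPath. 'app/locale/*',
-$_magentoPath. 'app/design/frontend/*'
-),
-'cmd' => 'grep -irl ' ,
-'query' => array(
-'"{{config path="',
-'"{{block type="',
-)
-),
-'magentopath' => $_magentoPath)
+),
+'magentopath' => $_magentoPath),
+'APPSEC-1057' => array(
+'text' => 'template processing method allows access to private information',
+'exec' => array(
+'path' => array(
+$_magentoPath. 'app/code/community/*',
+$_magentoPath. 'app/code/local/*',
+$_magentoPath. 'app/locale/*',
+$_magentoPath. 'app/design/frontend/*'
+),
+'cmd' => 'grep -irl ' ,
+'query' => array(
+'"{{config path="',
+'"{{block type="',
+)
+),
+'magentopath' => $_magentoPath)
+)
 );
 
 // EXEC
 //
 echo '*** '. "\033[1;32m". 'Magento security file check'. "\033[0m". ' ***'. "\n";
 $_count=1;
 
-foreach ($_securityNotices as $_name => $_securityNotice)
+foreach ($_securityPatches as $_patchName => $_securityNotices)
 {
+echo $_patchName. "\n";
+$_total=0;
+
+foreach ($_securityNotices as $_appsec => $_securityNotice)
+{
 
-echo '['. $_count++. '] '. $_name. ', '. $_securityNotice['text']. "\n";
-echo doExec($_securityNotice,$_name)."\n\n";
+echo '['. $_count++. '] '. $_appsec. ', '. $_securityNotice['text']. "\n";
+
+$_result=doExec($_securityNotice,$_appsec);
+$_total=$_total + $_result['total'];
+
+echo $_result['text']. "\n";
 
+}
+
+echo $_patchName. ' '. ($_total > 0 ? "\033[1;31m". $_total. "\033[0m". ' affected files.' : $_total. 'affected files.'). "\n";
 }
 
 echo '***********************************'. "\n";
 exit;
 
 
-function doExec($_securityNotice,$_name)
+function doExec($_securityNotice,$_appsec)
 {
 $_text='';
 $_exec=$_securityNotice['exec']['cmd'];
+$_total=0;
 
 foreach ($_securityNotice['exec']['path'] as $_searchPath)
 {
@@ -100,10 +116,11 @@ function doExec($_securityNotice,$_name)
 if (0 === $_status)
 {
 $_count=$_count + count($_output);
+$_total=$_total + $_count;
 
 foreach ($_output as $_line)
 {
-$_search=$_search.'['. "\033[1;32m". $_name. "\033[0m". '] '. $_searchQuery. ' found in '. "\033[1;31m". str_replace($_securityNotice['magentopath'],' ', $_line). "\033[0m\n";
+$_search=$_search.'['. "\033[1;32m". $_appsec. "\033[0m". '] '. $_searchQuery. ' found in '. "\033[1;31m". str_replace($_securityNotice['magentopath'],' ', $_line). "\033[0m\n";
 }
 
 } else {
@@ -115,6 +132,9 @@ function doExec($_securityNotice,$_name)
 $_text=$_text.($_count > 0 ? "\033[1;31m". $_count. "\033[0m". ' affected files : ' : $_count. 'affected files.'). "\n". $_search. "\n";
 }
 
-return $_text;
+return array(
+'text' => $_text,
+'total' => $_total
+);
 
 }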
