quick review of Pixy vulnerability scanner for PEAR users

Lot 49: Greg Beaver's blog

Friday, June 22. 2007

quick review of Pixy vulnerability scanner for PEAR users

Just a quick note, I tried out the Pixy XSS and SQLI Scanner (http://pixybox.seclab.tuwien.ac.at/pixy/index.php) on a few simple PEAR files.  On the first, I got a java exception, on the second it was unable to resolve the simplest of includes (no ability to resolve include_path).

In short, the thing is useless for anything written using PEAR.  Fun!

Posted by Greg Beaver in PEAR at 07:13 | Comments (4) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Wow, haven't looked at Pixy in about a year myself... good to see it's gone past 2.0.

Did you try the web interface, or did you download and run it locally? I had toyed with it about a year ago on some internal work code, seeing what it picked up, and I don't remember any problems running it.

If you downloaded it, look for me in the eclipse-usage.txt doc file ;-)
#1 Chuck Burgess (Homepage) on 2007-06-23 04:46 (Reply)
Greg, please email us the details of the issues that you encountered. We are very interested in solving problems and helping people use Pixy, but we need some information for that.

-- Nenad
#2 Nenad Jovanovic (Homepage) on 2007-06-26 00:34 (Reply)
Please send us the details of the problems you had with Pixy, so that we can solve these issues. We are very interested in improving our tool.

-- Nenad
#3 Nenad Jovanovic (Homepage) on 2007-07-02 02:26 (Reply)
Good work :-)
#4 sf (Homepage) on 2007-07-10 06:20 (Reply)

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
You can use [geshi lang=lang_name [,ln={y|n}]][/lang] tags to embed source code snippets
 
Submitted comments will be subject to moderation before being displayed.
 

Calendar

Back March '10
Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

Categories


All categories

Popular Entries

Setting up your own PEAR channel with Chiara_PEAR_Server - the official way
(36)
Do you develop a website? It is infinitely better to synchronize live and development sites using the PEAR Installer
(25)
How to put the FAIL in open source
(22)
doing the PEAR thing
(19)
Using PEAR 1.4.0 to install PEAR packages on a remote host
(19)
phpDocumentor and __get/__set/__call - give us your ideas (RFC)
(17)
PEAR now fits in a bottle: meet go-pear.phar
(17)
Mac OS X ships with security hole-laden PEAR - how to upgrade immediately
(16)
Introducing pecl extension phar
(13)
go-pear.phar works! In related news, PHP_Archive is now PHP 5.1.0+
(12)