CMSeeK

What is CMSeeK?

CMSeeK is an open source penetration testing tool to automate the process of detecting various types of CMS and its installed extensions. Only the Joomla CMS is supported by secureCodeBox. CMSeeK has a database with known vulnerabilities.

To learn more about the CMSeeK scanner itself, visit the CMSeeK GitHub repository here.

Deployment

The cmseek chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install cmseek secureCodeBox/cmseek

Scanner Configuration

The CMSeeK targets are specified with the -u parameter. The target should be a URL.

Additional CMSeeK scan features can be configured via the parameter attribute.

Some useful example parameters listed below:

-u URL, --url URL : Target Url.
--follow-redirect : Follows all/any redirect(s).
--no-redirect : skips all redirects and tests the input target(s)
-r, --random-agent: Use a random user agent.
--googlebot: Use Google bot user agent.
--user-agent USER_AGENT: Specify a custom user agent

Requirements

Kubernetes: >=v1.11.0-0

Values

Key	Type	Default	Description
cascadingRules.enabled	bool	`false`	Enables or disables the installation of the default cascading rules for this scanner
imagePullSecrets	list	`[]`	Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
parser.affinity	object	`{}`	Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
parser.env	list	`[]`	Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
parser.image.pullPolicy	string	`"IfNotPresent"`	Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
parser.image.repository	string	`"docker.io/securecodebox/parser-cmseek"`	Parser image repository
parser.image.tag	string	defaults to the charts version	Parser image tag
parser.resources	object	{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }	Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
parser.scopeLimiterAliases	object	`{}`	Optional finding aliases to be used in the scopeLimiter.
parser.tolerations	list	`[]`	Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
parser.ttlSecondsAfterFinished	string	`nil`	seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner.activeDeadlineSeconds	string	`nil`	There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)
scanner.affinity	object	`{}`	Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
scanner.backoffLimit	int	3	There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
scanner.env	list	`[]`	Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scanner.extraContainers	list	`[]`	Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scanner.extraVolumeMounts	list	`[]`	Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.extraVolumes	list	`[]`	Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.image.pullPolicy	string	`"IfNotPresent"`	Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
scanner.image.repository	string	`"docker.io/securecodebox/scanner-cmseek"`	Container Image to run the scan
scanner.image.tag	string	`nil`	defaults to the charts appVersion
scanner.nameAppend	string	`nil`	append a string to the default scantype name.
scanner.podSecurityContext	object	`{}`	Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.resources	object	`{}`	CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scanner.securityContext	object	`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":true}`	Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.securityContext.allowPrivilegeEscalation	bool	`false`	Ensure that users privileges cannot be escalated
scanner.securityContext.capabilities.drop[0]	string	`"all"`	This drops all linux privileges from the container.
scanner.securityContext.privileged	bool	`false`	Ensures that the scanner container is not run in privileged mode
scanner.securityContext.readOnlyRootFilesystem	bool	`false`	Prevents write access to the containers file system
scanner.securityContext.runAsNonRoot	bool	`true`	Enforces that the scanner image is run as a non root user
scanner.suspend	bool	`false`	if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue
scanner.tolerations	list	`[]`	Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
scanner.ttlSecondsAfterFinished	string	`nil`	seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/

License

Code of secureCodeBox is licensed under the Apache License 2.0.

CPU architectures

The scanner is currently supported for these CPU architectures:

linux/amd64

Examples

demo-old-joomla

Scan
Findings

# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: cmseek-example
spec:
  scanType: "cmseek"
  parameters:
    - "-u"
    - "old-joomla.demo-targets.svc.cluster.local" # Change to the website you want to scan
    - "--no-redirect"

# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

[
  {
    "name": "PHPMailer Remote Code Execution Vulnerability",
    "description": "Vulnerability of type PHPMailer Remote Code Execution Vulnerability found",
    "category": "Vulnerability",
    "location": "http://old-joomla.demo-targets.svc.cluster.local",
    "osi_layer": "APPLICATION",
    "severity": "HIGH",
    "attributes":
      {
        "joomla_version": "3.6.5",
        "references":
          [
            "CVE : CVE-2016-10033",
            "https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
            "https://github.com/opsxcq/exploit-CVE-2016-10033",
            "EDB : https://www.exploit-db.com/exploits/40969/",
          ],
      },
    "id": "f41eeb1c-142e-46f2-96ae-01c9f7ca1aa7",
    "parsed_at": "2021-09-28T15:06:29.225Z",
  },
  {
    "name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability",
    "description": "Vulnerability of type PPHPMailer Incomplete Fix Remote Code Execution Vulnerability found",
    "category": "Vulnerability",
    "location": "http://old-joomla.demo-targets.svc.cluster.local",
    "osi_layer": "APPLICATION",
    "severity": "HIGH",
    "attributes":
      {
        "joomla_version": "3.6.5",
        "references":
          [
            "CVE : CVE-2016-10045",
            "https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
            "EDB : https://www.exploit-db.com/exploits/40969/",
          ],
      },
    "id": "ef8852d1-719b-4a4d-8cd6-d818fffb6fd2",
    "parsed_at": "2021-09-28T15:06:29.225Z",
  },
  {
    "name": "Backup files",
    "description": "Visible Backup files found",
    "category": "Visible internal files",
    "location": "http://old-joomla.demo-targets.svc.cluster.local",
    "osi_layer": "APPLICATION",
    "severity": "INFORMATIONAL",
    "attributes":
      {
        "joomla_backup_files": "http://old-joomla.demo-targets.svc.cluster.local/administrator,",
      },
    "id": "021b92a7-0c24-4f3c-b4b9-217e3a2e1ce9",
    "parsed_at": "2021-09-28T15:06:29.225Z",
  },
]

What is CMSeeK?​

Deployment​

Scanner Configuration​

Requirements​

Values​

License​

CPU architectures​

Examples​

demo-old-joomla​