jscan_http is a command line utility that scans the directory of a Joomla site for PHP files and tries to access them directly via the web server. Ideally no output should be received from directly accessing any PHP file, with the exception of index.php, index2.php (etc) which should display regular HTML output. Some files will return warning text, such as "Restricted Access", and these will be ignored and considered safe. Any unexpected output will be logged to the console.
This tool is ideal for developers of Joomla component, modules, plugins and templates to ensure that their files correctly prevent direct access (by specifying the exact path to the file in the URL).
- PHP 5.3
License and Support
This tool is free to download and use. It is released as Open Source under the GNU General Public License.
No official support is provided. However, usage difficulties can be reported on the Art of Joomla project tracker.
Copy this file into the root of your Joomla web site (or another directory and use the -d option to specify the directory to scan).
Additional responses that are allowed when a file is directly accessed.
The base directory of the web server (eg, /usr/local/www). Defaults to the current working directory.
An alternative directory to scan (current working directory assumed as default).
The host or domain (defaults to "http://localhost").
Sets a limit on the number of files to scan.
See help text.
Show the results for all files parsed, not just those that fail.
A regular expression for file paths to exclude.
To scan the current Joomla site installed in a subfolder of localhost and jscan_http is installed in the base folder of the Joomla site:
> ./jscan_http.php -u "http://localhost/Joomla/1.5.20"
To scan the 1.6 trunk remotely on localhost.
> ./jscan_http.php -b /Users/foobar/htdocs -d /Users/foobar/htdocs/Joomla/trunk -x "/tests/" 500 * /administrator/components/com_config/controllers/component.php >>> Internal Server Error 500 * /administrator/components/com_search/helpers/site.php >>> Internal Server Error 0 * /administrator/index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 0 * /cache/1a451b73e35d52dc26d333836b2beca0.php >>> Access Denied 0 * /cache/testing/7381142b500f394ef8fd06bd43749a9f.php >>> Access Denied 0 * /index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 0 * /installation/index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
This example shows that several files need to be investigated. The 500 return codes files are likely missing
defined('_JEXEC') or die; code at the top of the file. The output from the
index.php files is expected.
Thanks to Toowoomba Regional Council for sponsoring the development of this tool.