Details
jscan_http is a command line utility that scans the directory of a Joomla site for PHP files and tries to access each of them directly via the web server. Ideally, directly accessing any PHP file should produce no output, with the exception of index.php, index2.php, etc., which should display regular HTML output. Some files will return warning text, such as "Restricted Access"; these are ignored and considered safe. Any unexpected output is logged to the console.
This tool is ideal for developers of Joomla components, modules, plugins and templates to ensure that their files correctly prevent direct access (that is, a request that specifies the exact path to the file in the URL).
Requirements
- PHP 5.3
License and Support
This tool is free to download and use. It is released as Open Source under the GNU General Public License.
No official support is provided. However, usage difficulties can be reported on the Art of Joomla project tracker.
Documentation
Installation
Copy this file into the root of your Joomla web site (or another directory and use the -d option to specify the directory to scan).
Usage
./jscan_http [options]
Options
-a "string1|string2"
    Additional responses that are allowed when a file is directly accessed.
-b directory
    The base directory of the web server (eg, /usr/local/www). Defaults to the current working directory.
-d directory
    An alternative directory to scan (current working directory assumed as default).
-u uri
    The host or domain (defaults to "http://localhost").
-n number
    Sets a limit on the number of files to scan.
-h
    See help text.
-v
    Show the results for all files parsed, not just those that fail.
-x "regex"
    A regular expression for file paths to exclude.
Examples
To scan the current Joomla site installed in a subfolder of localhost and jscan_http is installed in the base folder of the Joomla site:
> ./jscan_http.php -u "http://localhost/Joomla/1.5.20"
To scan the 1.6 trunk remotely on localhost:
> ./jscan_http.php -b /Users/foobar/htdocs -d /Users/foobar/htdocs/Joomla/trunk -x "/tests/"
500 * /administrator/components/com_config/controllers/component.php >>> Internal Server Error
500 * /administrator/components/com_search/helpers/site.php >>> Internal Server Error
0 * /administrator/index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
0 * /cache/1a451b73e35d52dc26d333836b2beca0.php >>> Access Denied
0 * /cache/testing/7381142b500f394ef8fd06bd43749a9f.php >>> Access Denied
0 * /index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
0 * /installation/index.php >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
This example shows that several files need to be investigated. The files returning a 500 code are likely missing the defined('_JEXEC') or die; guard at the top of the file. The output from the index.php files is expected.
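The pass/fail rule the run above relies on, written out as an added Python example (not the tool's own code): a file is safe when direct access yields nothing or only an allowed warning string, index*.php files may render a full page, and anything else, including a 500, is flagged. Treating every 5xx as a failure and the should_scan/-x handling are assumptions; the com_example paths in the sample are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Warning strings the tool treats as a safe answer to direct access;
# the -a option would extend this tuple.
DEFAULT_ALLOWED = ("Restricted Access", "Access Denied")
INDEX_RE = re.compile(r"^index\d*\.php$")  # index.php, index2.php, ...

def should_scan(rel_path, exclude=None):
    """Only .php files are requested; an -x style regex drops matching paths."""
    if not rel_path.endswith(".php"):
        return False
    return not (exclude and re.search(exclude, rel_path))

def classify(rel_path, status, body, allowed=DEFAULT_ALLOWED):
    """Return 'ok', 'ignored', 'expected' or 'investigate' for one response."""
    text = body.strip()
    if status >= 500:                     # assumption: any 5xx is a failure;
        return "investigate"              # the run above shows 500s for unguarded files
    if text == "":
        return "ok"                       # silent: direct access produced nothing
    if any(msg in text for msg in allowed):
        return "ignored"                  # a guard printed its warning text
    name = PurePosixPath(rel_path).name
    if INDEX_RE.match(name) and text.lower().startswith("<!doctype"):
        return "expected"                 # entry points render a full HTML page
    return "investigate"                  # anything else leaked output

def report(results, allowed=DEFAULT_ALLOWED, verbose=False):
    """Console lines in the tool's style; failures only unless -v is given."""
    lines = []
    for rel_path, status, body in results:
        verdict = classify(rel_path, status, body, allowed)
        if verbose or verdict == "investigate":
            lines.append(f"{status} * {rel_path} >>> {verdict}: {body[:40]}")
    return lines

# Constructed sample responses modelled on the run shown above; the
# com_example paths are hypothetical.
SAMPLE = [
    ("/administrator/components/com_config/controllers/component.php", 500, "Internal Server Error"),
    ("/cache/1a451b73e35d52dc26d333836b2beca0.php", 200, "Access Denied"),
    ("/index.php", 200, '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML'),
    ("/components/com_example/helper.php", 200, ""),
    ("/components/com_example/debug.php", 200, "array(2) {"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```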
Acknowledgments
Thanks to Toowoomba Regional Council for sponsoring the development of this tool.
