magescan's Issues

Enhancement : Content Length

Dear Team,

While the "Unreachable Path Check" piece gives us a lot of false positives... It would be a good enhancement if you could add the Content-Length of the received bruteforced paths...

| Path                                         | Response Code | Status |

Please add another column, "Content-Length", for the resulting paths, so one can determine the false positives easily.

Sincerely,

(assumed) PHP 5.5.9 incompatibility

Hi Steve, thanks for making this.

Using default PHP shipped with Ubuntu LTS 14.04:

$ mga scan myshop.nl
PHP Notice:  Use of undefined constant CURLOPT_NOBODY - assumed 'CURLOPT_NOBODY' in phar:///home/willem/Dropbox/desktop/files/bin/mga/src/MGA/Command/ScanCommand.php on line 281
PHP Fatal error:  Call to undefined function MGA\curl_init() in phar:///home/willem/Dropbox/desktop/files/bin/mga/src/MGA/Request.php on line 28
$ php -v
PHP 5.5.9-1ubuntu4.9 (cli) (built: Apr 17 2015 11:44:57) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies

Works fine on PHP 5.4.26

This scan might be exploited, please help.

Hello Steve,

We have found a plain text file in a few Magento 1 and 2 sites. It was a plain txt file in the root of the site called srobbins.txt and the contents were just this:
"Steve was here A"

I am thinking your scan might have been modified by bad guys. I assume they are scanning for vulnerable ways to upload a file to a site. Do any of your scanners test for this?

Move Module and Unreachable Paths Arrays to Separate Files

Move the array of checks for modules, unreachable paths and even versions so that they live in a separate set of file(s) or database. This will allow easier update of known modules, paths and also provide the option to create a custom/additional list outside of the core.

Name change, composer replace

With the package having a new name, might be an idea to add a replace section into the composer file in case anybody depended on your original package.

"replace": {
    "steverobbins/magento-guest-audit": "*"
}

Due to the nature of your tool, might not be a big deal, but thought I'd mention it.

php issues on kali

Below are the issues that I am having. I have tried to reinstall PHP and a couple of other things. Any help would be nice.

root@kali:~/Documents/Active/SwagShop/magescan# php composer.phar update
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

Problem 1
- guzzle/guzzle v3.9.3 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.9.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.9.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.9.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.8.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.8.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.7.4 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.7.3 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.7.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.7.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.7.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.6.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.5.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.4.3 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.4.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.4.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.4.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.3.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.3.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.2.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.1.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.1.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.1.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.7 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.6 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.5 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.4 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.3 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v3.0.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v2.8.8 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v2.8.7 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v2.8.6 requires ext-curl * -> the requested PHP extension curl is missing from your system.
- guzzle/guzzle v2.8.5 requires ext-curl * -> the requested PHP extension curl is missing from your system.

  • guzzle/guzzle v2.8.4 requires ext-curl * -> the requested PHP extension curl is missing from your system.
    • guzzle/guzzle v2.8.3 requires ext-curl * -> the requested PHP extension curl is missing from your system.
    • guzzle/guzzle v2.8.2 requires ext-curl * -> the requested PHP extension curl is missing from your system.
    • guzzle/guzzle v2.8.1 requires ext-curl * -> the requested PHP extension curl is missing from your system.
    • guzzle/guzzle v2.8.0 requires ext-curl * -> the requested PHP extension curl is missing from your system.
    • satooshi/php-coveralls v1.1.0 requires guzzle/guzzle ^2.8 || ^3.0 -> satisfiable by guzzle/guzzle[v2.8.0, v2.8.1, v2.8.2, v2.8.3, v2.8.4, v2.8.5, v2.8.6, v2.8.7, v2.8.8, v3.0.0, v3.0.1, v3.0.2, v3.0.3, v3.
      0.4, v3.0.5, v3.0.6, v3.0.7, v3.1.0, v3.1.1, v3.1.2, v3.2.0, v3.3.0, v3.3.1, v3.4.0, v3.4.1, v3.4.2, v3.4.3, v3.5.0, v3.6.0, v3.7.0, v3.7.1, v3.7.2, v3.7.3, v3.7.4, v3.8.0, v3.8.1, v3.9.0, v3.9.1, v3.9.2, v3.9.3
      ].
    • Installation request for satooshi/php-coveralls 1.1.* -> satisfiable by satooshi/php-coveralls[v1.1.0].

To enable extensions, verify that they are enabled in your .ini files:
- /etc/php/7.3/cli/php.ini
- /etc/php/7.3/cli/conf.d/10-mysqlnd.ini
- /etc/php/7.3/cli/conf.d/10-opcache.ini
- /etc/php/7.3/cli/conf.d/10-pdo.ini
- /etc/php/7.3/cli/conf.d/15-xml.ini
- /etc/php/7.3/cli/conf.d/20-calendar.ini
- /etc/php/7.3/cli/conf.d/20-ctype.ini
- /etc/php/7.3/cli/conf.d/20-dom.ini
- /etc/php/7.3/cli/conf.d/20-exif.ini
- /etc/php/7.3/cli/conf.d/20-fileinfo.ini
- /etc/php/7.3/cli/conf.d/20-ftp.ini
- /etc/php/7.3/cli/conf.d/20-gettext.ini
- /etc/php/7.3/cli/conf.d/20-iconv.ini
- /etc/php/7.3/cli/conf.d/20-json.ini
- /etc/php/7.3/cli/conf.d/20-mbstring.ini
- /etc/php/7.3/cli/conf.d/20-mysqli.ini
- /etc/php/7.3/cli/conf.d/20-pdo_mysql.ini
- /etc/php/7.3/cli/conf.d/20-phar.ini
- /etc/php/7.3/cli/conf.d/20-posix.ini
- /etc/php/7.3/cli/conf.d/20-readline.ini
- /etc/php/7.3/cli/conf.d/20-shmop.ini
- /etc/php/7.3/cli/conf.d/20-simplexml.ini
- /etc/php/7.3/cli/conf.d/20-sockets.ini
- /etc/php/7.3/cli/conf.d/20-sysvmsg.ini
- /etc/php/7.3/cli/conf.d/20-sysvsem.ini
- /etc/php/7.3/cli/conf.d/20-sysvshm.ini
- /etc/php/7.3/cli/conf.d/20-tokenizer.ini
- /etc/php/7.3/cli/conf.d/20-wddx.ini
- /etc/php/7.3/cli/conf.d/20-xmlreader.ini
- /etc/php/7.3/cli/conf.d/20-xmlwriter.ini
- /etc/php/7.3/cli/conf.d/20-xsl.ini
You can also run php --ini inside terminal to see which files are used by PHP in CLI mode.

Multiple errors in OS X

Hi,

I'm trying to get magescan to run on OS X. I've tried both from source (latest git master) and using the magescan.phar file.

My PHP version (installed with homebrew):

$ php -v
PHP 5.3.29 (cli) (built: May  3 2016 13:51:54) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2014 Zend Technologies

Error when running from source:

$ php bin/magescan 
PHP Warning:  require_once(/Users/ryan/Tools/magescan/src/../vendor/autoload.php): failed to open stream: No such file or directory in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15

Warning: require_once(/Users/ryan/Tools/magescan/src/../vendor/autoload.php): failed to open stream: No such file or directory in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15
PHP Fatal error:  require_once(): Failed opening required '/Users/ryan/Tools/magescan/src/../vendor/autoload.php' (include_path='.:') in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15

Fatal error: require_once(): Failed opening required '/Users/ryan/Tools/magescan/src/../vendor/autoload.php' (include_path='.:') in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15
Ryans-MacBook-Pro:bin ryan$ php magescan scan:all www.example.com
PHP Warning:  require_once(/Users/ryan/Tools/magescan/src/../vendor/autoload.php): failed to open stream: No such file or directory in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15

Warning: require_once(/Users/ryan/Tools/magescan/src/../vendor/autoload.php): failed to open stream: No such file or directory in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15
PHP Fatal error:  require_once(): Failed opening required '/Users/ryan/Tools/magescan/src/../vendor/autoload.php' (include_path='.:') in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15

Fatal error: require_once(): Failed opening required '/Users/ryan/Tools/magescan/src/../vendor/autoload.php' (include_path='.:') in /Users/ryan/Tools/magescan/src/bootstrap.php on line 15

^ For the above errors, I searched the magescan directory for the vendor subdirectory but didn't find one. This file also doesn't exist: magescan/src/bootstrap.php.

Error when trying to run from magescan.phar:

$ php magescan.phar scan:all www.example.com
PHP Parse error:  syntax error, unexpected '[', expecting ')' in phar:///Users/ryan/Tools/magescan/magescan.phar/vendor/guzzlehttp/promises/src/functions.php on line 41

Parse error: syntax error, unexpected '[', expecting ')' in phar:///Users/ryan/Tools/magescan/magescan.phar/vendor/guzzlehttp/promises/src/functions.php on line 41

I was following the instructions from the README file on Github. Any help appreciated.

Requests timing out

Since switching to guzzle some requests are timing out, even when only looking for headers. Check to make sure "file exists" checks are as efficient as possible, and not downloading the entire object when it's not needed.

Sitemap check

Check for meta sitemap tag

Check that sitemap file exists

Hang while scanning website for Magento version

I executed bin/magescan scan:version 2020llc.com, but it hangs. I tried changing CURLOPT_CONNECTTIMEOUT from 150 to 10, with no luck. If the site is not responding or is slow, I think it should return to the command prompt, but that is not working.

On other websites it works, such as:
bin/magescan scan:version dinntrophy.com

Magento Information

+-----------+------------+
| Parameter | Value      |
+-----------+------------+
| Edition   | Enterprise |
| Version   | 1.13.0.2   |
+-----------+------------+

magescan.phar vs magescan.com on patch results

It seems the built magescan.phar results are not on par with the results returned from https://www.magescan.com

php magescan.phar scan:version http://cheesecloth.ca/
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.7.0.1, 1.7.0.2 |
+-----------+------------------+

php magescan.phar scan:patch http://cheesecloth.ca/
+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+

All the patches seem "applied" according to the https://magescan.com results.
This site contains a suspicious script that posts data to "https://jquery-validation.org/js/jquery-2.2.2.min.js", which is offline at the moment.

In contrast to the above:


php magescan.phar scan:version yatooq.com

+-----------+-----------+
| Edition   | Community |
| Version   | 1.9.2.0   |
+-----------+-----------+

php magescan.phar scan:patch  yatooq.com
+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+

Again, https://www.magescan.com returns known results.

Should I just treat "Unknown" patch status as "bad"?

Sub Commands

How would you feel about each check being moved to its own command so you could run them individually if required? scan:modules, scan:unreachable etc. Obviously we'd still keep scan, only it would become a meta command that proxies to all sub-commands, rather than containing all the logic itself.

n98 magescan:scan errors

n98 magescan:scan www.example.com
Scanning http://www.example.com/...


  Magento Information


PHP Fatal error:  Class 'Mvi\Check' not found in /Users/caseybecking/.n98-magerun/modules/magescan/src/MageScan/Check/Version/FileHash.php on line 42

Fatal error: Class 'Mvi\Check' not found in /Users/caseybecking/.n98-magerun/modules/magescan/src/MageScan/Check/Version/FileHash.php on line 42

Your requirements could not be resolved to an installable set of packages.

I'm getting the below error while installing it:
Your requirements could not be resolved to an installable set of packages.

Problem 1
- The requested package satooshi/php-coveralls dev-master exists as satooshi/php-coveralls[0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 1.0.x-dev, 1.1.x-dev, 2.0.x-dev, v0.6.0, v0.6.1, v0.7.0, v0.7.1, v1.0.0, v1.0.1, v1.0.2, v1.1.0, v2.0.0] but these are rejected by your constraint.

Please let me know how to fix.

Thanks

Patches scanning is not working

Running with scan:patch returns unknown for any Magento site tested. I've debugged and it appears that the call to magereport.com returns a 0 byte result.

Likely that something has changed at magereport.com's end.

Symfony deprecation warning

Hi Steve, thanks again for making this!

I'm no PHP programmer but ran into this error using phpunit:

1) MageScan\Test\Command\ScanCommandTest::testExecute
"Symfony\Component\Console\Helper\TableHelper" is deprecated since version 2.5 and will be removed in 3.0. Use "Symfony\Component\Console\Helper\Table" instead.

/home/willem/git/magescan/vendor/symfony/console/Helper/HelperSet.php:86
/home/willem/git/magescan/vendor/symfony/console/Command/Command.php:636
/home/willem/git/magescan/src/MageScan/Command/ScanCommand.php:160
/home/willem/git/magescan/src/MageScan/Command/ScanCommand.php:129
/home/willem/git/magescan/vendor/symfony/console/Command/Command.php:259
/home/willem/git/magescan/vendor/symfony/console/Tester/CommandTester.php:80
/home/willem/git/magescan/test/MGA/Command/ScanCommandTest.php:34

Extra space between "Sitemap:" and (url) in robots.txt causes a crash

                                                                               
  [GuzzleHttp\Exception\RequestException]                                      
  Error creating resource: [message] fopen(%20http://magentosite/sit  
  emap.xml_): failed to open stream: No such file or directory              
  [file] phar:///root/magescan.phar/vendor/guzzlehttp/guzzle/src/Handler/Stre  
  amHandler.php                                                                
  [line] 312                                                                   
                                                                               

                                                                               
  [RuntimeException]                                                           
  Error creating resource: [message] fopen(%20http://magentosite/sit  
  emap.xml_): failed to open stream: No such file or directory              
  [file] phar:///root/magescan.phar/vendor/guzzlehttp/guzzle/src/Handler/Stre  
  amHandler.php                                                                
  [line] 312                                                                   
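
A whitespace-tolerant way to read the Sitemap lines of robots.txt before handing them to an HTTP client, as an added example (not magescan's code and not part of the original report). The function name `extractSitemapUrls` and the sample robots.txt body are assumptions made for illustration.

```php
<?php
// Added example, not magescan code. The robots.txt body below is constructed.

/**
 * Extract Sitemap URLs from a robots.txt body.
 *
 * @return string[] absolute http(s) URLs in file order, without duplicates
 */
function extractSitemapUrls(string $robotsTxt): array
{
    $urls = [];
    foreach (preg_split('/\r\n|\r|\n/', $robotsTxt) as $line) {
        // The field name is case-insensitive and any amount of whitespace
        // may surround the colon.
        if (!preg_match('/^\s*sitemap\s*:(.*)$/i', $line, $m)) {
            continue;
        }
        // Drop a trailing "# comment", then the surrounding whitespace.
        // Without the trim, a leading space is sent on as "%20http://...".
        $value = trim(preg_replace('/\s+#.*$/', '', $m[1]));
        if ($value === '') {
            continue;
        }
        // Only pass on absolute http(s) URLs; skip everything else
        // instead of letting the HTTP client fail on it.
        $parts = parse_url($value);
        if ($parts === false || empty($parts['host'])) {
            continue;
        }
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== 'http' && $scheme !== 'https') {
            continue;
        }
        $urls[$value] = true; // array keys de-duplicate
    }
    return array_keys($urls);
}

// Constructed input: extra spaces, lower-case field name, a comment,
// an empty value, a non-HTTP scheme and a duplicate.
$robots = "User-agent: *\n"
    . "Disallow: /checkout/\r\n"
    . "Sitemap:   http://shop.example/sitemap.xml  \n"
    . "sitemap:http://shop.example/sitemap_b.xml # second store\n"
    . "Sitemap:\n"
    . "Sitemap: ftp://shop.example/sitemap.xml\n"
    . "Sitemap: http://shop.example/sitemap.xml\n";

print_r(extractSitemapUrls($robots));
```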

1.12.8 release has no .phar file attached

Thanks for creating this tool but the latest release doesn't have the .phar file available, which is so convenient! I tried self-updating from 1.12.7 but that failed - and appears to be a problem with current release too (reported separately). Thanks.

proxy url

I need to set a proxy URL, like the Crawlera proxy, in PHP.
How is that possible?

Move checks to separate commands/Refactoring

When I started this my only goal was to try and make a Symfony Console app to play with travis/phpunit. To keep this going I think some refactoring is needed. As part of that initiative I think it's best to separate out the commands.

The ScanCommand class is growing more complex and will continue to grow with each new feature. Before long it won't be maintainable. I'm not certain on the design yet, but here is my proposal:

# list available checks
magescan list
# check magento version, etc
magescan version store.example.com
# run all checks
magescan all store.example.com

For the list command to work, each command would need to be identified, perhaps the way n98-magerun does it with a config.yaml. I guess this means I need to customize the Application object as well.

It would also be nice to set up some sort of ~/.magescan/config.ext to locally set things like HTTPS validation (#65).

In the long run I think this will make the app more sustainable, easier to develop, and will lead to better unit testing.

HTTPS validation

My Mac by default doesn't have any root certs available for PHP/curl. How would you feel about adding something like:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

We could add an option to enable it if you prefer, but verifying the SSL doesn't seem massively important for a security scanning tool. Happy to make a pull request this evening, just wanted to check your thoughts.
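
An alternative that leaves certificate and hostname verification on and supplies the missing trust store instead, as an added example (not code from magescan or from this issue). The function name `headWithVerification` and its optional CA bundle argument are assumptions; only the two `CURLOPT_SSL_*` options appear in the issue.

```php
<?php
// Added example, not magescan code. headWithVerification() and the
// optional bundle path are hypothetical names chosen for illustration.

/**
 * HEAD request with certificate and hostname verification left on.
 *
 * @param string      $url      URL to probe
 * @param string|null $caBundle PEM file of trusted CAs; null uses the trust
 *                              store curl was built with or the curl.cainfo
 *                              php.ini setting
 * @return array{status:int, errno:int, error:string, tls_failure:bool}
 */
function headWithVerification(string $url, ?string $caBundle = null): array
{
    if ($caBundle !== null && !is_readable($caBundle)) {
        throw new InvalidArgumentException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true, // HEAD: headers only
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_SSL_VERIFYPEER => true, // chain must lead to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
    ]);
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    curl_exec($ch);
    $errno = curl_errno($ch);

    return [
        'status'      => (int) curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'errno'       => $errno,
        'error'       => curl_error($ch),
        // libcurl codes: 51 and 60 = certificate could not be verified,
        // 77 = the CA bundle itself could not be read.
        'tls_failure' => in_array($errno, [51, 60, 77], true),
    ];
}

// Usage: php head.php https://store.example.com [/path/to/cacert.pem]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = headWithVerification($argv[1], $argv[2] ?? null);
    if ($result['tls_failure']) {
        // Report the failure as a finding; do not retry with checks disabled.
        echo "TLS verification failed: {$result['error']}\n";
        exit(2);
    }
    if ($result['errno'] !== 0) {
        echo "Request failed: {$result['error']}\n";
        exit(1);
    }
    echo "HTTP {$result['status']}\n";
}
```

With verification on, a certificate failure shows up as a result for the scanned site, and the responses the other checks rely on are known to come from the host that was named.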

Uncaught Error: Class 'GuzzleHttp\Client'

Installation via

mkdir -p ~/.n98-magerun/modules
git clone https://github.com/steverobbins/magescan ~/.n98-magerun/modules/magescan

also tried

git clone https://github.com/steverobbins/magescan magescan
cd magescan
curl -sS https://getcomposer.org/installer | php
php composer.phar install

Error Message

Stack trace:
#0 /home/kkrieger/.n98-magerun/modules/magescan/src/MageScan/Command/Scan/AbstractCommand.php(104): MageScan\Request->__construct('http://www.popu...', false)
#1 phar:///usr/local/bin/magerun/vendor/symfony/console/Command/Command.php(211): MageScan\Command\Scan\AbstractCommand->initialize(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 phar:///usr/local/bin/magerun/vendor/symfony/console/Application.php(853): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 phar:///usr/local/bin/magerun/vendor/symfony/console/Application.php(185): Symfony\Component\Console\Application->doRunCommand(Object(MageScan\Command\Scan\AllCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Conso in /home/kkrieger/.n98-magerun/modules/magescan/src/MageScan/Request.php on line 78

php -v

php -v                                                 
PHP 7.2.19-0ubuntu0.19.04.2 (cli) (built: Aug 13 2019 11:45:23) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.19-0ubuntu0.19.04.2, Copyright (c) 1999-2018, by Zend Technologies

php -m

[PHP Modules]
calendar
Core
ctype
date
exif
fileinfo
filter
ftp
gettext
hash
iconv
json
libxml
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
Reflection
session
shmop
sockets
sodium
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
Zend OPcache
zlib

[Zend Modules]
Zend OPcache

Idea for better version detection

I've downloaded all magento versions and made a programmatic analysis of md5sum distribution of {js, skin, media} files among releases. This yielded:

{
    "skin/adminhtml/default/default/boxes.css": {
        "84b67457247969a206456565111c456b": "CE 1.1.4", 
        "d0511b190cdddf865cca7873917f9a69": "CE 1.1.1", 
        "a2c7f9ddda846ba76220d7bcbe85c985": "CE 1.2.1", 
        "1cbeca223c2e15dcaf500caa5d05b4ed": "CE 1.7.0.0"
    }, 
    "js/varien/product.js": {
        "6af30941970891608b0be568896946db": "CE 1.2.0"
    }, 
    "js/mage/adminhtml/sales.js": {
        "839ead52e82a2041f937389445b8db04": "CE 1.3.3.0", 
        "bdacf81a3cf7121d7a20eaa266a684ec": "CE 1.5.1.0", 
        "d80c40eeef3ca62eb4243443fe41705e": "CE 1.5.0.1", 
        "48d609bb2958b93d7254c13957b704c4": "CE 1.6.1.0", 
        "a86ad3ba7ab64bf9b3d7d2b9861d93dc": "CE 1.0", 
        "a0436f1eee62dded68e0ec860baeb699": "CE 1.9.1.0", 
        "26c8fd113b4e51aeffe200ce7880b67a": "CE 1.8.0.0", 
        "5656a8c1c646afaaf260a130fe405691": "CE 1.8.1.0", 
        "95e730c4316669f2df71031d5439df21": "CE 1.1.0", 
        "17da0470950e8dd4b30ccb787b1605f5": "CE 1.1.6", 
        "5112f328e291234a943684928ebd3d33": "CE 1.1.7", 
        "c8dd0fd8fa3faa9b9f0dd767b5a2c995": "CE 1.9.1.1", 
        "a4296235ba7ad200dd042fa5200c11b0": "CE 1.6.0.0", 
        "d1bfb9f8d4c83e4a6a826d2356a97fd7": "CE 1.3.1.1", 
        "4422dffc16da547c671b086938656397": "CE 1.4.2.0", 
        "0e400488c83e63110da75534f49f23f3": "CE 1.3.2.1"
    }, 
    "js/mage/adminhtml/product.js": {
        "e887acfc2f7af09e04f8e99ac6f7180d": "CE 1.3.0"
    }, 
    "skin/frontend/rwd/default/css/styles.css": {
        "bf6c8e2ba2fc5162dd5187b39626a3a0": "CE 1.9.0.1", 
        "8a874fcb6cdcb82947ee4dbbe1822f3e": "CE 1.9.0.0"
    }, 
    "js/prototype/validation.js": {
        "295494d0966637bdd03e4ec17c2f338c": "CE 1.4.1.0", 
        "d3252becf15108532d21d45dced96d53": "CE 1.4.1.1"
    }, 
    "js/mage/adminhtml/tools.js": {
        "ea81bcf8d9b8fcddb27fb9ec7f801172": "CE 1.3.2.2", 
        "86bbebe2745581cd8f613ceb5ef82269": "CE 1.7.0.1", 
        "d594237950932b9a3948288a020df1ba": "CE 1.3.2.4"
    }, 
    "js/lib/flex.js": {
        "4040182326f3836f98acabfe1d507960": "CE 1.4.0.1", 
        "eb84fc6c93a9d27823dde31946be8767": "CE 1.4.0.0"
    }
}

It's not perfect, as some (minor) versions don't have a unique file+hash combination under js/skin/media, but for the majority it works.
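
The kind of analysis described above, as an added example (not the author's script and not magescan's code): it keeps only file+hash pairs that occur in exactly one release and lists the releases left without a unique pair. It goes one step beyond the post by choosing files greedily so that few files need to be fetched; the function names, release labels, paths and hashes are constructed placeholders.

```php
<?php
// Added example, not magescan code. Release labels, paths and hashes in
// $manifests are constructed placeholders, not real Magento checksums.

/**
 * @param array<string, array<string, string>> $manifests release => [path => md5]
 * @return array [ [path => [md5 => release]], [releases without a fingerprint] ]
 */
function buildFingerprints(array $manifests): array
{
    // Index every (path, hash) pair by the releases that ship it.
    $shippedBy = [];
    foreach ($manifests as $release => $files) {
        foreach ($files as $path => $hash) {
            $shippedBy[$path][$hash][] = $release;
        }
    }

    // Keep only the pairs that occur in exactly one release.
    $unique = [];
    foreach ($shippedBy as $path => $hashes) {
        foreach ($hashes as $hash => $releases) {
            if (count($releases) === 1) {
                $unique[$path][$hash] = $releases[0];
            }
        }
    }

    // Greedy cover: repeatedly take the file that identifies the most
    // releases not yet covered, so a scan needs few requests.
    $fingerprints = [];
    $uncovered = array_keys($manifests);
    while ($uncovered) {
        $bestPath = null;
        $bestHits = [];
        foreach ($unique as $path => $byHash) {
            $hits = array_intersect($byHash, $uncovered); // hash => release
            if (count($hits) > count($bestHits)) {
                $bestPath = $path;
                $bestHits = $hits;
            }
        }
        if ($bestPath === null) {
            break; // the rest share every file+hash with another release
        }
        $fingerprints[$bestPath] = $bestHits;
        $uncovered = array_values(array_diff($uncovered, $bestHits));
    }
    return [$fingerprints, $uncovered];
}

/** @param array<string, string> $observed path => md5 of the fetched file */
function identifyRelease(array $fingerprints, array $observed): ?string
{
    foreach ($fingerprints as $path => $byHash) {
        $hash = $observed[$path] ?? null;
        if ($hash !== null && isset($byHash[$hash])) {
            return $byHash[$hash];
        }
    }
    return null; // modified file, unknown release, or no unique fingerprint
}

// Constructed manifests: R4 and R5 ship identical static files.
$manifests = [
    'R1' => ['js/a.js' => 'a1', 'skin/b.css' => 'b1', 'js/c.js' => 'c1'],
    'R2' => ['js/a.js' => 'a1', 'skin/b.css' => 'b2', 'js/c.js' => 'c1'],
    'R3' => ['js/a.js' => 'a2', 'skin/b.css' => 'b3', 'js/c.js' => 'c1'],
    'R4' => ['js/a.js' => 'a3', 'skin/b.css' => 'b3', 'js/c.js' => 'c1'],
    'R5' => ['js/a.js' => 'a3', 'skin/b.css' => 'b3', 'js/c.js' => 'c1'],
];

[$fingerprints, $uncovered] = buildFingerprints($manifests);
echo json_encode($fingerprints, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo 'No unique fingerprint: ', implode(', ', $uncovered), "\n";
echo 'Observed b2 -> ', identifyRelease($fingerprints, ['skin/b.css' => 'b2']), "\n";
```

A `null` result from `identifyRelease` is not evidence of any particular version: a merchant-modified or minified file produces the same outcome as an unknown release.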

Docs: Fix command for magerun

Magerun command in README should be fixed:

magerun magescan:scan  ✔  561  13:55:48

[Symfony\Component\Console\Exception\CommandNotFoundException]
Command "magescan:scan" is not defined.

Did you mean one of these?
magescan:scan:unreachable
magescan:scan:catalog
magescan:scan:sitemap
magescan:scan:version
magescan:scan:module
magescan:scan:server
magescan:scan:patch
magescan:scan:all

Check for Stores

Hi @steverobbins. This is more of a question rather than an issue.

I was wondering if there is a way of detecting what and how many stores & store views a site is using? Maybe even websites? I was looking on the frontend for any reference to __store in the HTML and also to see if there was a store cookie; sometimes I find them but often I do not. I wonder if there are any other clues.

It would be useful info to have when comparing your site architecture with competitors. Anyway great tool, thanks :)

satooshi/php-coveralls does not have a master

This is a problem with composer install/update:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - The requested package satooshi/php-coveralls dev-master exists as satooshi/php-coveralls[0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 1.0.x-dev, 1.1.x-dev, 2.0.x-dev, v0.6.0, v0.6.1, v0.7.0, v0.7.1, v1.0.0, v1.0.1, v1.0.2, v1.1.0, v2.0.0] but these are rejected by your constraint.

Greetings Jan

Subdirectories in URL not properly handled

Hi, I just downloaded latest release Version v1.12.9 and tried with the following URL:

php magescan.phar scan:all http://192.168.1.10/magento

The scanner detects magento's version however, all the file checks fail. I examined network traffic and saw that the HEAD requests are missing the magento directory specified in the URL, hence all tests return a 404.

I could not find an option to overcome this problem.

self-update failing

Thanks for creating this tool. But the "self-update" command fails as magescan.steverobbins.com does not resolve to an IP address.
