Hi everyone, I work in the cybersecurity field and I’m currently dealing with some Zope and Plone cases, where I’m facing difficulties identifying the exact version.
The scenario is as follows: I only have access to the web page running the Plone CMS, with no authentication available.
OpenVAS, using scans with or without SSH authentication, is able to identify Zope.
Tenable, despite having a plugin, is not able to identify Zope and Plone even when authenticated; it only states that Zope and Plone are present, but does not report the version.
Using Nmap, it is possible to identify Zope, but I cannot identify Plone.
How can I manually identify the Zope or Plone version without being directly authenticated to the application?
Once the Zope version is identified, is there a mapping of which Plone versions are supported by that specific Zope version?
Inspecting the Server header for this purpose is unreliable since it can be overridden by the front-end proxy. Inspecting the rendered HTML or the bundled JS may lead to some insight. For example, the bundle.min.js contains version information about plone.mockup which may be traced down to a particular Plone version. Finding resources with ++resource++… inside the rendered HTML is a good indicator for a Plone site. Apart from that, there is not much you can do (which is a good thing).
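As an added example (not code from the Plone project or from the reply above), here is a small self-check a site operator can run against their own deployment's response to see which of the indicators named in that reply are exposed to an unauthenticated visitor: the Server header naming Zope or Plone, `++resource++` paths in the HTML, and a referenced `bundle.min.js`. The response headers and HTML below are constructed sample input, not captured from a real site, and the resource names in them are placeholders.

```python
"""Report which CMS fingerprint indicators an HTTP response exposes.

Added example for a site operator's self-check; not Plone project code.
The sample headers and HTML at the bottom are constructed, not captured.
"""
import re
from html.parser import HTMLParser


class _RefCollector(HTMLParser):
    """Collect src/href values from script, link and img tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.refs.append(value)


def fingerprint_leaks(headers, html):
    """Return a dict describing what the response reveals about the CMS.

    headers: response headers as a dict (looked up case-insensitively)
    html:    response body as text
    """
    lower = {k.lower(): v for k, v in headers.items()}
    server = lower.get("server", "")

    collector = _RefCollector()
    collector.feed(html)

    # ++resource++ paths are the Plone indicator named in the reply.
    resource_paths = [r for r in collector.refs if "++resource++" in r]
    # A referenced bundle.min.js is where plone.mockup version info may live.
    bundles = [
        r for r in collector.refs
        if r.rsplit("/", 1)[-1].startswith("bundle") and r.endswith(".js")
    ]

    return {
        "server_header": server,
        # True when the (proxy-controllable) Server header names the stack.
        "server_names_cms": bool(re.search(r"\b(zope|plone)\b", server, re.I)),
        "resource_paths": resource_paths,
        "bundles": bundles,
        "looks_like_plone": bool(resource_paths),
    }


def summarize(result):
    """Turn the dict into short findings a reviewer can paste into a ticket."""
    findings = []
    if result["server_names_cms"]:
        findings.append("Server header names the CMS/app server: %r" % result["server_header"])
    if result["resource_paths"]:
        findings.append("%d ++resource++ path(s) identify Plone" % len(result["resource_paths"]))
    if result["bundles"]:
        findings.append("bundle.min.js referenced; its contents may carry version info")
    return findings


# Constructed sample input: the version token and resource names are placeholders.
SAMPLE_HEADERS = {
    "Server": "Zope/(x.y.z placeholder)",
    "Content-Type": "text/html;charset=utf-8",
}
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="/++resource++example-theme/styles.css">
<script src="/++resource++example-bundle/bundle.min.js"></script>
</head><body><p>Constructed sample page</p></body></html>"""

if __name__ == "__main__":
    for line in summarize(fingerprint_leaks(SAMPLE_HEADERS, SAMPLE_HTML)):
        print(line)
```

Run it against a saved copy of your own front page and headers; an empty findings list for the Server header means the proxy is already masking it, while `++resource++` hits are inherent to a Plone site and simply confirm what any visitor can tell.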
Fuck off and put your trap elsewhere. If you are not able to figure it out yourself it could be by intent. Typo3 sites with bad configuration offer all the patches included (and missing) in one place. Happy one day exploiting!
There is no need to expose the CMS Type, Version etc. on a public site. Being too proud is a good target for social engineering.
On the other hand: "don't fear the reaper" - White Hat Pentesters are welcome.
Sorry for the harsh words. They meet your avatar appearance quite well. May the force be with us.
(For those who grow up without Aesop's Fables: Check out fox, crow, cheese and singing.)
Rant off.
If this is just a naive question: I love naive people.
One more thing: Search for the story by Richard Feynman (in his autobiography) about a visit to a funfair with his father, when they encountered a mentalist show. The mentalist, named D'Amico, unveiled his trick, because he was fooled by the father pretending he was a mentalist colleague.
From his autobiography "Surely You're Joking, Mr. Feynman!": Adventures of a Curious Character.
The proud rooster in me is still vulnerable to expose some smartass stuff.
For all the others: Take a look at Crawlee (crawlee.python, crawlee.js) – a nice framework for scraping just the important stuff for AI / LLM usage. It supports Playwright for visually testing the results as well – if you know what you are doing. @Tom, you can help us out if you know better stuff to check whether a site is still using Plone.