CoMisSion is a tool to quickly analyse a CMS setup. The tool:
- detects the installed core version;
- looks up the latest core release;
- looks up known vulnerabilities for the core version in use;
- detects the installed plugin versions;
- looks up known vulnerabilities for the plugin versions in use.
🔥 Attention: CoMisSion does not find vulnerabilities by analysing source code. Vulnerabilities are gathered from public databases such as wpvulndb, so the tool only reports issues already published for the detected versions. Finding new vulnerabilities is not the purpose of this tool.
A complete report can be generated in the following formats:
- XLSX
- CSV
- JSON (so the tool can be used in a CI process, for example to fail a build when vulnerable components are found)
The tool has been tested on Linux only. Coloured output and some other features are not expected to work on other platforms. Feel free to provide feedback on this topic if you try :).
Installation:
git clone https://github.com/Intrinsec/comission
cd comission
pip install -r requirements.txt
Quick start, analysing a WordPress installation and writing an XLSX report:
./comission.py -c wordpress -d /cms_dir -o report.xlsx -t XLSX
usage: comission.py [-h] -d DIR -c CMS [-o FILE] [-t TYPE] [--skip-core] [--skip-plugins] [--skip-themes]
-h, --help show this help message and exit
-d DIR, --dir DIR CMS root directory
-c CMS, --cms CMS CMS type (drupal, wordpress)
-o FILE, --output FILE Path to output file
-t TYPE, --type TYPE Type of output file (CSV, XLSX, JSON). Default to XLSX.
--skip-core Set this to skip core analysis
--skip-plugins Set this to skip plugins analysis
--skip-themes Set this to skip themes analysis
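The JSON output exists so the tool can gate a CI pipeline. The following script is an added example, not part of the CoMisSion project: it runs comission.py with the documented flags (-d, -c, -o, -t JSON), parses the report and returns a non-zero exit status when any component has known vulnerabilities (optionally also when a component is merely outdated). The report layout it reads (top-level "core", "plugins" and "themes" lists, each entry carrying "name", "version", "last_version" and a "vulns" list) is an assumption, as is the constructed, fictitious sample report used for the offline run; adjust the accessors to the real schema if it differs.

```python
#!/usr/bin/env python3
"""CI gate around a CoMisSion JSON report (added example, not project code).

ASSUMED report layout: {"core": [...], "plugins": [...], "themes": [...]},
where each entry has "name", "version", "last_version" and a "vulns" list.
"""
import json
import subprocess
import sys

# Constructed, fictitious sample report used for the offline demonstration.
SAMPLE_REPORT = {
    "core": [
        {"name": "wordpress", "version": "4.9.8", "last_version": "5.0.3",
         "vulns": [{"title": "fictitious core issue", "fixed_in": "4.9.9"}]},
    ],
    "plugins": [
        {"name": "akismet", "version": "4.1", "last_version": "4.1", "vulns": []},
        {"name": "old-gallery", "version": "1.2", "last_version": "1.5",
         "vulns": [{"title": "fictitious plugin issue A", "fixed_in": "1.3"},
                   {"title": "fictitious plugin issue B", "fixed_in": "1.4"}]},
    ],
    "themes": [
        {"name": "twentyseventeen", "version": "1.7", "last_version": "1.8",
         "vulns": []},
    ],
}


def run_comission(cms_dir, cms, out_path, script="comission.py"):
    """Run CoMisSion with the flags from its usage text; return its exit code."""
    cmd = [sys.executable, script, "-d", cms_dir, "-c", cms,
           "-o", out_path, "-t", "JSON"]
    return subprocess.run(cmd, check=False).returncode


def load_report(path):
    """Load the JSON report written by comission.py."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_components(report):
    """Yield (section, component) for every analysed core/plugin/theme entry."""
    for section in ("core", "plugins", "themes"):
        for comp in report.get(section, []):
            yield section, comp


def summarize(report):
    """Return the names of outdated and vulnerable components and the vuln count."""
    outdated, vulnerable, vuln_count = [], [], 0
    for section, comp in iter_components(report):
        label = f"{section}:{comp.get('name', '?')}"
        latest = comp.get("last_version")
        if latest and comp.get("version") != latest:
            outdated.append(label)
        vulns = comp.get("vulns") or []
        if vulns:
            vulnerable.append(label)
            vuln_count += len(vulns)
    return {"outdated": outdated, "vulnerable": vulnerable, "vuln_count": vuln_count}


def gate(report, fail_on_outdated=False):
    """Return the CI exit status: 0 if acceptable, 1 if the build should fail."""
    summary = summarize(report)
    for label in summary["vulnerable"]:
        print(f"VULNERABLE {label}")
    for label in summary["outdated"]:
        print(f"OUTDATED   {label}")
    if summary["vuln_count"] or (fail_on_outdated and summary["outdated"]):
        return 1
    return 0


def main(argv):
    # Usage: ci_gate.py <cms_dir> <wordpress|drupal> [--strict]
    # Without arguments the constructed sample report is evaluated instead.
    if len(argv) < 3:
        return gate(SAMPLE_REPORT)
    out_path = "report.json"
    if run_comission(argv[1], argv[2], out_path) != 0:
        print("comission.py failed", file=sys.stderr)
        return 2
    return gate(load_report(out_path), fail_on_outdated="--strict" in argv[3:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the project folder as `python3 ci_gate.py /cms_dir wordpress` (add `--strict` to also fail on outdated components); a CI job then fails on the non-zero exit status. Remember that the vulnerability data comes from wpvulndb, so a clean run only proves that no published issue matches the detected versions.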
Supported CMS:
- WordPress
- Drupal (version checks only; no vulnerability lookup)
No official Docker image is published yet. To use the tool with Docker, build an image yourself. In the project folder, build with:
docker build -t isec/comission .
Then run it with:
docker run -it --rm -v /TARGET_PATH/:/cms_path/ -v /OUTPUT_DIR/:/output/ isec/comission -d /cms_path/ -c drupal -o /output/test_docker.xlsx -t XLSX
Replace TARGET_PATH with the CMS root directory and OUTPUT_DIR with the directory where the report should be written. Since the tool only needs to read the CMS files, mounting the target read-only (`/TARGET_PATH/:/cms_path/:ro`) is a sensible precaution.
Paul Mars (Intrinsec)
Based on an idea by Etienne Boursier (Intrinsec)
This tool is distributed under the GPLv3 license. Note, however, that the tool queries the wpvulndb API to gather information on WordPress core and plugins, so that service's own terms of use apply to the data it returns, and the tool needs network access to reach it.