Joomscan mis-reports Joomla version

[kbrookes]

Hi there,

I've just checked a brand new joomla site with Joomscan (after a lot of hardening) and had an interesting report come back.

I'm absolutely, 100% on Joomla 3.8.6. I'm on a VPS that was spun up just for this project, which started when Joomla was on 3.8.5.

Joomscan has reported back the version as 2.5.

Also, it's listed a bunch of vulnerabilities that shouldn't be relevant to this version:

https://www.dropbox.com/s/91k515an0gt9uv1/Screenshot%202018-03-15%2015.29.13.png?dl=0

It's also found an admin directory that doesn't exist: http://www.mysite.com/admin/

Given that it's misreporting these things, that's probably a good thing, insofar as an actual attacker will pursue outdated vectors. However I'm about to go through pen-testing and I'm curious to see if they'll just report back this list of vulnerabilities as if it's actually the case.

Regards,

Kelsey

[jgor]

I've seen this behavior as well and it looks like it's due to https://github.com/rezasp/joomscan/blob/b2dad6ac01fab2f7907c128afadec96a9d1fb81f/core/ver.pl#L46 detecting v1.4.0.1 of media/system/js/mootools-more.js. As of now that's still the latest version in Joomla so it's not a good indicator alone.

I don't see a great solution but checking the copyrights of those js resources would narrow it down to a range of versions, e.g. the history on https://github.com/joomla/joomla-cms/blob/staging/media/system/js/keepalive-uncompressed.js shows that copyright 2017 was added just before 3.7.0, updated to 2018 for 3.8.4, and updated to 2019 for 3.9.2.