View Issue Details

ID: 0007023
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2021-02-02 09:37
Reporter: product_hardhat
Assigned To: sbrun
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0007023: ruby-cms-scanner applying kali patch that breaks wpscan
Description

installed wpscan via apt-get. immediately got the following when running

Traceback (most recent call last):
12: from /usr/bin/wpscan:23:in `<main>'
11: from /usr/lib/ruby/vendor_ruby/rubygems.rb:301:in `activate_bin_path'
10: from /usr/lib/ruby/vendor_ruby/rubygems.rb:301:in `synchronize'
9: from /usr/lib/ruby/vendor_ruby/rubygems.rb:302:in `block in activate_bin_path'
8: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1370:in `activate'
7: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `activate_dependencies'
6: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `each'
5: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1406:in `block in activate_dependencies'
4: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1370:in `activate'
3: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `activate_dependencies'
2: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `each'
1: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1400:in `block in activate_dependencies'
/usr/lib/ruby/vendor_ruby/rubygems/dependency.rb:309:in `to_specs': Could not find 'nokogiri' (~> 1.10.9) - did find: [nokogiri-1.11.1] (Gem::MissingSpecVersionError)
Checked in 'GEM_PATH=/home/vmuser/.local/share/gem/ruby/2.7.0:/var/lib/gems/2.7.0:/usr/local/lib/ruby/gems/2.7.0:/usr/lib/ruby/gems/2.7.0:/usr/lib/x86_64-linux-gnu/ruby/gems/2.7.0:/usr/share/rubygems-integration/2.7.0:/usr/share/rubygems-integration/all:/usr/lib/x86_64-linux-gnu/rubygems-integration/2.7.0' , execute `gem env` for more information
12: from /usr/bin/wpscan:23:in `<main>'
11: from /usr/lib/ruby/vendor_ruby/rubygems.rb:301:in `activate_bin_path'
10: from /usr/lib/ruby/vendor_ruby/rubygems.rb:301:in `synchronize'
9: from /usr/lib/ruby/vendor_ruby/rubygems.rb:302:in `block in activate_bin_path'
8: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1370:in `activate'
7: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `activate_dependencies'
6: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `each'
5: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1406:in `block in activate_dependencies'
4: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1370:in `activate'
3: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `activate_dependencies'
2: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1388:in `each'
1: from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1399:in `block in activate_dependencies'
/usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1402:in `rescue in block in activate_dependencies': Could not find 'nokogiri' (~> 1.10.9) among 80 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/home/vmuser/.local/share/gem/ruby/2.7.0:/var/lib/gems/2.7.0:/usr/local/lib/ruby/gems/2.7.0:/usr/lib/ruby/gems/2.7.0:/usr/lib/x86_64-linux-gnu/ruby/gems/2.7.0:/usr/share/rubygems-integration/2.7.0:/usr/share/rubygems-integration/all:/usr/lib/x86_64-linux-gnu/rubygems-integration/2.7.0' at: /usr/share/rubygems-integration/all/specifications/cms_scanner-0.13.0.gemspec, execute `gem env` for more information

missing thing is installed

$ dpkg --get-selections | grep nokogiri
ruby-nokogiri install

Steps To Reproduce
  • install wpscan
  • run it against any wp install

Relationships

has duplicate: 0007017 (resolved, sbrun) wpscan does not start after upgrade

Activities

steev


2021-01-31 21:35

manager   ~0014173

I can't reproduce this here - have you run apt-get update?

sudo apt-get install wpscan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
ruby-mime ruby-mini-exiftool ruby-net-http-digest-auth ruby-spider
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
ruby-cms-scanner ruby-nokogiri
The following NEW packages will be installed:
ruby-cms-scanner ruby-nokogiri wpscan
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.

Installing wpscan pulls in ruby-nokogiri

steev


2021-01-31 21:51

manager   ~0014174

Last edited: 2021-02-01 00:01

Sorry - misread the error message - it seems wpscan doesn't like ruby-nokogiri 1.11.1. On a system that still has ruby-nokogiri 1.10.9+dfsg-1+b1 installed, wpscan runs fine. A workaround would be to download the 1.10 release from http://kali.download/kali/pool/main/r/ruby-nokogiri/ and install it - then you'd want to either apt-mark hold it, or re-install the older version until a fixed ruby-cms-scanner release happens.

Erwan.lr


2021-02-01 11:23

reporter   ~0014175

WPScan dev here, since CMSScanner 0.12.2, Nokogiri 1.11 is fetched (https://github.com/wpscanteam/CMSScanner/blob/v0.12.2/cms_scanner.gemspec#L23), so this should not happen.

I've downloaded the latest Kali (64bit), WPScan was at 3.8.10, updated it with sudo apt-get update && sudo apt-get install wpscan and then ran WPScan (v3.8.13) w/o any issue.

steev


2021-02-01 14:08

manager   ~0014176

Thanks for replying Erwan, but here, I'm seeing the same issue as the original poster on both x86_64 and arm64.

steev@c630:~$ apt policy wpscan
wpscan:
  Installed: 3.8.13-0kali1
  Candidate: 3.8.13-0kali1
  Version table:
     3.8.13-0kali1 500
        500 https://kali.download/kali kali-rolling/non-free arm64 Packages
        500 https://kali.download/kali kali-dev/non-free arm64 Packages
        100 /var/lib/dpkg/status
steev@c630:~$ apt policy ruby-nokogiri
ruby-nokogiri:
  Installed: 1.11.1+dfsg-1
  Candidate: 1.11.1+dfsg-1
  Version table:
     1.11.1+dfsg-1 500
        500 https://kali.download/kali kali-rolling/main arm64 Packages
        500 https://kali.download/kali kali-dev/main arm64 Packages
        100 /var/lib/dpkg/status
steev@c630:~$ apt policy ruby-cms-scanner
ruby-cms-scanner:
  Installed: 0.13.0-0kali1
  Candidate: 0.13.0-0kali1
  Version table:
 *** 0.13.0-0kali1 500
        500 https://kali.download/kali kali-rolling/main arm64 Packages
        500 https://kali.download/kali kali-dev/main arm64 Packages
        100 /var/lib/dpkg/status

Erwan.lr


2021-02-01 15:13

reporter   ~0014177

Looking at the /usr/share/rubygems-integration/all/specifications/cms_scanner-0.13.0.gemspec, some version constraints are wrong in there, e.g:

s.add_runtime_dependency(%q<nokogiri>.freeze, ["~> 1.10.9"])
s.add_runtime_dependency(%q<yajl-ruby>.freeze, [">= 1.3.1"])

Even though the versions are correct at https://gitlab.com/kalilinux/packages/ruby-cms-scanner/-/blob/kali/master/cms_scanner.gemspec

So it seems that you have something (like a patching script?) changing the versions before installing the gem. Actually, I just found it: https://gitlab.com/kalilinux/packages/ruby-cms-scanner/-/blob/kali/master/debian/patches/change-minimal-required-version.patch
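
Added example, not part of the original thread and not Kali or CMSScanner code: a Ruby check, using RubyGems' own version classes, of why the patched constraint rejects the installed gem. The gemspec lines are the two quoted above; the yajl-ruby version and the helper names are assumptions made for illustration.

```ruby
require "rubygems"

# Constructed input: the two dependency lines quoted above from the installed
# cms_scanner-0.13.0.gemspec (the file the Kali patch rewrote).
GEMSPEC_LINES = <<~SPEC
  s.add_runtime_dependency(%q<nokogiri>.freeze, ["~> 1.10.9"])
  s.add_runtime_dependency(%q<yajl-ruby>.freeze, [">= 1.3.1"])
SPEC

# nokogiri version is the one reported in the thread; yajl-ruby is assumed.
INSTALLED = { "nokogiri" => "1.11.1", "yajl-ruby" => "1.4.1" }.freeze

DEP_RE = /add_runtime_dependency\(%q<([^>]+)>\.freeze, \[(.*?)\]\)/

# Turn gemspec source lines into Gem::Dependency objects without eval'ing them.
def parse_dependencies(text)
  text.scan(DEP_RE).map do |name, reqs|
    Gem::Dependency.new(name, *reqs.scan(/"([^"]+)"/).flatten)
  end
end

# Dependencies that no installed version can satisfy (missing gems included).
def unsatisfied(deps, installed)
  deps.reject do |dep|
    version = installed[dep.name]
    version && dep.requirement.satisfied_by?(Gem::Version.new(version))
  end
end

# Exclusive upper bound implied by "~> x.y.z": drop the last segment, bump the next.
def pessimistic_ceiling(version)
  Gem::Version.new(version).bump.to_s
end

if __FILE__ == $PROGRAM_NAME
  deps = parse_dependencies(GEMSPEC_LINES)
  unsatisfied(deps, INSTALLED).each do |dep|
    puts "#{dep.name} #{dep.requirement} rejects installed #{INSTALLED[dep.name]}"
  end
  puts "~> 1.10.9 means >= 1.10.9 and < #{pessimistic_ceiling('1.10.9')}"
end
```
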

steev


2021-02-01 18:20

manager   ~0014179

Thanks, assigned the bug to Sophie to get that patch updated :)

sbrun


2021-02-02 09:36

manager   ~0014183

fixed in ruby-cms-scanner version 0.13.1-0kali1

Issue History

Date Modified Username Field Change
2021-01-31 21:12 product_hardhat New Issue
2021-01-31 21:35 steev Note Added: 0014173
2021-01-31 21:51 steev Note Added: 0014174
2021-02-01 00:01 steev Note Edited: 0014174
2021-02-01 11:23 Erwan.lr Note Added: 0014175
2021-02-01 14:08 steev Note Added: 0014176
2021-02-01 15:13 Erwan.lr Note Added: 0014177
2021-02-01 18:19 steev Assigned To => sbrun
2021-02-01 18:19 steev Status new => confirmed
2021-02-01 18:19 steev Summary wpscan missing ruby modules => ruby-cms-scanner applying kali patch that breaks wpscan
2021-02-01 18:20 steev Note Added: 0014179
2021-02-02 09:36 sbrun Status confirmed => resolved
2021-02-02 09:36 sbrun Resolution open => fixed
2021-02-02 09:36 sbrun Note Added: 0014183
2021-02-02 09:37 sbrun Relationship added has duplicate 0007017