crudminer man page

CrudMiner — Find known-vulnerable software in a webroot

Synopsis /path/to/www


The idea of CrudMiner came from having inherited a large webserver full of user-installed software. As is nearly always the case when clients are allowed to install their own software, they never actually bother to keep it patched and updated. I wrote CrudMiner with the sole task of looking for known-outdated web software and reporting it to me in a format that was easy to grok and process.



show program's version number and exit

-h, --help

show this help message and exit


Location of the crud.ini file (crud.ini).

-q, --quiet

Do not output anything (usually with -r or -m).

-r CSV, --csv-report=CSV

Produce a CSV report and save it in a file.

-s, --report-secure

Include secure versions in the report, as well as vulnerable.

-e ENV, --environment=ENV

Only analyze for these environments (php, perl, etc). Default: all


Mail options to use when sending notifications.


Do not nag about anything found during this run.


To run CrudMiner, simply do: /path/to/www

You can start by running it against tests. You probably want to run it on a periodic basis and have it notify you of the findings, for which you probably want to put the following command in your cron scripts: -q -r /path/to/report.csv /path/to/www

This will generate a CSV file with the findings, which you can later mail to yourself.

If you want to always test against the latest definitions, you can pass a --crudfile parameter to point to the GitHub location of the crud.ini file: \
    --crudfile= \


Additionally, you can generate a simple mailmap.ini file with a mapping of paths to hostnames and admin email addresses. This will allow you to automatically nag owners of sites to update their software. Not that this is very effective, but it helps shift the blame: -q \
    --mailopts=/path/to/mailopts.ini \

See the provided example of the mailopts.ini for more info. No nagging will be done as long as mailmap.ini is empty.

If you want to disable nagging for a specific path (e.g. if there are legitimate reasons for a specific version of the software to be installed, or if there is a global .htaccess that prevents any exploitation of said software), you may run the following: --do-not-nag /path/to/ignore

This will stop nagging as long as the version of the installed software remains the same. If new vulnerable software is found or if the installed version of the software changes, the nagging will recommence.
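
The suppression rule described above, sketched as an added example (not CrudMiner's own code): an acknowledgement is stored per path and product together with the version seen, so a version change or a new product under the same path is reported again. The finding tuples, the in-memory store and the function names are assumptions made for illustration.

```python
# Added illustration, not CrudMiner's code. Finding tuples, the dict store
# and all function names are assumptions made for this sketch.
import posixpath


def under(path, root):
    """True if path is root or lies below it (site1 must not match site10)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def acknowledge(store, findings, ignore_path):
    """Remember the version of every finding currently under ignore_path."""
    for path, product, version in findings:
        if under(path, ignore_path):
            store[(posixpath.normpath(path), product)] = version
    return store


def to_nag(store, findings):
    """Keep findings that were never acknowledged or whose version changed."""
    return [
        (path, product, version)
        for path, product, version in findings
        if store.get((posixpath.normpath(path), product)) != version
    ]


def demo():
    # Constructed sample findings: (install path, product, detected version).
    run1 = [
        ("/var/www/site1/blog", "ExampleBlog", "1.2"),
        ("/var/www/site10/blog", "ExampleBlog", "1.2"),
    ]
    store = acknowledge({}, run1, "/var/www/site1/")
    first = to_nag(store, run1)            # only site10 is still reported
    # Next run: site1 moved to another vulnerable version, and a second
    # vulnerable product appeared under the acknowledged path.
    run2 = [
        ("/var/www/site1/blog", "ExampleBlog", "1.3"),
        ("/var/www/site1/shop", "ExampleShop", "0.9"),
    ]
    return first, to_nag(store, run2)      # both run2 findings are reported


if __name__ == "__main__":
    print(demo())
```

Keying the acknowledgement on the version rather than on the path alone is what keeps an exception from silently covering a later, different vulnerable install in the same directory.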

Further Work

As you can tell, this is fairly early in development. You should check out the TODO file to see what is planned for the future.


License: GPLv3