webcalendar
Feature Request: Security Audit should report 'extra' files
Normally when an installation is compromised the attacker tends to drop in additional files that include malicious code. Sometimes these files go unnoticed because they might be named in such ways to not stand out.
I think a nice feature to have with security_audit.php is to scan the installation directories for files that should not be there.
This would probably mean that WebCalendar would have to maintain a list of files to compare to. Additionally, there isn't any reason I can think of why that file list wouldn't also include a hash to make sure no files were modified.
To avoid possible circumvention of this function the file list and hashes would need to be stored outside the installation directory.
These are all great ideas, but it does sound like a bit more overhead for the release process. Pull requests welcome :-)
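A sketch of the check the request describes, added here as an illustration; it is not code from WebCalendar or from either poster. The function name `audit_installation`, the JSON manifest format (relative path mapped to a SHA-256 hex digest), and the demo file names are all assumptions.

```php
<?php
// Added illustration, not WebCalendar code. Assumed manifest format:
// JSON object mapping relative path => SHA-256 hex, stored outside the install dir.
function audit_installation(string $installDir, string $manifestPath): array
{
    $root = realpath($installDir);
    $manifest = realpath($manifestPath);
    if ($root === false || $manifest === false) {
        throw new RuntimeException('Install directory or manifest not found');
    }
    // A manifest inside the tree could be rewritten along with the files it covers.
    if (strpos($manifest, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Manifest must live outside the install directory');
    }
    $expected = json_decode(file_get_contents($manifest), true);
    if (!is_array($expected)) {
        throw new RuntimeException('Manifest is not a JSON object');
    }
    $report = ['extra' => [], 'modified' => [], 'missing' => []];
    $seen = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        $rel = str_replace(DIRECTORY_SEPARATOR, '/', substr($file->getPathname(), strlen($root) + 1));
        // Assumption: a release ships only regular files, so symlinks and unlisted paths are extras.
        if ($file->isLink() || !$file->isFile() || !isset($expected[$rel])) {
            $report['extra'][] = $rel;
            continue;
        }
        $seen[$rel] = true;
        $actual = hash_file('sha256', $file->getPathname());
        if ($actual === false || !hash_equals(strtolower((string) $expected[$rel]), $actual)) {
            $report['modified'][] = $rel;
        }
    }
    $report['missing'] = array_keys(array_diff_key($expected, $seen));
    return array_map(function (array $l) { sort($l); return $l; }, $report);
}

// Constructed demo tree: one intact file, one tampered, one dropped in, one listed but absent.
$base = sys_get_temp_dir() . '/audit_demo_' . bin2hex(random_bytes(4));
mkdir("$base/install/lib", 0700, true);
file_put_contents("$base/install/known.php", "<?php // original\n");
file_put_contents("$base/install/lib/tampered.php", "<?php // original\n");
$list = ['gone.php' => str_repeat('0', 64)];
foreach (['known.php', 'lib/tampered.php'] as $f) $list[$f] = hash_file('sha256', "$base/install/$f");
file_put_contents("$base/manifest.json", json_encode($list));
file_put_contents("$base/install/lib/tampered.php", "<?php // changed after release\n");
file_put_contents("$base/install/lib/.dropped.php", "<?php // not in manifest\n");
echo json_encode(audit_installation("$base/install", "$base/manifest.json"), JSON_PRETTY_PRINT), "\n";
```

Directories that legitimately hold site-specific or uploaded files would need an allow-list, since everything not in the manifest is reported as extra.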