vulnerability assessment report - indusface.com€¦ · this, or any other, security audit cannot...

Vulnerability Assessment Report

Demo Account

176.28.50.165

http://testhtml5.vulnweb.com/#/popular

Confidential

Scan Date: 2017-01-17

ScopeVulnerability Assessment for IP Address 176.28.50.165.

Limitations1. The entire test was carried out with no prior knowledge of the systems and applications.2. All test were carried out without any known credentials to systems and applications.3. IndusGuard does not carry out any DoS attacks or to run any exploits which can affect systems availability.

ConfidentialityThis document contains sensitive and/or confidential information, do not distribute, email, fax or transfer via anyelectronic mechanism without proper authorization. Information contained with in this document should be handled withappropriate caution. While reasonable attempts have been made to confirm the accuracy of the data contained herein,IndusGuard, assumes no liability for the completeness, use of, or conclusions drawn from such data.

DisclaimerThis, or any other, Security Audit cannot and does not guarantee security. IndusGuard makes no warranty or claim of anykind, whatsoever, about the accuracy or usefulness of any information provided herein. By using this information youagree that IndusGuard shall be held harmless in any event. IndusGuard makes this information available solely under itsTerms of Service Agreement published at soc.indusguard.com.

Executive SummaryTotal number of vulnerabilities identified for 176.28.50.165 is 209

of 120

Scan Date: 2017-01-17

Vulnerability v/s Severity Pie Chart Vulnerability v/s Open Status Pie Chart

Vulnerability v/s Severity Bar Chart Vulnerability Summary

Severity Total

Critical 4

High 23

Medium 86

Low 14

Info 82

of 120

Scan Date: 2017-01-17

Vulnerability Details

Title Total

OpenSSH < 7.0 Multiple Vulnerabilities 1

PHP 5.3.x < 5.3.15 Multiple Vulnerabilities 1

PHP Unsupported Vers ion Detection 1

Unsupported Unix Operating System 1

CGI Generic SQL Injection 1

CGI Generic SQL Injection (2nd pass) 1

CGI Generic SQL Injection (blind) 1

CGI Generic SQL Injection (blind, time based) 1

nginx < 1.4.4 / 1.5.7 ngx_parse_http SecurityBypass

1


PHP 5 < 5.2.7 Multiple Vulnerabilities 1

PHP 5.3.x < 5.3.13 CGI Query String CodeExecution

1





PHP 5.x < 5.2 Multiple Vulnerabilities 1

PHP 5.x < 5.2.2 Information Disclosure 1

PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities 1

PHP < 5.2.1 Multiple Vulnerabilities 1





PHP < 5.3.12 / 5.4.2 CGI Query String CodeExecution

1


ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution

1

CGI Generic Cookie Injection Scripting 1

CGI Generic Cross-Site Request ForgeryDetection (potential)

1

CGI Generic Cross-Site Scripting(comprehensive test)

1

CGI Generic Cross-Site Scripting (extendedpatterns)

1

CGI Generic Cross-Site Scripting (quick test) 1

CGI Generic HTML Injections (quick test) 1

CGI Generic Local File Inclus ion 1

nginx < 1.6.2 / 1.7.5 SSL Session Reuse 1


of 120

Scan Date: 2017-01-17

OpenSSH < 5.9 Multiple DoS 1


OpenSSH >= 2.3.0 AllowTcpForwarding PortBouncing

1

OpenSSH LoginGraceTime / MaxStartups DoS 1

OpenSSH S/KEY Authentication AccountEnumeration

1

OpenSSL 'ChangeCipherSpec' MiTMVulnerability

5

OPIE w/ OpenSSH Account Enumeration 1

PHP 5.3.x < 5.3.21 cURL X.509 CertificateDomain Name Matching MiTM Weakness

1


PHP 5.3.x < 5.3.23 Information Disclosure 1

PHP 5.3.x < 5.3.28 Multiple OpenSSLVulnerabilities

1







PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities 1

PHP Foreign Function Interface Arbitrary DLLLoading safe_mode Restriction Bypass

1

PHP ip2long Function String ValidationWeakness

1

PHP PHP_RSHUTDOWN_FUNCTION SecurityBypass

1

PHP Symlink Function Race Conditionopen_basedir Bypass

1

SSL Anonymous Cipher Suites Supported 1

SSL Certificate Cannot Be Trusted 5

SSL Certificate Expiry 5

SSL Certificate with Wrong Hostname 5

SSL DROWN Attack Vulnerability (DecryptingRSA with Obsolete and Weakened eNcryption)

2

SSL Medium Strength Cipher SuitesSupported

5

SSL Self-Signed Certificate 5

SSL Vers ion 2 (v2) Protocol Detection 3

SSL Weak Cipher Suites Supported 4

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits(LogJam)

1

SSL/TLS EXPORT_RSA <= 512-bit CipherSuites Supported (FREAK)

4

SSL/TLS Protocol Initialization VectorImplementation Information DisclosureVulnerability

5

of 120

Scan Date: 2017-01-17

SSLv3 Padding Oracle On DowngradedLegacy Encryption Vulnerability (POODLE)

3

Web Application SQL Backend Identification 1

Web Application Vulnerable to Clickjacking 1

Web Server info.php / phpinfo.php Detection 1

CGI Generic Injectable Parameter 1

FTP Supports Clear Text Authentication 1

PHP mb_send_mail() Function ParameterSecurity Bypass

1

POP3 Cleartext Logins Permitted 1

Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak LocalInformation Disclosure

1

SMTP Service Cleartext Login Permitted 1

SSH Server CBC Mode Ciphers Enabled 1

SSH Weak MAC Algorithms Enabled 1

SSL RC4 Cipher Suites Supported 5

Web Server Uses Plain Text AuthenticationForms

1

Browsable Web Directories 1

CGI Generic Tests HTTP Errors 1

CGI Generic Tests Load Estimation (all tests) 1

CGI Generic Tests Timeout 1

Common Platform Enumeration (CPE) 1

Device Type 1

DNS Server Detection 2

DNS Server Fingerprinting 1

DNS Server hostname.bind Map HostnameDisclosure

1

DNS Server Vers ion Detection 1

External URLs 1

FTP Server Detection 1

HTTP Methods Allowed (per directory) 3

HTTP Server Type and Vers ion 3

HTTP X-Content-Security-Policy ResponseHeader Usage

1

HTTP X-Frame-Options Response HeaderUsage

1

HyperText Transfer Protocol (HTTP)Information

3

IMAP Service Banner Retrieval 2

IMAP Service STARTTLS Command Support 1

OpenSSL Detection 5

Patch Report 1

PHP Vers ion 1

POP Server Detection 2

POP3 Service STLS Command Support 1

Service Detection: 3 ASCII Digit Code 1

of 120

Scan Date: 2017-01-17

Responses

SMTP Authentication Methods 2

SMTP Server Detection 2

SSH Algorithms and Languages Supported 1

SSH Protocol Vers ions Supported 1

SSH Server Type and Vers ion Information 1

SSL / TLS Vers ions Supported 5

SSL Certificate commonName Mismatch 5

SSL Certificate Information 5

SSL Cipher Block Chaining Cipher SuitesSupported

5

SSL Cipher Suites Supported 5

SSL Perfect Forward Secrecy Cipher SuitesSupported

1

SSL Session Resume Supported 3

TCP/IP Timestamps Supported 1

Web Application Potentially Sensitive CGIParameter Detection

1

Web mirroring 1

Web Server Allows Password Auto-Completion

1

Web Server Directory Enumeration 1

Web Server Harvested Email Addresses 1

Web Site Client Access Policy File Detection 1

Web Site Cross-Domain Policy File Detection 1

Open Services

www (tcp/8880)

www (tcp/8443)

pop3 (tcp/995)

imap (tcp/993)

smtp (tcp/465)

imap (tcp/143)

pop3 (tcp/110)

of 120

Scan Date: 2017-01-17

pop3pw (tcp/106)

www (tcp/80)

dns (udp/53)

dns (tcp/53)

smtp (tcp/25)

ssh (tcp/22)

ftp (tcp/21)

Vulnerabilities

Alert ID: 84650 Found on: 2017-01-17 Severity: Critical

PHP Unsupported Version Detection (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 10.0Cvss Score: 10.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:CPCI Compliance: Fail

Description:

According to its vers ion, the installation of PHP on the remote host is no longer supported. As a result, it is likely tocontain security vulnerabilities.

Solution:

Upgrade to a vers ion of PHP that is currently supported.

Result:

Source : X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2 Installed version : 5.3.10-1~lucid+2uwsgi2 End of supportdate : 2014/08/14 Announcement : http://php.net/archive/2014.php#id2014-08-14-1 Supported versions : 7.1.x /7.0.x / 5.6.x

References:

https://wiki.php.net/rfc/releaseprocess


PHP 5.3.x < 5.3.15 Multiple Vulnerabilities (tcp/80)

Open Status: NEW First Found: 2017-01-17

of 120

Scan Date: 2017-01-17

CVE ID: CVE-2012-2688,CVE-2012-3365Cvss Base: 10.0Cvss Score: 10.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:CPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is , therefore,potentially affected by the following vulnerabilities :

- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'.(CVE-2012-2688)

- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed.(CVE-2012-3365)

Solution:

Upgrade to PHP vers ion 5.3.15 or later.

Result:

Version source : X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2 Installed version : 5.3.10-1~lucid+2uwsgi2 Fixedversion : 5.3.15

References:

http://www.php.net/ChangeLog-5.php#5.3.15


OpenSSH < 7.0 Multiple Vulnerabilities (tcp/22)

Open Status: NEW First Found: 2017-01-17Cvss Base: 10.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is prior to 7.0. It is , therefore, affected by thefollowing vulnerabilities :

- A flaw exists in the kbdint_next_device() function in file auth2-chall.c that allows the circumvention of MaxAuthTriesduring keyboard-interactive authentication.An attacker can exploit this issue to force the same authentication method to be tried thousands of times in a s inglepass by using a crafted keyboard-interactive 'devices' string, thus allowing a brute-force attack or causing a denial ofservice. (CVE-2015-5600)

- A security bypass vulnerability exists in sshd related to PAM support. An authenticated, remote attacker can exploit thisto impact the pre-authentication process, allowing the possible execution of arbitrary code. Note that this issue onlyaffects Portable OpenSSH.(OSVDB 126030)

- A flaw exists in sshd due to setting insecure world-writable permiss ions for TTYs. A local attacker can exploit this , byinjecting crafted terminal escape sequences, to execute commands for logged-in users.(OSVDB 126031)

- A use-after-free error exists in sshd related to PAM support. A remote attacker can exploit this to impact the pre-authentication process, allowing the possible execution of arbitrary code. Note that this issue only affects PortableOpenSSH. (OSVDB 126033)

Solution:

Upgrade to OpenSSH 7.0 or later.

of 120

Scan Date: 2017-01-17

Result:

Version source : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1 Installed version : 5.3p1 Fixed version : 7.0

References:

http://www.openssh.com/txt/release-7.0


Unsupported Unix Operating System (tcp/0)

Open Status: NEW First Found: 2017-01-17Cvss Base: 10.0Cvss Score: 10.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:CPCI Compliance: Fail

Description:

According to its vers ion, the remote Unix operating system is obsolete and no longer maintained by its vendor orprovider.

Lack of support implies that no new security patches will be released for it.

Solution:

Upgrade to a newer vers ion.

Result:

Ubuntu 10.04 support ended on 2013-05-09 (Desktop) / 2015-04-30 (Server).Upgrade to Ubuntu 16.04.For moreinformation, see : https://wiki.ubuntu.com/Releases

Alert ID: 84606 Found on: 2017-01-17 Severity: High

CGI Generic SQL Injection (2nd pass) (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 7.5Cvss Score: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

By providing specially crafted parameters to CGIs, IndusGuard was able to get an error from the underlying database.This error suggests that the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or eventake control of the remote operating system.

Solution:

Modify the relevant CGIs so that they properly escape arguments.

Result:

During testing for cookie manipulation vulnerabilities, SQL errors were noticed, suggesting that the scripts /parameters listed below may also be vulnerable to SQL Injection (SQLi).-------- request --------GET /listproducts.php?cat=<script>document.cookie="testbodp=9194;"</script> HTTP/1.1Host: rs202995.rs.hosteurope.deAccept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/4.0(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Pragma: no-cacheAccept: image/gif, image/x-xbitmap,image/jpeg, image/pjpeg, image/png, */*-------------------------------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expects

of 120

Scan Date: 2017-01-17

parameter 1 to be resource, b [...]</div>-------------------------------- request --------GET /listproducts.php?artist=<script>document.cookie="testbodp=9194;"</script> HTTP/1.1Host: rs202995.rs.hosteurope.deAccept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/4.0(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Pragma: no-cacheAccept: image/gif, image/x-xbitmap,image/jpeg, image/pjpeg, image/png, */*-------------------------------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>-------------------------------- request --------GET /listproducts.php?cat=<script>document.cookie="testbodp=9194;"</script>&artist=1 HTTP/1.1Host:rs202995.rs.hosteurope.deAccept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Pragma: no-cacheAccept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*-------------------------------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>------------------------During testing for arbitrary command execution (timebased) vulnerabilities, SQL errors were noticed, suggesting that the scripts / parameters listed below may also bevulnerable to SQL Injection (SQLi).-------- request --------GET /listproducts.php?artist=1&cat=1%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1Host:rs202995.rs.hosteurope.deAccept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Pragma: no-cacheAccept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*-------------------------------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near 'x || sleep 3 &'at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------Duringtesting for blind SQL injection (time based) vulnerabilities, SQL errors were not

References:

http://en.wikipedia.org/wiki/SQL_injection

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.securitydocs.com/library/2651

http://projects.webappsec.org/SQL-Injection


CGI Generic SQL Injection (blind) (tcp/80)


Description:

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, IndusGuard wasable to get a very different response, which suggests that it may have been able to modify the behavior of the applicationand directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remotedatabase, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution:

Modify the affected CGI scripts so that they properly escape arguments.

of 120

Scan Date: 2017-01-17

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to blind SQLinjection :+ The 'artist' parameter of the /artists.php CGI :/artists.php?artist=1+and+1=0-------- output --------<div id="content"><h2 id='pageName'>artist:r4w8173</h2><div class='story'><p><p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec mo[...] Sed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum co [...]-------- vs --------<div id="content"></div>------------------------+ The 'cat'parameter of the /listproducts.php CGI :/listproducts.php?artist=1&cat=1+and+1=0-------- output --------<div id="content"><h2 id='pageName'>Posters</h2><divclass='story'><a href='product.php?pic=1'><h3>The shore</h3></a><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/1.jpg&size=160' width='160' he [...]Sed aliquam sem ut arcu.</p><p>painted by: <ahref='artists.php?ar [...]Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?ar [...]-------- vs --------<div id="content"></div>------------------------/listproducts.php?artist=1&cat=1+and+1=0 {2}-------- output --------<div id="content"><h2 id='pageName'>Posters</h2><divclass='story'><a href='product.php?pic=1'><h3>The shore</h3></a><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/1.jpg&size=160' width='160' he [...]Sed aliquam sem ut arcu.</p><p>painted by: <ahref='artists.php?ar [...]Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?ar [...]-------- vs --------<div id="content"></div>------------------------+ The 'pic' parameter of the /product.php CGI :/product.php?pic=1+and+1=0-------- output--------<div id="content"><h2 id='pageName'>Theshore</h2><div class='story'><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><imgstyle='cursor:pointer' border='0' align='center' src='showimage.php?file=./pictures/1.jpg&size=160' width='160'height='100'></a><h3>Short description</h3><p>Lo [...]Sed aliquam sem ut arcu.</p><h3>Longdescription</h3><p><p>This picture is an 53 cm x 12 cm masterpiece.-------- vs --------<div id="content"></div>------------------------Clicking directly on these URLs should exhibit the issue :(you will probably need to read the HTMLsource)http://rs202995.rs.hosteurope.de/artists.php?artist=1+and+1=0http://rs202995.rs.hosteurope.de/listproducts.php?artist=1&cat=1+and+1=0http://rs202995.rs.hosteurope.de/product.php?pic=1+and+1=0

References:





CGI Generic SQL Injection (blind, time based) (tcp/80)


Description:

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, IndusGuard wasable to get a s lower response, which suggests that it may have been able to modify the behavior of the application anddirectly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remotedatabase, or even take control of the remote operating system.


of 120

Scan Date: 2017-01-17

Solution:

Modify the affected CGI scripts so that they properly escape arguments.

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to blind SQLinjection (time based) :+ The 'artist' parameter of the /artists.php CGI :/artists.php?artist=1%20AND%20SLEEP(21)=0-------- output --------<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><title>artists</title><link rel="stylesheet" href="style.css" type="text/css">[...]------------------------+ The 'cat'parameter of the /listproducts.php CGI :/listproducts.php?artist=1&cat=1%20AND%20SLEEP(3)=0-------- output --------------------------------+ The 'pic' parameter of the /product.php CGI :/product.php?pic=1%20AND%20SLEEP(21)=0--------output --------<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><title>picture details</title><link rel="stylesheet" href="style.css" type="text/css">[...]------------------------Clicking directlyon these URLs should exhibit the issue :(you will probably need to read the HTMLsource)http://rs202995.rs.hosteurope.de/artists.php?artist=1%20AND%20SLEEP(21)=0http://rs202995.rs.hosteurope.de/product.php?pic=1%20AND%20SLEEP(21)=0

References:





CGI Generic SQL Injection (tcp/80)


Description:

By providing specially crafted parameters to CGIs, IndusGuard was able to get an error from the underlying database.This error suggests that the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or eventake control of the remote operating system.

Solution:

Modify the relevant CGIs so that they properly escape arguments.

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to SQLinjection :+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?cat=convert(varchar,0x7b5d)--------output --------<div id="content">Error: You have an error inyour SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to usenear 'varchar,0x7b5d)' at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'artist' parameter of the /listproducts.php CGI :/listproducts.php?artist=convert(varchar,0x7b5d)-------- output --------<div id="content">Error: You have an error inyour SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to usenear 'varchar,0x7b5d)' at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>-----

of 120

Scan Date: 2017-01-17

-------------------+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?cat=convert(varchar,0x7b5d)&artist=1-------- output --------<divid="content">Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQLserver version for the right syntax to use near 'varchar,0x7b5d)' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>------------------------Clicking directly on these URLs should exhibit the issue:(you will probably need to read the HTML source)http://rs202995.rs.hosteurope.de/listproducts.php?cat=convert(varchar,0x7b5d)

References:

http://en.wikipedia.org/wiki/SQL_injection




http://www.owasp.org/index.php/Guide_to_SQL_Injection


PHP < 5.2.8 Multiple Vulnerabilities (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2008-5814,CVE-2008-5844Cvss Base: 7.5Cvss Score: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is earlier than 5.2.8. As such, it is potentiallyaffected by the following vulnerabilities :

- PHP fails to properly sanitize error messages of arbitrary HTML or script code, would code allow for cross-s ite scriptingattacks if PHP's 'display_errors ' setting is enabled. (CVE-2008-5814)

- Vers ion 5.2.7 introduced a regression with regard to 'magic_quotes' functionality due to an incorrect fix to the filterextension. As a result, the 'magic_quotes_gpc' setting remains off even if it is set to on. (CVE-2008-5844)

Solution:


Result:

Version source : http://rs202995.rs.hosteurope.de/secured/phpinfo.php Installed version : 5.1.6 Fixed version :5.2.8

References:

http://bugs.php.net/42718

http://www.php.net/releases/5_2_8.php



Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2011-3379,CVE-2011-

4566,CVE-2011-4885,CVE-2012

of 120

Scan Date: 2017-01-17

Cvss Base: 7.5Cvss Score: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.3.9. As such, it may be affected bythe following security issues :

- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)

- It is possible to create a denial of service condition by sending multiple, specially crafted requests containingparameter values that cause hash collis ions when computing the hash values for storage in a hash table. (CVE-2011-4885) - An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to readarbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bitplatforms. (CVE-2011-4566)

- Calls to libxslt are not restricted via xs ltSetSecurityPrefs(), which could allow an attacker to create or overwrite files,resulting in arbitrary code execution. (CVE-2012-0057)

- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a nullpointer. This causes the application to crash. (CVE-2012-0781)

- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the sessionfeature. (CVE-2012-0788)

- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of serviceattack via memory consumption.(CVE-2012-0789)

Solution:


Result:


References:

http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5

http://www.php.net/archive/2012.php#id2012-01-11-1

http://archives.neohapsis .com/archives/bugtraq/2012-01/0092.html

https://bugs.php.net/bug.php?id=55475





PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2012-1823

of 120

Scan Date: 2017-01-17

Cvss Base: 8.3Cvss Score: 8.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such ispotentially affected by a remote code execution and information disclosure vulnerability.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or topotentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as commandline arguments including switches such as '-s ', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is notan exploitable configuration.

Solution:

Upgrade to PHP vers ion 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.

Result:

Version source : X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2 Installed version : 5.3.10-1~lucid+2uwsgi2 Fixedversion : 5.3.12 / 5.4.2

References:

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/






PHP 5.x < 5.2.2 Information Disclosure (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2007-1649Cvss Base: 7.8Cvss Score: 7.8Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:NPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP 5.x installed on the remote host is older than 5.2.2. An attacker may readsome heap memory by processing 'S:' serialized data.

Solution:


Result:


References:


of 120

Scan Date: 2017-01-17



Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2013-4113Cvss Base: 9.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Description:

According to its banner, the vers ion of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is , therefore, potentiallyaffected by the following vulnerabilities:

- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)

- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)

Note that this check does not attempt to exploit these vulnerabilities, but instead, relies only on PHP's self-reportedvers ion number.

Solution:

Apply the vendor patch or upgrade to PHP vers ion 5.3.27 or later.

Result:


References:







2386,CVE-2012-3450Cvss Base: 8.5Cvss Score: 8.5Cvss Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:CPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and as such ispotentially affected the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to aheap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to thiserror. (CVE-2012-2386)

- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute force attacks. (CVE-2012-2143)

- Several design errors involving the incorrect pars ing of PHP PDO prepared statements could lead to disclosure ofsensitive information or denial of service. (CVE-2012-3450)

of 120

Scan Date: 2017-01-17

Solution:


Result:


References:

http://www.nessus.org/u?6adf7abc



http://www.nessus.org/u?99140286




6039,CVE-2008-0599,CVE-2008Cvss Base: 7.5Cvss Score: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.6. Such vers ions may beaffected by the following issues :

- A stack buffer overflow in FastCGI SAPI.

- An integer overflow in printf().

- An security issue aris ing from improper calculation of the length of PATH_TRANSLATED in cgi_main.c.

- A safe_mode bypass in cURL.

- Incomplete handling of multibyte chars ins ide escapeshellcmd().

- Issues in the bundled PCRE fixed by vers ion 7.6.

Solution:


Result:


References:

http://archives.neohapsis .com/archives/bugtraq/2008-03/0321.html

http://archives.neohapsis .com/archives/fulldisclosure/2008-05/0103.html



of 120

Scan Date: 2017-01-17




0831,CVE-2012-1172Cvss Base: 7.5Cvss Score: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is earlier than 5.3.11, and as such is potentiallyaffected by multiple vulnerabilities :

- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handledproperly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)

- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated.(CVE-2012-1172)

- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and'readline_read_history'.

- The 'header()' function does not detect multi- line headers with a CR. (Bug #60227 / CVE-2011-1398)

Solution:


Result:


References:

http://www.nessus.org/u?e81d4026




http://marc.info/?l=oss-security&m=134626481806571&w=2




PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities (tcp/80)


0911,CVE-2007-1001,CVE-2007Cvss Base: 7.5Cvss Score: 7.5

of 120

Scan Date: 2017-01-17

Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such vers ions may beaffected by several issues, including buffer overflows in the GD library.

Solution:

Upgrade to PHP 4.4.7 / 5.2.2 or later.

Result:

Version source : http://rs202995.rs.hosteurope.de/secured/phpinfo.php, Installed version : 5.1.6 Fixed version :4.4.7 / 5.2.2

References:





Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2013-2110Cvss Base: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Description:

According to its banner, the vers ion of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is , therefore, potentiallyaffected by the following vulnerabilities:

- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings (Bug #64879)

- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that couldallow denial of service attacks. (Bug #64895)

Note that this check does not attempt to exploit these vulnerabilities, but instead, relies only on PHP's self-reportedvers ion number.

Solution:

Apply the vendor patch or upgrade to PHP vers ion 5.3.26 or later.

Result:


References:

http://www.IndusGuard.org/u?60cbc5f0

http://www.IndusGuard.org/u?8456482e



PHP 5 < 5.2.7 Multiple Vulnerabilities (tcp/80)

of 120

Scan Date: 2017-01-17



Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.7. Such vers ions may beaffected by several security issues :

- File truncation can occur when calling 'dba_replace()' with an invalid argument.

- There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)

- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given.(CVE-2008-3658)

- There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)

- When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)

- Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remoteattacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).

- A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsoleteAPI call. (CVE-2008-2829)

- A heap-based buffer overflow may be triggered via a call to 'mb_check_encoding()', part of the 'mbstring' extension.(CVE-2008-5557)

- Miss ing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow forbypassing security restriction due to SAPI 'php_getuid()' overloading. (CVE-2008-5624)

- Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting.(CVE-2008-5625)

- The ZipArchive:extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from filenames. (CVE-2008-5658)

Solution:


Note that 5.2.7 was been removed from distribution because of a regression in that vers ion that results in the'magic_quotes_gpc' setting remaining off even if it was set to on.

Result:


References:

http://securityreason.com/achievement_securityalert/57



http://www.sektioneins.de/advisories/SE-2008-06.txt

of 120

Scan Date: 2017-01-17



http://www.openwall.com/lists/oss-security/2008/08/08/2




http://bugs.php.net/bug.php?id=42862









Description:


- An unspecified error occurs in certificate validation ins ide 'php_openssl_apply_verification_policy'.

- An unspecified input validation vulnerability affects the color index in 'imagecolortransparent()'.

- An unspecified input validation vulnerability affects exif processing.

- Calling 'popen()' with an invalid mode can cause a crash under Windows. (Bug #44683)

- An integer overflow in 'xml_utf8_decode()' can make it easier to bypass cross-s ite scripting and SQL injectionprotection mechanisms using a specially crafted string with a long UTF-8 encoding. (Bug #49687)

- 'proc_open()' can bypass 'safe_mode_protected_env_vars '.(Bug #49026)

Solution:


Result:


of 120

Scan Date: 2017-01-17

References:



http://news.php.net/php.internals/45597





0207,CVE-2014-0237,CVE-2014Cvss Base: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Description:

According to its banner, the vers ion of PHP installed on the remote host is 5.3.x prior to 5.3.29. It is , therefore, affected bythe following vulnerabilities :

- A heap-based buffer overflow error exists in the file 'ext/date/lib/parse_iso_intervals .c' related to handling DateIntervalobjects that allows denial of service attacks. (CVE-2013-6712)

- A boundary checking error exists related to the Fileinfo extension, Composite Document Format (CDF) handling, and thefunction 'cdf_read_short_sector'. (CVE-2014-0207)

- A flaw exists with the 'cdf_unpack_summary_info()' function within 'src/cdf.c' where multiple file_printf calls occur whenhandling specially crafted CDF files.This could allow a context dependent attacker to crash the web application using PHP. (CVE-2014-0237)

- A flaw exists with the 'cdf_read_property_info()' function within 'src/cdf.c' where an infinite loop occurs when handlingspecially crafted CDF files. This could allow a context dependent attacker to crash the web application using PHP. (CVE-2014-0238)

- A type-confusion error exists related to the Standard PHP Library (SPL) extension and the function 'unserialize'. (CVE-2014-3515)

- An error exists related to configuration scripts and temporary file handling that could allow insecure file usage. (CVE-2014-3981)

- A heap-based buffer overflow error exists related to the function 'dns_get_record' that could allow execution ofarbitrary code. (CVE-2014-4049)

- An out-of-bounds read exists in printf. (Bug #67249)

Note that IndusGuard has not attempted to exploit these issues, but has instead relied only on the application's self-reported vers ion number.

Additionally, note that vers ion 5.3.29 marks the end of support for the PHP 5.3.x branch.

Solution:


Result:


of 120

Scan Date: 2017-01-17

References:

http://php.net/archive/2014.php#id2014-08-14-1



PHP 5.x < 5.2 Multiple Vulnerabilities (tcp/80)



Description:

According to its banner, the vers ion of PHP 5.x installed on the remote host is older than 5.2. Such vers ions may beaffected by several buffer overflows.

To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server or tomanipulate several variables processed by some PHP functions such as 'htmlentities().'

Solution:


Result:

Version source : http://rs202995.rs.hosteurope.de/secured/phpinfo.php Installed version : 5.1.6 Fixed version : 5.2

References:

http://www.hardened-php.net/advisory_092006.133.html



PHP 5.3.x < 5.3.13 CGI Query String Code Execution (tcp/80)


2335,CVE-2012-2336Cvss Base: 8.3Cvss Score: 8.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, ispotentially affected by a remote code execution and information disclosure vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code andcode execution via query parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is notan exploitable configuration.

Solution:

of 120

Scan Date: 2017-01-17

Upgrade to PHP vers ion 5.3.13 or later. A 'mod_rewrite' workaround is available as well.

Result:


References:

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/








Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.1. Such vers ions may beaffected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution,'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals .

Solution:


Result:


References:



nginx < 1.4.4 / 1.5.7 ngx_parse_http Security Bypass (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 7.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Description:

According to the self-reported vers ion in the Server response header, the installed vers ion of nginx is greater than 0.8.41but prior to 1.4.4 / 1.5.7. It is , therefore, affected by a security bypass vulnerability in 'ngx_http_parse.c' when a file with aspace at the end of the URI is requested.

Solution:

Either apply the patch manually or upgrade to nginx 1.4.4 / 1.5.7 or later.

Result:

of 120

Scan Date: 2017-01-17

Version source : nginx/1.4.1 Installed version : 1.4.1 Fixed version : 1.4.4 / 1.5.7

References:

http://nginx.org/en/security_advisories.html

http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html

http://nginx.org/en/CHANGES-1.4

http://nginx.org/en/CHANGES



Open Status: NEW First Found: 2017-01-17Cvss Base: 8.5Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is prior to 6.9. It is , therefore, affected by thefollowing vulnerabilities :

- A flaw exists within the x11_open_helper() function in the 'channels .c' file that allows connections to be permitted after'ForwardX11Timeout' has expired. A remote attacker can exploit this to bypass timeout checks and XSECURITYrestrictions. (CVE-2015-5352)

- Various issues were addressed by fixing the weakness in agent locking by increasing the failure delay, storing thesalted hash of the password, and using a timing-safe comparison function.

- An out-of-bounds read error exists when handling incorrect pattern lengths. A remote attacker can exploit this to causea denial of service or disclose sensitive information in the memory.

- An out-of-bounds read error exists when pars ing the 'EscapeChar' configuration option.

Solution:


Result:


References:


http://www.IndusGuard.org/u?725c4682


ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution (tcp/21)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2011-4130Cvss Base: 9.0Cvss Score: 9.0Cvss Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:CPCI Compliance: Fail

Description:

of 120

Scan Date: 2017-01-17

The remote host is us ing ProFTPD, a free FTP server for Unix and Linux.

According to its banner, the vers ion of ProFTPD installed on the remote host is earlier than 1.3.3g or 1.3.4. As such, it ispotentially affected by a code execution vulnerability due to how the server manages the response pool that is used tosend responses from the server to the client. A remote, authenticated attacker could could leverage this issue toexecute arbitrary code on the remote host, subject to the privileges of the user running the affected application.

Note that IndusGuard did not actually test for the flaw but instead has relied on the vers ion in ProFTPD's banner.

Solution:

Upgrade to ProFTPD vers ion 1.3.3g / 1.3.4 or later.

Result:

Version source : 220 ProFTPD 1.3.3e Server (ProFTPD) [176.28.50.165] Installed version : 1.3.3e Fixed version :1.3.3g / 1.3.4

References:

http://www.zerodayinitiative.com/advisories/ZDI-11-328/


http://bugs.proftpd.org/show_bug.cgi?id=3711

http://www.proftpd.org/docs/NEWS-1.3.3g

http://www.proftpd.org/docs/NEWS-1.3.4

Alert ID: 84504 Found on: 2017-01-17 Severity: Medium

SSL Certificate with Wrong Hostname (tcp/995)

Open Status: NEW First Found: 2017-01-17Cvss Base: 5.0Cvss Score: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:NPCI Compliance: Fail

Description:

The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Solution:

Purchase or generate a proper certificate for this service.

Result:

The identity known by IndusGuard is : rs202995.rs.hosteurope.deThe Common Name in the certificate is :Parallels Panel


SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) (tcp/995)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2014-3566Cvss Base: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Description:

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. Thevulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers

of 120

Scan Date: 2017-01-17

in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries ifthey are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer issupported by the client and service.

The TLS Fallback SCSV extension prevents 'vers ion rollback' attacks without impacting legacy clients; however, it canonly protect connections when the client and service support the extension. Sites that cannot disable SSLv3 immediatelyshould enable this extension.

This is a vulnerability in the SSLv3 specification, not in a particular SSL implementation. Disabling SSLv3 is the only way tocompletely mitigate the vulnerability.

Solution:

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV extension until SSLv3 can be disabled.

Result:

IndusGuard determined that the remote server supports SSLv3 with at least one CBC cipher suite, indicating thatthis server is vulnerable.It appears that TLSv1 or newer is supported on the server. However, the Fallback SCSVmechanism is not supported, allowing connections to be "rolled back" to SSLv3.

References:

https://www.imperialviolet.org/2014/10/14/poodle.html

https://www.openssl.org/~bodo/ss l-poodle.pdf

https://tools .ietf.org/html/draft-ietf-tls -downgrade-scsv-00


SSL Medium Strength Cipher Suites Supported (tcp/995)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.3Cvss Score: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:NPCI Compliance: Fail

Description:

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard asthose with key lengths at least 56 bits and less than 112 bits .

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution:

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Result:

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={keyexchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}{export flag}


SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption) (tcp/995)

of 120

Scan Date: 2017-01-17

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2016-0800Cvss Base: 4.0Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Description:

The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a cross-protocolBleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). Thisvulnerability exists due to a flaw in the Secure Sockets Layer Vers ion 2 (SSLv2) implementation, and it allows capturedTLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizingpreviously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2server that uses the same private key.

Solution:

Disable SSLv2 and export grade cryptography cipher suites. Ensure that private keys are not used anywhere with serversoftware that supports SSLv2 connections.

Result:

The remote host is affected by SSL DROWN and supports the followingvulnerable cipher suites : Low StrengthCiphers (<= 64-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40)Mac=MD5 export High Strength Ciphers (>= 112-bit key) SSLv2 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128)Mac=MD5 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication}Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:

https://drownattack.com/

https://drownattack.com/drown-attack-paper.pdf


SSL Weak Cipher Suites Supported (tcp/995)


Description:

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.


Solution:

Reconfigure the affected application if possible to avoid use of weak ciphers.

Result:

Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSAEnc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={keyexchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}{export flag}

References:

http://www.openssl.org/docs/apps/ciphers.html

of 120

Scan Date: 2017-01-17


SSL Version 2 (v2) Protocol Detection (tcp/995)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2005-2969Cvss Base: 5.0Cvss Score: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:NPCI Compliance: Fail

Description:

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographicflaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Solution:

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Result:

- SSLv2 is enabled and the server supports at least one cipher.- SSLv3 is enabled and the server supports at leastone cipher.

References:

http://www.schneier.com/paper-ss l.pdf

http://support.microsoft.com/kb/187498

http://www.linux4beginners.info/node/disable-ss lv2


SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK) (tcp/995)

Open Status: NEW First Found: 2017-01-17Cvss Base: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:

The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits . An attacker can factor a512-bit RSA modulus in a short amount of time.

A man-in-the middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to remove support for weak cipher suites.

Solution:

Reconfigure the service to remove support for EXPORT_RSA cipher suites.

Result:

EXPORT_RSA cipher suites supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSAEnc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Thefields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetricencryption method} Mac={message authentication code} {export flag}

References:

https://www.smacktls .com/#freak

of 120

Scan Date: 2017-01-17

https://www.openssl.org/news/secadv_20150108.txt

http://www.IndusGuard.org/u?b78da2c4


OpenSSL 'ChangeCipherSpec' MiTM Vulnerability (tcp/995)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2014-0224Cvss Base: 5.8Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Description:

The OpenSSL service on the remote host is vulnerable to a man-in-the-middle (MiTM) attack, based on its response totwo consecutive 'ChangeCipherSpec' messages during the incorrect phase of an SSL/TLS handshake.

This flaw could allow a MiTM attacker to decrypt or forge SSL messages by telling the service to begin encryptedcommunications before key material has been exchanged, which causes predictable keys to be used to secure futuretraffic.

Solution:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/orserver) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Result:

The remote service accepted an SSL ChangeCipherSpec message at an incorrect point in the handshakeleading to weak keys being used, and then attempted to decrypt an SSL record using those weak keys.Thischeck detects unpatched OpenSSL 1.0.1, 1.0.0, and 0.9.8 services. Only 1.0.1 has been shown to be exploitable;however, OpenSSL 1.0.0 and 0.9.8 have received similar patches and users of these versions have beenadvised to upgrade as a precaution.

References:

http://www.IndusGuard.org/u?d5709faa

https://www.imperialviolet.org/2014/06/05/earlyccs.html



SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (tcp/995)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2011-3389Cvss Base: 4.3Cvss Score: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:NPCI Compliance: Fail

Description:

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encryptedtraffic served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This script tries to establish an SSL/TLS remote connection using an affected SSL vers ion and cipher suite, and then

of 120

Scan Date: 2017-01-17

solicits return data.If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option isspecified when OpenSSL is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry keyHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not,depending on whether or not a countermeasure has been enabled.

Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detectthe BEAST attack where it exploits the vulnerability at HTTPS client-s ide (i.e., Internet browser). The detection at server-s ide does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits thevulnerability at client-s ide, and both SSL/TLS clients and servers can independently employ the split recordcountermeasure.

Solution:

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.

Note that additional configuration may be required after the installation of the MS12-006 security update in order toenable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details .

Result:

Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1

References:

http://www.openssl.org/~bodo/tls -cbc.txt

http://vnhacker.blogspot.com/2011/09/beast.html

http://technet.microsoft.com/en-us/security/bulletin/ms12-006


http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx


SSL Certificate Cannot Be Trusted (tcp/995)

Open Status: NEW First Found: 2017-01-17Cvss Base: 6.4Cvss Score: 6.4Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:NPCI Compliance: Fail

Description:

The server's X.509 certificate does not have a s ignature from a known public certificate authority. This s ituation canoccur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority.This can occur either when the top of the chain is an unrecognized, self-s igned certificate, or when intermediatecertificates are miss ing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either whenthe scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

of 120

Scan Date: 2017-01-17

Third, the certificate chain may contain a s ignature that either didn't match the certificate's information, or was notpossible to verify. Bad s ignatures can be fixed by getting the certificate with the bad s ignature to be re-s igned by itsis suer. Signatures that could not be verified are the result of the certificate's issuer us ing a s igning algorithm thatIndusGuard either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establisha man in the middle attack against the remote host.

Solution:


Result:

The following certificate was part of the certificate chainsent by the remote host, but it has expired :|-Subject :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]|-NotAfter : Nov 09 10:32:06 2013 GMTThe following certificate was at the top of the certificatechain sent by the remotehost, but it is signed by an unknowncertificate authority :|-Subject :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]|-Issuer :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]


SSL Self-Signed Certificate (tcp/995)


Description:

The X.509 certificate chain for this service is not s igned by a recognized certificate authority. If the remote host is apublic host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against theremote host.

Note that this check does not check for certificate chains that end in a certificate that is not self-s igned, but is s igned byan unrecognized certificate authority.

Solution:


Result:

The following certificate was found at the top of the certificatechain sent by the remote host, but is self-signed andwas notfound in the list of known certificate authorities :|-Subject :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]


SSL Certificate Expiry (tcp/995)


Description:

This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whetherany have already expired.

Solution:

of 120

Scan Date: 2017-01-17

Purchase or generate a new SSL certificate to replace the existing one.

Result:

The SSL certificate has already expired : Subject : C=US, ST=Virginia, L=Herndon, O=Parallels, OU=ParallelsPanel, CN=Parallels Panel, [email protected] Issuer : C=US, ST=Virginia, L=Herndon,O=Parallels, OU=Parallels Panel, CN=Parallels Panel, [email protected] Not valid before : Nov 910:32:06 2012 GMT Not valid after : Nov 9 10:32:06 2013 GMT




Description:


Solution:


Result:





Description:

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. Thevulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphersin cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries ifthey are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.




Solution:

Disable SSLv3.


Result:

of 120

Scan Date: 2017-01-17


References:







Description:



Solution:


Result:

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={keyexchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}{export flag}


SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption) (tcp/993)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2016-0800Cvss Base: 4.0Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Description:

The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a cross-protocolBleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). Thisvulnerability exists due to a flaw in the Secure Sockets Layer Vers ion 2 (SSLv2) implementation, and it allows capturedTLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizingpreviously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2server that uses the same private key.

Solution:

Disable SSLv2 and export grade cryptography cipher suites. Ensure that private keys are not used anywhere with serversoftware that supports SSLv2 connections.

Result:

of 120

Scan Date: 2017-01-17

The remote host is affected by SSL DROWN and supports the followingvulnerable cipher suites : Low StrengthCiphers (<= 64-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40)Mac=MD5 export High Strength Ciphers (>= 112-bit key) SSLv2 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128)Mac=MD5 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication}Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:

https://drownattack.com/

https://drownattack.com/drown-attack-paper.pdf




Description:



Solution:


Result:

Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSAEnc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={keyexchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}{export flag}

References:





Description:


of 120

Scan Date: 2017-01-17

Solution:


Result:

- SSLv2 is enabled and the server supports at least one cipher.- SSLv3 is enabled and the server supports at leastone cipher.

References:







Description:



Solution:


Result:


References:







Description:


of 120

Scan Date: 2017-01-17


Solution:


Result:


References:







Description:



This script tries to establish an SSL/TLS remote connection using an affected SSL vers ion and cipher suite, and thensolicits return data.If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.





Solution:

of 120

Scan Date: 2017-01-17



Result:


References:









Description:






Solution:


Result:


of 120

Scan Date: 2017-01-17




Description:



Solution:


Result:





Description:


Solution:


Result:





of 120

Scan Date: 2017-01-17

Description:


Solution:


Result:



SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (LogJam) (tcp/465)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.0Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Description:

The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits .Through cryptanalys is , a third party may be able to find the shared secret in a short amount of time (depending onmodulus s ize and attacker resources). This may allow the attacker to recover the plain text or potentially violate theintegrity of connections.

Solution:

Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

Result:

Vulnerable connection combinations : SSL/TLS version : TLSv1.0 Cipher suite :TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty : Hard(would require nation-state resources) SSL/TLS version : TLSv1.0 Cipher suite :TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty :Hard (would require nation-state resources) SSL/TLS version : TLSv1.0 Cipher suite :TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty : Hard(would require nation-state resources) SSL/TLS version : SSLv3 Cipher suite :TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty : Hard(would require nation-state resources) SSL/TLS version : SSLv3 Cipher suite :TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty :Hard (would require nation-state resources) SSL/TLS version : SSLv3 Cipher suite :TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA Diffie-Hellman MODP size (bits) : 1024 Logjam attack difficulty : Hard(would require nation-state resources)

References:

http://weakdh.org/




Description:

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. Thevulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphersin cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if

of 120

Scan Date: 2017-01-17

they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.




Solution:

Disable SSLv3.


Result:


References:







Description:



Solution:


Result:

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication}Enc={symmetric encryption method} Mac={message authentication code} {export flag}




of 120

Scan Date: 2017-01-17

CVE ID: CVE-2005-2969Cvss Base: 5.0Cvss Score: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:NPCI Compliance: Fail

Description:


Solution:


Result:

- SSLv3 is enabled and the server supports at least one cipher.

References:





SSL Anonymous Cipher Suites Supported (tcp/465)


Description:

The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a servicethat encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host'sidentity and renders the service vulnerable to a man-in-the-middle attack.


Solution:


Result:

Here is the list of SSL anonymous ciphers supported by the remote server : Medium Strength Ciphers (> 64-bitand < 112-bit key) TLSv1 ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 High StrengthCiphers (>= 112-bit key) TLSv1 ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1 ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1 ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetricencryption method} Mac={message authentication code} {export flag}

References:



of 120

Scan Date: 2017-01-17



Description:



Solution:


Result:


References:







Description:






of 120

Scan Date: 2017-01-17



Solution:



Result:


References:









Description:






of 120

Scan Date: 2017-01-17

Solution:


Result:





Description:



Solution:


Result:





Description:


Solution:


Result:


of 120

Scan Date: 2017-01-17




Description:


Solution:


Result:





Description:



Solution:


Result:

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields aboveare : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}




Description:


of 120

Scan Date: 2017-01-17


Solution:


Result:

Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512)Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 exportDES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 The fields above are : {OpenSSL ciphername}Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authenticationcode} {export flag}

References:





Description:



Solution:


Result:


References:







Description:

of 120

Scan Date: 2017-01-17



Solution:


Result:


References:







Description:







Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detectthe BEAST attack where it exploits the vulnerability at HTTPS client-s ide (i.e., Internet browser). The detection at server-s ide does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits thevulnerability at client-s ide, and both SSL/TLS clients and servers can independently employ the split record

of 120

Scan Date: 2017-01-17

countermeasure.

Solution:



Result:


References:









Description:






Solution:


Result:

The following certificate was part of the certificate chainsent by the remote host, but it has expired :|-Subject :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]|-NotAfter : Nov 09 10:32:06 2013 GMTThe following certificate was at the top of the certificatechain sent by the remotehost, but it is signed by an unknowncertificate authority :|-Subject :

of 120

Scan Date: 2017-01-17

C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]|-Issuer :C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]




Description:



Solution:


Result:





Description:


Solution:


Result:




Open Status: NEW First Found: 2017-01-17Cvss Base: 5.0Cvss Score: 5.0

of 120

Scan Date: 2017-01-17

Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:NPCI Compliance: Fail

Description:


Solution:


Result:





Description:



Solution:


Result:

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields aboveare : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}




Description:



Solution:


Result:

Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512)

of 120

Scan Date: 2017-01-17

Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 exportDES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 The fields above are : {OpenSSL ciphername}Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authenticationcode} {export flag}

References:





Description:



Solution:


Result:


References:







Description:



Solution:

of 120

Scan Date: 2017-01-17


Result:


References:







Description:








Solution:



of 120

Scan Date: 2017-01-17

Result:


References:









Description:






Solution:


Result:





of 120

Scan Date: 2017-01-17

Cvss Base: 6.4Cvss Score: 6.4Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:NPCI Compliance: Fail

Description:



Solution:


Result:





Description:


Solution:


Result:



Web Application SQL Backend Identification (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 5.0Cvss Score: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:NPCI Compliance: Fail

Description:

At least one web application hosted on the remote web server is built on a SQL backend that IndusGuard was able toidentify by looking at error messages.

of 120

Scan Date: 2017-01-17

Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.

Solution:

Filter out error messages.

Result:

The web application appears to be based on MySQLThis information was leaked by these URLs:http://rs202995.rs.hosteurope.de/

References:

http://projects.webappsec.org/Fingerprinting


CGI Generic Local File Inclusion (tcp/80)


Description:

The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, anattacker may be able to include a local file and disclose its content.

Solution:

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to local fileinclusion :+ The 'file' parameter of the /showimage.php CGI :/showimage.php?file=showimage.php-------- output --------<?php// header("Content-Length: 1" /*. filesize($name)*/);if( isset($_GET["file"]) && !isset($_GET["size"]) ){------------------------Clicking directly on these URLs should exhibit the issue :(you will probably need to read the HTMLsource)http://rs202995.rs.hosteurope.de/showimage.php?file=showimage.php

References:

http://en.wikipedia.org/wiki/Remote_File_Inclus ion


CGI Generic Cross-Site Request Forgery Detection (potential) (tcp/80)


Description:

The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by randomtokens, a common anti-cross-s ite request forgery (CSRF) protection. The web application might be vulnerable to CSRFattacks.

Note that :

- IndusGuard did not exploit the flaw,- IndusGuard cannot identify sensitive actions -- for example, on an online bank, consulting an account is less sensitivethan transfering money.

of 120

Scan Date: 2017-01-17

You will have to audit the source of the CGI scripts and check if they are actually affected.

Solution:


Result:

The following CGIs are not protected by a random token:/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/.php/.php/AJAX/index.php/.php/.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/.php/.php/AJAX/index.php/.php/showxml.php/.php/showxml.php/.php/AJAX/index.php/.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/.php/.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/.php/.php/AJAX/index.php/.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/.php/.php/AJAX/index.php/showxml.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/.php/cart.php/hpp/params.php/secured/newuser.php/AJAX/.php/artists.php/listproducts.php/search.php/AJAX/index.php/.php/userinfo.php/hpp//product.php/AJAX/index.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/.php/.php/.php/AJAX/index.php/showxml.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/showxml.php/.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/.php/.php/showxml.php/.php/AJAX/index.php/showxml.php/.php/showxml.php/.php/.php/AJAX/index.php/showxml.php/.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/showxml.php/showxml.php/.php/.php/.php/AJAX/index.php/.php/.php/showxml.php/.php/.php/AJAX/index.php/.php/.php/showxml.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/.php/.php/.php/AJAX/index.php/.php/showxml.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/.php/showxml.php/.php

References:

http://en.wikipedia.org/wiki/Cross-s ite_request_forgery


CGI Generic Cross-Site Scripting (extended patterns) (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.3Cvss Score: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:NPCI Compliance: Fail

Description:

The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with maliciousJavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in auser's browser within the security context of the affected s ite. These XSS vulnerabilities are likely to be 'non-pers istent'or 'reflected'.

Solution:


Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to cross-sitescripting (extended patterns) :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=504%20onerror="alert(504);--------output --------<a href="?pp=12">check</a><br/><a href="params.php?p=valid&pp=504+onerror%3D%22alert%28504%29%3B">link1</a><br/><a href="params.php?

of 120

Scan Date: 2017-01-17

p=valid&pp=504 onerror="alert(504);">link2</a><br/><form action="params.php?p=valid&pp=504onerror="alert(504);"><input type=submit name=aaaa/></form><br/><hr><ahref='http://blog.mindedsecurity.com/2009/05/client-side-http-p [...]------------------------Clicking directly on these URLsshould exhibit the issue :(you will probably need to read the HTML source)http://rs202995.rs.hosteurope.de/hpp/?pp=504%20onerror="alert(504);

References:

http://en.wikipedia.org/wiki/Cross_s ite_scripting#Non-pers istent

http://www.nessus.org/u?9717ad85

http://projects.webappsec.org/Cross-Site+Scripting


CGI Generic Cross-Site Scripting (comprehensive test) (tcp/80)


Description:

The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. Byleveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user'sbrowser within the security context of the affected s ite. These XSS are likely to be 'non-pers istent' or 'reflected'.

Solution:


Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to cross-sitescripting (comprehensive test) :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=<<<<<<<<<<foo"bar'204>>>>>-------- output --------<a href="?pp=12">check</a><br/><ahref="params.php?p=valid&pp=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar%27204%3E%3E%3E%3E%3E">link1</a><br/><a href="params.php?p=valid&pp=<<<<<<<<<<foo"bar'204>>>>>">link2</a><br/><formaction="params.php?p=valid&pp=<<<<<<<<<<foo"bar'204>>>>>"><input type=submitname=aaaa/></form><br/><hr><a href='http://blog.mindedsecurity.com/2009/05/client-side-http-p [...]------------------------+ The 'file' parameter of the /showimage.php CGI :/showimage.php?file=<<<<<<<<<<foo"bar'204>>>>>-------- output --------Warning: fopen(): Unable to access<<<<<<<<<<foo"bar'204>>>>> in /hj/var/www/showimage.php on line 7Warning:fopen(<<<<<<<<<<foo"bar'204>>>>>): failed to open stream: [...]------------------------+ The 'cat' parameter of the/listproducts.php CGI :/listproducts.php?cat=<<<<<<<<<<foo"bar'204>>>>>-------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near'=<<<<<<<<<<foo"bar'204>>>>>' at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource,b [...]</div>------------------------+ The 'artist' parameter of the /listproducts.php CGI :/listproducts.php?artist=<<<<<<<<<<foo"bar'204>>>>>-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual that corresponds to yourMySQL server version for the right syntax to use near '=<<<<<<<<<<foo"bar'204>>>>>' at line 1Warning:mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'cat' parameter of the/listproducts.php CGI :/listproducts.php?cat=<<<<<<<<<<foo"bar'204>>>>>&artist=1-------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near'=<<<<<<<<<<foo"bar'204>>>>>' at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource,b [...]</div>------------------------+ The 'pp' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=<<<<<<<<<<foo"bar'204>>>>>-------- output --------<<<<<<<<<<foo"bar'204>>>>>------------------------+ The 'p'parameter of the /hpp/params.php CGI :/hpp/params.php?p=<<<<<<<<<<foo"bar'204>>>>>-------- output --------

of 120

Scan Date: 2017-01-17

<<<<<<<<<<foo"bar'204>>>>>------------------------+ The 'pp' parameter of the /hpp/params.php CGI:/hpp/params.php?pp=<<<<<<<<<<foo"bar'204>>>>>&p=valid&aaaa/=-------- output --------valid<<

References:





CGI Generic Cookie Injection Scripting (tcp/80)


Description:

The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with maliciousJavaScript.

By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the webapplication, it may be possible to launch a 'sess ion fixation' attack using this mechanism.

Please note that :

- IndusGuard did not check if the session fixation attack is feasible.

- This is not the only vector of sess ion fixation.

Solution:


Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to cookiemanipulation :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=<script>document.cookie="testbodp=9194;"</script>-------- output --------<a href="?pp=12">check</a><br/><a href="params.php?p=valid&pp=%3Cscript%3Edocument.cookie%3D%22testbodp%3D9194%3B%22%3C%2Fscript%3E">link1</a><br/><a href="params.php?p=valid&pp=<script>document.cookie="testbodp=9194;"</script>">link2</a><br/><formaction="params.php?p=valid&pp=<script>document.cookie="testbodp=9194;"</script>"><input type=submitname=aaaa/></form><br/><hr><a href='http://blog.mindedsecurity.com/2009/05/client-side-http-p [...]------------------------+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?cat=<script>document.cookie="testbodp=9194;"</script>-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>------------------------+ The 'artist' parameter of the /listproducts.php CGI:/listproducts.php?artist=<script>document.cookie="testbodp=9194;"</script>-------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>------------------------+ The 'cat' parameter of the /listproducts.php CGI:/listproducts.php?cat=<script>document.cookie="testbodp=9194;"</script>&artist=1-------- output --------<div id="content">Error: You have an error in your SQL syntax;

of 120

Scan Date: 2017-01-17

check the manual that corresponds to your MySQL server version for the right syntax to use near'=<script>document.cookie="testbodp=9194;"</script>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]</div>------------------------+ The 'pp' parameter of the /hpp/params.php CGI:/hpp/params.php?pp=<script>document.cookie="testbodp=9194;"</script>-------- output --------<script>document.cookie="testbodp=9194;"</script>------------------------+ The 'p' parameter of the /hpp/params.phpCGI :/hpp/params.php?p=<script>document.cookie="testbodp=9194;"</script>-------- output --------<script>document.cookie="testbodp=9194;"</script>------------------------+ The 'pp' parameter of the/hpp/params.php CGI :/hpp/params.php?pp=<script>document.cookie="testbodp=9194;"</script>&p=valid&aaaa/=-------- output --------valid<script>document.cookie="testbodp=9194;"</script>------------------------+ The 'p' parameter of the/hpp/params.php CGI :/hpp/params.php?pp=12&p=<script>document.cookie="testbodp=9194;"</script>&aaaa/=-------- output --------<script>document.cookie="testbodp=9194;"</script>12------------------------

References:

http://en.wikipedia.org/wiki/Session_fixation

http://www.owasp.org/index.php/Session_Fixation

http://www.acros.s i/papers/session_fixation.pdf

http://projects.webappsec.org/Session-Fixation


CGI Generic Cross-Site Scripting (quick test) (tcp/80)


Description:

The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. Byleveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user'sbrowser within the security context of the affected s ite.These XSS are likely to be 'non pers istent' or 'reflected'.

Solution:


Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to cross-sitescripting (quick test) :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=<IMG%20SRC="javascript:alert(104);">-------- output --------<a href="?pp=12">check</a><br/><a href="params.php?p=valid&pp=%3CIMG+SRC%3D%22javascript%3Aalert%28104%29%3B%22%3E">link1</a><br/><ahref="params.php?p=valid&pp=<IMG SRC="javascript:alert(104);">">link2</a><br/><formaction="params.php?p=valid&pp=<IMG SRC="javascript:alert(104);">"><input type=submitname=aaaa/></form><br/><hr><a href='http://blog.mindedsecurity.com/2009/05/client-side-http-p [...]------------------------+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?cat=<IMG%20SRC="javascript:alert(104);">-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual that corresponds to yourMySQL server version for the right syntax to use near '=<IMG SRC="javascript:alert(104);">' at line 1Warning:mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'artist' parameter of the/listproducts.php CGI :/listproducts.php?artist=<IMG%20SRC="javascript:alert(104);">-------- output --------<div id="content">Error: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '=<IMGSRC="javascript:alert(104);">' at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource, b[...]</div>------------------------+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?

of 120

Scan Date: 2017-01-17

cat=<IMG%20SRC="javascript:alert(104);">&artist=1-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near '=<IMG SRC="javascript:alert(104);">'at line 1Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'pp'parameter of the /hpp/params.php CGI :/hpp/params.php?pp=<IMG%20SRC="javascript:alert(104);">--------output --------<IMG SRC="javascript:alert(104);">------------------------+ The 'p' parameter of the /hpp/params.php CGI:/hpp/params.php?p=<IMG%20SRC="javascript:alert(104);">-------- output --------<IMGSRC="javascript:alert(104);">------------------------+ The 'pp' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=<IMG%20SRC="javascript:alert(104);">&p=valid&aaaa/=-------- output --------valid<IMGSRC="javascript:alert(104);">------------------------+ The 'p' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=12&p=<IMG%20SRC="javascript:alert(104);">&aaaa/=-------- output --------<IMGSRC="javascript:alert(104);">12------------------------Clicking directly on these URLs should exhibit the issue :(you willprobably need to read the HTML source)http://rs202995.rs.hosteurope.de/hpp/?pp=<IMG%20SRC="javascript:alert(104);">

References:





Web Application Vulnerable to Clickjacking (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

The remote web server does not set an X-Frame-Options response header in all content responses.

X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported byall major browser vendors.

Solution:

Return the X-Frame-Options HTTP header with the page's response.

This prevents the page's content from being rendered by another s ite when using the frame or iframe HTML tags.

Result:

The following pages do not use a clickjacking mitigation response header and contain a clickable event : -http://rs202995.rs.hosteurope.de/ - http://rs202995.rs.hosteurope.de/AJAX/ -http://rs202995.rs.hosteurope.de/AJAX/index.php - http://rs202995.rs.hosteurope.de/AJAX/index.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php -

of 120

Scan Date: 2017-01-17

http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php?id= - http://rs

References:

http://en.wikipedia.org/wiki/Clickjacking

http://www.IndusGuard.org/u?1bced8d9

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet


nginx < 1.6.2 / 1.7.5 SSL Session Reuse (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.0Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Description:

According to the self-reported vers ion in the server response header, the vers ion of nginx installed on the remote host is0.5.6 or higher, 1.6.x prior to 1.6.2, or 1.7.x prior to 1.7.5. It is , therefore, affected by an SSL session or TLS session ticketkey handling error. A flaw exists in the file 'event/ngx_event_openssl.c' that could allow a remote attacker to obtainsensitive information or to take control of a session.

Note that this issue only affects servers having multiple 'server{}' configurations sharing the same values for'ss l_session_cache' or 'ss l_session_ticket_key'.

Solution:

Upgrade to nginx 1.6.2 / 1.7.5 or later.

of 120

Scan Date: 2017-01-17

Result:

Version source : nginx/1.4.1 Installed version : 1.4.1 Fixed version : 1.6.2 / 1.7.5

References:

http://bh.ht.vc/vhost_confusion.pdf

http://nginx.org/en/security_advisories.html




http://nginx.org/en/CHANGES

http://nginx.org/en/CHANGES-1.6


CGI Generic HTML Injections (quick test) (tcp/80)


Description:

The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. Byleveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within thesecurity context of the affected s ite.

The remote web server may be vulnerable to IFRAME injections or cross-s ite scripting attacks :

- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimesimplemented for 'phishing' attacks.

- XSS are extensively tested by four other scripts .

- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.

Solution:

Either restrict access to the vulnerable application or contact the vendor for an update.

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to HTMLinjection :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=<"qbvxty%0A>-------- output --------<a href="?pp=12">check</a><br/><a href="params.php?p=valid&pp=%3C%22qbvxty%0A%3E">link1</a><br/><ahref="params.php?p=valid&pp=<"qbvxty>">link2</a><br/><form action="params.php?p=valid&pp=<"qbvxty>"><input type=submit name=aaaa/></form><br/>------------------------+ The 'p' parameter ofthe /hpp/params.php CGI :/hpp/params.php?p=<"qbvxty%0A>-------- output --------<"qbvxty>------------------------+ The'pp' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=<"qbvxty%0A>-------- output --------<"qbvxty>------------------------+ The 'p' parameter of the /hpp/params.php CGI :/hpp/params.php?p=<"qbvxty%0A>&pp=12--------output --------<"qbvxty>12------------------------+ The 'pp' parameter of the /hpp/params.php CGI :/hpp/params.php?p=valid&pp=<"qbvxty%0A>-------- output --------valid<"qbvxty>------------------------+ The 'artist' parameter of the/listproducts.php CGI :/listproducts.php?artist=<"qbvxty%0A>-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near '=<"qbvxty>' at line 1Warning:

of 120

Scan Date: 2017-01-17

mysql_fetch_array() expects parameter 1 to be resource, b [...]------------------------+ The 'cat' parameter of the/listproducts.php CGI :/listproducts.php?cat=<"qbvxty%0A>-------- output --------<div id="content">Error: You have an error in your SQL syntax; check the manual thatcorresponds to your MySQL server version for the right syntax to use near '=<"qbvxty>' at line 1Warning:mysql_fetch_array() expects parameter 1 to be resource, b [...]------------------------/listproducts.php?artist=1&cat=<"qbvxty%0A>-------- output --------<divid="content">Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQLserver version for the right syntax to use near '=<"qbvxty>' at line 1Warning: mysql_fetch_array() expectsparameter 1 to be resource, b [...]------------------------Clicking directly on these URLs should exhibit the issue :(you willprobably need to read the HTML source)http://rs202995.rs.hosteurope.de/hpp/?pp=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/hpp/params.php?p=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/hpp/params.php?pp=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/hpp/params.php?p=<"qbvxty%0A>&pp=12http://rs202995.rs.hosteurope.de/hpp/params.php?p=valid&pp=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/listproducts.php?artist=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/listproducts.php?cat=<"qbvxty%0A>http://rs202995.rs.hosteurope.de/listproducts.php?artist=1&cat=<"qbvxty%0A>

References:

http://www.nessus.org/u?f8fdd645




4782,CVE-2007-4783,CVE-2007Cvss Base: 4.4Cvss Score: 4.4Cvss Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.5. Such vers ions may beaffected by various issues, including but not limited to several buffer overflows.

Solution:


Result:


References:



PHP Foreign Function Interface Arbitrary DLL Loading safe_mode Restriction Bypass (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2007-4528Cvss Base: 4.3Cvss Score: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:NPCI Compliance: Fail

of 120

Scan Date: 2017-01-17

Description:

According to its banner, the vers ion of PHP installed on the remote host is affected by a security bypass vulnerability. TheForeign Function Interface (ffi) extension does not follow safe_mode restrictions, which allows context-dependentattackers to execute arbitrary code by loading an arbitrary DLL and calling a function.

Solution:

There is no known solution at this time.

Result:

Version source : X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2 Installed version : 5.3.10-1~lucid+2uwsgi2

References:

http://pecl.php.net/package-info.php?package=ffi


PHP ip2long Function String Validation Weakness (tcp/80)


Description:

According to its banner, the 'ip2long()' function in the vers ion of PHP installed on the remote host may incorrectly validatean arbitrary string and return a valid network IP address.

Solution:


Result:


References:

http://retrogod.altervista.org/php_ip2long.htm

http://www.securityfocus.com/archive/1/441529/100/100/threaded


PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2013-4073,CVE-2013-6420Cvss Base: 6.8Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Description:

According to its banner, the vers ion of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is , therefore, potentiallyaffected by the following vulnerabilities :

- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that containhostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoofSSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate s igned by anauthority that the client trusts. (CVE-2013-4073)

of 120

Scan Date: 2017-01-17

- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsedX.509 certificates. A remote attacker could use this flaw to provide a malicious, self-s igned certificate or a certificatesigned by a trusted authority to a PHP application using the aforementioned function. This could cause the application tocrash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.(CVE-2013-6420)

Note that this check does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reportedvers ion number.

Solution:


Result:


References:

http://seclists .org/fulldisclosure/2013/Dec/96

https://bugzilla.redhat.com/show_bug.cgi?id=1036830

http://www.IndusGuard.org/u?b6ec9ef9



PHP 5.3.x < 5.3.21 cURL X.509 Certificate Domain Name Matching MiTM Weakness (tcp/80)

Open Status: NEW First Found: 2017-01-17Cvss Base: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

According to its banner, the vers ion of PHP 5.3.x installed on the remote host is prior to 5.3.21. It is , therefore, potentiallyaffected by a weakness in the cURL extension that can allow SSL spoofing and man-in-the-middle attacks.

When attempting to validate a certificate, the cURL library (libcurl) fails to verify that a server hostname matches adomain name in an X.509 certificate's 'Subject Common Name' (CN) or 'SubjectAltName'.

Note that this check does not attempt to verify whether the PHP install has been built with the cURL extention, but insteadrelies only on PHP's self-reported vers ion number.

Solution:


Result:


References:





of 120

Scan Date: 2017-01-17


Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2009-2687Cvss Base: 5.1Cvss Score: 5.1Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.10. Such vers ions are reportedlyaffected by multiple vulnerabilities :

- Sufficient checks are not performed on fields reserved for offsets in function 'exif_read_data()'. Successful exploitationof this issue could result in a denial of service condition. (bug 48378)

- Provided 'safe_mode_exec_dir' is not set (not set by default), it may be possible to bypass 'safe_mode' restrictions bypreceding a backslash in functions such as 'exec()', 'system()', 'shell_exec()', 'passthru()' and 'popen()' on a systemrunning PHP on Windows. (bug 45997)

Solution:


Result:


References:






PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities (tcp/80)


1129,CVE-2010-1130Cvss Base: 6.4Cvss Score: 6.4Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:NPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such vers ions may beaffected by several security issues :

- Directory paths not ending with '/' may not be correctly validated ins ide 'tempnam()' in 'safe_mode' configuration.

- It may be possible to bypass the 'open_basedir'/ 'safe_mode' configuration restrictions due to an error in sessionextensions.

- An unspecified vulnerability affects the LCG entropy.

Solution:

of 120

Scan Date: 2017-01-17

Upgrade to PHP vers ion 5.3.2 / 5.2.13 or later.

Result:

Version source : http://rs202995.rs.hosteurope.de/secured/phpinfo.php Installed version : 5.1.6 Fixed version :5.3.2 / 5.2.13

References:


http://securityreason.com/securityalert/7008







PHP 5.3.x < 5.3.23 Information Disclosure (tcp/80)


Description:

According to its banner, the vers ion of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is , therefore, potentiallyaffected by an information disclosure vulnerability.

The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documentsdefined by an attacker and could allow access to arbitrary files.

Note that this check does not attempt to exploit the vulnerability, but instead, relies only on PHP's self-reported vers ionnumber.

Solution:


Result:


References:

http://www.IndusGuard.org/u?7c770707





of 120

Scan Date: 2017-01-17

2872,CVE-2007-3294,CVE-2007Cvss Base: 6.8Cvss Score: 6.8Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.4. Such vers ions may beaffected by various issues, including but not limited to several overflows.

Solution:


Result:


References:



PHP PHP_RSHUTDOWN_FUNCTION Security Bypass (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2012-1171Cvss Base: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Description:

According to its banner, the vers ion of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 andthus, is potentially affected by a security bypass vulnerability.

An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close'method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.

Note that this check has not attempted to exploit this issue, but has instead relied only on PHP's self-reported vers ionnumber.

Solution:

Upgrade to PHP vers ion 5.3.11 / 5.4.1 or later.

Result:

Version source : X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2 Installed version : 5.3.10-1~lucid+2uwsgi2 Fixedversion : 5.3.11 / 5.4.1

References:

http://www.IndusGuard.org/u?bcc428c2



PHP Symlink Function Race Condition open_basedir Bypass (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2006-5178Cvss Base: 6.2Cvss Score: 6.2

of 120

Scan Date: 2017-01-17

Cvss Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:CPCI Compliance: Fail

Description:

According to its banner, the vers ion of PHP installed on the remote host is affected by a security bypass vulnerability. Arace condition exists in the symlink function that allows local users to bypass the open_basedir restriction by using acombination of symlink, mkdir, and unlink functions.

Solution:


Result:


References:





1271,CVE-2009-1272Cvss Base: 5.0Cvss Score: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:PPCI Compliance: Fail

Description:


- Background color is not correctly validated with a non true color image in function 'imagerotate()'. (CVE-2008-5498)

- A denial of service condition can be triggered by trying to extract zip files that contain files with relative paths in file ordirectory names.

- Function 'explode()' is affected by an unspecified vulnerability.

- It may be possible to trigger a segfault by passing a specially crafted string to function 'json_decode()'.

- Function 'xml_error_string()' is affected by a flaw which results in messages being off by one.

Solution:


Result:


References:

http://news.php.net/php.internals/42762



of 120

Scan Date: 2017-01-17





Description:


- It is possible to bypass the 'safe_mode' configuration setting using 'tempnam()'. (CVE-2009-3557)

- It is possible to bypass the 'open_basedir' configuration setting using 'posix_mkfifo()'. (CVE-2009-3558)

- Provided file uploading is enabled (it is by default), an attacker can upload files us ing a POST request with'multipart/form-data' content even if the target script doesn't actually support file uploads per se. By supplying a largenumber (15,000+) of files, he may be able to cause the web server to stop responding while it processes the file list.(CVE-2009-4017)

- Miss ing protection for '$_SESSION' from interrupt corruption and improved 'sess ion.save_path' check.(CVE-2009-4143)

- Insufficient input string validation in the 'htmlspecialchars()' function. (CVE-2009-4142)

Solution:


Result:


References:

http://www.nessus.org/u?57f2d08f





Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2013-1635,CVE-2013-1643Cvss Base: 4.3Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

According to its banner, the vers ion of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is , therefore, potentiallyaffected by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writingcache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)

of 120

Scan Date: 2017-01-17

- An error exists in the file 'ext/soap/php_xml.c' related to pars ing SOAP 'wsdl' files and external entities that could causePHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)

Note that this check does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported vers ionnumber.

Solution:


Result:


References:

http://www.IndusGuard.org/u?2dcf53bd

http://www.IndusGuard.org/u?889595b1






Description:

According to its banner, the vers ion of PHP installed on the remote host is older than 5.2.3. Such vers ions may beaffected by several issues, including an integer overflow, 'safe_mode' and 'open_basedir' bypass, and a denial of servicevulnerability.

Solution:


Result:


References:



Web Server info.php / phpinfo.php Detection (tcp/80)


Description:

of 120

Scan Date: 2017-01-17

Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debuggingpurposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker candiscover a large amount of information about the remote web server, including :

- The username of the user who installed php and if they are a SUDO user.

- The IP address of the host.

- The vers ion of the operating system.

- The web server vers ion.

- The root directory of the web server.

- Configuration information about the remote PHP installation.

Solution:

Remove the affected file(s).

Result:

IndusGuard discovered the following URL that calls phpinfo() : -http://rs202995.rs.hosteurope.de/secured/phpinfo.php


OpenSSH LoginGraceTime / MaxStartups DoS (tcp/22)

Open Status: NEW First Found: 2017-01-17Cvss Base: 5.0Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Description:

According to its banner, a vers ion of OpenSSH earlier than vers ion 6.2 is listening on this port. The default configurationof OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholdsby periodically making a large number of new TCP connections and thereby prevent legitimate users from gainingaccess to the service.

Note that this check has not tried to exploit the issue or detect whether the remote service uses a vulnerableconfiguration. Instead, it has s imply checked the vers ion of OpenSSH running on the remote host.

Solution:

Upgrade to OpenSSH 6.2 and review the associated server configuration settings.

Result:


References:


http://openssh.org/txt/release-6.2

http://tools .cisco.com/security/center/viewAlert.x?alertId=28883


OpenSSH < 5.9 Multiple DoS (tcp/22)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2010-4755,CVE-2011-5000Cvss Base: 4.0

of 120

Scan Date: 2017-01-17

Cvss Base: 4.0Cvss Score: 4.0Cvss Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is prior to vers ion 5.9. Such vers ions areaffected by multiple denial of service vulnerabilities :

- A denial of service vulnerability exists in the gss-serv.c 'ssh_gssapi_parse_ename' function. A remote attacker may beable to trigger this vulnerability if gssapi-with-mic is enabled to create a denial of service condition via a large value in acertain length field.(CVE-2011-5000)

- On FreeBSD, NetBSD, OpenBSD, and other products, a remote, authenticated attacker could exploit the remote_glob()and process_put() functions to cause a denial of service (CPU and memory consumption).(CVE-2010-4755)

Solution:


Result:


References:

http://cxsecurity.com/research/89

http://s ite.pi3.com.pl/adv/ssh_1.txt


OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing (tcp/22)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2004-1653Cvss Base: 6.4Cvss Score: 6.4Cvss Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:NPCI Compliance: Fail

Description:

According to its banner, the remote host is running OpenSSH, vers ion 2.3.0 or later. Such vers ions of OpenSSH allowforwarding TCP connections. If the OpenSSH server is configured to allow anonymous connections (e.g. AnonCVS),remote, unauthenticated users could use the host as a proxy.

Solution:

Disallow anonymous users, set AllowTcpForwarding to 'no', or use the Match directive to restrict anonymous users.

Result:

Version source : ssh-2.0-openssh_5.3p1 debian-3ubuntu7.1 Installed version : 5.3p1

References:

http://marc.info/?l=bugtraq&m=109413637313484&w=2

http://www.nessus.org/u?2c86d008


OpenSSH S/KEY Authentication Account Enumeration (tcp/22)

of 120

Scan Date: 2017-01-17


Description:

When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEYauthentication exists .

Note that IndusGuard has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host.As a result, it will not detect if the remote host has implemented a workaround.

Solution:

A patch currently does not exist for this issue. As a workaround, either set 'ChallengeResponseAuthentication' in theOpenSSH config to 'no' or use a vers ion of OpenSSH without S/KEY support compiled in.

Result:

Version source : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1 Installed version : 5.3p1

References:

http://www.nessus.org/u?87921f08


OPIE w/ OpenSSH Account Enumeration (tcp/22)


Description:

When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain useracounts.

Note that IndusGuard has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host.As a result, it does not detect if the remote host actually has OPIE for PAM installed.

Solution:

A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed.

Result:

Version source : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1 Installed version : 5.3p1

References:




Open Status: NEW First Found: 2017-01-17Cvss Base: 6.8Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

of 120

Scan Date: 2017-01-17

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is prior to vers ion 6.6. It is , therefore,affected by the following vulnerabilities :

- An error exists related to the function 'hash_buffer' in the file 'schnorr.c' that could allow denial of service attacks. Notethat the J-PAKE protocol must be enabled at compile time via the 'CFLAGS' variable '-DJPAKE' in the file 'Makefile.inc' inorder for the OpenSSL installation to be vulnerable. This is not enabled by default. Further note that only vers ions 5.3through 6.5.x are affected by this issue. (CVE-2014-1692)

- An error exists related to the 'AcceptEnv' configuration setting in 'sshd_config' and wildcards. An attacker can bypassenvironment restrictions by using a specially crafted request. (CVE-2014-2532)

Solution:


Result:


References:


http://www.gossamer-threads.com/lists/openssh/dev/57663#57663



Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2010-4478,CVE-2012-0814Cvss Base: 6.8Cvss Score: 6.8Cvss Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:PPCI Compliance: Fail

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is earlier than 5.7. Vers ions before 5.7 maybe affected by the following vulnerabilities :

- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKEprotocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitablewhen OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that IndusGuardhas not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)

- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keyscommand options, which allows remote, authenticated users to obtain potentially sensitive information by reading thesemessages. (CVE-2012-0814)

Solution:


Result:


References:

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5

http://www.nessus.org/u?3f1722f0

of 120

Scan Date: 2017-01-17

Alert ID: 84506 Found on: 2017-01-17 Severity: Low

SSL RC4 Cipher Suites Supported (tcp/995)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2013-2566Cvss Base: 2.6Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Description:

The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of apseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing itsrandomness.

If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions)ciphertexts, the attacker may be able to derive the plaintext.

Solution:

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers.

Result:

List of RC4 cipher suites supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2 EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-RC4-MD5 Kx=RSA(512) Au=RSAEnc=RC4(40) Mac=MD5 export High Strength Ciphers (>= 112-bit key) SSLv2 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 TLSv1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSAEnc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:

http://www.IndusGuard.org/u?217a3666

http://cr.yp.to/talks/2013.03.12/s lides.pdf

http://www.isg.rhul.ac.uk/tls /




Description:



Solution:


Result:

List of RC4 cipher suites supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2 EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-RC4-MD5 Kx=RSA(512) Au=RSA

of 120

Scan Date: 2017-01-17

Enc=RC4(40) Mac=MD5 export High Strength Ciphers (>= 112-bit key) SSLv2 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 TLSv1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSAEnc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:







Description:



Solution:


Result:

List of RC4 cipher suites supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHAKx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:







Description:


of 120

Scan Date: 2017-01-17


Solution:


Result:

List of RC4 cipher suites supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1 EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export High Strength Ciphers (>= 112-bit key) TLSv1 RC4-MD5Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields aboveare : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}

References:







Description:



Solution:


Result:

List of RC4 cipher suites supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1 EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export High Strength Ciphers (>= 112-bit key) TLSv1 RC4-MD5Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields aboveare : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}

References:





POP3 Cleartext Logins Permitted (tcp/110)

of 120

Scan Date: 2017-01-17

Open Status: NEW First Found: 2017-01-17Cvss Base: 2.6Cvss Score: 2.6Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:NPCI Compliance: Pass

Description:

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker canuncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism(eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.

Solution:

Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.

Result:

The following cleartext methods are supported :SASL LOGIN CRAM-MD5 PLAINUSER

References:

http://tools .ietf.org/html/rfc2222



Web Server Uses Plain Text Authentication Forms (tcp/80)


Description:

The remote web server contains several HTML form fields containing an input of type 'password' which transmit theirinformation to a remote web server in cleartext.

An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.

Solution:

Make sure that every sensitive form transmits content over HTTPS.

Result:

Page : /login.phpDestination Page: /userinfo.phpPage : /signup.phpDestination Page: /secured/newuser.php


PHP mb_send_mail() Function Parameter Security Bypass (tcp/80)

Open Status: NEW First Found: 2017-01-17CVE ID: CVE-2006-1014Cvss Base: 3.2Cvss Score: 3.2Cvss Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:NPCI Compliance: Pass

Description:

According to its banner, the vers ion of PHP installed on the remote host is affected by a flaw that allows an attacker togain unauthorized privileges. When used with sendmail and when accepting remote input for the additional_parameters

of 120

Scan Date: 2017-01-17

argument to the mb_send_mail function, it is possible for context-dependent attackers to read and create arbitrary files.

Solution:


Result:


References:



CGI Generic Injectable Parameter (tcp/80)


Description:

IndusGuard was able to to inject innocuous strings into CGI parameters and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests like cross-s ite scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed up other scripts . The results may be useful for ahuman pen-tester.

Solution:

n/a

Result:

Using the GET HTTP method, IndusGuard found that :+ The following resources may be vulnerable to injectableparameter :+ The 'pp' parameter of the /hpp/ CGI :/hpp/?pp=%00zjfvtt-------- output --------<a href="?pp=12">check</a><br/><a href="params.php?p=valid&pp=%00zjfvtt">link1</a><br/><a href="params.php?p=valid&pp=.zjfvtt">link2</a><br/><form action="params.php?p=valid&pp=.zjfvtt"><input type=submitname=aaaa/></form><br/><hr><a href='http://blog.mindedsecurity.com/2009/05/client-side-http-p [...]------------------------+ The 'file' parameter of the /showimage.php CGI :/showimage.php?file=zjfvtt-------- output --------Warning:fopen(): Unable to access zjfvtt in /hj/var/www/showimage.php on line 7Warning: fopen(zjfvtt): failed to openstream: No such file or dir [...]------------------------+ The 'cat' parameter of the /listproducts.php CGI :/listproducts.php?cat=zjfvtt-------- output --------<div id="content">Error: Unknowncolumn 'zjfvtt' in 'where clause'Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'artist' parameter of the /listproducts.php CGI :/listproducts.php?artist=zjfvtt-------- output --------<div id="content">Error: Unknown column 'zjfvtt' in 'whereclause'Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'cat'parameter of the /listproducts.php CGI :/listproducts.php?cat=zjfvtt&artist=1-------- output --------<div id="content">Error: Unknown column 'zjfvtt' in 'whereclause'Warning: mysql_fetch_array() expects parameter 1 to be resource, b [...]</div>------------------------+ The 'pp'parameter of the /hpp/params.php CGI :/hpp/params.php?pp=%00zjfvtt-------- output --------.zjfvtt------------------------+ The'p' parameter of the /hpp/params.php CGI :/hpp/params.php?p=%00zjfvtt-------- output --------.zjfvtt------------------------+The 'pp' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=%00zjfvtt&p=valid&aaaa/=-------- output --------valid.zjfvtt------------------------+ The 'p' parameter of the /hpp/params.php CGI :/hpp/params.php?pp=12&p=%00zjfvtt&aaaa/=-------- output --------.zjfvtt12------------------------Clicking directly on these URLs should exhibitthe issue :(you will probably need to read the HTML source)http://rs202995.rs.hosteurope.de/hpp/?pp=%00zjfvtthttp://rs202995.rs.hosteurope.de/showimage.php?file=zjfvtthttp://rs202995.rs.hosteurope.de/listproducts.php?cat=zjfvtthttp://rs202995.rs.hosteurope.de/listproducts.php?artist=zjfvtthttp://rs202995.rs.hosteurope.de/listproducts.php?cat=zjfvtt&artist=1http://rs202995.rs.hosteurope.de/hpp/params.php?pp=%00zjfvtthttp://rs202995.rs.hosteurope.de/hpp/params.php?p=%00zjfvtthttp://rs202995.rs.hosteurope.de/hpp/params.php?pp=%00zjfvtt&p=valid&aaaa/=http://rs202995.rs.hosteurope.de/hpp/params.php?pp=12&p=%00zjfvtt&aaaa/=

of 120

Scan Date: 2017-01-17


SMTP Service Cleartext Login Permitted (tcp/25)


Description:

The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections.An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secureauthentication mechanism (i.e. LOGIN or PLAIN) is used.

Solution:

Configure the service to support less secure authentication mechanisms only over an encrypted channel.

Result:

The SMTP server advertises the following SASL methods over anunencrypted channel : All supported methods :PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5 Cleartext methods : PLAIN, LOGIN

References:




SSH Weak MAC Algorithms Enabled (tcp/22)

Open Status: NEW First Found: 2017-01-17Cvss Base: 2.6Cvss Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Description:

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this check only checks for the options of the SSH server and does not check for vulnerable software vers ions.

Solution:

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Result:

The following client-to-server Message Authentication Code (MAC) algorithmsare supported : hmac-md5 hmac-md5-96 hmac-sha1-96The following server-to-client Message Authentication Code (MAC) algorithmsaresupported : hmac-md5 hmac-md5-96 hmac-sha1-96


SSH Server CBC Mode Ciphers Enabled (tcp/22)


Description:

of 120

Scan Date: 2017-01-17

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recoverthe plaintext message from the ciphertext.

Note that this check only checks for the options of the SSH server and does not check for vulnerable software vers ions.

Solution:

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCMcipher mode encryption.

Result:

The following client-to-server Cipher Block Chaining (CBC) algorithmsare supported : 3des-cbc aes128-cbcaes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected] following server-to-client CipherBlock Chaining (CBC) algorithmsare supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbccast128-cbc [email protected]


Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure(tcp/22)

Open Status: NEW First Found: 2017-01-17Cvss Base: 2.1Cvss Score: 2.1Cvss Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:NPCI Compliance: Pass

Description:

According to its banner, the vers ion of OpenSSH running on the remote host is earlier than 5.8p2. Such vers ions may beaffected by a local information disclosure vulnerability that could allow the contents of the host's private key to beaccessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow theimpersonation of the host.

Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the casefor *BSD, OS X, Cygwin and Linux.

Solution:

Upgrade to Portable OpenSSH 5.8p2 or later.

Result:

Version source : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1 Installed version : 5.3p1 Fixed version : 5.8p2

References:

http://www.openssh.com/txt/portable-keysign-rand-helper.adv

http://www.openssh.com/txt/release-5.8p2


FTP Supports Clear Text Authentication (tcp/21)


Description:

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be interceptedby a network sniffer or a man-in-the-middle attack.

of 120

Scan Date: 2017-01-17

Solution:

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that controlconnections are encrypted.

Result:

This FTP server does not support 'AUTH TLS'.

Alert ID: 84498 Found on: 2017-01-17 Severity: Info

HyperText Transfer Protocol (HTTP) Information (tcp/8880)


Description:

This test gives some information about the remote HTTP protocol - the vers ion used, whether HTTP Keep-Alive and HTTPpipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution:

n/a

Result:

Protocol version : HTTP/1.1SSL : noKeep-Alive : noOptions allowed : OPTIONS, GET, HEAD, POSTHeaders :Connection: close Expires: Thu, 16 Feb 2017 10:40:40 GMT Cache-Control: max-age=2592000 Content-Type:text/html Content-Length: 345 Date: Tue, 17 Jan 2017 10:40:40 GMT Server: sw-cp-server


HTTP Methods Allowed (per directory) (tcp/8880)


Description:

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the check also tests - if 'Thorough tests ' are enabled or 'Enable web applications tests ' isset to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if itreceives a response code of 400, 403, 405, or 501.

Note that the check output is only informational and does not necessarily indicate the presence of any securityvulnerabilities.

Solution:

n/a

Result:

Based on the response to an OPTIONS request : - HTTP methods GET HEAD POST OPTIONS are allowed on :/Based on tests of each method : - HTTP methods COPY DELETE GET HEAD LOCK MKCOL MOVE OPTIONS POSTPROPFIND PROPPATCH PUT UNLOCK are allowed on : /


HTTP Server Type and Version (tcp/8880)


Description:

of 120

Scan Date: 2017-01-17

This check attempts to determine the type and the vers ion of the remote web server.

Solution:

n/a

Result:

The remote web server type is :sw-cp-server




Description:



Solution:

n/a

Result:

Protocol version : HTTP/1.1SSL : noKeep-Alive : noOptions allowed : OPTIONS, GET, HEAD, POSTHeaders :Connection: close Expires: Thu, 16 Feb 2017 10:40:39 GMT Cache-Control: max-age=2592000 Content-Type:text/html Content-Length: 345 Date: Tue, 17 Jan 2017 10:40:39 GMT Server: sw-cp-server




Description:




Solution:

n/a

Result:

Based on the response to an OPTIONS request : - HTTP methods GET HEAD POST OPTIONS are allowed on :/Based on tests of each method : - HTTP methods COPY DELETE GET HEAD LOCK MKCOL MOVE OPTIONS POSTPROPFIND PROPPATCH PUT UNLOCK are allowed on : /




Description:

of 120

Scan Date: 2017-01-17


Solution:

n/a

Result:

The remote web server type is :sw-cp-server


SSL Session Resume Supported (tcp/995)


Description:

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive asession ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in thesecond connection, the server maintains a cache of sessions that can be resumed.

Solution:

n/a

Result:

This port supports resuming SSLv3 sessions.


SSL Cipher Block Chaining Cipher Suites Supported (tcp/995)


Description:

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suitesoffer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if usedimproperly.

Solution:

n/a

Result:

Here is the list of SSL CBC ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 exportEXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSAEnc=DES-CBC(56) Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) SSLv2 DES-CBC3-MD5Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168)Mac=SHA1 High Strength Ciphers (>= 112-bit key) SSLv2 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128)Mac=MD5 TLSv1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSAEnc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:


http://www.IndusGuard.org/u?cc4a822a


of 120

Scan Date: 2017-01-17


SSL Cipher Suites Supported (tcp/995)


Description:

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

Solution:

n/a

Result:

Here is the list of SSL ciphers supported by the remote server :Each group is reported per SSL Version.SSLVersion : TLSv1 Low Strength Ciphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40)Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56)Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128)Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSL Version : SSLv3 Low StrengthCiphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSAEnc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 Medium StrengthCiphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 HighStrength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHAKx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHAKx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSL Version : SSLv2 Low Strength Ciphers (<= 64-bit key) DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40)Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Medium Strength Ciphers(> 64-bit and < 112-bit key) DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 High StrengthCiphers (>= 112-bit key) RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:



SSL Certificate commonName Mismatch (tcp/995)


Description:

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which theservice listens.

Solution:

If the machine has several names, make sure that users connect to the service through the DNS host name thatmatches the common name in the certificate.

Result:

The host name known by IndusGuard is : rs202995.rs.hosteurope.deThe Common Name in the certificate is :parallels panel


OpenSSL Detection (tcp/995)

of 120

Scan Date: 2017-01-17


Description:

Based on its behavior, it seems that the remote service is us ing the OpenSSL library to encrypt traffic.

Note that this check can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).

Solution:

n/a

References:

http://www.openssl.org


SSL Certificate Information (tcp/995)


Description:

This check connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution:

n/a

Result:

Subject Name: Country: USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit:Parallels PanelCommon Name: Parallels PanelEmail Address: [email protected] Name: Country:USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit: Parallels PanelCommonName: Parallels PanelEmail Address: [email protected] Number: 50 9C DB A6 Version: 1SignatureAlgorithm: SHA-1 With RSA EncryptionNot Valid Before: Nov 09 10:32:06 2012 GMTNot Valid After: Nov 0910:32:06 2013 GMTPublic Key Info: Algorithm: RSA EncryptionKey Length: 2048 bitsPublic Key: 00 DA 42 9A E5 3370 B0 DB DD CA 0D C5 54 08 D3 6C D9 31 79 CE 65 D1 F5 11 3A 1F 5B 9E 0C 53 14 B1 19 13 6F 4E 5C BA 6C 98 EE2B ED 60 55 E2 48 2E EA 16 9C 70 C8 E6 94 42 DC 02 71 BA 59 3D DC 7B B3 F6 D7 0C E2 CF F5 53 47 8E 2F D3AD 2B 68 1D 9D 03 95 5E B8 0C 3D 7C D2 EB B5 A3 35 A1 2D 58 ED 42 22 29 20 78 DE 1D 91 70 63 55 B7 0F B831 40 EB 43 F8 8B 03 B2 1D C9 4C BE 61 2D 3E 5E D4 B9 09 06 88 47 C9 1B 5B 9E 26 80 12 55 20 E5 D8 7E 66 44AC C2 F6 6E C9 F5 B4 B6 2A 14 B7 8A 3F D1 3D 5C 3F 7E 25 3A 48 18 E1 13 FB 9D 7E C1 E6 4D 12 1E 03 73 6C C961 B0 48 89 AD AD 4A 4F 08 26 45 44 28 4E A7 B5 2B 15 E5 9A E2 D6 B7 5D 50 9E 0B F9 7E 0A 84 E1 62 6E E3 3FEA C0 CF D8 FF B9 3D 5E 0E 2C 74 C5 D0 3E F3 16 E2 F1 E6 F5 D6 57 7F D4 92 F4 0F 8B 2E 2A 7B A0 B0 8C E5 1037 Exponent: 01 00 01 Signature Length: 256 bytes / 2048 bitsSignature: 00 22 9C F8 E3 1E 45 98 6C 25 E7 37 1912 B5 B6 F0 2C 86 E0 E0 31 FB CB 36 46 D0 7E D9 F1 F1 7B 1E 6E 82 D4 EC FD E9 9A 73 4A A1 8F 68 37 58 34 A1B1 9F 2C A3 C3 2A 40 D9 9C C2 48 E4 1F AA CD 5A A5 87 06 EF 5A 24 36 09 68 82 44 AD 39 52 FC 70 5C DE DF09 29 2C E3 B5 17 1A 61 B7 95 0E A7 21 1F F2 4B EB F6 A9 4C 3F BC A6 7F DF 59 BA FF 3C D1 B6 11 FA B7 C2 5A51 7C 6C 07 38 22 9D 34 04 CB 2C 74 52 BB 81 37 FE 70 97 49 31 7A 90 33 85 86 3C BD 0D 9C 68 BD 8F A1 A774 CE 3F F1 93 62 19 0A 32 E6 EB C4 77 AB 55 DF 16 5D 86 D9 0C 7A AE D3 A8 9E 56 92 CF 94 D1 70 F4 06 BD33 11 35 49 A4 76 74 0C 11 9C 52 3D 2F 01 9C 6E AC 64 B0 2F 92 A6 B2 45 C9 AA 30 9A 56 38 EB 52 54 11 03 0A44 86 06 BB 53 6B 1B 11 F5 40 B0 E4 C8 AC DD 39 92 CE 84 D2 AB D4 A8 F3 8A 3E 86 44 BD E9 3E Fingerprints :SHA-256 Fingerprint: A0 82 92 DA 52 55 74 E1 6B 13 7D D0 B6 C0 81 40 30 CF 3D BA A7 21 32 45 5D C3 85 DF A7F2 D9 88 SHA-1 Fingerprint: E5 6C 82 EE 62 05 DD 93 BF 17 E9 38 35 6E 70 BA A1 71 91 67 MD5 Fingerprint: 88 C17E 0F 7E 06 68 98 95 31 38 85 AE 81 43 2B


SSL / TLS Versions Supported (tcp/995)


Description:

of 120

Scan Date: 2017-01-17

This script detects which SSL and TLS vers ions are supported by the remote service for encrypting communications.

Solution:

n/a

Result:

This port supports SSLv2/SSLv3/TLSv1.0.


POP Server Detection (tcp/995)


Description:

The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrievemessages from a server, possibly across a network link.

Solution:

Disable this service if you do not use it.

Result:

Remote POP server banner :+OK Hello there. <[email protected]>

References:

http://en.wikipedia.org/wiki/Post_Office_Protocol




Description:


Solution:

n/a

Result:





Description:


Solution:

n/a

Result:

of 120

Scan Date: 2017-01-17

Here is the list of SSL CBC ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) SSLv2DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 exportEXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSAEnc=DES-CBC(56) Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) SSLv2 DES-CBC3-MD5Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168)Mac=SHA1 High Strength Ciphers (>= 112-bit key) SSLv2 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128)Mac=MD5 TLSv1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSAEnc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:







Description:


Solution:

n/a

Result:

Here is the list of SSL ciphers supported by the remote server :Each group is reported per SSL Version.SSLVersion : TLSv1 Low Strength Ciphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40)Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56)Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128)Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSL Version : SSLv3 Low StrengthCiphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSAEnc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 Medium StrengthCiphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 HighStrength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHAKx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHAKx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSL Version : SSLv2 Low Strength Ciphers (<= 64-bit key) DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40)Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Medium Strength Ciphers(> 64-bit and < 112-bit key) DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5 High StrengthCiphers (>= 112-bit key) RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 The fields above are : {OpenSSL ciphername} Kx={key exchange}Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:



of 120

Scan Date: 2017-01-17



Description:


Solution:


Result:





Description:



Solution:

n/a

References:





Description:


Solution:

n/a

Result:

Subject Name: Country: USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit:Parallels PanelCommon Name: Parallels PanelEmail Address: [email protected] Name: Country:USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit: Parallels PanelCommonName: Parallels PanelEmail Address: [email protected] Number: 50 9C DB A6 Version: 1SignatureAlgorithm: SHA-1 With RSA EncryptionNot Valid Before: Nov 09 10:32:06 2012 GMTNot Valid After: Nov 0910:32:06 2013 GMTPublic Key Info: Algorithm: RSA EncryptionKey Length: 2048 bitsPublic Key: 00 DA 42 9A E5 3370 B0 DB DD CA 0D C5 54 08 D3 6C D9 31 79 CE 65 D1 F5 11 3A 1F 5B 9E 0C 53 14 B1 19 13 6F 4E 5C BA 6C 98 EE2B ED 60 55 E2 48 2E EA 16 9C 70 C8 E6 94 42 DC 02 71 BA 59 3D DC 7B B3 F6 D7 0C E2 CF F5 53 47 8E 2F D3AD 2B 68 1D 9D 03 95 5E B8 0C 3D 7C D2 EB B5 A3 35 A1 2D 58 ED 42 22 29 20 78 DE 1D 91 70 63 55 B7 0F B831 40 EB 43 F8 8B 03 B2 1D C9 4C BE 61 2D 3E 5E D4 B9 09 06 88 47 C9 1B 5B 9E 26 80 12 55 20 E5 D8 7E 66 44AC C2 F6 6E C9 F5 B4 B6 2A 14 B7 8A 3F D1 3D 5C 3F 7E 25 3A 48 18 E1 13 FB 9D 7E C1 E6 4D 12 1E 03 73 6C C961 B0 48 89 AD AD 4A 4F 08 26 45 44 28 4E A7 B5 2B 15 E5 9A E2 D6 B7 5D 50 9E 0B F9 7E 0A 84 E1 62 6E E3 3FEA C0 CF D8 FF B9 3D 5E 0E 2C 74 C5 D0 3E F3 16 E2 F1 E6 F5 D6 57 7F D4 92 F4 0F 8B 2E 2A 7B A0 B0 8C E5 10

of 120

Scan Date: 2017-01-17

37 Exponent: 01 00 01 Signature Length: 256 bytes / 2048 bitsSignature: 00 22 9C F8 E3 1E 45 98 6C 25 E7 37 1912 B5 B6 F0 2C 86 E0 E0 31 FB CB 36 46 D0 7E D9 F1 F1 7B 1E 6E 82 D4 EC FD E9 9A 73 4A A1 8F 68 37 58 34 A1B1 9F 2C A3 C3 2A 40 D9 9C C2 48 E4 1F AA CD 5A A5 87 06 EF 5A 24 36 09 68 82 44 AD 39 52 FC 70 5C DE DF09 29 2C E3 B5 17 1A 61 B7 95 0E A7 21 1F F2 4B EB F6 A9 4C 3F BC A6 7F DF 59 BA FF 3C D1 B6 11 FA B7 C2 5A51 7C 6C 07 38 22 9D 34 04 CB 2C 74 52 BB 81 37 FE 70 97 49 31 7A 90 33 85 86 3C BD 0D 9C 68 BD 8F A1 A774 CE 3F F1 93 62 19 0A 32 E6 EB C4 77 AB 55 DF 16 5D 86 D9 0C 7A AE D3 A8 9E 56 92 CF 94 D1 70 F4 06 BD33 11 35 49 A4 76 74 0C 11 9C 52 3D 2F 01 9C 6E AC 64 B0 2F 92 A6 B2 45 C9 AA 30 9A 56 38 EB 52 54 11 03 0A44 86 06 BB 53 6B 1B 11 F5 40 B0 E4 C8 AC DD 39 92 CE 84 D2 AB D4 A8 F3 8A 3E 86 44 BD E9 3E Fingerprints :SHA-256 Fingerprint: A0 82 92 DA 52 55 74 E1 6B 13 7D D0 B6 C0 81 40 30 CF 3D BA A7 21 32 45 5D C3 85 DF A7F2 D9 88 SHA-1 Fingerprint: E5 6C 82 EE 62 05 DD 93 BF 17 E9 38 35 6E 70 BA A1 71 91 67 MD5 Fingerprint: 88 C17E 0F 7E 06 68 98 95 31 38 85 AE 81 43 2B




Description:


Solution:

n/a

Result:

This port supports SSLv2/SSLv3/TLSv1.0.


IMAP Service Banner Retrieval (tcp/993)


Description:

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

Solution:

n/a

Result:

The remote imap server banner is :* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACETHREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACLACL2=UNION]




Description:


Solution:

n/a

Result:

of 120

Scan Date: 2017-01-17





Description:


Solution:

n/a

Result:

Here is the list of SSL CBC ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and <112-bit key) TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 ADH-DES-CBC3-SHAKx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168)Mac=SHA1 High Strength Ciphers (>= 112-bit key) TLSv1 DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 ADH-AES128-SHAKx=DH Au=None Enc=AES-CBC(128) Mac=SHA1 ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256)Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication}Enc={symmetric encryption method} Mac={message authentication code} {export flag}

References:





SSL Perfect Forward Secrecy Cipher Suites Supported (tcp/465)


Description:

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These ciphersuites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

Solution:

n/a

Result:

Here is the list of SSL PFS ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers(>= 112-bit key) TLSv1 DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={keyexchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}{export flag}

References:


http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

of 120

Scan Date: 2017-01-17

http://en.wikipedia.org/wiki/Perfect_forward_secrecy




Description:


Solution:

n/a

Result:

Here is the list of SSL ciphers supported by the remote server :Each group is reported per SSL Version.SSLVersion : TLSv1 Medium Strength Ciphers (> 64-bit and < 112-bit key) EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSAEnc=3DES-CBC(168) Mac=SHA1 ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1 ADH-AES256-SHA Kx=DHAu=None Enc=AES-CBC(256) Mac=SHA1 ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5 AES128-SHAKx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSLVersion : SSLv3 Medium Strength Ciphers (> 64-bit and < 112-bit key) EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSAEnc=3DES-CBC(168) Mac=SHA1 ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1 ADH-AES256-SHA Kx=DHAu=None Enc=AES-CBC(256) Mac=SHA1 ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5 AES128-SHAKx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 Thefields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetricencryption method} Mac={message authentication code} {export flag}

References:





Description:


Solution:


Result:


of 120

Scan Date: 2017-01-17




Description:



Solution:

n/a

References:





Description:


Solution:

n/a

Result:




of 120

Scan Date: 2017-01-17


Description:


Solution:

n/a

Result:

This port supports SSLv3/TLSv1.0.


SMTP Authentication Methods (tcp/465)


Description:

The remote SMTP server advertises that it supports authentication.

Solution:

Review the list of methods and whether they're available over an encrypted channel.

Result:

The following authentication methods are advertised by the SMTPserver with encryption : CRAM-MD5 DIGEST-MD5LOGIN PLAIN

References:




SMTP Server Detection (tcp/465)


Description:

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution:

Disable this service if you do not use it, or filter incoming traffic to this port.

Result:

Remote SMTP server banner :220 rs202995.rs.hosteurope.de ESMTP Postfix (Ubuntu)




Description:

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suitesoffer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used

of 120

Scan Date: 2017-01-17

improperly.

Solution:

n/a

Result:

Here is the list of SSL CBC ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512)Au=RSA Enc=RC2-CBC(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) TLSv1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are :{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}

References:







Description:


Solution:

n/a

Result:

Here is the list of SSL ciphers supported by the remote server :Each group is reported per SSL Version.SSLVersion : TLSv1 Low Strength Ciphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40)Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56)Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128)Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSLciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={messageauthentication code} {export flag}

References:





Description:


of 120

Scan Date: 2017-01-17

Solution:


Result:





Description:



Solution:

n/a

References:





Description:


Solution:

n/a

Result:

Subject Name: Country: USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit:Parallels PanelCommon Name: Parallels PanelEmail Address: [email protected] Name: Country:USState/Province: VirginiaLocality: HerndonOrganization: ParallelsOrganization Unit: Parallels PanelCommonName: Parallels PanelEmail Address: [email protected] Number: 50 9C DB A6 Version: 1SignatureAlgorithm: SHA-1 With RSA EncryptionNot Valid Before: Nov 09 10:32:06 2012 GMTNot Valid After: Nov 0910:32:06 2013 GMTPublic Key Info: Algorithm: RSA EncryptionKey Length: 2048 bitsPublic Key: 00 DA 42 9A E5 3370 B0 DB DD CA 0D C5 54 08 D3 6C D9 31 79 CE 65 D1 F5 11 3A 1F 5B 9E 0C 53 14 B1 19 13 6F 4E 5C BA 6C 98 EE2B ED 60 55 E2 48 2E EA 16 9C 70 C8 E6 94 42 DC 02 71 BA 59 3D DC 7B B3 F6 D7 0C E2 CF F5 53 47 8E 2F D3AD 2B 68 1D 9D 03 95 5E B8 0C 3D 7C D2 EB B5 A3 35 A1 2D 58 ED 42 22 29 20 78 DE 1D 91 70 63 55 B7 0F B831 40 EB 43 F8 8B 03 B2 1D C9 4C BE 61 2D 3E 5E D4 B9 09 06 88 47 C9 1B 5B 9E 26 80 12 55 20 E5 D8 7E 66 44AC C2 F6 6E C9 F5 B4 B6 2A 14 B7 8A 3F D1 3D 5C 3F 7E 25 3A 48 18 E1 13 FB 9D 7E C1 E6 4D 12 1E 03 73 6C C961 B0 48 89 AD AD 4A 4F 08 26 45 44 28 4E A7 B5 2B 15 E5 9A E2 D6 B7 5D 50 9E 0B F9 7E 0A 84 E1 62 6E E3 3FEA C0 CF D8 FF B9 3D 5E 0E 2C 74 C5 D0 3E F3 16 E2 F1 E6 F5 D6 57 7F D4 92 F4 0F 8B 2E 2A 7B A0 B0 8C E5 1037 Exponent: 01 00 01 Signature Length: 256 bytes / 2048 bitsSignature: 00 22 9C F8 E3 1E 45 98 6C 25 E7 37 1912 B5 B6 F0 2C 86 E0 E0 31 FB CB 36 46 D0 7E D9 F1 F1 7B 1E 6E 82 D4 EC FD E9 9A 73 4A A1 8F 68 37 58 34 A1B1 9F 2C A3 C3 2A 40 D9 9C C2 48 E4 1F AA CD 5A A5 87 06 EF 5A 24 36 09 68 82 44 AD 39 52 FC 70 5C DE DF09 29 2C E3 B5 17 1A 61 B7 95 0E A7 21 1F F2 4B EB F6 A9 4C 3F BC A6 7F DF 59 BA FF 3C D1 B6 11 FA B7 C2 5A51 7C 6C 07 38 22 9D 34 04 CB 2C 74 52 BB 81 37 FE 70 97 49 31 7A 90 33 85 86 3C BD 0D 9C 68 BD 8F A1 A774 CE 3F F1 93 62 19 0A 32 E6 EB C4 77 AB 55 DF 16 5D 86 D9 0C 7A AE D3 A8 9E 56 92 CF 94 D1 70 F4 06 BD33 11 35 49 A4 76 74 0C 11 9C 52 3D 2F 01 9C 6E AC 64 B0 2F 92 A6 B2 45 C9 AA 30 9A 56 38 EB 52 54 11 03 0A44 86 06 BB 53 6B 1B 11 F5 40 B0 E4 C8 AC DD 39 92 CE 84 D2 AB D4 A8 F3 8A 3E 86 44 BD E9 3E Fingerprints :

of 120

Scan Date: 2017-01-17

SHA-256 Fingerprint: A0 82 92 DA 52 55 74 E1 6B 13 7D D0 B6 C0 81 40 30 CF 3D BA A7 21 32 45 5D C3 85 DF A7F2 D9 88 SHA-1 Fingerprint: E5 6C 82 EE 62 05 DD 93 BF 17 E9 38 35 6E 70 BA A1 71 91 67 MD5 Fingerprint: 88 C17E 0F 7E 06 68 98 95 31 38 85 AE 81 43 2B




Description:


Solution:

n/a

Result:

This port supports TLSv1.0.


IMAP Service STARTTLS Command Support (tcp/143)


Description:

The remote IMAP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encryptedcommunications channel.

Solution:

n/a

Result:

Here is the IMAP server's SSL certificate that IndusGuard was able tocollect after sending a 'STARTTLS' command:------------------------------ snip ------------------------------Subject Name: Country: USState/Province: VirginiaLocality:HerndonOrganization: ParallelsOrganization Unit: Parallels PanelCommon Name: Parallels PanelEmail Address:[email protected] Name: Country: USState/Province: VirginiaLocality: HerndonOrganization:ParallelsOrganization Unit: Parallels PanelCommon Name: Parallels PanelEmail Address:[email protected] Number: 50 9C DB A6 Version: 1Signature Algorithm: SHA-1 With RSA EncryptionNotValid Before: Nov 09 10:32:06 2012 GMTNot Valid After: Nov 09 10:32:06 2013 GMTPublic Key Info: Algorithm:RSA EncryptionKey Length: 2048 bitsPublic Key: 00 DA 42 9A E5 33 70 B0 DB DD CA 0D C5 54 08 D3 6C D9 31 79CE 65 D1 F5 11 3A 1F 5B 9E 0C 53 14 B1 19 13 6F 4E 5C BA 6C 98 EE 2B ED 60 55 E2 48 2E EA 16 9C 70 C8 E6 9442 DC 02 71 BA 59 3D DC 7B B3 F6 D7 0C E2 CF F5 53 47 8E 2F D3 AD 2B 68 1D 9D 03 95 5E B8 0C 3D 7C D2 EBB5 A3 35 A1 2D 58 ED 42 22 29 20 78 DE 1D 91 70 63 55 B7 0F B8 31 40 EB 43 F8 8B 03 B2 1D C9 4C BE 61 2D 3E5E D4 B9 09 06 88 47 C9 1B 5B 9E 26 80 12 55 20 E5 D8 7E 66 44 AC C2 F6 6E C9 F5 B4 B6 2A 14 B7 8A 3F D1 3D5C 3F 7E 25 3A 48 18 E1 13 FB 9D 7E C1 E6 4D 12 1E 03 73 6C C9 61 B0 48 89 AD AD 4A 4F 08 26 45 44 28 4E A7B5 2B 15 E5 9A E2 D6 B7 5D 50 9E 0B F9 7E 0A 84 E1 62 6E E3 3F EA C0 CF D8 FF B9 3D 5E 0E 2C 74 C5 D0 3E F316 E2 F1 E6 F5 D6 57 7F D4 92 F4 0F 8B 2E 2A 7B A0 B0 8C E5 10 37 Exponent: 01 00 01 Signature Length: 256bytes / 2048 bitsSignature: 00 22 9C F8 E3 1E 45 98 6C 25 E7 37 19 12 B5 B6 F0 2C 86 E0 E0 31 FB CB 36 46 D07E D9 F1 F1 7B 1E 6E 82 D4 EC FD E9 9A 73 4A A1 8F 68 37 58 34 A1 B1 9F 2C A3 C3 2A 40 D9 9C C2 48 E4 1F AACD 5A A5 87 06 EF 5A 24 36 09 68 82 44 AD 39 52 FC 70 5C DE DF 09 29 2C E3 B5 17 1A 61 B7 95 0E A7 21 1F F24B EB F6 A9 4C 3F BC A6 7F DF 59 BA FF 3C D1 B6 11 FA B7 C2 5A 51 7C 6C 07 38 22 9D 34 04 CB 2C 74 52 BB81 37 FE 70 97 49 31 7A 90 33 85 86 3C BD 0D 9C 68 BD 8F A1 A7 74 CE 3F F1 93 62 19 0A 32 E6 EB C4 77 AB 55DF 16 5D 86 D9 0C 7A AE D3 A8 9E 56 92 CF 94 D1 70 F4 06 BD 33 11 35 49 A4 76 74 0C 11 9C 52 3D 2F 01 9C6E AC 64 B0 2F 92 A6 B2 45 C9 AA 30 9A 56 38 EB 52 54 11 03 0A 44 86 06 BB 53 6B 1B 11 F5 40 B0 E4 C8 AC DD39 92 CE 84 D2 AB D4 A8 F3 8A 3E 86 44 BD E9 3E ------------------------------ snip ------------------------------

References:

http://en.wikipedia.org/wiki/STARTTLS

of 120

Scan Date: 2017-01-17



IMAP Service Banner Retrieval (tcp/143)


Description:

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

Solution:

n/a

Result:

The remote imap server banner is :* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACETHREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACLACL2=UNION STARTTLS]




Description:


Solution:

n/a

Result:

Here is the list of SSL CBC ciphers supported by the remote server : Low Strength Ciphers (<= 64-bit key) TLSv1EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512)Au=RSA Enc=RC2-CBC(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) TLSv1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are :{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method}Mac={message authentication code} {export flag}

References:







Description:

of 120

Scan Date: 2017-01-17


Solution:

n/a

Result:

Here is the list of SSL ciphers supported by the remote server :Each group is reported per SSL Version.SSLVersion : TLSv1 Low Strength Ciphers (<= 64-bit key) EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40)Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export EXP-RC4-MD5Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56)Mac=SHA1 Medium Strength Ciphers (> 64-bit and < 112-bit key) DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128)Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSAEnc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSLciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={messageauthentication code} {export flag}

References:





Description:


Solution:


Result:





Description:



Solution:

n/a

References:




of 120

Scan Date: 2017-01-17


Description:


Solution:

n/a

Result:





Description:


Solution:

n/a

Result:

This port supports TLSv1.0.


POP3 Service STLS Command Support (tcp/110)


Description:

The remote POP3 service supports the use of the 'STLS' command to switch from a plaintext to an encryptedcommunications channel.

of 120

Scan Date: 2017-01-17

Solution:

n/a

Result:

Here is the POP3 server's SSL certificate that IndusGuard was able tocollect after sending a 'STLS' command :------------------------------ snip ------------------------------Subject Name: Country: USState/Province: VirginiaLocality:HerndonOrganization: ParallelsOrganization Unit: Parallels PanelCommon Name: Parallels PanelEmail Address:[email protected] Name: Country: USState/Province: VirginiaLocality: HerndonOrganization:ParallelsOrganization Unit: Parallels PanelCommon Name: Parallels PanelEmail Address:[email protected] Number: 50 9C DB A6 Version: 1Signature Algorithm: SHA-1 With RSA EncryptionNotValid Before: Nov 09 10:32:06 2012 GMTNot Valid After: Nov 09 10:32:06 2013 GMTPublic Key Info: Algorithm:RSA EncryptionKey Length: 2048 bitsPublic Key: 00 DA 42 9A E5 33 70 B0 DB DD CA 0D C5 54 08 D3 6C D9 31 79CE 65 D1 F5 11 3A 1F 5B 9E 0C 53 14 B1 19 13 6F 4E 5C BA 6C 98 EE 2B ED 60 55 E2 48 2E EA 16 9C 70 C8 E6 9442 DC 02 71 BA 59 3D DC 7B B3 F6 D7 0C E2 CF F5 53 47 8E 2F D3 AD 2B 68 1D 9D 03 95 5E B8 0C 3D 7C D2 EBB5 A3 35 A1 2D 58 ED 42 22 29 20 78 DE 1D 91 70 63 55 B7 0F B8 31 40 EB 43 F8 8B 03 B2 1D C9 4C BE 61 2D 3E5E D4 B9 09 06 88 47 C9 1B 5B 9E 26 80 12 55 20 E5 D8 7E 66 44 AC C2 F6 6E C9 F5 B4 B6 2A 14 B7 8A 3F D1 3D5C 3F 7E 25 3A 48 18 E1 13 FB 9D 7E C1 E6 4D 12 1E 03 73 6C C9 61 B0 48 89 AD AD 4A 4F 08 26 45 44 28 4E A7B5 2B 15 E5 9A E2 D6 B7 5D 50 9E 0B F9 7E 0A 84 E1 62 6E E3 3F EA C0 CF D8 FF B9 3D 5E 0E 2C 74 C5 D0 3E F316 E2 F1 E6 F5 D6 57 7F D4 92 F4 0F 8B 2E 2A 7B A0 B0 8C E5 10 37 Exponent: 01 00 01 Signature Length: 256bytes / 2048 bitsSignature: 00 22 9C F8 E3 1E 45 98 6C 25 E7 37 19 12 B5 B6 F0 2C 86 E0 E0 31 FB CB 36 46 D07E D9 F1 F1 7B 1E 6E 82 D4 EC FD E9 9A 73 4A A1 8F 68 37 58 34 A1 B1 9F 2C A3 C3 2A 40 D9 9C C2 48 E4 1F AACD 5A A5 87 06 EF 5A 24 36 09 68 82 44 AD 39 52 FC 70 5C DE DF 09 29 2C E3 B5 17 1A 61 B7 95 0E A7 21 1F F24B EB F6 A9 4C 3F BC A6 7F DF 59 BA FF 3C D1 B6 11 FA B7 C2 5A 51 7C 6C 07 38 22 9D 34 04 CB 2C 74 52 BB81 37 FE 70 97 49 31 7A 90 33 85 86 3C BD 0D 9C 68 BD 8F A1 A7 74 CE 3F F1 93 62 19 0A 32 E6 EB C4 77 AB 55DF 16 5D 86 D9 0C 7A AE D3 A8 9E 56 92 CF 94 D1 70 F4 06 BD 33 11 35 49 A4 76 74 0C 11 9C 52 3D 2F 01 9C6E AC 64 B0 2F 92 A6 B2 45 C9 AA 30 9A 56 38 EB 52 54 11 03 0A 44 86 06 BB 53 6B 1B 11 F5 40 B0 E4 C8 AC DD39 92 CE 84 D2 AB D4 A8 F3 8A 3E 86 44 BD E9 3E ------------------------------ snip ------------------------------

References:

http://en.wikipedia.org/wiki/STARTTLS



POP Server Detection (tcp/110)


Description:

The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrievemessages from a server, possibly across a network link.

Solution:

Disable this service if you do not use it.

Result:

Remote POP server banner :+OK Hello there. <[email protected]>

References:

http://en.wikipedia.org/wiki/Post_Office_Protocol


CGI Generic Tests HTTP Errors (tcp/80)


of 120

Scan Date: 2017-01-17

Description:

Indus Guard ran into trouble while running its generic CGI tests against the remote web server (for example, connectionrefused, timeout, etc). When this happens, Indus Guard aborts the current test and switches to the next CGI script on thesame port or to another web server. Thus, particular plugin or test s ignature may be incomplete.

Solution:

Rescan with a longer network timeout or less parallelism for example, by changing the following options in the scanpolicy :

- Network -> Network Receive Timeout (check_read_timeout)

- Options -> Number of hosts in parallel (max_hosts)

- Options -> Number of checks in parallel (max_checks)

Result:

IndusGuard encountered : - 1 error involving blind SQL injection (time based) checks : . reading the status line:errno=1 (operation timed out)


CGI Generic Tests Timeout (tcp/80)


Description:

Some generic CGI tests ran out of time during the scan. The results may be incomplete.

Solution:

Run your run scan again with a longer timeout or less ambitious options :

- Combinations of arguments values = 'all combinations' is much s lower than 'two pairs ' or 's ingle'.

- Stop at first flaw = 'per port' is quicker.

- In 'some pairs ' or 'some combinations' mode, try reducing web_app_tests.tested_values_for_each_parameter inIndusGuardd.conf

Result:

The following tests timed out without finding any flaw :- XSS (on HTTP headers)- SQL injection (on parametersnames)- SSI injection (on HTTP headers)- SQL injection (on HTTP headers)The following tests were interruptedand did not report all possible flaws :- blind SQL injection- SQL injection


External URLs (tcp/80)


Description:

IndusGuard gathered HREF links to external s ites by crawling the remote web server.

Solution:

n/a

Result:

4 external URLs were gathered on this web server : URL... - Seenon...http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html -/hpp/http://www.acunetix.com - /http://www.acunetix.com/ - /http://www.eclectasy.com/Fractal-Explorer/index.html -/

of 120

Scan Date: 2017-01-17


HTTP X-Content-Security-Policy Response Header Usage (tcp/80)


Description:

The remote web server sets an X-Content-Security-Policy (CSP) response header in some responses.

CSP has been proposed as a way to mitigate cross-s ite scripting and clickjacking attacks.

Solution:

n/a

Result:

The following pages do not set a Content-Security-Policy response header or set a permissive policy: -http://rs202995.rs.hosteurope.de/ - http://rs202995.rs.hosteurope.de/AJAX/ -http://rs202995.rs.hosteurope.de/AJAX/index.php - http://rs202995.rs.hosteurope.de/AJAX/index.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id= -

of 120

Scan Date: 2017-01-17

http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php?id= - http://rs2029

References:

https://wiki.mozilla.org/Security/CSP/Specification

https://developer.mozilla.org/en/Introducing_Content_Security_Policy

http://people.mozilla.com/~bsterne/content-security-policy/


Web Server Harvested Email Addresses (tcp/80)


Description:

IndusGuard harvested HREF mailto: links and extracted email addresses by crawling the remote web server.

Solution:

n/a

Result:

The following email address has been gathered :- '[email protected]', referenced from : /listproducts.php?cat=1 /product.php?pic=3 /search.php /artists.php /categories.php /index.php /product.php?pic=7/Templates/main_dynamic_template.dwt.php /artists.php?artist=3 /listproducts.php?artist=2 /listproducts.php?artist=3 /listproducts.php?cat=2 /listproducts.php?cat=4 /product.php?pic=2 /artists.php?artist=1 /product.php?pic=6 /disclaimer.php /artists.php?artist=2 / /signup.php /product.php?pic=4 /listproducts.php?cat=3/listproducts.php?artist=1 /product.php?pic=5 /product.php?pic=1 /cart.php /login.php /guestbook.php


Web Server Allows Password Auto-Completion (tcp/80)


Description:

The remote web server contains at least HTML form field containing an input of type 'password' where 'autocomplete' isnot set to 'off'.

While this does not represent a risk to this web server per se, it does mean that users who use the affected forms mayhave their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use ashared host or their machine is compromised at some point.

Solution:

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials .

Result:

Page : /login.phpDestination Page: /userinfo.phpPage : /signup.phpDestination Page: /secured/newuser.php


HTTP X-Frame-Options Response Header Usage (tcp/80)


of 120

Scan Date: 2017-01-17

Description:

The remote web server sets an X-Frame-Options response header in some responses.

X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and has also beenimplemented in Chrome and Safari.

Solution:

n/a

Result:

The following pages do not set a X-Frame-Options response header or set a permissive policy: -http://rs202995.rs.hosteurope.de/ - http://rs202995.rs.hosteurope.de/AJAX/ -http://rs202995.rs.hosteurope.de/AJAX/index.php - http://rs202995.rs.hosteurope.de/AJAX/index.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/.php?id=/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php/showxml.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/.php?id=/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/GET -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/POST -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/infotitle -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/showxml.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php/styles.css -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/ -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/.php?id= -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php/showxml.php -http://rs202995.rs.hosteurope.de/AJAX/index.php/.php/.php?id=/.php?id=/.php?id= - http://rs202995.rs.ho

References:

of 120

Scan Date: 2017-01-17

http://en.wikipedia.org/wiki/Clickjacking

http://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/


Web Application Potentially Sensitive CGI Parameter Detection (tcp/80)


Description:

According to their names, some CGI parameters may control sensitive data (e.g., ID, privileges, commands, prices,credit card data, etc.). In the course of us ing an application, these variables may disclose sensitive data or be prone totampering that could result in privilege escalation. These parameters should be examined to determine what type of datais controlled and if it poses a security risk.

** This check only reports information that may be useful for auditors** or pen-testers, not a real flaw.

Solution:

Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access toresources or privileges.

Result:

Potentially sensitive parameters for CGI/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php :id : Potentialhorizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/.php/.php :id : Potential horizontal or verticalprivilege escalationPotentially sensitive parameters for CGI /AJAX/index.php/.php/.php/.php/showxml.php/.php :id: Potential horizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php :id :Potential horizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/.php/.php :id : Potential horizontal orvertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/showxml.php/.php/showxml.php/.php :id : Potential horizontal orvertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/.php/showxml.php/showxml.php/.php :id : Potential horizontal orvertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/.php/showxml.php/showxml.php/.php/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/.php/showxml.php/.php/showxml.php/.php :id: Potential horizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/.php/.php/showxml.php/showxml.php/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/.php/.php/.php/.php :id : Potential horizontal orvertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php/.php :id : Potentialhorizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/.php/showxml.php/.php/.php :id : Potential horizontal or vertical privilege escalationPotentiallysensitive parameters for CGI /AJAX/index.php/.php/.php/showxml.php/.php :id : Potential horizontal or verticalprivilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/.php :id : Potential horizontal or verticalprivilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/.php/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/showxml.php/.php/showxml.php/.php :id :Potential horizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/.php/.php :id : Potential horizontal or verticalprivilege escalationPotentially sensitive parameters for CGI /cart.php :price : Manipulating this could allow forprice modificationPotentially sensitive parameters for CGI /AJAX/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/.php :id : Potential horizontal or vertical

of 120

Scan Date: 2017-01-17

privilege escalationPotentially sensitive parameters for CGI /userinfo.php :pass : Possibly a clear or hashedpassword, vulnerable to sniffing or dictionary attackPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/.php :id : Potential horizontal or vertical privilege escalationPotentially sensitiveparameters for CGI /AJAX/index.php/.php/showxml.php/.php :id : Potential horizontal or vertical privilegeescalationPotentially sensitive parameters for CGI /AJAX/index.php/showxml.php/.php/.php :id : Potentialhorizontal or vertical privilege escalationPotentially sensitive parameters for CGI/AJAX/index.php/showxml.php/showxml.php


CGI Generic Tests Load Estimation (all tests) (tcp/80)


Description:

This script computes the maximum number of requests that would be done by the generic web tests, depending onmiscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.

Note that the script does not try to compute this duration based on external factors such as the network and webservers loads.

Solution:

n/a

Result:

Here are the estimated number of requests in miscellaneous modesfor one method only (GET or POST) :[Single /Some Pairs / All Pairs / Some Combinations / All Combinations]on site request forgery : S=6 SP=6 AP=6 SC=6AC=6 SQL injection : S=1824 SP=3672 AP=3672 SC=32640 AC=32640 unseen parameters : S=2660 SP=5355AP=5355 SC=47600 AC=47600 local file inclusion : S=76 SP=153 AP=153 SC=1360 AC=1360 web codeinjection : S=76 SP=153 AP=153 SC=1360 AC=1360 cookie manipulation : S=12 SP=16 AP=16 SC=16 AC=16XML injection : S=76 SP=153 AP=153 SC=1360 AC=1360 format string : S=152 SP=306 AP=306 SC=2720AC=2720 script injection : S=6 SP=6 AP=6 SC=6 AC=6 cross-site scripting (comprehensive test): S=304 SP=612AP=612 SC=5440 AC=5440 injectable parameter : S=152 SP=306 AP=306 SC=2720 AC=2720 cross-sitescripting (extended patterns) : S=36 SP=36 AP=36 SC=36 AC=36 directory traversal (write access) : S=152SP=306 AP=306 SC=2720 AC=2720 SSI injection : S=228 SP=459 AP=459 SC=4080 AC=4080 header injection: S=12 SP=12 AP=12 SC=12 AC=12 directory traversal : S=1900 SP=3825 AP=3825 SC=34000 AC=34000 HTMLinjection : S=30 SP=30 AP=30 SC=30 AC=30 cross-site scripting (quick test) : S=66 SP=88 AP=88 SC=88 AC=88arbitrary command execution (time based) : S=456 SP=918 AP=918 SC=8160 AC=8160 SQL injection (2ndorder) : S=76 SP=153 AP=153 SC=1360 AC=1360 persistent XSS : S=304 SP=612 AP=612 SC=5440 AC=5440directory traversal (extended test) : S=3876 SP=7803 AP=7803 SC=69360 AC=69360 arbitrary commandexecution : S=1216 SP=2448 AP=2448 SC=21760 AC=21760 blind SQL injection (4 requests) : S=304 SP=612AP=612 SC=5440 AC=5440 HTTP response splitting : S=54 SP=54 AP=54 SC=54 AC=54 blind SQL injection :S=912 SP=1836 AP=1836 SC=16320 AC=16320 All tests : S=14966 SP=29930 AP=29930 SC=264088AC=264088 Here are the estimated number of requests in miscellaneous modesfor both methods (GET andPOST) :[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]on site request forgery : S=12SP=12 AP=12 SC=12 AC=12 SQL injection : S=3648 SP=7344 AP=7344 SC=65280 AC=65280 unseenparameters : S=5320 SP=10710 AP=10710 SC=95200 AC=95200 local file inclusion : S=152 SP=306 AP=306SC=2720 AC=2720 web code injection : S=152 SP=306 AP=306 SC=2720 AC=2720 cookie manipulation :S=24 SP=32 AP=32 SC=32 AC=32 XML injection : S=152 SP=306 AP=306 SC=2720 AC=2720 format string


Web Site Client Access Policy File Detection (tcp/80)


Description:

of 120

Scan Date: 2017-01-17

The remote web server contains a client access policy file. This is a s imple XML file used by Microsoft Silverlight to allowaccess to services that res ide outs ide the exact web domain from which a Silverlight control originated.

Solution:

Review the contents of the policy file carefully. Improper policies, especially an unrestricted one with just '*', could allowfor cross- s ite request forgery or other attacks against the web server.

Result:

IndusGuard was able to obtain a client access policy file from theremote host at the following URL :http://rs202995.rs.hosteurope.de/clientaccesspolicy.xml

References:

http://www.IndusGuard.org/u?85a62f76


PHP Version (tcp/80)


Description:

This check attempts to determine the vers ion of PHP available on the remote web server.

Solution:

n/a

Result:

IndusGuard was able to identify the following PHP version information : Version : 5.1.6 Source :http://rs202995.rs.hosteurope.de/secured/phpinfo.php Version : 5.3.10-1~lucid+2uwsgi2 Source : X-Powered-By:PHP/5.3.10-1~lucid+2uwsgi2


Browsable Web Directories (tcp/80)


Description:

Miscellaneous IndusGuard checks identified directories on this web server that are browsable.

Solution:

Make sure that browsable directories do not leak confidential informative or give access to sensitive resources. And useaccess restrictions or disable directory indexing for any that do.

Result:

The following directories are browsable:http://rs202995.rs.hosteurope.de/CVS/http://rs202995.rs.hosteurope.de/Templates/http://rs202995.rs.hosteurope.de/admin/http://rs202995.rs.hosteurope.de/images/

References:

http://projects.webappsec.org/Directory-Indexing


Web Site Cross-Domain Policy File Detection (tcp/80)


of 120

Scan Date: 2017-01-17

Description:

The remote web server contains a cross-domain policy file. This is a s imple XML file used by Adobe's Flash Player toallow access to data that res ides outs ide the exact web domain from which a Flash movie file originated.

Solution:

Review the contents of the policy file carefully. Improper policies, especially an unrestricted one with just '*', could allowfor cross- s ite request forgery and cross-s ite scripting attacks against the web server.

Result:

IndusGuard was able to obtain a cross-domain policy file from the remotehost using the following URL :http://rs202995.rs.hosteurope.de/crossdomain.xml

References:

http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

http://www.adobe.com/go/tn_14213

http://www.nessus.org/u?74a6a9a5

http://www.nessus.org/u?50ee6db2




Description:



Solution:

n/a

Result:

Protocol version : HTTP/1.1SSL : noKeep-Alive : noOptions allowed : (Not implemented)Headers : Server:nginx/1.4.1 Date: Tue, 17 Jan 2017 10:40:38 GMT Content-Type: text/html Transfer-Encoding: chunkedConnection: keep-alive X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2




Description:




Solution:

n/a

of 120

Scan Date: 2017-01-17

Result:

Based on tests of each method : - HTTP methods ACL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKINCHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVENOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATARPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE are allowed on : /cgi-bin -HTTP methods GET HEAD POST are allowed on : / /AJAX /AJAX/index.php /AJAX/index.php/.php/AJAX/index.php/.php/.php /AJAX/index.php/.php/.php/.php /AJAX/index.php/.php/.php/showxml.php/AJAX/index.php/.php/.php/showxml.php/showxml.php /AJAX/index.php/.php/showxml.php/AJAX/index.php/.php/showxml.php/.php /AJAX/index.php/.php/showxml.php/.php/showxml.php/AJAX/index.php/.php/showxml.php/showxml.php /AJAX/index.php/.php/showxml.php/showxml.php/.php/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/showxml.php /AJAX/index.php/showxml.php/AJAX/index.php/showxml.php/.php /CVS /Templates /admin /images /secured - Invalid/unknown HTTP methodsare allowed on : /cgi-bin




Description:


Solution:

n/a

Result:

The remote web server type is :nginx/1.4.1


Web mirroring (tcp/80)


Description:

This script makes a mirror of the remote web s ite(s) and extracts the list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the 'Options' section of the client.

Solution:

n/a

Result:

Webmirror performed 2000 queries in 425s (4.0705 queries per second)The following CGIs have beendiscovered :+ CGI : /search.php Methods : POST Argument : goButton Value: go Argument : searchFor Argument :test Value: query+ CGI : /listproducts.php Methods : GET Argument : artist Value: 3 Argument : cat Value: 4+ CGI :/artists.php Methods : GET Argument : artist Value: 3+ CGI : /comment.php Methods : GET,POST Argument : SubmitValue: Submit Argument : aid Value: 3 Argument : comment Argument : name Value: <your name here>Argument : phpaction Value: echo $_POST[comment]; Argument : pid Value: 6+ CGI : /guestbook.php Methods :POST Argument : name Value: anonymous user Argument : submit Value: add message Argument : text+ CGI :/AJAX/index.php/.php Methods : GET Argument : id Value: /.php?id=/.php?id=/showxml.php/.php?id=/POST/showxml.php+ CGI : /userinfo.php Methods : POST Argument : pass Argument : uname+ CGI : /hpp/Methods : GET Argument : pp Value: 12+ CGI : /product.php Methods : GET Argument : pic Value: 6+ CGI :/showimage.php Methods : GET Argument : file Value: ./pictures/6.jpg+ CGI : /AJAX/index.php/showxml.php/.phpMethods : GET Argument : id Value: /showxml.php/showxml.php/showxml.php/showxml.php/showxml.php+ CGI :/AJAX/.php Methods : GET Argument : id+ CGI : /secured/newuser.php Methods : POST Argument : signup Value:signup Argument : uaddress Argument : ucc Argument : uemail Argument : upass Argument : upass2 Argument :

of 120

Scan Date: 2017-01-17

uphone Argument : urname Argument : uuname+ CGI : /hpp/params.php Methods : GET Argument : aaaa/Argument : p Value: valid Argument : pp Value: 12+ CGI : /cart.php Methods : POST Argument : addcart Value: 6Argument : price Value: 10000+ CGI : /AJAX/index.php/.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php/showxml.php/showxml.php/showxml.php+ CGI :/AJAX/index.php/showxml.php/showxml.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php/showxml.php/showxml.php+ CGI : /AJAX/index.php/.php/showxml.php/.php Methods: GET Argument : id Value: /showxml.php/showxml.php/showxml.php/showxml.php+ CGI :/AJAX/index.php/showxml.php/.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php/showxml.php+ CGI : /AJAX/index.php/showxml.php/showxml.php/showxml.php/.phpMethods : GET Argument : id Value: /showxml.php/showxml.php/showxml.php+ CGI :/AJAX/index.php/.php/.php/.php Methods : GET Argument : id Value: /showxml.php/showxml.php/showxml.php+CGI : /AJAX/index.php/.php/showxml.php/showxml.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php/showxml.php+ CGI : /AJAX/index.php/showxml.php/.php/showxml.php/.php Methods: GET Argument : id Value: /showxml.php/showxml.php+ CGI :/AJAX/index.php/showxml.php/showxml.php/.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php+ CGI : /AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/.phpMethods : GET Argument : id Value: /showxml.php/showxml.php+ CGI :/AJAX/index.php/.php/.php/showxml.php/.php Methods : GET Argument : id Value: /showxml.php/showxml.php+CGI : /AJAX/index.php/.php/showxml.php/.php/.php Methods : GET Argument : id Value:/showxml.php/showxml.php+ CGI : /AJAX/index.php/.php/showxml.php/showxml.php/showxml.php/.php Methods: GET Argument : id Value: /showxml.php/showxml.php+ CGI : /AJAX/index.php/showxml.php/.php/.php/.phpMethods : GET Argument : id Value: /showxml.php+ CGI :/AJAX/index.php/showxml.php/.php/showxml.php/showxml.php/.php Methods : GET Argument : id Value:/showxml.php+ CGI : /AJAX/index.php/showxml.php/showxml.php/.php/showxml.php/.php Methods : GETArgument : id Value: /showxml.php+ CGI : /AJAX/index.php/showxml.php/showxml.php/showxml.php/.php/.phpMethods : GET Argument : id Value: /showxml.php+ CGI :/AJAX/index.php/showxml.php/showxml.php/showxml.php/showxml.php/showxml


Web Server Directory Enumeration (tcp/80)


Description:

This check attempts to determine the presence of various common directories on the remote web server. By sending arequest for a directory, the web server response code indicates if it is a valid directory or not.

Solution:

n/a

Result:

The following directories were discovered:/admin, /cgi-bin, /secured, /CVS, /Templates, /imagesWhile this is not,in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance withcompanysecurity standards

References:

http://projects.webappsec.org/Predictable-Resource-Location


DNS Server Fingerprinting (udp/53)


Description:

This script attempts to identify the remote DNS server type and vers ion by sending various invalid requests to theremote DNS server and analyzing the error codes returned.

of 120

Scan Date: 2017-01-17

Solution:

n/a

Result:

IndusGuard was not able to reliably identify the remote DNS server type.It might be : ISC BIND 9.4.2-P2-W2Thefingerprint differs from these known signatures on 2 points.If you know the type and version of the remote DNSserver, please sendthe following signature to [email protected] :4q:5:5:1q:1:1q:t:t:t:5:0AAX:5:5:5Z0:5:5:4q:4q:4q:5:5:5:0AAXD:

References:

http://cr.yp.to/surveys/dns1.html


DNS Server hostname.bind Map Hostname Disclosure (udp/53)


Description:

It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOSdomain.

Solution:

It may be possible to disable this feature. Consult the vendor's documentation for more information.

Result:

The remote host name is :rs202995


DNS Server Detection (udp/53)


Description:

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IPaddresses.

Solution:

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

References:

http://en.wikipedia.org/wiki/Domain_Name_System


DNS Server Version Detection (tcp/53)


Description:

IndusGuard was able to obtain vers ion information by sending a special TXT record query to the remote host.

Note that this vers ion is not necessarily accurate and could even be forged, as some DNS servers send the informationbased on a configuration file.

Solution:

of 120

Scan Date: 2017-01-17

n/a

Result:

DNS server answer for "version.bind" (over TCP) : none


DNS Server Detection (tcp/53)


Description:

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IPaddresses.

Solution:

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

References:

http://en.wikipedia.org/wiki/Domain_Name_System


SMTP Authentication Methods (tcp/25)


Description:

The remote SMTP server advertises that it supports authentication.

Solution:

Review the list of methods and whether they're available over an encrypted channel.

Result:

The following authentication methods are advertised by the SMTPserver without encryption : CRAM-MD5 DIGEST-MD5 LOGIN PLAIN

References:




SMTP Server Detection (tcp/25)


Description:

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution:

Disable this service if you do not use it, or filter incoming traffic to this port.

Result:

Remote SMTP server banner :220 ************************************************

of 120

Scan Date: 2017-01-17


Service Detection: 3 ASCII Digit Code Responses (tcp/25)


Description:

This check is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digits codes (ie: FTP,SMTP, NNTP, ...)

Solution:

n/a

Result:

A SMTP server is running on this port


SSH Algorithms and Languages Supported (tcp/22)


Description:

This script detects which algorithms and languages are supported by the remote service for encryptingcommunications.

Solution:

n/a

Result:

IndusGuard negotiated the following encryption algorithm with the server : aes128-cbcThe server supports thefollowing options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1The server supports the following options forserver_host_key_algorithms : ssh-dss ssh-rsaThe server supports the following options forencryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbcaes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected] server supportsthe following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbcaes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected] server supports the following options for mac_algorithms_client_to_server : hmac-md5hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected] server supports the following options for mac_algorithms_server_to_client : hmac-md5hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected] server supports the following options for compression_algorithms_client_to_server : [email protected] server supports the following options for compression_algorithms_server_to_client : [email protected]


SSH Protocol Versions Supported (tcp/22)


Description:

This check determines the vers ions of the SSH protocol supported by the remote SSH daemon.

Solution:

n/a

of 120

Scan Date: 2017-01-17

Result:

The remote SSH daemon supports the following versions of theSSH protocol : - 1.99 - 2.0SSHv2 host keyfingerprint : a1:7d:bd:2c:5d:9f:02:26:da:52:91:c0:2d:20:2f:3c


SSH Server Type and Version Information (tcp/22)


Description:

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution:

n/a

Result:

SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1SSH supported authentication : publickey,password


FTP Server Detection (tcp/21)


Description:

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution:

N/A

Result:

The remote FTP banner is :220 ProFTPD 1.3.3e Server (ProFTPD) [176.28.50.165]


Patch Report (tcp/0)


Description:

The remote host is miss ing one or several security patches.This check lists the newest vers ion of each patch to install to make sure the remote host is up-to-date.

Solution:

Install the patches listed below

Result:

. You need to take the following 5 actions :[ OpenSSH < 7.4 Multiple Vulnerabilities (96151) ]+ Action to take :Upgrade to OpenSSH version 7.4 or later.+Impact : Taking this action will resolve 17 different vulnerabilities(CVEs).[ OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability (74326) ]+ Action to take : OpenSSL 0.9.8SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/orserver) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to1.0.1h.+Impact : Taking this action will resolve 7 different vulnerabilities (CVEs).[ PHP 5.3.x < 5.3.29 MultipleVulnerabilities (77285) ]+ Action to take : Upgrade to PHP version 5.3.29 or later.+Impact : Taking this action willresolve 131 different vulnerabilities (CVEs).[ ProFTPD FTP Command Handling Symlink Arbitrary File Overwrite(66970) ]+ Action to take : Upgrade to 1.3.4c / 1.3.5rc1 or apply the patch from the vendor.[ nginx < 1.6.2 / 1.7.5SSL Session Reuse (78386) ]+ Action to take : Upgrade to nginx 1.6.2 / 1.7.5 or later.+Impact : Taking this action

of 120

Scan Date: 2017-01-17

will resolve 3 different vulnerabilities (CVEs).


Common Platform Enumeration (CPE) (tcp/0)


Description:

By using information obtained from a IndusGuard scan, this check reports CPE (Common Platform Enumeration)matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this check computes the best possible CPE based on theinformation available from the scan.

Solution:

n/a

Result:

The remote operating system matched the following CPE : cpe:/o:canonical:ubuntu_linux:10.04Followingapplication CPE's matched on the remote system : cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3cpe:/a:php:php:5.3.10 -> PHP 5.3.10 cpe:/a:igor_sysoev:nginx:1.4.1

References:

http://cpe.mitre.org/


Device Type (tcp/0)


Description:

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router,general-purpose computer, etc).

Solution:

n/a

Result:

Remote device type : general-purposeConfidence level : 95


TCP/IP Timestamps Supported (tcp/0)


Description:

The remote host implements TCP timestamps, as defined by RFC1323. A s ide effect of this feature is that the uptime ofthe remote host can sometimes be computed.

Solution:

n/a

References:

http://www.ietf.org/rfc/rfc1323.txt

of 120

Scan Date: 2017-01-17

of 120

Scan Date: 2017-01-17

vulnerability assessment report - indusface.com€¦ · this, or any other, security audit cannot...

Documents