pmb
TRANSCRIPT
SQL Injection
Reflected Cross-Site Scripting (XSS) Vulnerabilities
Reflected Cross-Site Scripting (XSS) Vulnerabilities
Reflected Cross-Site Scripting (XSS) Vulnerabilities
Path-Based Vulnerability
Path-Based Vulnerability
Path-Based Vulnerability
Path-Based Vulnerability
Path-Based Vulnerability
Connection Error Occurred During Web Application Scan
Possible Clickjacking vulnerability
Unencoded characters
Possible Clickjacking vulnerability
Unencoded characters
Possible Clickjacking vulnerability
Possible Clickjacking vulnerability
Unencoded characters
Possible Clickjacking vulnerability
Scan on 02/10/2012 10 February 2012 at 23:30
4 5 27 25
URL : http://pmb.esi.ac.ma
Summary: 36 vulnerabilities found
Page 1 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
Unencoded characters
Possible Clickjacking vulnerability
Possible Clickjacking vulnerability
Possible Clickjacking vulnerability
Possible Clickjacking vulnerability
Possible Clickjacking vulnerability
Cookies Collected
Links Crawled
Host Scan Time
External Links Discovered
Scan Diagnostics
Maximum Number of Links Reached During Crawl
DNS Host Name
DNS Host Name
Email Addresses Collected
PHP "spl_object_storage_attach" Use-After-Free Vulnerability
PHP 'popen()' Function Buffer Overflow Vulnerability
PHP Versions Prior to 5.2.12 Multiple Vulnerabilities
Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day
PHP Hashtables Denial of Service
Web Directories Listable Vulnerability
Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
PHP Versions Prior to 5.3.3/5.2.14 Multiple Vulnerabilities
PHP "strrchr()" Function Information Disclosure Vulnerability
PHP Versions Prior to 5.3.1 Multiple Vulnerabilities
Page 2 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
PHP 5.2.10 and Prior Versions Multiple Vulnerabilities
PHP Versions Prior to 5.2.13 Multiple Vulnerabilities
Web Applications and Plugins Detected
Host Uptime Based on TCP TimeStamp Option
Web Server Probed For Various URL-Encoding Schemes Supported
Expose_php Set to On in php.ini
Host Scan Time
Degree of Randomness of TCP Initial Sequence Numbers
IP ID Values Randomness
Default Web Page
DNS Host Name
Target Network Information
Traceroute
Host Names Found
HTTP method TRACE and/or TRACK Enabled
Web Server Supports HTTP Request Pipelining
Internet Service Provider
List of Web Directories
QID: 150003 CVSS Base: 10
Category: Web Application Port: -
Type: Web Application Findings
SQL Injection
CVEID: -
Threat:SQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve,
corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.
Page 3 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150001 CVSS Base: 7.5
Category: Web Application Port: -
Queries created by concatenating strings with SQL syntax and user-supplied data are prone
to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed.
Examples:These two lines demonstrate an insecure query that is created by appending the user-
supplied data (userid):dim strQuery as String strQuery = "SELECT name,email FROM users WHERE userid=" +
Request.QueryString("userid")
If no checks are performed against the userid parameter, then the query may be arbitrarily
modified as shown in these two examples of a completed query:SELECT name,email FROM users WHERE userid=42SELECT name,email FROM users WHERE userid=42; SHUTDOWN WITH NOWAIT
Impact:The scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.
Solution:SQL injection vulnerabilities can be addressed in three areas: input validation, query
creation, and database security.All input received from the Web client should be validated for correct content. If a value's
type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that
make it a valid address; or numeric fields like a U.S. zip code should be limited to five digit values.
Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the
logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries.
These functions are more secure than string concatenation for assigning user-supplied data to a query.Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call
stored procedures should not be created via string concatenation, otherwise their security benefits are negated.
SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table
and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.
Example of a secure query created with a prepared statement:PreparedStatement ps = "SELECT name,email FROM users WHERE
userid=?"; ps.setInt(1, userid);
Results:http://pmb.esi.ac.ma/home/index.php?lang=http%3a%2f%2frfitest%2f --<br /> <b>Warning</b>: Error parsing ../EasyPHP.ini on line 11 in <b>C:\Program Files\EasyPHP5.2.10\home\i18n.inc.php</b> on line <b>5</b><br /> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <link rel="shortcut icon" href="images_easyphp/easyphp_favicon.ico" /> <title>[EasyPHP] -administration</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="styleshe
Reflected Cross-Site Scripting (XSS) Vulnerabilities
CVEID: -
Threat:XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's
name as part of a welcome message or display a home address when confirming a shipping
Page 4 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150001 CVSS Base: 7.5
Category: Web Application Port: -
destination. If the user-supplied data contain characters that are interpreted as part of an
HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In
order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Impact:XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An
exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker
to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.
Solution:Filter all data collected from the client including user-supplied content and browser content
such as Referrer and User-Agent headers.Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results --_litteraux[i],i+terms.length,1,onoff); } } } } </script> <div id="resultatrech"><h3>Résultat de la recherche</h3> <div id="resultatrech_container"> <div id="resultatrech_see"><h3><span><EMBED SRC=//localhost/q.swf AllowScriptAccess=always></EMBED> titres trouvés pour la recherche 'John'</span></h3> </div> <div id="resultatrech_liste"><a href='javascript:expandAll()'><img class='img_plusplus' src='./images/expand_all.gif' border='0' id='expandall'></a>
Reflected Cross-Site Scripting (XSS) Vulnerabilities
CVEID: -
Threat:XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML
response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an
HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In
order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Impact:XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker
to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of
a compromise.
Solution:Filter all data collected from the client including user-supplied content and browser content
such as Referrer and User-Agent headers.Any data collected from the client and displayed in a Web page should be HTML-encoded to
ensure the content is rendered as text instead of an HTML element or JavaScript.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- ut type="hidden" id="id_thes" name="id_thes" value=""> <input
Page 5 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150001 CVSS Base: 7.5
Category: Web Application Port: -
QID: 150004 CVSS Base: 2.1
Category: Web Application Port: -
type="hidden" name="surligne" value="0"> <input type="hidden" name="tags" value=""> <input type="hidden" name="page" value="1"><input type="hidden" name="nbexplnum_to_photo" value="\"><qss>"></form><div class='row'></div> <script type='text/javascript'> <!--function test_form(form) { if (form.page.value > 20) { alert("Numéro de page trop élevé !"); form.page.focus(); return false; } if (form.page
Reflected Cross-Site Scripting (XSS) Vulnerabilities
CVEID: -
Threat:XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping
destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received
by the victim's Web browser.The XSS payload is echoed in HTML document returned by the request. An XSS payload
may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting
the URL with the XSS payload.
Impact:XSS exploits pose a significant threat to a Web application, its users and user data. XSS
exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information.
Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of
a compromise.
Solution:Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results --onoff); } } } } </script>Aucun document trouvé<form name="form_values" action="./index.php?lvl=more_results" method="post"> <input type="hidden" name="user_query" value="John"><input type="hidden" name="mode" value="\"\'><qqs `;!--=&{()}>"><input type="hidden" name="count" value="193"> <input type="hidden" name="clause" value="where (((index_infos_global like '% john %' ))) and (notices_global_index.num_notice = notice_id and statut=id_notice_statut and ((not
Path-Based Vulnerability
CVEID: -
Threat:A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:The contents of this file or directory may disclose sensitive information.
Solution:Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
Page 6 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150004 CVSS Base: 2.1
Category: Web Application Port: -
QID: 150004 CVSS Base: 2.1
Category: Web Application Port: -
QID: 150004 CVSS Base: 2.1
Category: Web Application Port: -
Results:http://pmb.esi.ac.ma/opac_css/includes/ -- HTTP/1.1 200 OK
Path-Based Vulnerability
CVEID: -
Threat:A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:The contents of this file or directory may disclose sensitive information.
Solution:Verify that access to this file or directory is permitted. If necessary, remove it or apply
access controls to it.
Results:http://pmb.esi.ac.ma/temp/ -- HTTP/1.1 200 OK
Path-Based Vulnerability
CVEID: -
Threat:A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:The contents of this file or directory may disclose sensitive information.
Solution:Verify that access to this file or directory is permitted. If necessary, remove it or apply
access controls to it.
Results:http://pmb.esi.ac.ma/admin/ -- HTTP/1.1 200 OK
Path-Based Vulnerability
CVEID: -
Threat:A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:The contents of this file or directory may disclose sensitive information.
Solution:Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
Results:http://pmb.esi.ac.ma/opac_css/admin/ -- HTTP/1.1 200 OK
Path-Based Vulnerability
Page 7 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150004 CVSS Base: 2.1
Category: Web Application Port: -
QID: 150018 CVSS Base:
Category: Web Application Port: -
CVEID: -
Threat:A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:The contents of this file or directory may disclose sensitive information.
Solution:Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
Results:http://pmb.esi.ac.ma/opac_css/temp/ -- HTTP/1.1 200 OK
Connection Error Occurred During Web Application Scan
CVEID: -
Threat:Some of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application.
Impact:Some of the links were not crawled or scanned. Results may be incomplete or incorrect.
Solution:Investigate the root cause of failure accessing the listed links.
Results:http://pmb.esi.ac.ma -- Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Links that timed out:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATA-user_query=John&mode=tous&count=193&clause=%3b--%20&pert=((index_infos_global%20like%20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like%20'John%')*0.2)*0.5%20as%20pert&l_typdoc=a&tri=ORDER%20BY%20pert%20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=1http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATA-user_query=John&mode=tous&count=193&clause=where%20(((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20(notices_global_index.num_notice%20%3d%20notice_id%20and%20statut%3did_notice_statut%20and%20((notice_visible_opac%3d1%20and%20notice_visible_opac_abon%3d0)))&pert=%3b--%20&l_typdoc=a&tri=ORDER%20BY%20pert%20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATA-user_query=John&mode=tous&count=193&clause=where%20(((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20(notices_global_index.num_notice%20%3d%20notice_id%20and%20statut%3did_notice_statut%20and%20((notice_visible_opac%3d1%20and%20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like%20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like%20'John%')*0.2)*0.5%20as%20pert&l_typdoc=%3b--%20&tri=ORDER%20BY%20pert%20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=1http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATA-user_query=John&mode=tous&count=193&clause=where%20(((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20(notices_global_index.num_notice%20%3d%20notice_id%20and%20statut%3did_notice_statut%20and%20((notice_visible_opac%3d1%20and%
Page 8 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like%20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like%20'John%')*0.2)*0.5%20as%20pert&l_typdoc=a&tri=%3b--%20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATA-user_query=John&mode=tous&count=193&clause=where%20(((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20(notices_global_index.num_notice%20%3d%20notice_id%20and%20statut%3did_notice_statut%20and%20((notice_visible_opac%3d1%20and%20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like%20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like%20'John%')*0.2)*0.5%20as%20pert&l_typdoc=a&tri=ORDER%20BY%20pert%20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=%3b--%20http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA- typdoc=%3b--%20&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=%3b--%20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=%3b--%20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=%3b--%20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=%3b--%20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=%3b--%20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=%3b--%20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--%20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=%3b--%20&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=%3b--%20&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=%3b--%20&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1
Page 9 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=%3b--%20&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=%3b--%20&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-lang_sel=%3b--%20 http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=%3b--%20&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=%3b--%20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=%3b--%20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=%3b--%20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=%3b--%20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=%3b--%20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=%3b--%20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercherhttp://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--%20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase.
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original
page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:
Page 10 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150084 CVSS Base:
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/styles/light/images/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Unencoded characters
CVEID: -
Threat:The web application reflects potentially dangerous characters such as single quotes, double
quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
Impact:No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an
HTML injection (XSS) vulnerability.
Solution:Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example,
a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. ; } } } } </script>Aucun document trouvé<form name="form_values" action="./index.php?lvl=more_results" method="post"> <input type="hidden" name="user_query" value="John"><input type="hidden" name="mode" value="<IMG SRC=javascript:qss=777>"> <input type="hidden" name="count" value="193"> <input type="hidden" name="clause" value="where (((index_infos_global like '% john %' ))) and (notices_global_index.num_notice = notice_id and statut=id_notice_statut and ((not
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/opac_css/index.php -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Page 11 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150084 CVSS Base:
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
Unencoded characters
CVEID: -
Threat:The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection
attacks such as cross-site scripting (XSS).
Impact:No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
Solution:Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent
encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when
placed in the value of an href attribute.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. avig_etageres'><span>Retourner au premier écran avec les étagères virtuelles...</span></a></td></tr></table></div><!-- fermeture de #navigator --> <script>terms=new Array('script','qss','777','script'); terms_litteraux=new Array('< script a=4>qss=777< /script>'); codes=new Array(); codes['a']='[àáâãäåÀÁÂÃÄÅA]'; codes['c']='[çÇC]'; codes['e']='[éèêëÈÉÊËE]'; codes['i']='[ìíîïIÌÍÎÏ]'; codes['o']='[òóôõöOÒÓÔÕÖ]'; codes['u']='[ùúûüUÙÚÛÜ]'; codes['
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/images/tree/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Possible Clickjacking vulnerability
CVEID: -
Page 12 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150084 CVSS Base:
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/images/dtree/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Unencoded characters
CVEID: -
Threat:The web application reflects potentially dangerous characters such as single quotes, double
quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
Impact:No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an
HTML injection (XSS) vulnerability.
Solution:Review the reflected characters to ensure that they are properly handled as defined by the
web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example,
a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. obj,terms_litteraux[i],i+terms.length,1,onoff); } } } } </script> <div id="resultatrech"><h3>Résultat de la recherche</h3> <div id="resultatrech_container"> <div id="resultatrech_see"><h3><span>\"\'><<SCRIPT a=2>qss=777;//<</SCRIPT> titres trouvés pour la recherche 'John'</span></h3> </div> <div id="resultatrech_liste"><a href='javascript:expandAll()'><img class='img_plusplus' src='./images/expand_all.gif' border='0' id='expandall'></a> <a href='javas
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original
page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Page 13 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150084 CVSS Base:
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/home/index.php -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Unencoded characters
CVEID: -
Threat:The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
Impact:No exploit was determined for these reflected characters. The input parameter should be
manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
Solution:Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent
encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when
placed in the value of an href attribute.
Results:http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. ="hidden" id="id_thes" name="id_thes" value=""> <input type="hidden" name="surligne" value="0"> <input type="hidden" name="tags" value=""> <input type="hidden" name="page" value="1"> <input type="hidden" name="nbexplnum_to_photo" value="<script src=//localhost/j>"> </form><div class='row'></div><script type='text/javascript'> <!-- function test_form(form) { if (form.page.value > 20) { alert("Numéro de page trop élevé !");form.page.focus(); return false; } if
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/images/mimetype/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Page 14 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of
the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/styles/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page. Framekiller:
JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/images/type_param/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Page 15 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150081 CVSS Base: 10
Category: Web Application Port: -
QID: 150028 CVSS Base:
Category: Web Application Port: -
QID: 150009 CVSS Base:
Category: Web Application Port: -
Possible Clickjacking vulnerability
CVEID: -
Threat:Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:Attacks like CSRF can be performed using Clickjacking techniques.
Solution:Two of the most popular preventions are: X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results:http://pmb.esi.ac.ma/opac_css/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.
Cookies Collected
CVEID: -
Threat:The cookies listed in the Results section were received from the web application during the crawl phase.
Impact:Cookies may contain sensitive information about the user. Cookies sent via HTTP may be
sniffed.
Solution:Review cookie values to ensure that sensitive information such as passwords are not present within them.
Results:http://pmb.esi.ac.ma -- Total cookies: 3PHPSESSID=rriq7vmfs22p89i93ctnqs44n6; path=/; domain=pmb.esi.ac.maPhpMyBibli-LANG=fr_FR; expires=Tue Jan 22 20:14:09 2013; path=/opac_css/; domain=pmb.esi.ac.ma; max-age=29999817 PhpMyBibli-OPACDB=bibli; expires=Tue Jan 22 20:14:13 2013; path=/opac_css/; domain=pmb.esi.ac.ma; max-age=29999821
Links Crawled
CVEID: -
Threat:The list of unique links crawled by the Web application scanner appear in the Results
section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML
forms, and requests for the same link made as an anonymous and authenticated user.
Impact:N/A
Solution:N/A
Page 16 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 45038 CVSS Base:
Category: Information gathering Port: -
Results:http://pmb.esi.ac.ma -- Duration of crawl phase (seconds): 314.00Number of links: 50 (This number excludes form requests and links re-requested during authentication.) http://pmb.esi.ac.ma/http://pmb.esi.ac.ma/acquisition http://pmb.esi.ac.ma/adminhttp://pmb.esi.ac.ma/ajax http://pmb.esi.ac.ma/alerthttp://pmb.esi.ac.ma/autorites http://pmb.esi.ac.ma/cartshttp://pmb.esi.ac.ma/catalog http://pmb.esi.ac.ma/circhttp://pmb.esi.ac.ma/classes http://pmb.esi.ac.ma/classes%20-%20Copie http://pmb.esi.ac.ma/demandes http://pmb.esi.ac.ma/develhttp://pmb.esi.ac.ma/doc http://pmb.esi.ac.ma/dsihttp://pmb.esi.ac.ma/edit http://pmb.esi.ac.ma/external_serviceshttp://pmb.esi.ac.ma/fichier http://pmb.esi.ac.ma/home/fr/index.htmlhttp://pmb.esi.ac.ma/home/images_easyphp/easyphp_favicon.icohttp://pmb.esi.ac.ma/home/index.phphttp://pmb.esi.ac.ma/home/index.php?lang=enhttp://pmb.esi.ac.ma/home/index.php?lang=eshttp://pmb.esi.ac.ma/home/index.php?lang=frhttp://pmb.esi.ac.ma/home/index.php?lang=ithttp://pmb.esi.ac.ma/home/index.php?lang=nwhttp://pmb.esi.ac.ma/home/index.php?lang=pthttp://pmb.esi.ac.ma/home/index.php?lang=pt_brhttp://pmb.esi.ac.ma/home/index.php?to=change_docroothttp://pmb.esi.ac.ma/home/index.php?to=default_docroothttp://pmb.esi.ac.ma/home/licence_apache.phphttp://pmb.esi.ac.ma/home/styles.css http://pmb.esi.ac.ma/imageshttp://pmb.esi.ac.ma/images/add.pnghttp://pmb.esi.ac.ma/images/aide.gifhttp://pmb.esi.ac.ma/images/alert.gifhttp://pmb.esi.ac.ma/images/arrow_down.pnghttp://pmb.esi.ac.ma/images/arrow_up.pnghttp://pmb.esi.ac.ma/images/attachment.pnghttp://pmb.esi.ac.ma/images/autorite.gifhttp://pmb.esi.ac.ma/images/b_edit.pnghttp://pmb.esi.ac.ma/images/bandeau_edc.jpghttp://pmb.esi.ac.ma/images/bar_spacer.gifhttp://pmb.esi.ac.ma/images/basket_20x20.gifhttp://pmb.esi.ac.ma/images/basket_del.gifhttp://pmb.esi.ac.ma/images/basket_empr.gifhttp://pmb.esi.ac.ma/images/basket_empty_20x20.gifhttp://pmb.esi.ac.ma/images/basket_small.gifhttp://pmb.esi.ac.ma/images/basket_small_20x20.gifhttp://pmb.esi.ac.ma/images/bortlesorgues.png
Host Scan Time
CVEID: -
Threat:The Host Scan Time is the period of time it takes the scanning engine to perform the
vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service
to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's
Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
Impact:N/A
Solution:N/A
Results:
Page 17 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150010 CVSS Base:
Category: Web Application Port: -
QID: 150021 CVSS Base:
Category: Web Application Port: -
http://pmb.esi.ac.ma -- Scan duration: 2266 seconds Start time: Fri, Feb 10 2012, 22:51:24 GMT End time: Fri, Feb 10 2012, 23:29:10 GMT
External Links Discovered
CVEID: -
Threat:The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
Impact:N/A
Solution:N/A
Results:http://pmb.esi.ac.ma -- Number of links: 14 http://www.hcp.ma/http://www.creaweb.ma/ http://www.easyphp.org/ http://www.bnrm.ma/http://www.sigb.net/ http://www.alastore.ala.org/http://www.esi.ac.ma/ http://www.bnf.fr/ http://www.google.fr/http://www.php.net/ChangeLog-5.php http://www.php.net/migration53http://www.php.net/releases/5_2_10.php mailto:[email protected]://httpd.apache.org/
Scan Diagnostics
CVEID: -
Threat:This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the
target Web application.
Impact:The scan diagnostics data provides technical details about the crawler's performance and
behavior. This information does not necessarily imply problems with the Web application.
Solution:No action is required.
Results:http://pmb.esi.ac.ma -- Loaded 0 blacklist entries. HTML form authentication unavailable, no WEBAPP entry found Maximum request count reached: 50 Links remaining in queue: 400 Collected 758 links overall. Path manipulation: estimated time < 30 minutes (82 tests, 362 inputs) Path manipulation: 82 vulnsigs tests, completed 8656 requests, 305 seconds. All tests completed. Batch #0 WS enumeration: estimated time < 10 minutes (9 tests, 0 inputs) WS enumeration: 9 vulnsigs tests, completed 198 requests, 7 seconds. All tests completed. Batch #1 URI parameter manipulation: estimated time < 1 minute (37 tests, 4 inputs) Batch #1 URI parameter manipulation: 37 vulnsigs tests, completed 80 requests, 19 seconds. XSS optimization removed 68 links. Completed 80 requests of 148 estimated requests (54%). All tests completed. Batch #1 Form parameter manipulation: estimated time < 1 minute (37 tests, 13 inputs) Reached the threshold for timed-out links: 20 Batch #1 Form parameter manipulation: 37 vulnsigs tests, completed 836 requests, 1587 seconds. Module did not finish. Completed 836 requests of 333 estimated requests (251% complete). Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached
Page 18 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 150026 CVSS Base:
Category: Web Application Port: -
the threshold for timed-out links: 20 Total requests made: 10261Average server response time: 0.50 seconds Most recent links: ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=%3b--%20&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA- lang_sel=%3b--%20 ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA- typdoc=%3b--%20&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher--- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=%3b--%20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=%3b--%20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=%3b--%20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=%3b--%20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=%3b--%20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=%3b--%20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher ---http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA-typdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--%20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20
Maximum Number of Links Reached During Crawl
CVEID: -
Threat:The maximum number of links specified for this scan has been reached. The links crawled
to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled
(QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.
Impact:Some links that lead to different areas of the site's functionality may have been missed.
Page 19 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 6 CVSS Base: 0
Category: Information gathering Port: -
QID: 6 CVSS Base: 0
Category: Information gathering Port: -
QID: 150054 CVSS Base:
Category: Web Application Port: -
Solution:Increase the maximum number of links in order to ensure broader coverage of the Web
application. It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.
Results:http://pmb.esi.ac.ma -- Maximum request count reached: 50 Links remaining in queue: 400
DNS Host Name
CVEID: -
Threat:The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:
Results:http://pmb.esi.ac.ma -- #table IP_address Host_name
DNS Host Name
CVEID: -
Threat:The fully qualified domain name of this host, if it was obtained from a DNS server, is
displayed in the RESULT section.
Impact:
Solution:
Results:http://pmb.esi.ac.ma -- 212.217.22.95 scanesi.esi.ac.ma
Email Addresses Collected
CVEID: -
Threat:The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact:Email addresses may help a malicious user with brute force and phishing attacks.
Solution:Review the email list to see if they are all email addresses you want to expose.
Results:http://pmb.esi.ac.ma -- Number of emails: 14 [email protected]@apache.org [email protected] [email protected]@eye.com [email protected] [email protected] [email protected]@alumni.caltech.edu [email protected] [email protected]@nexus.yorku.ca [email protected] [email protected]
Page 20 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12378 CVSS Base:
Category: CGI Port: 0
QID: 12271 CVSS Base: 5
Category: CGI Port: 80
Type: Perimeter Findings
PHP "spl_object_storage_attach" Use-After-Free Vulnerability
CVEID: CVE-2010-2225
Threat:PHP is a general purpose scripting language that is especially suited for Web development
and can be embedded in HTML.PHP is prone to a vulnerability that is caused by a use-after-free error within the
"spl_object_storage_attach()" function, which can be exploited by inserting the same object twice.
Affected Versions:PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2
Impact:If this vulnerability is successfully exploited, attackers can get potentially sensitive information and compromise a vulnerable system.
Solution:The vendor has released PHP Version 5.3.3 and 5.2.14 to address these issues. It is
available for download from the PHP Download Web site.Refer to PHP 5.2.14 Change Log and PHP 5.3.3 Change Log to obtain additional details
about the issues fixed in the update.
Results:Detected on port 80 - Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP 'popen()' Function Buffer Overflow Vulnerability
CVEID: CVE-2009-3294
Threat:PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The "popen" function opens a pipe to the program
specified in the command parameter.PHP is prone to a buffer overflow vulnerability that occurs in the "popen" function because it
fails to perform adequate boundary checks before copying user-supplied data to insufficiently sized memory buffers. This issue can be exploited by passing a large string to the "mode" argument of the function.
PHP Versions before 5.2.11 and Version 5.3.x before 5.3.1 are affected.
Impact:If this vulnerability is successfully exploited, a malicious user can execute arbitrary machine code in the context of the affected Web server. Failed attempts cause denial of service
attacks by crashing the Web server.
Page 21 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12318 CVSS Base: 7.5
Category: CGI Port: 80
Solution:This issue is resolved in PHP Version 5.2.11 and later or Version 5.3.1 or later. Refer to PHP 5.2.11 Release Notes and PHP 5.3.1 Release Notes to obtain additional details.
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP Versions Prior to 5.2.12 Multiple Vulnerabilities
CVEID: CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4142, CVE-2009-
4143
Threat:PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML.The following vulnerabilities exist in PHP:1) An error in "tempnam()" can be exploited to bypass the "safe_mode" feature.2) An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature.3) An error within the processing of form-based file uploads can be exploited to cause a DoS by sending specially crafted requests.4) Errors related to a insufficient protection of $_SESSION against interrupt corruption and a weak "session.save_path" check have unknown impacts.5) The "htmlspecialchars()" function does not properly sanitize certain input, which can be exploited to conduct cross-site scripting attacks.PHP versions prior to 5.2.12 and prior to 5.3.1 are affected by these vulnerabilities.
Impact:Successfully exploiting these issue may allow remote attackers to bypass certain security restrictions or to conduct cross-site scripting attacks and cause a denial of service.
Solution:The vendor has released PHP Version 5.2.12 and 5.3.1 to address these issues. It is available for download from the PHP Download Web site.
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
Page 22 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 86847 CVSS Base: 7.8
Category: Web server Port: 0
QID: 12539 CVSS Base: 5
Category: CGI Port: 80
Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day
CVEID: -
Threat:The Apache HTTP Server, commonly referred to as Apache is a freely available Web
server.Apache is vulnerable to a denial of service due to holding a connection open for partial
HTTP requests.Apache Versions 1.x and 2.x are vulnerable.
Impact:A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site.
Denial of service tools and scripts such as Slowloris takes advantage of this vulnerability.
Solution:Patch:There are no vendor-supplied patches available at this time.Workaround:
- Reverse proxies, load balancers and iptables can help to prevent this attack from occurring.
- Adjusting the TimeOut Directive can also prevent this attack from occurring.- A new module mod_reqtimeout has been introduced since Apache 2.2.15 to provide tools for mitigation against these forms of attack, however; the module is marked experimental.
Also refer to Cert Blog and Slowloris and Mitigations for Apache document for further information.
Results:Detected on port 80 - Apache 1.3
PHP Hashtables Denial of Service
CVEID: CVE-2011-4885
Threat:PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML.
PHP is exposed to remote denial of service issue due to the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision
properties in the hashing functions.Affected Versions:PHP 5.3 versions prior to 5.3.9 are affected.
Impact:By exploiting this vulnerability, remote attackers can cause a denial of service (CPU
consumption) by sending many crafted HTTP requests.
Solution:There are no official vendor-supplied patches at this time.Workaround:Update to development version of 5.3.9 or 5.4 which supports max_input_vars directive to
prevent attacks based on hash collisions. For more information, please refer to the PHP SVN site.
Another method is to reduce the CPU time that a request is allowed to take. For PHP, this can be configured using the max_input_time parameter.
Results:Detected on port 80 - Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB
Page 23 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 86445 CVSS Base: 2.3
Category: Web server Port: 80
QID: 86473 CVSS Base: 2.8
Category: Web server Port: 80
Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
Web Directories Listable Vulnerability
CVEID: -
Threat:The Web server has some listable directories. Very sensitive information can be obtained from directory listings.
Impact:A remote user may exploit this vulnerability to obtain very sensitive information on the host. The information obtained may assist in further attacks against the host.
Solution:Disable directory browsing or listing for all directories.
Results:#table cols="1" Listable_Directories /images/ /admin/ /catalog/
Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
CVEID: CVE-2004-2320, CVE-2007-3008
Threat:A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server.
Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method.
Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser
vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the
client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.
The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information,
but gets it after the target Web server echoes it back as its Trace response. Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable.The exact method(s) supported, Trace and/or Track, and their responses are in the Results
section below.
Impact:If this vulnerability is successfully exploited, users of the Web server may lose their
authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable
to cross site scripting attacks due to input validation errors.
Solution:Solutions for some of the common Web servers are supplied below. For other Web servers,
please check your vendor's documentation.
Page 24 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12390 CVSS Base:
Category: CGI Port: 80
Apache: Recent Apache versions have a Rewrite module that allows HTTP requests to be rewritten or handled in a specific way. Compile the Apache server with the mod_rewrite
module. You might need to uncomment the 'AddModule' and 'LoadModule' directives in the httpd.conf configuration file. Add the following lines for each virtualhost in your configuration file (Please note that, by default, Rewrite configurations are not inherited. This means that
you need to have Rewrite directives for each virtual host in which you wish to use it):<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] </IfModule>With this configuration, Apache catches all TRACE requests, and replies with a page
reporting the request as forbidden. None of the original request's contents are echoed back.A slightly tighter fix is to use:<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ RewriteRule .* - [F] </IfModule>
Please note that RewriteEngine can be processor intensive and may impact the web server performance. The trace method can also be controlled by use of the TraceEnable directive.In the httpd.conf add or modify:
TraceEnable Off
Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming
requests based on customized rulesets. URLScan can be used to sanitize or disable the TRACE requests from the clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specfically block the TRACE method, the TRACK method should also be added to the filter.
URLScan uses the 'urlscan.ini' configuration file, usually in \System32\InetSrv\URLScan directory. In that, we have two sections - AllowVerbs and DenyVerbs. The former is used if
the UseAllowVerbs variable is set to 1, else (if its set to 0), the DenyVerbs are used. Clearly, either can be used, depending on whether we want a Default-Deny-Explicit-Allow or a Default-Allow-Explicit-Deny policy. To disallow TRACE and TRACK methods through
URLScan, first remove 'TRACK', 'TRACE' methods from the 'AllowVerbs' section and add them to the 'DenyVerbs' section. With this, URLScan will disallow all 'TRACE' and 'TRACK' methods, and generate an error page for all requests using that method. To enable the changes, restart the 'World Wide Web Publishing Service' from the 'Services' Control Panel
item.
Sun ONE/iPlanet Web Server: Here are the sun recommandations to disable the trace
method.For more details about other web servers : Cert Advisory.
Results:TRACE / HTTP/1.1 Host: scanesi.esi.ac.ma Via: <script>alert('QualysXSS');</script> HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:51 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 Transfer-Encoding: chunked Content-Type: message/http TRACE / HTTP/1.1 Host: scanesi.esi.ac.ma Via: <script>alert('QualysXSS');</script> -CR-TRACE / HTTP/1.0 Via: <script>alert('QualysXSS');</script> HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:51 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 Connection: close Content-Type: message/httpTRACE / HTTP/1.0 Via: <script>alert('QualysXSS');</script>
PHP Versions Prior to 5.3.3/5.2.14 Multiple Vulnerabilities
CVEID: CVE-2010-2484, CVE-2010-2531
Threat:PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML.
PHP is prone to multiple memory corruption and buffer overflow security vulnerabilities.PHP Versions Prior to 5.3.3/5.2.14 are affected
Impact:An attacker can exploit these issues to execute arbitrary code, gain access to sensitive information, and bypass security restrictions. Other attacks are also possible.
Solution:The vendor has released PHP Version 5.3.3 and 5.2.14 to address these issues. It is
available for download from the PHP Download Web site.Refer to PHP 5.2.14 Change Log PHP 5.3.3 Change Logto obtain additional details about the issues fixed in the update.
Page 25 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12384 CVSS Base: 5
Category: CGI Port: 80
QID: 12314 CVSS Base:
Category: CGI Port: 80
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP "strrchr()" Function Information Disclosure Vulnerability
CVEID: CVE-2010-2484
Threat:PHP is a general purpose scripting language that is especially suited for Web development
and can be embedded in HTML.PHP is prone to an information disclosure vulnerability. This is due to a possible memory
corruption in strrchr() function. The strrchr function allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a
userspace interruption of an internal function or handler.Affected Versions:
PHP 5.2 before 5.2.14
Impact:Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
Solution:Update to PHP 5.2.14 or later to resolve this vulnerability. Refer to PHP 5.2.14 ChangeLog
to obtain more information.
Results:Detected on port 80 - Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP Versions Prior to 5.3.1 Multiple Vulnerabilities
CVEID: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558
Threat:
Page 26 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12299 CVSS Base: 7.5
Category: CGI Port: 80
PHP is a general purpose scripting language that is especially suited for Web development
and can be embedded into HTML.The following vulnerabilities exist in PHP:
- Input validation errors exist in the processing of exif data.-An error in "tempnam()" can be exploited to bypass the "safe_mode" feature.
-An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature.Versions prior to 5.3.1 are affected.
Impact:These vulnerabilities can be exploited by malicious users to bypass certain security restrictions.
Solution:The vendor has released PHP Version 5.3.1 to address these issues. It is available for download from the PHP Download Web site .
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP 5.2.10 and Prior Versions Multiple Vulnerabilities
CVEID: CVE-2009-3291, CVE-2009-3292, CVE-2009-3293
Threat:PHP is a general-purpose scripting language that is especially suited for Web development
and can be embedded into HTML.The following multiple vulnerabilities exist in PHP:
1) An unspecified error exists in the certificate validation in "php_openssl_apply_verification_policy".
2) An input validation error exists related to the color index in "imagecolortransparent()".3) An input validation error exists in the processing of exif data.4) An unspecified issue related to "popen" and invalid modes exists.
These issues affect PHP 5.2.10 and prior versions.
Impact:Exploitation of the vulnerabilities may result in an unspecified impact.
Solution:The vendor has released PHP Version 5.2.11 to address these issues. It is available for
download from the PHP Download Web site.
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' />
Page 27 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12334 CVSS Base: 6.4
Category: CGI Port: 80
QID: 45114 CVSS Base:
Category: Information gathering Port: 80
<meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
PHP Versions Prior to 5.2.13 Multiple Vulnerabilities
CVEID: CVE-2010-1129
Threat:PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML.
The following vulnerabilities exist in PHP:An error in the session extension can be exploited to bypass the "safe_mode" and "open_basedir" feature.A validation error within the "tempnam()" function can be exploited to bypass the
"safe_mode" feature.PHP 5.2.12 and prior versions are affected.
Impact:Successful exploits could allow an attacker to access files in unauthorized locations or create files in any writable directory.
Solution:The vendor has released PHP Version 5.2.13 to address these issues and several other bugs. It is available for download from the PHP Download Web site.
Refer to PHP 5.2.13 Change Log to obtain additional details about the issues fixed in the update.
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
Web Applications and Plugins Detected
CVEID: -
Threat:The result section of this QID lists web applications and plugins that were detected on the target using web application fingerprinting. This technique compares static files at known locations against precomputed hashes for versions of those files in all available releases.
The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.Following applications are currently supported:
Joomla!MediaWikiWordPress
phpBBMovableType
DrupalosCommerce
Page 28 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 82063 CVSS Base:
Category: TCP/IP Port: 0
PHP-Nuke
MoodleLiferay
TikiwikiTwiki
phpmyadminSPIPConfluence(free versions)
WikkaWacko
UsemodFollowing Drupal plugins are supported:DateImageField
PathautoSpamicide
CCKFileFieldImageAPI
IMCEPrint
TagaDelicToken
ViewsFollowing WordPress plugins are supported:
AkismetBuddypressstats
WP-E-CommerceWP-Super-Cache
This QID is based on the blind elephant project.
Impact:N/A
Solution:N/A
Results:#table cols="2" usemod _1.0.5
Host Uptime Based on TCP TimeStamp Option
CVEID: -
Threat:The TCP/IP stack on the host supports the TCP TimeStamp (kind 8) option. Typically the timestamp used is the host's uptime (since last reboot) in various units (e.g., one hundredth
of second, one tenth of a second, etc.). Based on this, we can obtain the host's uptime. The result is given in the Result section below.Some operating systems (e.g., MacOS, OpenBSD) use a non-zero, probably random, initial
value for the timestamp. For these operating systems, the uptime obtained does not reflect the actual uptime of the host; the former is always larger than the latter.
Impact:N/A
Solution:N/A
Results:Based on TCP timestamps obtained via port 80, the host's uptime is 2
days, 8 hours, and 59 minutes. The TCP timestamps from the host are in units of 10 milliseconds.
Page 29 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12059 CVSS Base:
Category: CGI Port: 80
QID: 12087 CVSS Base: 1.9
Category: CGI Port: 80
Web Server Probed For Various URL-Encoding Schemes Supported
CVEID: -
Threat:The target Web server was probed for various URL-encoding schemes that it supports.
Per this paper by Daniel Roelker that was presented at Defcon 11, popular Web servers like Microsoft IIS support a variety of encoding schemes for the URLs. These include Percent-
escaped Hex Encoding, Double-percent Escaped Hex Encoding, Microsoft's %U Encoding, Percent-escaped 2-Byte UTF-8 Encoding, and Raw 2-Byte UTF-8 Encoding.For a sample HTTP GET request, GET /. HTTP/1.0, the following illustrates the encoded
URI under these schemes:Percent-escaped Hex Encoding: GET /%2e HTTP/1.0 Double-percent
Escaped Hex Encoding: GET /%252e HTTP/1.0 Percent-escaped 2-Byte UTF-8 Encoding: GET /%C0%AE HTTP/1.0 Raw 2-Byte UTF-8 Encoding: GET /
\xC0\xAE HTTP/1.0 (Actual raw 0xC0 and 0xAE bytes) Microsoft's %U
Encoding: GET /%u002e HTTP/1.0
The supported encoding schemes are listed in the Results section.
URI encoding is relevant to Web server security since, as mentioned in the paper above, attackers could launch HTTP attacks while at the same time obfuscating the URIs to evade detection by Intrusion Detection Systems that are not capable of decoding the URIs.
Impact:N/A
Solution:N/A
Results:Single-%-Escaped Hex-Encoding Supported
Expose_php Set to On in php.ini
CVEID: -
Threat:The scanner found PHP version information in the headers returned by the PHP-enabled target Web server. This likely means that the "expose_php" variable is set to "On" in the "php.ini" configuration file for the Web server.
Impact:This allows remote users to easily know that PHP is installed on the Web server. It also
provides version information of the PHP installation. This could aid an attacker in launching more targeted attacks in the future.
Solution:Locate the "php.ini" configuration file on the target host and add this setting to it: "expose_php=Off". Restart the Web server.
Results:HEAD / HTTP/1.1 Host: scanesi.esi.ac.ma Connection: Keep-Alive
HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:55 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Keep-
Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-
4C7B08C10000 HTTP/1.1 Host: scanesi.esi.ac.ma Connection: Keep-Alive
HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:56:01 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Keep-
Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD
XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd"><html><head> <style type="text/css"> body {background-color:
#ffffff; color: #000000;} body, td, th, h1, h2 {font-family: sans-
serif;} pre {margin: 0px; font-family: monospace;} a:link {color: #000099; text-decoration: none; background-color: #ffffff;} a:hover
Page 30 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
{text-decoration: underline;} table {border-collapse: collapse;} .center {text-align: center;} .center table { margin-left: auto; margin-right: auto; text-align: left;} .center th { text-align: center !important; } td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;} h1 {font-size: 150%;} h2 {font-size: 125%;} .p {text-align: left;} .e {background-color: #ccccff; font-weight: bold; color: #000000;} .h {background-color: #9999cc; font-weight: bold; color: #000000;} .v {background-color: #cccccc; color: #000000;} .vr {background-color: #cccccc; text-align: right; color: #000000;} img {float: right; border: 0px;} hr {width: 600px; background-color: #cccccc; border: 0px; height: 1px; color: #000000;} </style> <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head><body><div class="center"> <h1>PHP Credits</h1> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>PHP Group</th></tr><tr><td class="e">Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>Language Design & Concept</th></tr> <tr><td class="e">Andi Gutmans, Rasmus Lerdorf, Zeev Suraski </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">PHP 5 Authors</th></tr> <tr class="h"><th>Contribution</th><th>Authors</th></tr> <tr><td class="e">Zend Scripting Language Engine </td><td class="v">Andi Gutmans, Zeev Suraski </td></tr> <tr><td class="e">Extension Module API </td><td class="v">Andi Gutmans, Zeev Suraski, Andrei Zmievski </td></tr> <tr><td class="e">UNIX Build and Modularization </td><td class="v">Stig Bakken, Sascha Schumann, Jani Taskinen </td></tr><tr><td class="e">Win32 Port </td><td class="v">Shane Caraveo, Zeev Suraski, Wez Furlong </td></tr> <tr><td class="e">Server API (SAPI) Abstraction Layer </td><td class="v">Andi Gutmans, Shane Caraveo, Zeev Suraski </td></tr> <tr><td class="e">Streams Abstraction Layer </td><td class="v">Wez Furlong, Sara Golemon </td></tr> <tr><td class="e">PHP Data Objects Layer </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">SAPI Modules</th></tr> <tr class="h"><th>Contribution</th><th>Authors</th></tr> <tr><td class="e">AOLserver </td><td class="v">Sascha Schumann </td></tr><tr><td class="e">Apache 1.3 (apache_hooks) </td><td class="v">Rasmus Lerdorf, Zeev Suraski, Stig Bakken, David Sklar, George Schlossnagle, Lukas Schroeder </td></tr> <tr><td class="e">Apache 1.3 </td><td class="v">Rasmus Lerdorf, Zeev Suraski, Stig Bakken, David Sklar </td></tr> <tr><td class="e">Apache 2.0 Filter </td><td class="v">Sascha Schumann, Aaron Bannert </td></tr> <tr><td class="e">Apache 2.0 Handler </td><td class="v">Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code) </td></tr> <tr><td class="e">Caudium / Roxen </td><td class="v">David Hedbor </td></tr> <tr><td class="e">CGI / FastCGI </td><td class="v">Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov </td></tr> <tr><td class="e">CLI </td><td class="v">Edin Kadribasic, Marcus Boerger, Johannes Schlueter </td></tr> <tr><td class="e">Continuity </td><td class="v">Alex Leigh (based on nsapi code) </td></tr> <tr><td class="e">Embed </td><td class="v">Edin Kadribasic </td></tr> <tr><td class="e">ISAPI </td><td class="v">Andi Gutmans, Zeev Suraski </td></tr> <tr><td class="e">NSAPI </td><td class="v">Jayakumar Muthukumarasamy, Uwe Schindler </td></tr> <tr><td class="e">phttpd </td><td class="v">Thies C. Arntzen </td></tr> <tr><td class="e">pi3web </td><td class="v">Holger Zimmermann </td></tr><tr><td class="e">Sendmail Milter </td><td class="v">Harald Radi </td></tr> <tr><td class="e">thttpd </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">tux </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">WebJames </td><td class="v">Alex Waugh </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">Module Authors</th></tr> <tr class="h"><th>Module</th><th>Authors</th></tr><tr><td class="e">Assert </td><td class="v">Thies C. Arntzen </td></tr> <tr><td class="e">BC Math </td><td class="v">Andi Gutmans </td></tr> <tr><td class="e">Bzip2 </td><td class="v">Sterling
Page 31 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
Hughes </td></tr> <tr><td class="e">Calendar </td><td class="v">Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong </td></tr> <tr><td class="e">COM and .Net </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">ctype </td><td class="v">Hartmut Holzgraefe </td></tr> <tr><td class="e">cURL </td><td class="v">Sterling Hughes </td></tr> <tr><td class="e">Date/Time Support </td><td class="v">Derick Rethans </td></tr> <tr><td class="e">DBA </td><td class="v">Sascha Schumann, Marcus Boerger </td></tr> <tr><td class="e">dBase </td><td class="v">Jim Winstead </td></tr> <tr><td class="e">DB-LIB (MS SQL, Sybase) </td><td class="v">Wez Furlong, Frank M. Kromann </td></tr><tr><td class="e">DOM </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger </td></tr> <tr><td class="e">EXIF </td><td class="v">Rasmus Lerdorf, Marcus Boerger </td></tr> <tr><td class="e">FBSQL </td><td class="v">Frank M. Kromann </td></tr><tr><td class="e">FDF </td><td class="v">Uwe Steinmann </td></tr><tr><td class="e">Firebird/InterBase driver for PDO </td><td class="v">Ard Biesheuvel </td></tr> <tr><td class="e">FTP </td><td class="v">Stefan Esser, Andrew Skalski </td></tr> <tr><td class="e">GD imaging </td><td class="v">Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger </td></tr> <tr><td class="e">GetText </td><td class="v">Alex Plotnick </td></tr> <tr><td class="e">GNU GMP support </td><td class="v">Stanislav Malyshev </td></tr> <tr><td class="e">Iconv </td><td class="v">Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi </td></tr> <tr><td class="e">IMAP </td><td class="v">Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky </td></tr> <tr><td class="e">Input Filter </td><td class="v">Rasmus Lerdorf, Derick Rethans, Pierre-Alain Joye, Ilia Alshanetsky </td></tr> <tr><td class="e">InterBase </td><td class="v">Jouni Ahto, Andrew Avdeev, Ard Biesheuvel </td></tr> <tr><td class="e">JSON </td><td class="v">Omar Kilani </td></tr> <tr><td class="e">LDAP </td><td class="v">Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas </td></tr><tr><td class="e">LIBXML </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo </td></tr><tr><td class="e">mcrypt </td><td class="v">Sascha Schumann, Derick Rethans </td></tr> <tr><td class="e">mhash </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">mime_magic </td><td class="v">Hartmut Holzgraefe </td></tr> <tr><td class="e">MING </td><td class="v">Dave Hayden, Frank M. Kromann </td></tr> <tr><td class="e">mSQL </td><td class="v">Zeev Suraski </td></tr> <tr><td class="e">MS SQL </td><td class="v">Frank M. Kromann </td></tr><tr><td class="e">Multibyte String Functions </td><td class="v">Tsukada Takuya, Rui Hirokawa </td></tr> <tr><td class="e">mySQL driver for PDO </td><td class="v">George Schlossnagle, Wez Furlong, Ilia Alshanetsky </td></tr> <tr><td class="e">MySQLi </td><td class="v">Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel </td></tr> <tr><td class="e">MySQL </td><td class="v">Zeev Suraski, Zak Greant, Georg Richter </td></tr> <tr><td class="e">ncurses </td><td class="v">Ilia Alshanetsky, Wez Furlong, Hartmut Holzgraefe, Georg Richter </td></tr> <tr><td class="e">OCI8 </td><td class="v">Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong </td></tr> <tr><td class="e">ODBC driver for PDO </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">ODBC </td><td class="v">Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky </td></tr><tr><td class="e">OpenSSL </td><td class="v">Stig Venaas, Wez Furlong, Sascha Kettler </td></tr> <tr><td class="e">Oracle (OCI) driver for PDO </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">pcntl </td><td class="v">Jason Greene </td></tr> <tr><td class="e">Perl Compatible Regexps </td><td class="v">Andrei Zmievski </td></tr> <tr><td class="e">PHP Data Objects </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr> <tr><td class="e">PHP hash </td><td class="v">Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner </td></tr> <tr><td class="e">Posix </td><td class="v">Kristian Koehntopp </td></tr> <tr><td class="e">PostgreSQL driver for PDO </td><td class="v">Edin Kadribasic, Ilia Alshanetsky </td></tr> <tr><td class="e">PostgreSQL </td><td class="v">Jouni
Page 32 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 45038 CVSS Base:
Category: Information gathering Port: 0
Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne </td></tr>
<tr><td class="e">Pspell </td><td class="v">Vlad Krupin </td></tr><tr><td class="e">Readline </td><td class="v">Thies C. Arntzen
</td></tr> <tr><td class="e">Recode </td><td class="v">Kristian
Khntopp </td></tr> <tr><td class="e">Reflection </td><td
class="v">Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei
Zmievski, Johannes Schlueter </td></tr> <tr><td class="e">Sessions </td><td class="v">Sascha Schumann, Andrei Zmievski </td></tr>
<tr><td class="e">Shared Memory Operations </td><td class="v">Slava
Poliakov, Ilia Alshanetsky </td></tr> <tr><td class="e">SimpleXML
</td><td class="v">Sterling Hughes, Marcus Boerger, Rob Richards
</td></tr> <tr><td class="e">SNMP </td><td class="v">Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne
</td></tr> <tr><td class="e">SOAP </td><td class="v">Brad
Lafountain, Shane Caraveo, Dmitry Stogov </td></tr> <tr><td
class="e">Sockets </td><td class="v">Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene </td></tr> <tr><td
class="e">SPL </td><td class="v">Marcus Boerger </td></tr> <tr><td
class="e">SQLite 3.x driver for PDO </td><td class="v">Wez Furlong
</td></tr> <tr><td class="e">SQLite </td><td class="v">Wez Furlong,
Tal Peer, Marcus Boerger, Ilia Alshanetsky </td></tr> <tr><td class="e">Sybase-CT </td><td class="v">Zeev Suraski, Tom May, Timm
Friebe </td></tr> <tr><td class="e">Sybase-DB </td><td
class="v">Zeev Suraski </td></tr> <tr><td class="e">System V Message
based IPC </td><td class="v">Wez Furlong </td></tr> <tr><td
class="e">System V Semaphores </td><td class="v">Tom May </td></tr><tr><td class="e">System V Shared Memory </td><td
class="v">Christian Cartus </td></tr> <tr><td class="e">tidy
</td><td class="v">John Coggeshall, Ilia Alshanetsky </td></tr>
<tr><td class="e">tokenizer </td><td class="v">Andrei Zmievski,
Johannes Schlueter </td></tr> <tr><td class="e">WDDX </td><td class="v">Andrei Zmievski </td></tr> <tr><td class="e">XMLReader
</td><td class="v">Rob Richards </td></tr> <tr><td class="e">xmlrpc
</td><td class="v">Dan Libby </td></tr> <tr><td class="e">XML
</td><td class="v">Stig Bakken, Thies C. Arntzen, Sterling Hughes
</td></tr> <tr><td class="e">XMLWriter </td><td class="v">Rob Richards, Pierre-Alain Joye </td></tr> <tr><td class="e">XSL
</td><td class="v">Christian Stocker, Rob Richards </td></tr>
<tr><td class="e">Zip </td><td class="v">Pierre-Alain Joye
</td></tr> <tr><td class="e">Zlib </td><td class="v">Rasmus Lerdorf,
Stefan Roehrich, Zeev Suraski, Jade Nicoletti </td></tr></table><br /> <table border="0" cellpadding="3" width="600"> <tr
class="h"><th colspan="2">PHP Documentation</th></tr> <tr><td
class="e">Authors </td><td class="v">Mehdi Achour, Friedhelm Betz,
Antony Dovgal, Nuno Lopes, Hannes Magnusson, Georg Richter, Damien
Seguy, Jakub Vrana </td></tr> <tr><td class="e">Editor </td><td class="v">Philip Olson </td></tr> <tr><td class="e">User Note
Maintainers </td><td class="v">Friedhelm Betz, Etienne Kneuss, Nuno Lopes, Hannes Magnusson, Felipe Pena, Maciek Sokolewicz </td></tr>
<tr><td class="e">Other Contributors </td><td class="v">Previously
active authors, editors and other contributors are listed in the manual. </td></tr> </table><br /> <table border="0" cellpadding="3"
width="600"> <tr class="h"><th>PHP Quality Assurance Team</th></tr><tr><td class="e">Ilia Alshanetsky, Joerg Behrens, Antony Dovgal,
Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn,
Derick Rethans, Melvyn Sopacua, Jani Taskinen </td></tr></table><br /> <table border="0" cellpadding="3" width="600"> <tr
class="h"><th>PHP Website Team</th></tr> <tr><td class="e">Rasmus Lerdorf, Hannes Magnusson, Philip Olson </td></tr> </table><br />
</div></body></html> -CR-
Host Scan Time
CVEID: -
Threat:
Page 33 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 82045 CVSS Base:
Category: TCP/IP Port: 0
QID: 82046 CVSS Base:
Category: TCP/IP Port: 0
The Host Scan Time is the period of time it takes the scanning engine to perform the
vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it
takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's
Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
Impact:N/A
Solution:N/A
Results:Scan duration: 512 seconds Start time: Fri, Feb 10 2012, 22:50:37
GMT End time: Fri, Feb 10 2012, 22:59:09 GMT
Degree of Randomness of TCP Initial Sequence Numbers
CVEID: -
Threat:TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent
ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host.
Impact:N/A
Solution:N/A
Results:Average change between subsequent TCP initial sequence numbers is
1057730495 with a standard deviation of 609671435. These TCP initial
sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(9995 microseconds). The degree of
difficulty to exploit the TCP initial sequence number generation scheme is: hard.
IP ID Values Randomness
CVEID: -
Threat:The values for the identification (ID) field in IP headers in IP packets from the host are
analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are
displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was
conducted.Please note that for reliability reasons only the network traffic from open TCP ports is
analyzed.
Impact:N/A
Page 34 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 12230 CVSS Base:
Category: CGI Port: 80
QID: 6 CVSS Base: 0
Category: Information gathering Port: 0
QID: 45004 CVSS Base:
Category: Information gathering Port: 0
Solution:N/A
Results:IP ID changes observed (network order) for port 80: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 3 3 3 3 Duration: 309 milli seconds
Default Web Page
CVEID: -
Threat:The Result section displays the default Web page for the Web server.
Impact:N/A
Solution:N/A
Results:Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /><meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo
DNS Host Name
CVEID: -
Threat:The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:
Results:#table IP_address Host_name 212.217.22.95 scanesi.esi.ac.ma
Target Network Information
CVEID: -
Threat:
Page 35 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 45006 CVSS Base:
Category: Information gathering Port: 0
QID: 45039 CVSS Base:
Category: Information gathering Port: 0
QID: 45033 CVSS Base:
Category: Information gathering Port: 80
This information was gathered using WHOIS service for the target network. Note that this is
not all the information that WHOIS service provides.
Impact:This information can be used by malicious users to gather more information about the
network infrastructure that may help in launching attacks against it.
Solution:
Results:The network handle is: AFRINIC-NET-TRANSFERRED-20050223 Network description: This network has been transferred to AFRINIC
Traceroute
CVEID: -
Threat:Traceroute describes the path in realtime from the scanner to the remote host being contacted. It reports the IP addresses of all the routers in between.
Impact:
Solution:
Results:#table cols="4" Hops IP Round_Trip_Time Probe 1 64.39.111.2 0.44ms
ICMP 2 64.14.1.121 1.21ms ICMP 3 216.33.4.61 0.61ms ICMP 4 204.70.200.205 0.58ms ICMP 5 204.70.200.230 3.09ms ICMP 6
204.70.192.46 44.33ms ICMP 7 204.70.196.30 42.87ms ICMP 8 204.70.204.145 43.21ms ICMP 9 208.175.175.110 96.69ms ICMP 10 94.142.126.130 82.59ms ICMP 11 84.16.12.29 164.72ms ICMP 12
213.140.43.150 155.79ms ICMP 13 213.140.36.133 181.13ms ICMP 14 81.192.222.9 200.73ms ICMP 15 212.217.3.54 202.93ms ICMP 16
81.192.222.9 204.83ms ICMP 17 212.217.7.94 210.14ms ICMP 18 212.217.22.95 207.98ms TCP
Host Names Found
CVEID: -
Threat:The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.
Impact:N/A
Solution:N/A
Results:#table cols="2" Host_Name Source scanesi.esi.ac.ma FQDN
HTTP method TRACE and/or TRACK Enabled
CVEID: -
Threat:
Page 36 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 86565 CVSS Base:
Category: Web server Port: 80
The target Web server supports the TRACE and/or TRACK HTTP methods. These methods
allow debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back
the information sent to it by the client unmodified and unfiltered. Microsoft IIS Web server uses an alias TRACK for the TRACE method, and is functionally the same.
The exact method(s) used are shown in the Results section.
Impact:N/A
Solution:N/A
Results:TRACE method enabled on / directory
Web Server Supports HTTP Request Pipelining
CVEID: -
Threat:Version 1.1 of the HTTP protocol supports URL-Request Pipelining. This means that instead
of using the "Keep-Alive" method to keep the TCP connection alive over multiple requests, the protocol allows multiple HTTP URL requests to be made in the same TCP packet. Any
Web server which is HTTP 1.1 compliant should then process all the URLs requested in the single TCP packet and respond as usual.
The target Web server was found to support this functionality of the HTTP 1.1 protocol.
Impact:Support for URL-Request Pipelining has interesting consequences. For example, as
explained in this paper by Daniel Roelker, it can be used for evading detection by Intrusion Detection Systems. Also, it can be used in HTTP Response-Spliting style attacks.
Solution:N/A
Results:GET / HTTP/1.1 Host:212.217.22.95:80 GET /Q_Evasive/ HTTP/1.1Host:212.217.22.95:80 HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:53:40 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'><head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m_E9diath_E8que' /> <meta name='keywords' content='logiciel, gestion, biblioth_E8que, m_E9diath_E8que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='no-cache' /> <meta http-equiv='Cache-Control' content='no-cache' /> <meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colonnes.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/dtree.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/layout.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/rub_colours.css ' title='lefttoright' /> <link rel="SHORTCUT ICON" href="images/favicon.ico"> </head> <body class='index'> <div id='navbar'> <h3> </h3> <ul> <li id='navbar-index' class='current'><a title='Gestion' class='current' href='./' accesskey='8'>Gestion</a> </li> <li id='navbar-opac'> <a title='Ouvrir le catalogue public dans une nouvelle fen_C3_AAtre' href='./opac_css/' accesskey='7'>OPAC</a> </li> </ul> </div> <div id='extra'>Base de donn_C3_A9es : bibli / 10807 notice(s) </div><div id='noconteneur'> <div id='nomenu'> </div> <div id='nocontenu'><div id='login-box'> <h1>Identification</h1> <form class='form-
Page 37 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
QID: 45005 CVSS Base:
Category: Information gathering Port: 0
QID: 86672 CVSS Base:
Category: Web server Port: 80
index' id='login' method='post' action='./main.php'> <div class='form-contenu'><div class='row'> <label class='etiquette' for='user'>Utilisateur :</label> </div> <div class='row'> <input class='saisie-20em' type='text' name='user' id='user' value='' size='15'/> </div> <div class='row'> <label class='etiquette' for='password'>Mot de passe :</label> </div> <div class='row'><input class='saisie-20em' type='password' name='password' id='password' value='' size='15'/> </div> <input type='hidden' name='database' value='bibli'> </div> <!-- Bouton d'envoi --> <div class='row'> <input type='submit' class='bouton' value='Connexion' /> </div> </form> <div class='row'> </div></div><script type='text/javascript'>document.forms['login'].elements['user'].focus();</script> </div> <div id='footer'> <hr /> <a title='PMB : http://www.sigb.net/' href='http://www.sigb.net/'>PMB</a> (</b>3.4.12</b> - v4.96) © 2002~8 <a title='PMB Group : http://www.sigb.net/' href='http://www.sigb.net/'>PMB Group</a> </div> </div> </body></html> HTTP/1.1 404 Not Found Date: Fri, 10 Feb 2012 22:53:40 GMTServer: Apache/2.2.13 (Win32) PHP/5.2.10 Vary: accept-language,accept-charset Accept-Ranges: bytes Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 Content-Language: en 1e <?xml version="1.0" encoding=" a ISO-8859-1 a8 "?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=" e en" xml:lang=" 15 en"><head> <title> 39 Object not found!</title> <link rev="made" href="mailto: 112 admin@localhost" /> <style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;}span {font-size: smaller;} /*]]>*/--></style> </head>
Internet Service Provider
CVEID: -
Threat:This information was gathered using the WHOIS service for the network and is believed to be the ISP of the target network.
Impact:This information can be used by malicious users to gather more information about the network infrastructure that may aid in launching further attacks against it.
Solution:
Results:The ISP network handle is: TDATANET ISP Network description:Telefonica International Wholesale Network
List of Web Directories
CVEID: -
Threat:Based largely on the HTTP reply code, the following directories are most likely present on
the host.
Impact:
Solution:
Results:
Page 38 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...
#table cols="2" Directory Source /cgi-bin/ brute_force /doc/ brute_force /images/ brute_force /admin/ brute_force /catalog/ brute_force /error/ brute_force /doc/ web_page /catalog/ web_page /images__easyphp/ web_page /home/ web_page /admin/ web_page /icons/ web_page /styles/ web_page /styles/light/ web_page /images/ web_page /home/images__easyphp/ web_page /home/fr/ web_page /home/en/ web_page /home/es/ web_page /home/it/ web_page /home/nw/ web_page /home/pt/ web_page /home/pt__br/ web_page
Page 39 sur 39Qualys Freescan
10/02/2012https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig...