Report
Acunetix Security Audit
19 March 2020
Generated by Acunetix
Selected vulnerabilities
Scan details
Scan information
Start url acunetix.cloud.eramba.org
Host http://acunetix.cloud.eramba.org/
Threat level
Alerts distribution
Classification
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
Affected items Variation
443/tcp 2
Classification
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE: CWE-16
Affected items Variation
Web Server 2
Classification
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE: CWE-16
Affected items Variation
/.git/config 1
/.git/FETCH_HEAD 1
/.gitattributes 1
/.gitignore 1
/app/Plugin/CakePdf/Test/test_app/Plugin/MyPlugin/View/Layouts/pdf/default.ctp 1
/app/upgrade/plugins/PhinxBake/src/Template/Bake/Seed/seed.ctp 1
/build.properties 1
/CHANGE.log 1
/CONTRIBUTORS 1
/lib/Cake/Console/Templates/skel/Test/Case/Controller/Component/empty 1
/lib/Cake/Console/Templates/skel/View/Layouts/Emails/html/default.ctp 1
/lib/Cake/Test/test_app/Plugin/TestPlugin/View/Layouts/Emails/text/plug_default.ctp 1
/lib/Cake/Test/test_app/View/Themed/TestTheme/Plugin/TestPlugin/Emails/text/test_plugin_tpl.ctp 1
/plugins/empty 1
/vendors/empty 1
/VERSION 1
Alerts details
Severity Informational
Reported by module Network Scan
Description
The configured 'cgi_path' within the 'Scanner Preferences' of the scan config in use
The configured 'Enable CGI scanning', 'Enable generic web application scanning' and 'Add historic /scripts and /cgi-bin to directories for CGI scanning' within the 'Global variable settings' of the scan config in use
If you think any of this information is wrong please report it to the referenced community portal.
Impact
None
Recommendation
References
https://community.greenbone.net/c/vulnerability-tests
Affected items
443/tcp
Details
Generic web application scanning is disabled for this host via the "Enable generic web application scanning" option within the "Global variable settings" of the scan config in use.
The User-Agent "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)" was used to access the remote host.
Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the "Add historic /scripts and /cgi-bin to directories for CGI scanning" option within the "Global variable settings" of the scan config in use.
https://ec2-35-157-27-21.eu-central-1.compute.amazonaws.com/
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
Request headers
443/tcp
Details
The Hostname/IP "ec2-52-29-79-93.eu-central-1.compute.amazonaws.com" was used to access the remote host.
Generic web application scanning is disabled for this host via the "Enable generic web application scanning" option within the "Global variable settings" of the scan config in use.
The User-Agent "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)" was used to access the remote host.
Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the "Add historic /scripts and /cgi-bin to directories for CGI scanning" option within the "Global variable settings" of the scan config in use.
https://ec2-52-29-79-93.eu-central-1.compute.amazonaws.com/
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
Request headers
Severity Informational
Reported by module /httpdata/CSP_not_implemented.js
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP header could look like the following:
Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com;
It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.
Impact
CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others.
Recommendation
It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.
References
Affected items
Web Server
Details
Request headers
GET / HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D;Eramba=75an30kksah6t8lnm59ojnp0s7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
Web Server
Details
Request headers
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
Severity Informational
Reported by module /RPA/Content_Type_Missing.js
Description
This page does not set a Content-Type header value. This value informs the browser what kind of data to expect. If this header is missing, the browser may incorrectly handle the data. This could lead to security problems.
Impact
None
Recommendation
Affected items
/app/Plugin/CakePdf/Test/test_app/Plugin/MyPlugin/View/Layouts/pdf/default.ctp
Verified vulnerability
Details
Request headers
GET /app/Plugin/CakePdf/Test/test_app/Plugin/MyPlugin/View/Layouts/pdf/default.ctp HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/app/upgrade/plugins/PhinxBake/src/Template/Bake/Seed/seed.ctp
Verified vulnerability
Details
Request headers
GET /app/upgrade/plugins/PhinxBake/src/Template/Bake/Seed/seed.ctp HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/build.properties
Verified vulnerability
Details
Request headers
GET /build.properties HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/CHANGE.log
Verified vulnerability
Details
Request headers
GET /CHANGE.log HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/CONTRIBUTORS
Verified vulnerability
Details
Request headers
GET /CONTRIBUTORS HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/.gitattributes
Verified vulnerability
Details
Request headers
GET /.gitattributes HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/.git/config
Verified vulnerability
Details
Request headers
GET /.git/config HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/.git/FETCH_HEAD
Verified vulnerability
Details
Request headers
GET /.git/FETCH_HEAD HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/.gitignore
Verified vulnerability
Details
Request headers
GET /.gitignore HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/lib/Cake/Console/Templates/skel/Test/Case/Controller/Component/empty
Verified vulnerability
Details
Request headers
GET /lib/Cake/Console/Templates/skel/Test/Case/Controller/Component/empty HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/lib/Cake/Console/Templates/skel/View/Layouts/Emails/html/default.ctp
Verified vulnerability
Details
Request headers
GET /lib/Cake/Console/Templates/skel/View/Layouts/Emails/html/default.ctp HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/lib/Cake/Test/test_app/Plugin/TestPlugin/View/Layouts/Emails/text/plug_default.ctp
Verified vulnerability
Details
Request headers
GET /lib/Cake/Test/test_app/Plugin/TestPlugin/View/Layouts/Emails/text/plug_default.ctp HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/lib/Cake/Test/test_app/View/Themed/TestTheme/Plugin/TestPlugin/Emails/text/test_plugin_tpl.ctp
Verified vulnerability
Details
Request headers
GET /lib/Cake/Test/test_app/View/Themed/TestTheme/Plugin/TestPlugin/Emails/text/test_plugin_tpl.ctp HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/plugins/empty
Verified vulnerability
Details
Request headers
GET /plugins/empty HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/vendors/empty
Verified vulnerability
Details
Request headers
GET /vendors/empty HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
/VERSION
Verified vulnerability
Details
Request headers
GET /VERSION HTTP/1.1
Referer: http://acunetix.cloud.eramba.org/
Cookie: Eramba=6098m4fjqkvk8ddb82ssvkt1ls;ErambaCookie[Config]=Q2FrZQ%3D%3D.VFkUD3Byour1NiCqhGyfgdaN6WY%3D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: acunetix.cloud.eramba.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
Scanned items (coverage report)
35.157.27.21:443/tcp
52.29.79.93:443/tcp
http://acunetix.cloud.eramba.org/
http://acunetix.cloud.eramba.org/app/Plugin/CakePdf/Test/test_app/Plugin/MyPlugin/View/Layouts/pdf/default.ctp
http://acunetix.cloud.eramba.org/app/upgrade/plugins/PhinxBake/src/Template/Bake/Seed/seed.ctp
http://acunetix.cloud.eramba.org/build.properties
http://acunetix.cloud.eramba.org/CHANGE.log
http://acunetix.cloud.eramba.org/CONTRIBUTORS
http://acunetix.cloud.eramba.org/.gitattributes
http://acunetix.cloud.eramba.org/.git/config
http://acunetix.cloud.eramba.org/.git/FETCH_HEAD
http://acunetix.cloud.eramba.org/.gitignore
http://acunetix.cloud.eramba.org/lib/Cake/Console/Templates/skel/Test/Case/Controller/Component/empty
http://acunetix.cloud.eramba.org/lib/Cake/Console/Templates/skel/View/Layouts/Emails/html/default.ctp
http://acunetix.cloud.eramba.org/lib/Cake/Test/test_app/Plugin/TestPlugin/View/Layouts/Emails/text/plug_default.ctp
http://acunetix.cloud.eramba.org/lib/Cake/Test/test_app/View/Themed/TestTheme/Plugin/TestPlugin/Emails/text/test_plugin_tpl.ctp
http://acunetix.cloud.eramba.org/plugins/empty
http://acunetix.cloud.eramba.org/vendors/empty
http://acunetix.cloud.eramba.org/VERSION
https://acunetix.cloud.eramba.org/