Confidential Information
The following report contains confidential information. Do not distribute, email, fax or transfer via any electronic mechanism unless it has
been approved by your organization's security policy. All copies and backups of this document should be maintained on protected
storage at all times. Do not share any of the information contained within this report with anyone unless you confirm they are authorized
to view the information.
Disclaimer
This, or any other, vulnerability audit cannot and does not guarantee security. McAfee makes no warranty or claim of any kind,
whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that McAfee shall
be held harmless in any event. McAfee makes this information available solely under its Terms of Service Agreement published at www.mcafeesecure.com.
Disclosure
As a systems and networks security company, McAfee produces and sells a range of products separately from services provided as an
Approved Scanning Vendor. McAfee security products include but may not be limited to the following categories: application or network
firewalls, intrusion detection/prevention, database or other encryption solutions, security audit log solutions, anti-virus solutions
Table Of Contents
Section
1 Executive Summary
3.1.1 Overview
3.1.4 Vulnerabilities
3.1.5 Resolved
McAfee has determined that 'Barretts Toy Chest' is NOT COMPLIANT with the PCI scan validation requirement.
This report was generated by PCI Approved scanning vendor, McAfee, under certificate number 3709-01-04 in the framework of the PCI
data security initiative.
As a Qualified Independent Scan Vendor McAfee is accredited by Visa, MasterCard, American Express, Discover Card and JCB to
perform network security audits conforming to the Payment Card Industry (PCI) Data Security Standards.
To earn validation of PCI compliance, network devices being audited must pass tests that probe all of the known methods hackers use to
access private information, in addition to vulnerabilities that would allow malicious software (i.e. viruses and worms) to gain access to or
disrupt the network devices being tested.
NOTE: In order to demonstrate compliance with the PCI Data Security Standard a vulnerability scan must have been completed within the
past 90 days with no vulnerabilities listed as URGENT, CRITICAL or HIGH (numerical severity ranking of 3 or higher) present on any
device within this report. Additionally, Visa and MasterCard regulations require that you configure your scanning to include all IP
addresses, domain names, DNS servers, load balancers, firewalls or external routers used by, or assigned to, your company, and that you
configure any IDS/IPS to not block access from the originating IP addresses of our scan servers.
Sites are tested and certified daily to meet all U.S. Government requirements for remote vulnerability testing as set forth by the National
Infrastructure Protection Center (NIPC). They are also certified to meet the security scanning requirements of Visa USA's Cardholder
Information Security Program (CISP), Visa International's Account Information Security (AIS) program, MasterCard International's Site
Data Protection (SDP) program, American Express' CID security program, the Discover Card Information Security and Compliance (DISC)
program within the framework of the Payment Card Industry (PCI) Data Security Standard.
Scan Date
26-JUL-2010 15:51 48 6 20 0 2
All level 3, 4, and 5 vulnerabilities identified for this device must be addressed with mitigation or remediation in order to satisfy PCI
requirements.
Review all findings for this device, then for each vulnerability with level 3, 4, or 5, implement the solution described or an equivalent
solution. Regenerate and submit the report based on scan results taken after remediation is completed.
If mitigations are employed according to the compensating controls mechanism of PCI, you must provide details of compensating controls
for each level 3, 4, or 5 vulnerability that appears in this report.
Description
A directory listing was found which may be used to enumerate all the files in a directory.
CVSS Score
CVSS Fingerprint
AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution
Methods to disable directory listings vary with webserver software, however it is usually sufficient to include a blank file in the directory and
name it index.html or whatever your webserver is configured to use for default pages.
If you're using Apache, another route is to include a .htaccess file in the directory with the following line:
Options -Indexes
Modifying IIS directory listing options is more complicated. Please refer to the link below for instructions on IIS 7.
However, in either case and with most other webservers, simply including a blank index.html in the directory is sufficient.
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /img-sys/
Host=www.barrettstoychest.com
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Links
References
CVE CVE-1999-0569
Description
A directory listing was found which may be used to enumerate all the files in a directory.
CVSS Score
10.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution
Methods to disable directory listings vary with webserver software, however it is usually sufficient to include a blank file in the directory and
name it index.html or whatever your webserver is configured to use for default pages.
If you're using Apache, another route is to include a .htaccess file in the directory with the following line:
Options -Indexes
Modifying IIS directory listing options is more complicated. Please refer to the link below for instructions on IIS 7.
Confidential - McAfee Security Audit Report Page 5
However, in either case and with most other webservers, simply including a blank index.html in the directory is sufficient.
Details
Path /img-sys/
Host=www.barrettstoychest.com
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Links
References
CVE CVE-1999-0569
Description
The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid
values for the 'Transfer-Encoding' HTTP header as sent by a client.
CVSS Score
6.4
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:P
Solution
Details
Synopsis :
Description :
See also :
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28
Solution :
Risk factor :
Plugin output :
ScanAlert was able to verify this issue using the following request :
GET / HTTP/1.1
Host: s117.n242.n6.n64.static.myhostcenter.com
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Pragma: no-cache
Accept-Language: en
Connection: Close
CVE : CVE-2010-2227
BID : 41544
Other references : Secunia:39574
Links
tomcat.apache.org
tomcat.apache.org
References
CVE CVE-2010-2227
BugTraq 41544
Secunia 39574
Apache Tomcat 4.x < 4.1.32 Multiple Vulnerabilities 8080/tcp Web Server
Description
According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.32 and, as
such, may be affected by multiple vulnerabilities.
- The remote Apache Tomcat install is vulnerable to a denial of service attack. If directory listing is enabled, function calls to retrieve the
contents of large directories can degrade performance. (CVE-2005-3510)
- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP examples are enabled. Several of these
JSP examples do not properly validate user input. (CVE-2005-4838)
- The remote Apache Tomcat install allows remote users to list the contents of a directory by placing a semicolon before a filename with a
mapped extension. (CVE-2006-3835)
- If enabled, the JSP calendar example application is vulnerable to a cross-site scripting attack because user input is not properly
validated. (CVE-2006-7196)
- The remote Apache Tomcat install, in its default configuration, permits the use of insecure ciphers when using SSL. (CVE-2007-1858)
- The remote Apache Tomcat install may be vulnerable to an information disclosure attack by allowing requests from a non-permitted IP
address to gain access to a context which is protected with a valve that extends RequestFilterValve. (CVE-2008-3271)
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Details
Synopsis :
Description :
Note that ScanAlert did not actually test for the flaws but instead has relied upon the version in Tomcat's banner or error page so this may be a false positive.
See also :
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.32
https://issues.apache.org/bugzilla/show_bug.cgi?id=25835
Solution :
Risk factor :
Plugin output :
issues.apache.org
tomcat.apache.org
References
CVE CVE-2005-3510
CVE CVE-2005-4838
CVE CVE-2006-3835
CVE CVE-2006-7196
CVE CVE-2007-1858
CVE CVE-2008-3271
BugTraq 15325
BugTraq 19106
BugTraq 25531
BugTraq 28482
BugTraq 31698
Secunia 13737
Secunia 17416
Secunia 32213
Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities 8080/tcp Web Server
Description
According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.37 and, as
such, may be affected by multiple vulnerabilities.
- The remote Apache Tomcat install may be vulnerable to an information disclosure attack if the deprecated AJP connector processes a
client request having a non-zero Content-Length and the client disconnects before sending the request body. (CVE-2005-3164)
- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP and Servlet examples are enabled.
Several of these examples do not properly validate user input. (CVE-2007-1355, CVE-2007-2449)
- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the Manager web application is enabled as it fails
to escape input data. (CVE-2007-2450)
- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. Apache Tomcat treats the single
quote character in a cookie as a delimiter which can lead to information, such as session ID, to be disclosed. (CVE-2007-3382)
- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the SendMailServlet is enabled. The
SendMailServlet is a part of the examples web application and, when reporting error messages, fails to escape user provided data. (CVE-2007-3383)
- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. The previous fix for CVE-2007-3385
was incomplete and did not account for the use of quotes or '%5C' in cookie values. (CVE-2007-3385, CVE-2007-5333)
- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via the WebDAV servlet. Certain WebDAV
requests, containing an entity with a SYSTEM tag, can result in the disclosure of arbitrary file contents. (CVE-2007-5461)
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Details
Synopsis :
Description :
Note that ScanAlert did not actually test for the flaws but instead has relied upon the version in Tomcat's banner or error page so this may be a false positive.
See also :
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.37
http://www.securityfocus.com/archive/1/archive/1/469067/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471351/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471357/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476442/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/474413/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476444/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/487822/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded
Solution :
Risk factor :
Plugin output :
Links
tomcat.apache.org
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
www.securityfocus.com
References
CVE CVE-2005-3164
CVE CVE-2007-1355
CVE CVE-2007-2449
CVE CVE-2007-2450
CVE CVE-2007-3382
CVE CVE-2007-3383
CVE CVE-2007-3385
CVE CVE-2007-5333
CVE CVE-2007-5461
BugTraq 15003
BugTraq 24058
BugTraq 24475
BugTraq 24476
BugTraq 24999
BugTraq 25316
BugTraq 26070
BugTraq 27706
Secunia 25678
Secunia 26466
Secunia 27398
Secunia 28878
Apache Tomcat 4.x < 4.1.39 Multiple Vulnerabilities 8080/tcp Web Server
Description
According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.39 and, as
such, may be affected by one or more of the following vulnerabilities :
- If the remote Apache Tomcat install is configured to use the SingleSignOn Valve, the JSESSIONIDSSO cookie does not have the
'secure' attribute set if authentication takes place over HTTPS. This allows the JSESSIONIDSSO cookie to be sent to the same server
when HTTP content is requested. (CVE-2008-0128)
- The remote Apache Tomcat install is vulnerable to a cross-site scripting attack. Improper input validation allows a remote attacker to
inject arbitrary script code or HTML into the message argument used by the HttpServletResponse.sendError method. (CVE-2008-1232)
- If the remote Apache Tomcat install contains pages using the RequestDispatcher object, a directory traversal attack may be possible.
This allows an attacker to select one or more of the input parameters and provide specific values leading to access of potentially sensitive
files. (CVE-2008-2370)
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Details
Description :
Note that ScanAlert did not actually test for the flaws but instead has relied upon the version in Tomcat's banner or error page so this may be a false positive.
See also :
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.39
Solution :
Risk factor :
Plugin output :
Links
tomcat.apache.org
References
CVE CVE-2008-0128
CVE CVE-2008-1232
CVE CVE-2008-2370
BugTraq 27365
BugTraq 30494
BugTraq 30496
Secunia 28552
Secunia 31379
Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities 8080/tcp Other
Description
According to its self-reported version number, the Apache Tomcat instance listening on the remote host is earlier than Tomcat 4.1.40 / 5.5.28 /
6.0.20 and, as such, may be affected by one or more of the following vulnerabilities :
- The remote service may be vulnerable to a directory traversal attack if a RequestDispatcher obtained from a Request object is used. A
specially crafted value for a request parameter can be used to access potentially sensitive configuration files or other files, e.g., files in the
WEB-INF directory. (CVE-2008-5515)
- The remote service may be vulnerable to a denial of service attack if configured to use the Java AJP connector. An attacker can send a
malicious request with invalid headers which causes the AJP connector to be put into an error state for a short time. This behavior can be
used as a denial of service attack. (CVE-2009-0033)
- The remote service may be vulnerable to a username enumeration attack if configured to use FORM authentication along with the
'MemoryRealm', 'DataSourceRealm', or 'JDBCRealm' authentication realms. (CVE-2009-0580)
- The remote service may be affected by a script injection vulnerability if the example JSP application, 'cal2.jsp', is installed. An
unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be
executed within the security context of the affected site. (CVE-2009-0781)
- The remote service may be vulnerable to unauthorized modification of 'web.xml', 'context.xml', or TLD files of arbitrary web applications.
This vulnerability could allow the XML parser, used to process the XML and TLD files, to be replaced. (CVE-2009-0783)
- The Windows installer uses a blank default password for the administrative user. (CVE-2009-3548)
- When autoDeploy is enabled, the server deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass
intended authentication requirements via HTTP requests. (CVE-2009-2901)
- A directory traversal vulnerability allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as
demonstrated by a ../../bin/catalina.bat entry. (CVE-2009-2693)
- A directory traversal vulnerability allows remote attackers to delete work-directory files via directory traversal sequences in a WAR
filename, as demonstrated by the ...war filename. (CVE-2009-2902)
- The server's hostname or IP address can be discovered by sending a request for a resource that requires (1) BASIC or (2) DIGEST
authentication, and then reading the realm field in the WWW-Authenticate header in the reply. (CVE-2010-1157)
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:P/I:N/A:N
Solution
Details
Synopsis :
Description :
Note that ScanAlert did not actually test for these flaws but instead has relied upon the version in Tomcat's banner or error page so this may be a false positive.
See also :
http://www.securityfocus.com/archive/1/504125
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.40
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.28
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.20
Solution :
Risk factor :
Links
www.securityfocus.com
tomcat.apache.org
tomcat.apache.org
tomcat.apache.org
References
CVE CVE-2008-5515
CVE CVE-2009-0033
CVE CVE-2009-0580
CVE CVE-2009-0781
CVE CVE-2009-0783
CVE CVE-2009-2693
CVE CVE-2009-2901
CVE CVE-2009-2902
CVE CVE-2009-3548
CVE CVE-2010-1157
BugTraq 35193
BugTraq 35196
BugTraq 35263
BugTraq 35416
Secunia 35326
Secunia 35344
Apache Tomcat Default Error Page Version Detection 8080/tcp Web Server
Description
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet
Specification for more information.
Details
Synopsis :
The remote web server reports its version number on error pages.
Description :
See also :
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
http://jcp.org/en/jsr/detail?id=315
Solution :
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet Specification for more information.
Risk factor :
None
Plugin output :
4.1.29
Links
wiki.apache.org
jcp.org
References
CVE CVE-2002-2007
Description
According to its self-reported version number, the remote host is running a vulnerable version of Apache Tomcat. Due to a bug in a
RequestDispatcher API, target paths are normalized before the query string is removed, which could result in directory traversal attacks.
This could allow a remote attacker to view files outside of the web application's root.
CVSS Score
5.0
CVSS Fingerprint
Solution
Upgrade to versions 6.0.20 / 5.5.SVN / 4.1.SVN or later, or apply the patches referenced in the vendor advisory.
Details
None
Links
marc.info
tomcat.apache.org
tomcat.apache.org
tomcat.apache.org
www.fujitsu.com
References
CVE CVE-2008-5515
BugTraq 35263
Secunia 35326
Open Source Vulnerability Database 55053
Description
The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user's personal
information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and
passwords by sniffing network traffic. This applies to all web pages that transmit Card Holder Data or Personally Identifiable Information (PII)**. Examples:
- Users and/or Administrators login to the web site.
- Registration forms such as user signup pages.
- Updating User and/or Administrators profile pages.
- Updating User and/or Administrators shipping information pages.
- Forgot password reset page.
- Company "Contact Us" pages.
** These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for
general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data
protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's
practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs
are not stored, processed, or transmitted.
CVSS Score
6.4
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution
Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing sensitive information to the web
server, use HTTPS (SSLv3, TLS 1) instead of HTTP.
Details
Protocol http Port 8080 Read Timeout 10000 Method POST Demo
Path /servlet/psoft.masonry.Builder
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded
Body
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0
References
None
Description
The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is
vulnerable if it displays user-submitted content without sanitizing user input.
The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly
sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that
websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload
onto their computer via browser.
To identify what parts of your application are susceptible to cross-site scripting, click on "Detail" under the "Found On" section.
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:P/I:N/A:N
Solution
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the
client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &#39;
Remove " input and replace with &quot;
Remove ) input and replace with &#41;
Remove ( input and replace with &#40;
Details
Protocol http Port 8080 Read Timeout 10000 Method POST Demo
Path /servlet/psoft.masonry.Builder
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded
Body
action=useraction
useraction=login
requestURL=>"></title></iframe></script></form></td></tr><br><iFraMe src
login=0
password=0
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0
Protocol http Port 8080 Read Timeout 10000 Method POST Demo
Path /servlet/psoft.masonry.Builder
Body
action=useraction
useraction=login
requestURL=>"></title></iframe></script></form></td></tr><br><iFraMe src
Links
CWE-79
www.cert.org/tech_tips/malicious_code_FAQ.html
www.technicalinfo.net/papers/CSS.html
Apache: Cross Site Scripting Info
XSS Prevention Cheat Sheet
OWASP XSS Description and Solution
sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
OWASP XSS
The Cross Site Scripting FAQ
www.owasp.org/documentation/guide
Top sites vulnerable to hackers
The Cross-Site Scripting Vulnerability
References
CERT CA-2000-02
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Details
Synopsis :
Description :
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor :
Links
www.linux4beginners.info
www.schneier.com
www.schneier.com/paper-ssl.html
Disable SSLv2 In IIS
support.microsoft.com
Disable SSL v2 in IIS7
IE Blog
References
None
Description
According to its banner, the remote host is using a version of OpenSSL older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing
based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the
private RSA key of the server. An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of
it, as well as impersonate your server and perform man in the middle attacks.
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:P/I:N/A:N
Solution
Details
None
Links
www.openssl.org
lasecwww.epfl.ch
eprint.iacr.org
www.openssl.org
References
CVE CVE-2003-0078
CVE CVE-2003-0131
CVE CVE-2003-0147
BugTraq 6884
BugTraq 7148
Open Source Vulnerability Database 3945
Open Source Vulnerability Database 3946
Open Source Vulnerability Database 3947
Open Source Vulnerability Database 3948
Other SUSE-SA:2003:024
Other RHSA-2003:101-01
Description
The remote web server appears to be running with the Frontpage extensions.
Frontpage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the Frontpage extensions should not be available to anonymous users via the Internet (or any
other untrusted 3rd party network).
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
IMPORTANT: Be sure to remove FrontPage if you are not using it. Frontpage is often installed by default.
If there is a business need to run FrontPage on the web server, then remove all anonymous access to all FrontPage extensions (such as
_vti_bin) which may be mapped on your website as a virtual directory.
If default IIS files were found, remove them from the web server.
Delete all default virtual directories (icon w/ world on top of folder) and application roots (icon w/ green ball in box)
Delete iisadmin
Delete iissamples
Delete msadc.
Delete iishelp
Delete scripts
Delete printers
Delete ALL default content.
Delete %systemdirectory%\inetsrv\iisadmin
Delete %systemdirectory%\inetsrv\iisadmpwd
Delete inetpub\wwwroot (or \ftproot or \smtproot)
Delete inetpub\scripts
Delete inetpub\iissamples
Delete inetpub\adminscripts
Delete %systemroot%\help\iishelp\iis
Delete %systemroot%\web\printers
Delete %systemdrive%\program files\common files\system\msadc. Only websites that integrate with Microsoft Access databases need msadc.
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /_vti_bin/shtml.dll
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /postinfo.html
Links
References
CVE CVE-2000-0114
Open Source Vulnerability Database 67
Description
The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user's personal
information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and
passwords by sniffing network traffic. This applies to all web pages that transmit Card Holder Data or Personally Identifiable Information (PII)**. Examples:
- Users and/or Administrators login to the web site.
- Registration forms such as user signup pages.
- Updating User and/or Administrators profile pages.
- Updating User and/or Administrators shipping information pages.
- Forgot password reset page.
- Company "Contact Us" pages.
** These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for
general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data
protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's
practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs
are not stored, processed, or transmitted.
CVSS Score
6.4
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution
Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing sensitive information to the web
server, use HTTPS (SSLv3, TLS 1) instead of HTTP.
Details
Path /mailman/admin/mailman
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded
Body
adminpw=
admlogin=Let me in...
Path /mailman/admin/mailman
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded
Body
adminpw=p455w0rd
admlogin=Let me in...
Path /cgi-bin/cartconfig.cgi
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded
Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action
Path /cgi-bin/cartconfig.cgi
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded
Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=webappscanner@mcafeesecure.com
pw=p455w0rd
pass=Log in
displayinframes=action
Links
References
None
Description
According to its banner, the remote host is using a version of OpenSSL older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing
based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the
private RSA key of the server. An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of
it, as well as impersonate your server and perform man in the middle attacks.
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:P/I:N/A:N
Solution
Details
None
Links
www.openssl.org
lasecwww.epfl.ch
eprint.iacr.org
www.openssl.org
References
CVE CVE-2003-0078
CVE CVE-2003-0131
CVE CVE-2003-0147
BugTraq 6884
BugTraq 7148
Open Source Vulnerability Database 3945
Open Source Vulnerability Database 3946
Open Source Vulnerability Database 3947
Open Source Vulnerability Database 3948
Other SUSE-SA:2003:024
Other RHSA-2003:101-01
Description
Your web server appears to support the TRACE and/or TRACK methods. These are debug methods, enabled by default on many web
servers, that echo the received request, including all of its headers, back to the client.
Since many client-side technologies are capable of issuing specially crafted HTTP requests, it may be possible for an attacker to steal sensitive
information such as cookies and authentication data that the browser attaches to the request (Cross-Site Tracing).
To test whether your server supports the TRACE method, use a command line similar to the following to craft a request (Note: this example
shows the TRACE method enabled):
$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: localhost
X-Header: This server supports the TRACE Method.
HTTP/1.1 200 OK
Date: Sun, 12 Oct 2008 01:56:54 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http
45
TRACE / HTTP/1.1
Host: localhost
X-Header: This server supports the TRACE Method.
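The same check as the telnet session above, as an added Python example rather than McAfee tooling: build_trace_request() produces the request shown above with an assumed canary header (X-Probe), and trace_enabled() classifies a captured response the way the transcript does. A 200 with Content-Type message/http whose body reflects the request means TRACE is on; the 403 produced by the rewrite rule in the Solution (or a 405/501) means it is off. The two sample responses are constructed, not captured from the audited host, and probe() is the live variant, not exercised by the sample run.

```python
"""Detect whether an HTTP server echoes TRACE requests (Cross-Site Tracing check).

Added example for this report; not McAfee tooling. The classifier works on a
captured response; probe() performs the live check.
"""
import socket

MARKER = "X-Probe: trace-check"  # assumed canary header we expect echoed back


def build_trace_request(host: str) -> bytes:
    # Minimal HTTP/1.1 TRACE request carrying the canary header.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            f"Connection: close\r\n\r\n").encode()


def dechunk(body: bytes) -> bytes:
    # Decode HTTP/1.1 chunked transfer encoding (enough for a TRACE echo).
    out = bytearray()
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return bytes(out)
        out += body[:size]
        body = body[size + 2:]  # skip the chunk data and its trailing CRLF


def trace_enabled(response: bytes) -> bool:
    """True when the server honoured TRACE: status 200, Content-Type
    message/http, and our canary header reflected in the body. Any other
    status (403 from the rewrite rule, 405, 501) means TRACE is not usable."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != b"200":
        return False
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if not headers.get(b"content-type", b"").startswith(b"message/http"):
        return False
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    return MARKER.encode() in body


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Live check (not run by the sample): send TRACE and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses (not captured from the audited host).
_req = build_trace_request("localhost")
ECHOED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nTransfer-Encoding: chunked\r\n"
          b"Content-Type: message/http\r\n\r\n"
          + f"{len(_req):x}\r\n".encode() + _req + b"\r\n0\r\n\r\n")
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
             b"<html>Forbidden</html>")

if __name__ == "__main__":
    print("sample echoed  :", trace_enabled(ECHOED))     # True
    print("sample rejected:", trace_enabled(FORBIDDEN))  # False
```

Run probe("www.example.com") against a host you are authorised to test; the canary header is what distinguishes a genuine echo from a 200 served by a catch-all handler.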
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:P/I:N/A:N
Solution
Disable the TRACE and/or TRACK method from the Web server.
IIS:
Use the URLScan tool to deny HTTP TRACE requests. The default configurations of Urlscan 2.5 (both baseline and SRP) only permit GET
and HEAD methods.
For Apache web servers < 1.3.34/2.0.55, use mod_rewrite (the pattern below also rejects TRACK, which this finding names alongside TRACE):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
For Apache 1.3.34/2.0.55 and later, the TraceEnable directive is the supported way to do this: put "TraceEnable Off" in the main server
configuration (it is a server-config/virtual-host directive, not a per-directory one) and the rewrite rule is not needed.
NOTE: Shared server environments require these directives to be placed in each <VirtualHost> container.
Example:
<VirtualHost x.x.x.x>
ServerAdmin webmaster@foo.com
DocumentRoot /home/foo/public_html
ServerName foo.com
ServerAlias foo.com www.foo.com
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
<VirtualHost x.x.x.x>
ServerAdmin webmaster@foo2.com
DocumentRoot /home/foo2/public_html
ServerName foo2.com
ServerAlias foo2.com www.foo2.com
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
Restart Apache for configuration changes to take effect. To test your changes, use telnet to craft a request similar to the following (NOTE:
This example shows TRACE method disabled in the response):
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: localhost
X-Header: Server will return a 403 if TRACE Method is disabled.
You should see a 403 response in the header. If you have an ErrorDocument directive that points the 403 error at a full URL rather than a
local path, Apache redirects to it instead and you will see a 302 response.
Details
Path /erpoiuh2vi4r23E2f.html
TRACKTRACE=%3Chtml%3E%3Cbody%3EMcafeeSecure%2FTRACKTRACE+%3Cscript%3Ealert%28%27TRACK%2FTRACE%27%29%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E
Headers
Cookie=
Links
lwn.net/Articles/20975/
www.kb.cert.org/vuls/id/867593
Cross-site Tracing Whitepaper (PDF file)
www.kb.cert.org
archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Microsoft IIS 6.0
www.apacheweek.com
Microsoft UrlScan Security Tool
References
CVE CVE-2003-1567
CVE CVE-2004-2320
BugTraq 11604
BugTraq 33374
BugTraq 9506
BugTraq 9561
Open Source Vulnerability Database 3726
Open Source Vulnerability Database 50485
Open Source Vulnerability Database 5648
Open Source Vulnerability Database 877
Description
The remote web server appears to be running with the FrontPage Server Extensions.
FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any
other untrusted third-party network).
CVSS Score
5.0
CVSS Fingerprint
Solution
IMPORTANT: Be sure to remove FrontPage if you are not using it. FrontPage is often installed by default.
If there is a business need to run FrontPage on the web server, then remove all anonymous access to all FrontPage extension paths (such as
_vti_bin, which the Details below show answering at /_vti_bin/shtml.dll) that may be mapped on your website as virtual directories.
If default IIS files were found, remove them from the web server.
Delete all default virtual directories (icon w/ world on top of folder) and application roots (icon w/ green ball in box)
Delete iisadmin
Delete iissamples
Delete msadc.
Delete iishelp
Delete scripts
Delete printers
Delete ALL default content.
Delete %systemdirectory%\inetsrv\iisadmin
Delete %systemdirectory%\inetsrv\iisadmpwd
Delete inetpub\wwwroot (or \ftproot or \smtproot)
Delete inetpub\scripts
Delete inetpub\iissamples
Delete inetpub\adminscripts
Delete %systemroot%\help\iishelp\iis
Delete %systemroot%\web\printers
Delete %systemdrive%\program files\common files\system\msadc. Only websites that integrate with Microsoft Access databases need
msadc.
Details
Path /_vti_bin/shtml.dll
Path /postinfo.html
Links
References
CVE CVE-2000-0114
Open Source Vulnerability Database 67
Description
The remote Apache server can be used to guess the presence of a given user name on the remote host.
An information leak occurs, due to a configuration error, on Apache-based web servers whenever the UserDir module is enabled.
Requests to URLs containing a tilde followed by a username are mapped to a subdirectory of that user's home directory. Installations
with this default misconfiguration allow remote users to determine whether a given username exists on the remote system, because the
response differs depending on whether the account exists:
http://www.example.com/~foo
1. If user 'foo' exists, the HTTP result code will be 200, and foo's homepage will load in the browser.
2. If user 'foo' exists, but access is restricted, the HTTP result code will be 403, with the following message from Apache: "You don't have
permission to access /~foo on this server."
3. If there is no user 'foo', the HTTP result code will be 404.
Properly exploited, this information could be used to initiate specific attacks against a given system, such as password guessing against
accounts that are confirmed to exist.
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch
^/~(.*)$ http://my-target-webserver.somewhere.org/$1
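The enumeration logic behind this finding, and why the RedirectMatch remedy in item 2 removes it, as an added example that is not part of the original report: the two responder functions simulate the status codes an Apache server returns for /~user before and after the fix (they are stand-ins, not a web server), and enumerate_users() classifies candidate names the way a scanner would. SYSTEM_USERS and CANDIDATES are constructed.

```python
"""UserDir username oracle, and the effect of the RedirectMatch fix.

Added example for this report; the responders simulate Apache's observable
behaviour and are not code from the audited host.
"""
from typing import Callable, Dict, Iterable

# Constructed account list standing in for the target's password file:
# 'foo' has a readable public_html, 'bar' exists but its directory is restricted.
SYSTEM_USERS = {"foo": "public", "bar": "restricted"}


def default_userdir(path: str) -> int:
    """Status code Apache returns for /~user with UserDir enabled (the default)."""
    user = path[2:] if path.startswith("/~") else None
    if user is None or user not in SYSTEM_USERS:
        return 404
    return 200 if SYSTEM_USERS[user] == "public" else 403


def redirectmatch_fixed(path: str) -> int:
    """Status code after 'RedirectMatch ^/~(.*)$ http://target/$1': every /~anything
    request is redirected, whether or not the account exists, so nothing is leaked."""
    return 302 if path.startswith("/~") else 404


def enumerate_users(server: Callable[[str], int], candidates: Iterable[str]) -> Dict[str, str]:
    """Classify candidate names from status codes the way the scanner does."""
    verdicts = {}
    for name in candidates:
        code = server(f"/~{name}")
        if code == 200:
            verdicts[name] = "exists"
        elif code == 403:
            verdicts[name] = "exists (access restricted)"
        elif code == 404:
            verdicts[name] = "absent"
        else:
            verdicts[name] = "indeterminate"
    return verdicts


def oracle_present(server: Callable[[str], int], candidates: Iterable[str]) -> bool:
    """True when the server answers different candidates with different status
    codes, i.e. the response depends on whether the account exists."""
    return len({server(f"/~{n}") for n in candidates}) > 1


CANDIDATES = ["foo", "bar", "nosuchuser"]

if __name__ == "__main__":
    print("default UserDir :", enumerate_users(default_userdir, CANDIDATES))
    print("after RedirectMatch:", enumerate_users(redirectmatch_fixed, CANDIDATES))
```

Against a live host the same classification applies to the real status codes; oracle_present() is the quick re-test after applying either remedy, since a fix that still answers 404 for unknown names and 302 for known ones has not closed the leak.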
Or
Details
Links
www.securiteam.com/unixfocus/5WP0C1F5FI.html
References
CVE CVE-2001-1013
BugTraq 3335
Open Source Vulnerability Database 637
Description
The remote DNS server answers to queries for third party domains which do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts
have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they
would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the
attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, see the links.
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution
Restrict access to your DNS server to local users and child servers.
A Safer BIND Configuration
As a conclusion, it is interesting to note that while vulnerabilities in the BIND implementation can be blamed for the problems in the DNS
infrastructure, poor configuration also seems to be widespread. The following configuration [13] is to be taken as an example of a safer BIND
configuration. These settings allow BIND to continue to be used as a cache by the networks "1.2.3.0/24" and "1.2.4.0/24", while still being
able to respond authoritatively to queries regarding the domain "mydomain.com", while ignoring all others. Only relevant configuration
options are displayed.
options {
// to allow only specific hosts/networks to use the DNS server:
allow-query { trusted; };
// to allow only zone transfers to specific nameservers
allow-transfer { other_ns; };
};
// Host / network grouping that maps "friendly" nameservers (such as secondary nameservers)
acl other_ns {
1.2.3.4; // secondary 1
1.2.3.5; // secondary 2
127.0.0.1; // localhost
};
// Host / network grouping that maps networks that are able to do queries to other
// records besides the au
acl trusted {
127.0.0.1;
1.2.3.0/24; // trusted net 1
1.2.4.0/24; // trusted net 2
};
// authoritative zone
zone "mydomain.com" in {
type master;
allow-query { any; }; // allow queries to be made to this zone by anyone
};
// reverse zone for the 1.2.3.0/24 network
zone "3.2.1.in-addr.arpa" in {
type master;
allow-query { any; }; // allow queries to be made to this zone by anyone
};
Details
None
Links
DNS CLIENTS
DNS SERVERS
References
None
Description
It is possible to query the remote name server for third party names. If this is your internal nameserver, then ignore this warning. If you are
probing a remote nameserver, then it allows anyone to use it to resolve third party names (such as www.nessus.org). This allows attackers
to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used
to 'bounce' Denial of Service attacks against another network or system.
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:P/A:N
Solution
Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using BIND 8,
you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using BIND 9, you can define
a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state: 'allow-recursion {
hosts_defined_in_acl; };'. If you are using another name server, consult its documentation.
Details
None
Links
References
CVE CVE-1999-0024
BugTraq 136
BugTraq 678
Open Source Vulnerability Database 438
Description
Alternate SMTP ports are common due to the fact that an increasing number of ISP's and firewall configurations block outgoing mail /
SMTP connections on port 25 (the standard SMTP port), enroute to their web/email providers. These non-standard ports are open on
many web servers in order for legitimate senders to have the ability to relay through a mail server other than the one run by their ISP.
However, this can cause problems when you need to use an SMTP server other than the provider's (their servers may be unreliable or overly
restrictive), or if they block port 25 but do not provide SMTP service themselves.
CVSS Score
5.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:P/A:N
Solution
Verify whether the alternate SMTP port is part of your normal configuration. If this is the case, you will need to manually resolve this item. If
not, you will need to track down the process that is using this port and disable it. One way to identify processes and their corresponding
ports in Linux is to issue the 'netstat' command. For Red Hat, CentOS, and Fedora, the command line would be 'netstat -tulp' (run as root;
otherwise the PID/Program name column is blank for processes owned by other users). The output
would look similar to the following:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
Notice tcpserver(qmail) is using both port 25 and 26 in this example. The number next to 'tcpserver' is the process ID. If you see an smtp
process that is not supposed to be running, you can kill it by typing: 'kill PID'. Using the example above, you would type 'kill 17713'. After
that, you can run netstat once more to check for the presence of that process. If the kill command does not remove the process, run this
command: 'kill -9 PID'. This is the force command for 'kill'.
If the rogue process persists, seek the help of a qualified administrator. At this point, you should assume that the server may have been
compromised. A full security sweep is strongly recommended.
If there is proof of a compromise, contact ScanAlert immediately. We will assist you in the remediation process.
Details
None
Links
www.icir.org
References
None
Description
Apache Tomcat (the 4.1.x, 5.5.x and 6.0.x branches covered by the Tomcat security pages linked below) permits web applications to replace
an XML parser used for other web applications, which allows local users to read or modify the:
(1) web.xml
(2) context.xml
(3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.
CVSS Score
3.6
CVSS Fingerprint
AV:L/AC:L/Au:N/C:P/I:P/A:N
Solution
Mitigation:
Either upgrade to the latest version of apache tomcat
OR
Details
Synopsis :
Description :
See also :
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936
http://www.securityfocus.com/archive/1/504090
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
Solution :
Risk factor :
CVE : CVE-2009-0783
BID : 35416
Other references : Secunia:35326, Secunia:35344, OSVDB:55056
Links
None
References
CVE CVE-2009-0783
BugTraq 35416
Open Source Vulnerability Database 55056
Description
OpenSSL is prone to a denial-of-service vulnerability. A malicious server could cause a vulnerable client application to crash, effectively
denying service. http://www.securityfocus.com/bid/20246
OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it
to an insufficiently sized memory buffer.Successfully exploiting this issue may result in the execution of arbitrary machine code in the
context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users. http
://www.securityfocus.com/bid/20249
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue is due to the implementation of the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option to maintain compatibility with third-party software. This issue presents itself when two
peers try to negotiate the protocol they wish to communicate with. Attackers who can intercept and modify the SSL communications may
exploit this weakness to force SSL version 2 to be chosen. The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted client and server. Note that the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the frequently used 'SSL_OP_ALL' option. SSL peers that are configured
to disallow SSL version 2 are not affected by this issue. http://www.securityfocus.com/bid/15071
OpenSSL is prone to a denial-of-service vulnerability because it fails to validate the lengths of public keys being used. An attacker can
exploit this issue to crash an affected server using OpenSSL. http://www.securityfocus.com/bid/20247/info
OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the
application to fail to verify the existence of a file before writing to it. An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege
escalation. http://www.securityfocus.com/bid/11293/info
High-speed implementations of AES are prone to a timing attack vulnerability. The attack is based on observations of the time taken to
complete certain critical AES cryptographic functions (input-dependent table lookups). An attacker may theoretically exploit this issue to
retrieve an entire AES secret key from a target vulnerable AES implementation. http://www.securityfocus.com/bid/13785/info
CVSS Score
4.3
CVSS Fingerprint
Solution
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /
Links
None
References
CVE CVE-2006-4343
BugTraq 20246
BugTraq 20249
Description
It appears that the webserver on the remote host includes a module which is vulnerable to a denial of service attack.
The version of OpenSSL apparently installed on the apache webserver is vulnerable to a denial of service, caused by improper handling of
an ASN.1 error condition. Affected versions are 0.9.7 and 0.9.8 prior to 0.9.7l and 0.9.8d respectively.
A remote attacker could exploit this vulnerability by sending an invalid ASN.1 request to cause an infinite loop condition resulting in all
available memory resources being consumed. Another way to cause a denial of service is to use certain types of public keys to cause the
target system to take a large amount of time to process.
CVSS Score
7.8
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:C
Solution
The vendor has issued fixed versions. In order to resolve this vulnerability, you will need to upgrade to one of these versions.
Download the latest version here:
http://www.openssl.org/source/
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /
Path /
Links
References
CVE CVE-2006-2937
CVE CVE-2006-2940
CVE CVE-2006-3738
CVE CVE-2006-3894
CVE CVE-2006-4343
BugTraq 20248
Description
OpenSSL is prone to a denial-of-service vulnerability. A malicious server could cause a vulnerable client application to crash, effectively
denying service. http://www.securityfocus.com/bid/20246
OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it
to an insufficiently sized memory buffer.Successfully exploiting this issue may result in the execution of arbitrary machine code in the
context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users. http
://www.securityfocus.com/bid/20249
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue is due to the implementation of the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option to maintain compatibility with third-party software. This issue presents itself when two
peers try to negotiate the protocol they wish to communicate with. Attackers who can intercept and modify the SSL communications may
exploit this weakness to force SSL version 2 to be chosen. The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted client and server. Note that the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the frequently used 'SSL_OP_ALL' option. SSL peers that are configured
to disallow SSL version 2 are not affected by this issue. http://www.securityfocus.com/bid/15071
OpenSSL is prone to a denial-of-service vulnerability because it fails to validate the lengths of public keys being used. An attacker can
exploit this issue to crash an affected server using OpenSSL. http://www.securityfocus.com/bid/20247/info
OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the
application to fail to verify the existence of a file before writing to it. An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege
escalation. http://www.securityfocus.com/bid/11293/info
High-speed implementations of AES are prone to a timing attack vulnerability. The attack is based on observations of the time taken to
complete certain critical AES cryptographic functions (input-dependent table lookups). An attacker may theoretically exploit this issue to
retrieve an entire AES secret key from a target vulnerable AES implementation. http://www.securityfocus.com/bid/13785/info
CVSS Score
4.3
CVSS Fingerprint
AV:N/AC:M/Au:N/C:N/I:N/A:P
Solution
Path /
Path /
Links
None
References
CVE CVE-2006-4343
BugTraq 20246
BugTraq 20249
Description
It appears that the webserver on the remote host includes a module which is vulnerable to a denial of service attack.
The version of OpenSSL apparently installed on the apache webserver is vulnerable to a denial of service, caused by improper handling of
an ASN.1 error condition. Affected versions are 0.9.7 and 0.9.8 prior to 0.9.7l and 0.9.8d respectively.
A remote attacker could exploit this vulnerability by sending an invalid ASN.1 request to cause an infinite loop condition resulting in all
available memory resources being consumed. Another way to cause a denial of service is to use certain types of public keys to cause the
target system to take a large amount of time to process.
CVSS Score
7.8
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:C
Solution
The vendor has issued fixed versions. In order to resolve this vulnerability, you will need to upgrade to one of these versions.
Download the latest version here:
http://www.openssl.org/source/
Details
Path /
Path /
Links
www.openssl.org/source/
References
CVE CVE-2006-2937
Description
The remote DNS server answers any request. It is possible to query it for the name servers (NS) of the root zone ('.') and get an answer
which is much bigger than the original request.
By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-
party host using the remote DNS server.
CVSS Score
7.8
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:C
Solution
Restrict access to your DNS server from public network or reconfigure it to reject such queries.
Details
Synopsis :
Description :
See also :
http://isc.sans.org/diary.html?storyid=5713
Solution :
Risk factor :
None
Plugin output :
The DNS query was 17 bytes long, the answer is 316 bytes long.
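An added example, not McAfee's plugin, of how the measurement in the plugin output is made: build_root_ns_query() produces the 17-byte '. IN NS' query the output refers to, parse_header() reads the response header, and amplification_factor() is the response/query size ratio. The response used here is a constructed minimal one-record answer, not a capture from the audited server; probe() is the live UDP variant and is not exercised by the sample run.

```python
"""Measure DNS amplification for a root-NS query ('. IN NS').

Added example for this report, not McAfee code. The sample response is
constructed (one NS record); only the query builder is exact wire format.
"""
import socket
import struct

QTYPE_NS, QCLASS_IN = 2, 1


def encode_name(name: str) -> bytes:
    # DNS wire format: length-prefixed labels ending in a zero byte; "." is just b"\x00".
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_root_ns_query(txn_id: int = 0x1234, recursion_desired: bool = True) -> bytes:
    flags = 0x0100 if recursion_desired else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    return header + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the server sends per byte of (spoofable) query it receives."""
    return len(response) / len(query)


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply: copies the question and answers with one NS record whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    rdata = encode_name("a.root-servers.net")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600000, len(rdata)) + rdata
    return header + question + answer


QUERY = build_root_ns_query()
RESPONSE = build_sample_response(QUERY)


def probe(server: str, timeout: float = 3.0) -> float:
    """Live check (not run by the sample): send QUERY over UDP, return the factor."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(QUERY, (server, 53))
        data, _ = s.recvfrom(4096)
    return amplification_factor(QUERY, data)


if __name__ == "__main__":
    print(f"{len(QUERY)}-byte query -> {len(RESPONSE)}-byte answer, "
          f"x{amplification_factor(QUERY, RESPONSE):.1f}")
```

The report's own figure, 316 bytes back for the same 17-byte query, is a factor of about 18.6. After restricting allow-query (or allow-recursion) as the Solution describes, re-run probe() from an address outside the trusted networks: a REFUSED rcode or no answer is the expected result.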
Links
isc.sans.org
DNS amplification attacks explained
Explanation of DNS Amplification Attack
References
CVE CVE-2006-0988
Description
By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.
The response received for an OPTIONS request, lists out the supported methods in the "Allow" header field.
Various values for the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.
Details
Synopsis :
This plugin determines which HTTP methods are allowed on various CGI
directories.
Description :
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution :
n/a
Risk factor :
None
Plugin output :
Based on the response to an OPTIONS request :
Links
OWASP
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc.) that is thought to be SSL-secured.
Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker could
leverage cache poisoning (DNS/DHCP/ARP/etc.) or another vulnerability (e.g. XSS) to alter the unprotected page so that it sends the information
to an attacker-controlled website instead of the legitimate HTTPS site.
Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and
establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all information in
cleartext (including login credentials, etc).
Victim<---------HTTP--------->Attacker<---------HTTPS--------->Legitimate Site
CVSS Score
2.1
CVSS Fingerprint
AV:L/AC:L/Au:N/C:P/I:N/A:N
Solution
Do not allow any information you want SSL secured to originate from an unsecured page.
Vulnerable example:
http://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^
Secure example:
https://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^^
Details
Protocol http Port 8080 Read Timeout 10000 Method POST Demo
Path /servlet/psoft.masonry.Builder
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Headers
Content-Type=application%2Fx-www-form-urlencoded
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
Body
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0
Links
References
None
Description
The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:
<form autocomplete="off">
The autocomplete attribute can also be used on an individual form element, such as:
<input type="password" autocomplete="off">
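One scanner-style check covering both of the preceding findings, as an added example that is not part of the original report: given a page URL and its HTML, audit_forms() flags forms that post from an http:// page to an https:// action (the mixed-scheme case above) and password fields that are not covered by autocomplete="off" on either the field or its form. The sample page is constructed on the pattern of the login form in the Details (host www.example.test is assumed); FIXED_HTML is the same page with the remedies applied.

```python
"""Audit HTML forms for http->https submission and autocomplete on password fields.

Added example for this report, not the scanner's code. Sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects each <form> with its resolved action and its <input> fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes arrive as None; normalise with 'or ""'
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "autocomplete": (a.get("autocomplete") or "").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": a.get("name") or "",
                "type": (a.get("type") or "text").lower(),
                "autocomplete": (a.get("autocomplete") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url: str, html: str):
    """Return (finding, detail) tuples for the forms on one page."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in collector.forms:
        action_scheme = urlsplit(form["action"]).scheme
        if page_scheme == "http" and action_scheme == "https":
            findings.append(("http-page-posts-to-https", form["action"]))
        for field in form["fields"]:
            if field["type"] != "password":
                continue
            if form["autocomplete"] != "off" and field["autocomplete"] != "off":
                findings.append(("autocomplete-not-disabled", field["name"]))
    return findings


# Constructed sample page (assumed host), modelled on the login form in the Details.
SAMPLE_URL = "http://www.example.test:8080/servlet/psoft.masonry.Builder"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example.test/servlet/psoft.masonry.Builder" method="post">
  <input type="hidden" name="action" value="useraction">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="image" name="action" src="go.gif">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""
# Remedied version: the page itself is served over HTTPS and the form disables autocomplete.
FIXED_URL = "https://www.example.test/servlet/psoft.masonry.Builder"
FIXED_HTML = SAMPLE_HTML.replace('method="post"', 'method="post" autocomplete="off"')

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(*finding)
    print("fixed page findings:", audit_forms(FIXED_URL, FIXED_HTML))
```

The http->https check keys on the scheme of the page the form is served from, not on the form's action; a form whose action is also plain http is worse still, and a scanner would normally report credential fields on any http page.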
Details
Protocol http Port 8080 Read Timeout 10000 Method POST Demo
Path /servlet/psoft.masonry.Builder
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Headers
Content-Type=application%2Fx-www-form-urlencoded
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
Body
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
We were able to determine which versions of the SSH protocol the remote SSH daemon supports.
This gives potential attackers additional information about the system they are attacking.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:M/C:N/I:N/A:N
Solution
You are advised to check which versions of the SSH protocol the SSH daemon on your server supports, for the following:
- the protocol version is not outdated. Protocol versions are retired for a reason: cryptographic flaws. A server whose identification string
advertises 1.99, as this one does (see Details), is announcing that it accepts both SSH-1 and SSH-2 clients; only 2.0 should be offered.
- non-compliance with your organizational security policies. Also review your security policies to see whether they explicitly state that
some versions are not to be used.
- it is advisable to look up industry-standard best practices and use what the industry uses as a whole. This helps to get support if any
problems arise in the future.
Modify the SSH daemon's configuration file (sshd_config for OpenSSH; the name depends on which daemon is used) so that only the
protocols that are secure and supported are enabled. For OpenSSH that is the line 'Protocol 2', followed by a restart of sshd.
Details
- 1.99
- 2.0
Links
www.openssh.org
OpenSSH QuickRef (pdf)
Example SSHd Config File
Modify SSH Config To Maximize Security
References
None
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
None
Details
Synopsis :
Description :
Solution :
n/a
Risk factor :
None
Plugin output :
Links
www.openssh.org
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Details
Links
Microsoft
Sendmail
References
None
Description
By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.
The response received for an OPTIONS request, lists out the supported methods in the "Allow" header field.
Various values for the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.
Details
Synopsis :
This plugin determines which HTTP methods are allowed on various CGI
directories.
Description :
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution :
n/a
Risk factor :
None
Plugin output :
Based on the response to an OPTIONS request :
Links
OWASP
References
None
Description
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
None
Details
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sslreport>
<certificate expired="false">
<subject>CN=www.barrettstoychest.com, OU=Domain Control Validated, O=www.barrettstoychest.com</subject>
<issuer>SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US</issuer>
<serial_number>4577517</serial_number>
<signature_algorithm>SHA1withRSA</signature_algorithm>
<from_date>Fri Jul 11 13:08:35 PDT 2008</from_date>
<to_date>Mon Jul 11 13:08:35 PDT 2011</to_date>
<version>2</version>
<public_key>Sun RSA public key, 1024 bits</public_key>
</c
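An added example, not McAfee code, of turning the sslreport record above into a reviewable finding: parse_report() reads the scanner's XML and check_certificate() applies a baseline to it. SAMPLE_REPORT is the record from the Details with the closing tags, which the report truncates, assumed; the thresholds (RSA keys of at least 2048 bits, no SHA-1 or MD5 signatures, a 30-day expiry warning) are this editor's baseline and not criteria the report itself states.

```python
"""Parse the scanner's sslreport XML and apply baseline certificate checks.

Added example for this report, not McAfee code. The thresholds are the
editor's baseline; the XML is the report's record with assumed closing tags.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MIN_RSA_BITS = 2048          # editor's baseline, not a report criterion
EXPIRY_WARNING_DAYS = 30     # editor's baseline, not a report criterion

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sslreport><certificate expired="false">
<subject>CN=www.barrettstoychest.com, OU=Domain Control Validated, O=www.barrettstoychest.com</subject>
<issuer>SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US</issuer>
<serial_number>4577517</serial_number>
<signature_algorithm>SHA1withRSA</signature_algorithm>
<from_date>Fri Jul 11 13:08:35 PDT 2008</from_date>
<to_date>Mon Jul 11 13:08:35 PDT 2011</to_date>
<version>2</version>
<public_key>Sun RSA public key, 1024 bits</public_key>
</certificate></sslreport>"""   # closing tags assumed; the report truncates here


def parse_scanner_date(text: str) -> datetime:
    # "Fri Jul 11 13:08:35 PDT 2008": drop the zone token, which strptime's %Z
    # does not accept for arbitrary names; hour-level precision is enough here.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_report(xml_text: str) -> dict:
    cert = ET.fromstring(xml_text.encode("utf-8")).find("certificate")
    key = cert.findtext("public_key", "")
    bits = re.search(r"(\d+)\s*bits", key)
    return {
        "expired_flag": cert.get("expired") == "true",
        "subject": cert.findtext("subject", ""),
        "sig_alg": cert.findtext("signature_algorithm", ""),
        "not_before": parse_scanner_date(cert.findtext("from_date")),
        "not_after": parse_scanner_date(cert.findtext("to_date")),
        "key_alg": "RSA" if "RSA" in key else key,
        "key_bits": int(bits.group(1)) if bits else None,
    }


def check_certificate(info: dict, now: datetime) -> list:
    """Baseline checks against the parsed record, evaluated at time 'now'."""
    findings = []
    if info["expired_flag"] or now > info["not_after"]:
        findings.append("certificate expired")
    elif info["not_after"] - now < timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append(f"certificate expires within {EXPIRY_WARNING_DAYS} days")
    if now < info["not_before"]:
        findings.append("certificate not yet valid")
    if info["key_alg"] == "RSA" and (info["key_bits"] or 0) < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {info['key_bits']} < {MIN_RSA_BITS} bits")
    alg = info["sig_alg"].upper()
    if alg.startswith("SHA1") or "MD5" in alg:
        findings.append(f"weak signature algorithm: {info['sig_alg']}")
    return findings


INFO = parse_report(SAMPLE_REPORT)

if __name__ == "__main__":
    for line in check_certificate(INFO, datetime(2009, 6, 1)):
        print(line)
```

The date handed to check_certificate() is explicit rather than datetime.now() so that the record can be re-evaluated as of the scan date; the key-length and signature checks are where a 2008-era certificate like this one differs most from current expectations.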
Links
None
References
None
Description
The remote web server contains web pages that are protected by 'Basic' authentication, which sends the username and password base64-
encoded, i.e. effectively in plain text.
An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users if the realm is reachable over unencrypted HTTP.
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /_private/
Headers Host=www.barrettstoychest.com
Path /_private/
Confidential - McAfee Security Audit Report Page 46
WWW-Authenticate : Basic realm="www.barrettstoychest.com"
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /_private/
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:
The autocomplete attribute can also be used on an individual form element such as:
Details
Protocol https Port 443 Read Timeout 10000 Method POST Demo
Path /mailman/admin/mailman
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded
Body
adminpw=
admlogin=Let me in...
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /mailman/admin/mailman
Protocol https Port 443 Read Timeout 10000 Method POST Demo
Path /cgi-bin/cartconfig.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded
Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%30%3C%49%7D%50%6E%62%5F%71%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /cgi-bin/cartconfig.cgi
Query login=action
Headers
Host=www.barrettstoychest.com
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F
Links
None
References
None
Missing Secure Attribute in an Encrypted Session (SSL) Cookie 443/tcp Web Application
Description
The application sets a cookie over a secure channel without using the "secure" attribute. RFC 2109 (linked below) states that if the cookie does not have the
secure attribute assigned to it, the client may send the cookie to the server over non-secure channels (http). An attacker able to observe
the non-secure channel may intercept the cookie there and use it for a session hijacking attack.
CVSS Score
2.1
CVSS Fingerprint
AV:L/AC:L/Au:N/C:P/I:N/A:N
Solution
It is best practice that any cookie sent (Set-Cookie) over an SSL connection explicitly carries the Secure attribute.
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /cgi-bin/cartconfig.cgi
Query login=http%3A%2F%2Fwww.scanalert.com%2Fhelp%2Fscanner%2F5%2Frfi%3F
Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F
Path /cgi-bin/cartconfig.cgi
Query login=http%3A%2F%2Fwww.scanalert.com%2Fhelp%2Fscanner%2F5%2Frfi%3F
Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded
Body
key=10672A
qty=1
realtimeprice=http://www.scanalert.com/help/scanner/5/rfi?
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded
Body
key=10672A
qty=1
realtimeprice=http://www.scanalert.com/help/scanner/5/rfi?$4.99
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded
Body
key=10672A
qty=1
realtimeprice=$http://www.scanalert.com/help/scanner/5/rfi?.99
add=Add To Cart
reference=http://www.barrettstoychest.com
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded
Body
key=10672A
qty=1
realtimeprice=$4.http://www.scanalert.com/help/scanner/5/rfi?
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded
Body
key=10672A
qty=1
realtimeprice=$4.99
add=http://www.scanalert.com/help/scanner/5/rfi?
reference=http://www.barrettstoychest.com
return=Shop some more
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fshopper.cgi
Content-Type=application%2Fx-www-form-urlencoded
Body
reference=http://www.barrettstoychest.com
defaction=recalc
qty0=1
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total
Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;
Protocol https Port 443 Read Timeout 10000 Method POST Demo
Path /cgi-bin/shopper.cgi
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fshopper.cgi
Content-Type=application%2Fx-www-form-urlencoded
Body
reference=http://www.barrettstoychest.com
defaction=recalc
qty0=(test 1)
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total
Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;
Protocol https Port 443 Read Timeout 10000 Method POST Demo
Path /cgi-bin/shopper.cgi
Body
reference=http://www.barrettstoychest.com
defaction=recalc
qty0=-1
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total
Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;
Links
owasp
RFC 2109 - HTTP State Management Mechanism
Persistent Client State HTTP Cookies
References
CVE CVE-2004-0462
Open Source Vulnerability Database 19183
Description
This may point to one or both of: an insecure webserver configuration or an overly detailed error / debug message produced by your web
application. The disclosure may be triggered by and displayed to remote users.
Users may be able to use directory information contained in full paths to obtain sensitive data such as usernames from the remote server.
Access to such information may allow an attacker to tailor attacks to your web application.
Example:
A request to a URI such as: http://www.yourwebsite.com/foo/bar.html may cause your webserver to serve a file located at /usr/home/httpuser/html/foo/bar.html
The full path to that remote file should never be displayed to the user because it leaks information about the remote server. If the full path
is displayed to the user, this condition is considered a Full Path Disclosure and this vulnerability is marked.
In the above example, information that may be gleaned includes a valid user (httpuser) as well as a strong indication of the underlying
operating system (Unix variant).
Typical triggers for this form of information disclosure include invalid requests (requests whose parameters are populated with
unexpected and unhandled input), requests made directly to files that were intended to be included by other files rather than accessed
directly, and excessive custom error output sent to remote users by web applications.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Solutions to this problem will vary depending on your webserver's configuration and software stack.
Information on how to mitigate this problem for popular setups is linked below.
If you are using PHP and require error output for debugging purposes, limit this output to developers by employing conditional statements and
something like PHP's error_reporting() function to modify the runtime configuration of the error reporting level. Pseudocode: if
$_SERVER['REMOTE_ADDR'] == (development IP address here), then error_reporting(E_ALL), else error_reporting(0). Of course this
would allow anyone with your development IP to view this output, which may represent a vulnerability. A better solution would be to limit
error reporting to specific user(s) if your web application supports the idea of users, or to base it on some secret (e.g. requiring a long and
seemingly random variable to be passed as a GET parameter before displaying debug output).
This vulnerability may indicate a problem in the webserver software itself and may not be directly caused by your web application. In this
Check your webserver configuration files & settings to make sure that they do not permit divulging full path information to a remote user.
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /images/
Headers
Host=www.barrettstoychest.com
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fimages%2F
Links
References
None
Description
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
n/a
Details
Protocol https Port 443 Read Timeout 10000 Method GET Demo
Path /_private/
/_private/
Links
projects.webappsec.org
References
OWASP OWASP-CM-006
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Please review
Details
Links
None
References
None
Description
By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.
The response received for an OPTIONS request, lists out the supported methods in the "Allow" header field.
Various values for the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.
Details
Synopsis :
This plugin determines which HTTP methods are allowed on various CGI
directories.
Description :
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution :
n/a
Risk factor :
None
Links
OWASP
References
None
Description
The remote web server contains web pages that are protected by 'Basic' authentication over plain text.
An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users.
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
Details
Path /_private/
Headers Host=www.barrettstoychest.com
Path /_private/
Path /_private/
Links
None
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc.) that is thought to be SSL-secured.
Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker could
leverage cache poisoning (DNS/DHCP/ARP/etc.) or another vulnerability (e.g. XSS) to cause the HTTP page to send information to an
attacker-controlled website instead of the legitimate HTTPS site.
Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and
establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all information in
cleartext (including login credentials, etc).
Victim<---------HTTP--------->Attacker<---------HTTPS--------->Legitimate Site
CVSS Score
2.1
CVSS Fingerprint
AV:L/AC:L/Au:N/C:P/I:N/A:N
Solution
Do not allow any information you want SSL secured to originate from an unsecured page.
Vulnerable example:
http://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^
Secure example:
https://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^^
Details
Path /mailman/admin/mailman
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded
Body
adminpw=
admlogin=Let me in...
Path /cgi-bin/cartconfig.cgi
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded
Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action
Links
References
None
Description
The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.
CVSS Score
2.6
CVSS Fingerprint
AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution
To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:
The autocomplete attribute can also be used on an individual form element such as:
Details
Path /mailman/admin/mailman
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded
Body
adminpw=
admlogin=Let me in...
Path /mailman/admin/mailman
Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded
Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action
Path /cgi-bin/cartconfig.cgi
Query login=action
Headers
Host=www.barrettstoychest.com
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F
Links
None
References
None
Description
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
n/a
Details
Path /_private/
/_private/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /_vti_bin/
/_vti_bin/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /_vti_log/
/_vti_log/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /_vti_pvt/
/_vti_pvt/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /_vti_txt/
/_vti_txt/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /~root/
/~root/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /cgi-bin/
/cgi-bin/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /cgi-sys/
/cgi-sys/
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /mailman/
/mailman/
Links
projects.webappsec.org
References
OWASP OWASP-CM-006
Description
A DNS server is running on this port. A Domain Name System (DNS) server provides a mapping between hostnames and IP addresses. See
the Wikipedia link below for a better understanding of DNS.
DNS is a potentially dangerous service that should not be running if it is not needed.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Details
Synopsis :
Description :
See also :
Solution :
Risk factor :
None
Links
Wikipedia
References
None
Description
The remote host is running BIND, an open-source DNS server. It is possible to extract the version number of the remote installation by
sending a special DNS request for the text 'version.bind' in the domain 'chaos'.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section of named.conf.
Details
Synopsis :
Description :
Solution :
Risk factor :
None
Plugin output :
9.2.4
Other references : OSVDB:23
Links
None
References
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Details
Links
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Details
Microsoft
Sendmail
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
None
Details
Synopsis :
Description :
Solution :
n/a
Risk factor :
None
Plugin output :
Links
www.openssh.org
References
None
Description
This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:H/Au:N/C:N/I:N/A:N
Solution
Details
Links
None
References
None
Description
The remote FTP server does not encrypt its data and control connections. The
user name and password are transmitted in clear text and may be
intercepted by a network sniffer or a man-in-the-middle attack.
CVSS Score
2.6
CVSS Fingerprint
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In
the latter case, configure the server so that data and control
connections must be encrypted.
Details
Synopsis :
Description :
The remote FTP server does not encrypt its data and control connections. The
user name and password are transmitted in clear text and may be
intercepted by a network sniffer or a man-in-the-middle attack.
Solution :
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In
the latter case, configure the server so that data and control
connections must be encrypted.
Risk factor :
Links
References
None
Description
During the scan we identified an FTP service running. FTP is a file transfer protocol that does not encrypt files during transmission.
According to PCI-DSS 1.1.5b, this service needs to be identified and verified as necessary, with its security features documented
and implemented, by examining firewall and router configuration standards and settings for this service.
In addition, PCI-DSS 2.2.2 states that if you allow this service to be available, then the appropriate use of the service needs to be
justified and documented.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
As with all insecure protocols, if this service is not being used, it should be disabled.
If this service is being used, then a business justification should be given and documented.
Details
Links
None
References
None
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host
can sometimes be computed.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
n/a
Details
Synopsis :
Description :
See also :
http://www.ietf.org/rfc/rfc1323.txt
Solution :
n/a
Risk factor :
None
Links
www.ietf.org/rfc/rfc1323.txt
References
None
Description
The most recent port scan reveals that the remote host has 10 or more open ports. This may be an indication of a potential problem on a
particular host. Typically, a high number of open ports could indicate the absence of a firewall, or that the firewall has been mis-configured in
some way. However, many hosts actually require the number of ports to exceed 10 due to the popular use of Web-based control panels
like H-Sphere, Plesk, and cPanel.
CVSS Score
0.0
CVSS Fingerprint
AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution
Given the plethora of attacks available against different systems, it is imperative that a good firewall policy be in place, as it will prevent
most exploits from taking place. If a firewall is in place, review all open ports and the services running on them to ensure they are valid.
After verifying the open ports, you can mark this vulnerability as resolved - it can only be done manually, unless the number of open ports
drops below 10.
If you do not have a firewall installed, you will not be able to satisfy PCI requirements.
Windows:
For an immediate software based solution install a basic firewall from a vendor such as ZoneLabs or Symantec.
Average or higher traffic sites should consider a hardware based firewall from a vendor like Netscreen, Cisco, Watchguard, or SonicWall.
Windows 2000:
Install and configure IP Security Policies. See the Microsoft URL.
Linux:
Depending on kernel configuration ipchains or iptables should be enabled and port filtering configured to allow public access only to ports
requiring it.
Details
None
Links
www.sonicwall.com/
www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7D40460C-A069-412E-A015-A2AB904B7361
www.watchguard.com/
www.tldp.org/HOWTO/Firewall-HOWTO.html
www.netscreen.com/
Microsoft
References
None
Description
This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.
CVSS Score
0.0
CVSS Fingerprint
AV:L/AC:L/Au:N/C:N/I:N/A:N
Solution
Filter out the ICMP timestamp requests (ICMP type 13), the outgoing ICMP timestamp replies (ICMP type 14), the address mask request
(ICMP type 17), and the address mask reply (ICMP type 18).
Details
CVE : CVE-1999-0524
Other references : OSVDB:94
Links
References
CVE CVE-1999-0524
Open Source Vulnerability Database 94
Port 80
Reason
This issue was fixed in RHSA-2006:0680-4; we are using newer RPM openssl-0.9.7a-43.17.el4_6.1 retrieved from RHN for RHEL 4 which also resolves other issues.
Port 443
Reason
This issue was fixed in RHSA-2006:0680-4; we are using newer RPM openssl-0.9.7a-43.17.el4_6.1 retrieved from RHN for RHEL 4 which also resolves other issues.
Port 80
Reason
PHP 5.2.5 is installed: PHP 5.2.5 (cli) (built: Jun 21 2008 15:19:18) Copyright (c) 1997-2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies with the ionCube PHP Loader v3.1.33, Copyright (c) 2002-2007, by ionCube Ltd., and with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies
Port 443
Reason
PHP 5.2.5 is installed: PHP 5.2.5 (cli) (built: Jun 21 2008 15:19:18) Copyright (c) 1997-2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies with the ionCube PHP Loader v3.1.33, Copyright (c) 2002-2007, by ionCube Ltd., and with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies