
PCI Security Report

Barretts Toy Chest

Report Generation Date:26-JUL-2010 16:29

Confidential Information
The following report contains confidential information. Do not distribute, email, fax or transfer it via any electronic mechanism unless
this has been approved by your organization's security policy. All copies and backups of this document should be kept on protected
storage at all times. Do not share any of the information contained within this report with anyone unless you have confirmed they are
authorized to view it.

Disclaimer
This, or any other, vulnerability audit cannot and does not guarantee security. McAfee makes no warranty or claim of any kind,
whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that McAfee shall
be held harmless in any event. McAfee makes this information available solely under its Terms of Service Agreement published at
www.mcafeesecure.com.
Disclosure
As a systems and networks security company, McAfee produces and sells a range of products separately from services provided as an
Approved Scanning Vendor. McAfee security products include but may not be limited to the following categories: application or network
firewalls, intrusion detection/prevention, database or other encryption solutions, security audit log solutions, anti-virus solutions
Table Of Contents

Section

1 Executive Summary

2 Certification of Regulatory Compliance

3.1 Device: www.barrettstoychest.com (64.6.242.117)

3.1.1 Overview

3.1.2 Open Ports

3.1.3 Consolidated Solution

3.1.4 Vulnerabilities

3.1.5 Resolved

Confidential - McAfee Security Audit Report Page 2


Executive Summary

McAfee has determined that 'Barretts Toy Chest' is NOT COMPLIANT with the PCI scan validation requirement.

This report was generated by PCI Approved Scanning Vendor McAfee, under certificate number 3709-01-04, in the framework of the PCI
data security initiative.

As a Qualified Independent Scan Vendor McAfee is accredited by Visa, MasterCard, American Express, Discover Card and JCB to
perform network security audits conforming to the Payment Card Industry (PCI) Data Security Standard.

To earn validation of PCI compliance, network devices being audited must pass tests that probe all of the known methods hackers use to
access private information, in addition to vulnerabilities that would allow malicious software (e.g. viruses and worms) to gain access to or
disrupt the network devices being tested.

NOTE: In order to demonstrate compliance with the PCI Data Security Standard a vulnerability scan must have been completed within the
past 90 days with no vulnerabilities listed as URGENT, CRITICAL or HIGH (numerical severity ranking of 3 or higher) present on any
device within this report. Additionally, Visa and MasterCard regulations require that you configure your scanning to include all IP
addresses, domain names, DNS servers, load balancers, firewalls or external routers used by, or assigned to, your company, and that you
configure any IDS/IPS to not block access from the originating IP addresses of our scan servers.

Certification of Regulatory Compliance

Sites are tested and certified daily to meet all U.S. Government requirements for remote vulnerability testing as set forth by the National
Infrastructure Protection Center (NIPC). They are also certified to meet the security scanning requirements of Visa USA's Cardholder
Information Security Program (CISP), Visa International's Account Information Security (AIS) program, MasterCard International's Site
Data Protection (SDP) program, American Express' CID security program and the Discover Card Information Security and Compliance (DISC)
program within the framework of the Payment Card Industry (PCI) Data Security Standard.



3.1.1 - Overview: www.barrettstoychest.com (64.6.242.117)

Scan Date

26-JUL-2010 15:51 48 6 20 0 2

3.1.2 - Open Ports: www.barrettstoychest.com (64.6.242.117)

Port   Protocol   Service      Banner
21     tcp        ftp          ftp
22     tcp        ssh          ssh
25     tcp        smtp         smtp
26     tcp        Unknown      unknown
53     udp        domain       domain
80     tcp        http         http
110    tcp        pop-3        pop3
143    tcp        imap2        imap
443    tcp        https        https
465    tcp        smtps        urd
993    tcp        imaps        imaps
995    tcp        pop3s        pop3s
2082   tcp        Unknown      infowave
2083   tcp        Unknown      radsec
2086   tcp        Unknown      gnunet
2087   tcp        Unknown      eli
2095   tcp        Unknown      nbx-ser
2096   tcp        Unknown      nbx-dir
3297   tcp        Unknown      cytel-lm
8009   tcp        ajp13        ajp13
8080   tcp        http-proxy   http-alt

For the ports marked Unknown the Banner column is the IANA port-table name, not anything the host announced. The combination
2082/2083, 2086/2087 and 2095/2096 is the default port set of cPanel, WHM and cPanel webmail respectively (HTTP and HTTPS pairs),
consistent with a shared hosting server. 8009 is the Tomcat AJP connector that several findings below concern; AJP is intended for a
front-end web server on a trusted network and should not be reachable from the Internet.

3.1.3 - Consolidated Solution: www.barrettstoychest.com (64.6.242.117)

All level 3, 4, and 5 vulnerabilities identified for this device must be addressed with mitigation or remediation in order to satisfy PCI
requirements.
Review all findings for this device, then for each vulnerability with level 3, 4, or 5, implement the solution described or an equivalent
solution. Regenerate and submit the report based on scan results taken after remediation is completed.
If mitigations are employed according to the compensating controls mechanism of PCI, you must provide details of compensating controls
for each level 3, 4, or 5 vulnerability that appears in this report.

3.1.4 - Vulnerabilities: www.barrettstoychest.com (64.6.242.117)

Severity Name Port Category

Website Directory Listing 443/tcp Web Server

Description

A directory listing was found which may be used to enumerate all the files in a directory.

More often than not, this is representative of unintentional information disclosure. Note that the CVSS vector recorded below (complete
loss of confidentiality, integrity and availability) overstates a directory listing on its own: the listing is an information-disclosure issue
whose real impact depends on what the directory contains, for example backups, configuration files or administrative scripts that were
never meant to be linked.

CVSS Score



10.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution

If directory listing is not required, disable this feature.

Methods to disable directory listings vary with webserver software. A common workaround is to place a blank file in the directory and
name it index.html (or whatever your webserver is configured to use for default pages). Note that this only hides the listing: every file in
the directory is still served to anyone who knows or guesses its name, so any file that should not be public must also be moved out of the
document root or protected by access control.

If you're using Apache, the proper fix is to turn the feature off, either in the server configuration or in a .htaccess file in the directory with
the following line (the .htaccess form requires AllowOverride Options, or AllowOverride All, for that directory):
Options -Indexes

Modifying IIS directory listing options is more complicated. Please refer to the link below for instructions on IIS 7.

With most other webservers the blank index.html approach works as an interim measure until listings are disabled in the server
configuration.

Details

Protocol https   Port 443   Read Timeout 10000   Method GET   Demo

Path /img-sys/

Headers
Host=www.barrettstoychest.com
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman

Links

Directory Listing in IIS 7


Directory Listing in Apache

References

CVE CVE-1999-0569
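What the scanner did for this finding, reproduced as an added Python example (not code from the report or from McAfee): request the directory URL, decide from the response body whether the server returned an autoindex page, and pull out the file and subdirectory names it exposes, which is the enumeration the description warns about. The two sample bodies are constructed imitations of an Apache mod_autoindex page and a Tomcat 4.x DefaultServlet listing for /img-sys/; the entries in them are invented, and fetch_and_assess() is the only part that touches the network.

```python
"""Detect an HTTP directory listing and enumerate what it exposes.

Added example, not code from the McAfee report. The two response bodies below
are constructed to mimic an Apache mod_autoindex page and a Tomcat 4.x
DefaultServlet listing for /img-sys/; the file names in them are invented.
"""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin

# Text that the common autoindex implementations put in their listing pages.
LISTING_MARKERS = (
    ("apache/nginx", re.compile(r"<title>\s*Index of\s+/", re.I)),
    ("tomcat", re.compile(r"Directory Listing For\s*/", re.I)),
    ("iis", re.compile(r"\[To Parent Directory\]", re.I)),
)


class _HrefCollector(HTMLParser):
    """Collect every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def detect_listing(body):
    """Return which autoindex flavour produced `body`, or None if it is not a listing."""
    for flavour, pattern in LISTING_MARKERS:
        if pattern.search(body):
            return flavour
    return None


def enumerate_entries(body, base_url):
    """Return the entries a listing exposes, as paths relative to base_url (which must end in '/').

    Column-sort links (?C=N;O=D), in-page anchors, the parent directory and links
    to other hosts are dropped, so what remains is the content of the directory.
    """
    collector = _HrefCollector()
    collector.feed(body)
    entries = []
    for href in collector.hrefs:
        if href.startswith(("?", "#")):
            continue
        absolute = urljoin(base_url, href)
        if not absolute.startswith(base_url):
            continue
        relative = unquote(absolute[len(base_url):])
        if relative and relative not in entries:
            entries.append(relative)
    return entries


def assess_listing(body, base_url):
    """Combine detection and enumeration into one record for a scanned directory URL."""
    flavour = detect_listing(body)
    return {
        "url": base_url,
        "listing": flavour,
        "entries": enumerate_entries(body, base_url) if flavour else [],
    }


def fetch_and_assess(base_url, timeout=10):
    """Live check: GET the directory URL (with a trailing slash) and assess the response."""
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return assess_listing(body, base_url)


# Constructed sample: what an Apache autoindex page for /img-sys/ looks like.
APACHE_BODY = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /img-sys</title></head><body>
<h1>Index of /img-sys</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>
<a href="admin/">admin/</a>
<a href="logo.gif">logo.gif</a>
<a href="banner%202010.gif">banner 2010.gif</a>
<hr></pre></body></html>"""

# Constructed sample: the same directory served by Tomcat's DefaultServlet with listings on.
TOMCAT_BODY = """<html><head><title>Directory Listing For /img-sys/</title></head>
<body><h1>Directory Listing For /img-sys/ - <a href="/"><b>Up To /</b></a></h1>
<table><tr><td><a href="/img-sys/admin/"><tt>admin/</tt></a></td></tr>
<tr><td><a href="/img-sys/logo.gif"><tt>logo.gif</tt></a></td></tr></table>
<h3>Apache Tomcat/4.1.29</h3></body></html>"""

if __name__ == "__main__":
    for body in (APACHE_BODY, TOMCAT_BODY):
        print(assess_listing(body, "https://www.barrettstoychest.com/img-sys/"))
```

After remediation, run fetch_and_assess() against both demo URLs (https and http): a blank index.html makes detect_listing() return None, but the entries the old listing showed remain fetchable by name, so the second check is to request each of them directly and confirm that anything non-public now returns 403 or 404.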

Severity Name Port Category

Website Directory Listing 80/tcp Web Server

Description

A directory listing was found which may be used to enumerate all the files in a directory.

More often than not, this is representative of unintentional information disclosure.

CVSS Score

10.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution

If directory listing is not required, disable this feature.

Methods to disable directory listings vary with webserver software. A common workaround is to place a blank file in the directory and
name it index.html (or whatever your webserver is configured to use for default pages). Note that this only hides the listing: every file in
the directory is still served to anyone who knows or guesses its name, so any file that should not be public must also be moved out of the
document root or protected by access control.

If you're using Apache, the proper fix is to turn the feature off, either in the server configuration or in a .htaccess file in the directory with
the following line (the .htaccess form requires AllowOverride Options, or AllowOverride All, for that directory):
Options -Indexes

Modifying IIS directory listing options is more complicated. Please refer to the link below for instructions on IIS 7.

With most other webservers the blank index.html approach works as an interim measure until listings are disabled in the server
configuration.

Details

Protocol http   Port 80   Read Timeout 10000   Method GET   Demo

Path /img-sys/

Headers
Host=www.barrettstoychest.com
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman

Links

Directory Listing in IIS 7


Directory Listing in Apache

References

CVE CVE-1999-0569

Severity Name Port Category

Apache Tomcat Transfer-encoding Header Vulnerability 8080/tcp Other

Description

The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid
values for the 'Transfer-Encoding' HTTP header as sent by a client.

CVSS Score

6.4

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:P

Solution

Upgrade to version 5.5.30 / 6.0.28 or greater.

Details

Synopsis :

The remote Apache Tomcat service is vulnerable to information
disclosure or a denial of service attack.

Description :

The remote Apache Tomcat service is vulnerable to information
disclosure or a denial of service attack due to a mishandling of
invalid values for the 'Transfer-Encoding' HTTP header as sent by a
client.

See also :

http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Solution :

Upgrade to version 5.5.30 / 6.0.28 or greater.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)

Plugin output :

ScanAlert was able to verify this issue using the following request :

GET / HTTP/1.1
Host: s117.n242.n6.n64.static.myhostcenter.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Date: Mon, 26 Jul 2010 20:40:49 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Pragma: no-cache
Transfer-Encoding: McAfee SECURE
Accept-Language: en
Connection: Close

CVE : CVE-2010-2227
BID : 41544
Other references : Secunia:39574


References

CVE CVE-2010-2227
BugTraq 41544
Secunia 39574

Severity Name Port Category

Apache Tomcat 4.x < 4.1.32 Multiple Vulnerabilities 8080/tcp Web Server

Description

According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.32 and, as
such, may be affected by multiple vulnerabilities.

- The remote Apache Tomcat install is vulnerable to a denial of service attack. If directory listing is enabled, function calls to retrieve the
contents of large directories can degrade performance. (CVE-2005-3510)

- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP examples are enabled. Several of these
JSP examples do not properly validate user input (CVE-2005-4838)

- The remote Apache Tomcat install allows remote users to list the contents of a directory by placing a semicolon before a filename with a
mapped extension.(CVE-2006-3835)

- If enabled, the JSP calendar example application is vulnerable to a cross-site scripting attack because user input is not properly
validated. (CVE-2006-7196)

- The remote Apache Tomcat install, in its default configuration, permits the use of insecure ciphers when using SSL. (CVE-2007-1858)

- The remote Apache Tomcat install may be vulnerable to a information disclosure attack by allowing requests from a non-permitted IP
address to gain access to a context which is protected with a valve that extends RequestFilterValve. (CVE-2008-3271)

CVSS Score

5.0



CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Update to Apache Tomcat version 4.1.32 or later.

Details

Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is earlier than 4.1.32 and, as
such, may be affected by multiple vulnerabilities.

- The remote Apache Tomcat install is vulnerable to a
denial of service attack. If directory listing is
enabled, function calls to retrieve the contents of
large directories can degrade performance.
(CVE-2005-3510)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the JSP examples are
enabled. Several of these JSP examples do not properly
validate user input. (CVE-2005-4838)

- The remote Apache Tomcat install allows remote users
to list the contents of a directory by placing a
semicolon before a filename with a mapped extension.
(CVE-2006-3835)

- If enabled, the JSP calendar example application is
vulnerable to a cross-site scripting attack because
user input is not properly validated. (CVE-2006-7196)

- The remote Apache Tomcat install, in its default
configuration, permits the use of insecure ciphers when
using SSL. (CVE-2007-1858)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack by allowing requests from
a non-permitted IP address to gain access to a context
which is protected with a valve that extends
RequestFilterValve. (CVE-2008-3271)

Note that ScanAlert did not actually test for the flaws but instead has
relied upon the version in Tomcat's banner or error page so this may
be a false positive.

See also :

http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.32
https://issues.apache.org/bugzilla/show_bug.cgi?id=25835

Solution :

Update to Apache Tomcat version 4.1.32 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

Installed version : 4.1.29
Fixed version : 4.1.32

CVE : CVE-2005-3510, CVE-2005-4838, CVE-2006-3835, CVE-2006-7196, CVE-2007-1858, CVE-2008-3271
BID : 15325, 19106, 25531, 28482, 31698
Other references : Secunia:13737, Secunia:17416, Secunia:32213, OSVDB:12721, OSVDB:20439,
OSVDB:32723, OSVDB:34878, OSVDB:34879, OSVDB:34882, OSVDB:34888, OSVDB:49062

References

CVE CVE-2005-3510
CVE CVE-2005-4838
CVE CVE-2006-3835
CVE CVE-2006-7196
CVE CVE-2007-1858
CVE CVE-2008-3271
BugTraq 15325
BugTraq 19106
BugTraq 25531
BugTraq 28482
BugTraq 31698
Secunia 13737
Secunia 17416
Secunia 32213

Severity Name Port Category

Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities 8080/tcp Web Server

Description

According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.37 and, as
such, may be affected by multiple vulnerabilities.

- The remote Apache Tomcat install may be vulnerable to an information disclosure attack if the deprecated AJP connector processes a
client request having a non-zero Content-Length and the client disconnects before sending the request body. (CVE-2005-3164)

- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP and Servlet examples are enabled.
Several of these examples do not properly validate user input. (CVE-2007-1355, CVE-2007-2449)

- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the Manager web application is enabled as it fails
to escape input data. (CVE-2007-2450)

- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. Apache Tomcat treats the single
quote character in a cookie as a delimiter which can lead to information, such as session ID, to be disclosed. (CVE-2007-3382)

- The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the SendMailServlet is enabled. The
SendMailServlet is a part of the examples web application and, when reporting error messages, fails to escape user provided data. (CVE-
2007-3383)

- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. The previous fix for CVE-2007-
3385 was incomplete and did not account for the use of quotes or '%5C' in cookie values. (CVE-2007-3385, CVE-2007-5333)

- The remote Apache Tomcat install may be vulnerable to an information disclosure attack via the WebDAV servlet. Certain WebDAV
requests, containing an entity with a SYSTEM tag, can result in the disclosure of arbitrary file contents. (CVE-2007-5461)

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Update to Apache Tomcat version 4.1.37 or later.

Details

Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is earlier than 4.1.37 and, as
such, may be affected by multiple vulnerabilities.

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack if the deprecated AJP
connector processes a client request having a non-zero
Content-Length and the client disconnects before
sending the request body. (CVE-2005-3164)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the JSP and Servlet
examples are enabled. Several of these examples do
not properly validate user input.
(CVE-2007-1355, CVE-2007-2449)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the Manager web
application is enabled as it fails to escape input
data. (CVE-2007-2450)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via cookies. Apache Tomcat
treats the single quote character in a cookie as a
delimiter which can lead to information, such as session
ID, to be disclosed. (CVE-2007-3382)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the SendMailServlet is
enabled. The SendMailServlet is a part of the examples
web application and, when reporting error messages,
fails to escape user provided data. (CVE-2007-3383)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via cookies. The previous
fix for CVE-2007-3385 was incomplete and did not account
for the use of quotes or '%5C' in cookie values.
(CVE-2007-3385, CVE-2007-5333)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via the WebDAV servlet.
Certain WebDAV requests, containing an entity with a
SYSTEM tag, can result in the disclosure of arbitrary
file contents. (CVE-2007-5461)

Note that ScanAlert did not actually test for the flaws but instead has
relied upon the version in Tomcat's banner or error page so this may
be a false positive.

See also :

http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.37
http://www.securityfocus.com/archive/1/archive/1/469067/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471351/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471357/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476442/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/474413/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476444/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/487822/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded

Solution :

Update to Apache Tomcat version 4.1.37 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

Installed version : 4.1.29
Fixed version : 4.1.37

CVE : CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383,
CVE-2007-3385, CVE-2007-5333, CVE-2007-5461
BID : 15003, 24058, 24475, 24476, 24999, 25316, 26070, 27706
Other references : Secunia:25678, Secunia:26466, Secunia:28878, Secunia:27398, OSVDB:19821,
OSVDB:34875, OSVDB:36079, OSVDB:36080, OSVDB:37070, OSVDB:37071, OSVDB:38187, OSVDB:39000,
OSVDB:41435


References

CVE CVE-2005-3164
CVE CVE-2007-1355
CVE CVE-2007-2449
CVE CVE-2007-2450
CVE CVE-2007-3382
CVE CVE-2007-3383
CVE CVE-2007-3385
CVE CVE-2007-5333
CVE CVE-2007-5461
BugTraq 15003
BugTraq 24058
BugTraq 24475
BugTraq 24476
BugTraq 24999
BugTraq 25316
BugTraq 26070
BugTraq 27706
Secunia 25678
Secunia 26466
Secunia 27398
Secunia 28878

Severity Name Port Category

Apache Tomcat 4.x < 4.1.39 Multiple Vulnerabilities 8080/tcp Web Server

Description

According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is earlier than 4.1.39 and, as
such, may be affected by one or more of the following vulnerabilities :

- If the remote Apache Tomcat install is configured to use the SingleSignOn Valve, the JSESSIONIDSSO cookie does not have the
'secure' attribute set if authentication takes place over HTTPS. This allows the JSESSIONIDSSO cookie to be sent to the same server
when HTTP content is requested. (CVE-2008-0128)

- The remote Apache Tomcat install is vulnerable to a cross-site scripting attack. Improper input validation allows a remote attacker to
inject arbitrary script code or HTML into the message argument used by the HttpServletResponse.sendError method. (CVE-2008-1232)

- If the remote Apache Tomcat install contains pages using the RequestDispatcher object, a directory traversal attack may be possible.
This allows an attacker to select one or more of the input parameters and provide specific values leading to access of potentially sensitive
files. (CVE-2008-2370)

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Update Apache Tomcat to version 4.1.39 or later.

Details



Synopsis :

The remote web server may be affected by multiple vulnerabilities

Description :

According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is earlier than 4.1.39 and, as
such, may be affected by one or more of the following
vulnerabilities :

- If the remote Apache Tomcat install is configured to use
the SingleSignOn Valve, the JSESSIONIDSSO cookie does
not have the 'secure' attribute set if authentication
takes place over HTTPS. This allows the JSESSIONIDSSO
cookie to be sent to the same server when HTTP content
is requested. (CVE-2008-0128)

- The remote Apache Tomcat install is vulnerable to a
cross-site scripting attack. Improper input validation
allows a remote attacker to inject arbitrary script
code or HTML into the message argument used by the
HttpServletResponse.sendError method. (CVE-2008-1232)

- If the remote Apache Tomcat install contains pages
using the RequestDispatcher object, a directory
traversal attack may be possible. This allows an
attacker to select one or more of the input parameters
and provide specific values leading to access of
potentially sensitive files. (CVE-2008-2370)

Note that ScanAlert did not actually test for the flaws but instead has
relied upon the version in Tomcat's banner or error page so this may
be a false positive.

See also :

http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.39

Solution :

Update Apache Tomcat to version 4.1.39 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

Installed version : 4.1.29
Fixed version : 4.1.39

CVE : CVE-2008-0128, CVE-2008-1232, CVE-2008-2370
BID : 27365, 30496, 30494
Other references : OSVDB:40853, OSVDB:47462, OSVDB:47463, Secunia:28552, Secunia:31379


References

CVE CVE-2008-0128
CVE CVE-2008-1232
CVE CVE-2008-2370
BugTraq 27365
BugTraq 30494
BugTraq 30496
Secunia 28552
Secunia 31379

Severity Name Port Category

Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities 8080/tcp Other



Description

According to its self-reported version number, the Apache Tomcat listening on the remote host is earlier than Tomcat 4.1.40 / 5.5.28 /
6.0.20 and, as such, may be affected by one or more of the following vulnerabilities :

- The remote service may be vulnerable to a directory traversal attack if a RequestDispatcher obtained from a Request object is used. A
specially crafted value for a request parameter can be used to access potentially sensitive configuration files or other files, e.g., files in the
WEB-INF directory. (CVE-2008-5515)

- The remote service may be vulnerable to a denial of service attack if configured to use the Java AJP connector. An attacker can send a
malicious request with invalid headers which causes the AJP connector to be put into an error state for a short time. This behavior can be
used as a denial of service attack. (CVE-2009-0033)

- The remote service may be vulnerable to a username enumeration attack if configured to use FORM authentication along with the
'MemoryRealm', 'DataSourceRealm', or 'JDBCRealm' authentication realms. (CVE-2009-0580)

- The remote service may be affected by a script injection vulnerability if the example JSP application, 'cal2.jsp', is installed. An
unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be
executed within the security context of the affected site. (CVE-2009-0781)

- The remote service may be vulnerable to unauthorized modification of 'web.xml', 'context.xml', or TLD files of arbitrary web applications.
This vulnerability could allow the XML parser, used to process the XML and TLD files, to be replaced. (CVE-2009-0783)

- The Windows installer uses a blank default password for the administrative user. (CVE-2009-3548)

- When autoDeploy is enabled, Tomcat deploys appBase files that remain from a failed undeploy, which might allow remote attackers to
bypass intended authentication requirements via HTTP requests. (CVE-2009-2901)

- A directory traversal vulnerability allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file,
as demonstrated by a ../../bin/catalina.bat entry. (CVE-2009-2693)

- A directory traversal vulnerability allows remote attackers to delete work-directory files via directory traversal sequences in a WAR
filename, as demonstrated by the ...war filename. (CVE-2009-2902)

- The server's hostname or IP address can be discovered by sending a request for a resource that requires (1) BASIC or (2) DIGEST
authentication, and then reading the realm field in the WWW-Authenticate header in the reply. (CVE-2010-1157)

Note that the last five items (CVE-2009-3548 onward) were fixed in Tomcat releases later than the 4.1.40 / 5.5.28 / 6.0.20 named in the
Solution below; the linked Tomcat security pages give the exact fixed version for each, so an upgrade to those versions alone does not
close them. Tomcat 4.1 reached end of life with 4.1.40, so for the 4.1.29 instance on this host the practical remediation is a move to a
supported branch.

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Update Apache Tomcat to version 4.1.40 / 5.5.28 / 6.0.20 or later.

Details

Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
listening on the remote host is earlier than Tomcat 4.1.40 / 5.5.28 /
6.0.20 and, as such, may be affected by one or more of the following
vulnerabilities :

- The remote service may be vulnerable to a directory
traversal attack if a RequestDispatcher obtained from a
Request object is used. A specially crafted value for a
request parameter can be used to access potentially
sensitive configuration files or other files, e.g.,
files in the WEB-INF directory. (CVE-2008-5515)

- The remote service may be vulnerable to a denial of
service attack if configured to use the Java AJP
connector. An attacker can send a malicious request with
invalid headers which causes the AJP connector to be put
into an error state for a short time. This behavior can
be used as a denial of service attack. (CVE-2009-0033)

- The remote service may be vulnerable to a username
enumeration attack if configured to use FORM
authentication along with the 'MemoryRealm',
'DataSourceRealm', or 'JDBCRealm' authentication realms.
(CVE-2009-0580)

- The remote service may be affected by a script injection
vulnerability if the example JSP application,
'cal2.jsp', is installed. An unauthenticated remote
attacker may be able to leverage this issue to inject
arbitrary HTML or script code into a user's browser to
be executed within the security context of the affected
site. (CVE-2009-0781)

- The remote service may be vulnerable to unauthorized
modification of 'web.xml', 'context.xml', or TLD files
of arbitrary web applications. This vulnerability could
allow the XML parser, used to process the XML and TLD
files, to be replaced. (CVE-2009-0783)

Note that ScanAlert did not actually test for these flaws but instead has
relied upon the version in Tomcat's banner or error page so this may
be a false positive.

See also :

http://www.securityfocus.com/archive/1/504125
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.40
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.28
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.20

Solution :

Update Apache Tomcat to version 4.1.40 / 5.5.28 / 6.0.20 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE : CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783
BID : 35193, 35196, 35263, 35416
Other references : OSVDB:52899, OSVDB:55053, OSVDB:55054, OSVDB:55055, OSVDB:55056,
Secunia:35326, Secunia:35344


References

CVE CVE-2008-5515
CVE CVE-2009-0033
CVE CVE-2009-0580
CVE CVE-2009-0781
CVE CVE-2009-0783
CVE CVE-2009-2693
CVE CVE-2009-2901
CVE CVE-2009-2902
CVE CVE-2009-3548
CVE CVE-2010-1157
BugTraq 35193
BugTraq 35196
BugTraq 35263
BugTraq 35416
Secunia 35326
Secunia 35344

Severity Name Port Category

Apache Tomcat Default Error Page Version Detection 8080/tcp Web Server

Description



Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages. A remote attacker
could use this information to mount further attacks.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet
Specification for more information.

Details

Synopsis :

The remote web server reports its version number on error pages.

Description :

Apache Tomcat appears to be running on the remote host and reporting
its version number on the default error pages. A remote attacker
could use this information to mount further attacks.

See also :

http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
http://jcp.org/en/jsr/detail?id=315

Solution :

Replace the default error pages with custom error pages to hide the
version number. Refer to the Apache wiki or the Java Servlet
Specification for more information.

Risk factor :

None

Plugin output :

ScanAlert found the following version number on an Apache Tomcat
404 page :

4.1.29


References

CVE CVE-2002-2007
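The four version-based Tomcat findings above (4.1.32, 4.1.37, 4.1.39 and 4.1.40 / 5.5.28 / 6.0.20) and this error-page finding all rest on one observation: the 4.1.29 string printed at the foot of the stock error page. The following Python is an added example, not McAfee or ScanAlert code, that reproduces that check offline: it extracts the version from a constructed copy of a Tomcat 4.1 default 404 page and compares it, branch by branch, with the fixed-in versions quoted in this report. The FINDINGS table and the sample page are assumptions built from the text above; the Transfer-Encoding finding is left out because the scanner verified it with a live request rather than by version.

```python
"""Banner-based Tomcat version check, as the findings above perform it.

Added example, not McAfee/ScanAlert code. SAMPLE_404 is a constructed copy of the
stock Tomcat 4.1 error page; FINDINGS is built from the fixed-in versions this
report quotes. The scanner's own plugin data and thresholds are not reproduced.
"""
import re
import urllib.error
import urllib.request

# Version string ErrorReportValve appends to Tomcat's default error pages.
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

# Findings quoted in this report, with the fixed-in version for each branch they name.
# A finding is only applicable when the installed branch is one it lists.
FINDINGS = [
    ("Apache Tomcat 4.x < 4.1.32 Multiple Vulnerabilities", {"4.1": "4.1.32"}),
    ("Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities", {"4.1": "4.1.37"}),
    ("Apache Tomcat 4.x < 4.1.39 Multiple Vulnerabilities", {"4.1": "4.1.39"}),
    ("Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities",
     {"4.1": "4.1.40", "5.5": "5.5.28", "6.0": "6.0.20"}),
]


def parse_version(text):
    """'4.1.29' -> (4, 1, 29), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def branch_of(text):
    """'4.1.29' -> '4.1': the release line the fixed-in versions are keyed on."""
    return ".".join(text.split(".")[:2])


def extract_version(error_page_html):
    """Return the version a stock Tomcat error page discloses, or None for a custom page."""
    match = _VERSION_RE.search(error_page_html)
    return match.group(1) if match else None


def applicable_findings(version, findings=FINDINGS):
    """Return (name, fixed_version) for every finding whose fixed-in version exceeds `version`."""
    installed = parse_version(version)
    branch = branch_of(version)
    hits = []
    for name, fixed_by_branch in findings:
        fixed = fixed_by_branch.get(branch)
        if fixed is not None and installed < parse_version(fixed):
            hits.append((name, fixed))
    return hits


def assess(error_page_html):
    """Version disclosure plus the version-only findings it implies, with the scanner's own caveat."""
    version = extract_version(error_page_html)
    if version is None:
        return {"version": None, "findings": [],
                "note": "no version on the error page; banner-based checks cannot run"}
    return {"version": version, "findings": applicable_findings(version),
            "note": "version-based only: the flaws were not exercised, so each may be a false positive"}


def fetch_error_page(base_url, timeout=10):
    """Live check: request a path that cannot exist and return the 404 body Tomcat serves."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/this-path-does-not-exist",
                                    timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # the 404 we want arrives as an exception
        return err.read().decode("utf-8", "replace")


# Constructed sample of the default 404 page a Tomcat 4.1.29 instance serves.
SAMPLE_404 = """<html><head><title>Apache Tomcat/4.1.29 - Error report</title></head>
<body><h1>HTTP Status 404 - /no-such-page</h1><HR size="1" noshade="noshade">
<p><b>type</b> Status report</p><p><b>message</b> <u>/no-such-page</u></p>
<p><b>description</b> <u>The requested resource (/no-such-page) is not available.</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/4.1.29</h3></body></html>"""

if __name__ == "__main__":
    print(assess(SAMPLE_404))
```

Once the default error page is replaced (a web.xml error-page entry mapping 404 to a static page is the Servlet-spec route the Solution refers to), extract_version() returns None and the banner-based findings can no longer be raised; that removes the disclosure, not the underlying 4.1.29, which still needs the upgrade the version findings call for.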

Severity Name Port Category

Apache Tomcat RequestDispatcher Directory Traversal Vulnerability 8080/tcp Web Server

Description

According to its self-reported version number, the remote host is running a vulnerable version of Apache Tomcat. Due to a bug in a
RequestDispatcher API, target paths are normalized before the query string is removed, which could result in directory traversal attacks.

This could allow a remote attacker to view files outside of the web application's root.

CVSS Score

5.0

CVSS Fingerprint



AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Upgrade to versions 6.0.20 / 5.5.SVN / 4.1.SVN or later, or apply the patches referenced in the vendor advisory. This is the same issue
(CVE-2008-5515) listed first in the "Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20" finding above; for the 4.1 branch running here the fix
shipped in 4.1.40.

Details

None

Links

marc.info
tomcat.apache.org
tomcat.apache.org
tomcat.apache.org
www.fujitsu.com

References

CVE CVE-2008-5515
BugTraq 35263
Secunia 35326
Open Source Vulnerability Database 55053

Severity Name Port Category

Unencrypted Sensitive Form Detected 8080/tcp Web Application

Description

The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user's personal
information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and
passwords by sniffing network traffic. This applies to all web pages that transmit Card Holder Data or Personally Identifiable Information (PII)**.
Examples:
- Users and/or Administrators login to the web site.
- Registration forms such as user signup pages.
- Updating User and/or Administrators profile pages.
- Updating User and/or Administrators shipping information pages.
- Forgot password reset page.
- Company "Contact Us" pages.

** These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for
general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data
protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's
practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs
are not stored, processed, or transmitted.

CVSS Score

6.4

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution

Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing sensitive information to the web
server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

Details

Protocol http Port 8080 Read Timeout 10000 Method POST Demo

Path /servlet/psoft.masonry.Builder

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded

Body
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0



Links

Information on man-in-the-middle attacks
Example software used to audit man-in-the-middle vulnerabilities
Information on ARP poisoning

References

None

Severity Name Port Category

Web Application Cross Site Scripting 8080/tcp Web Application

Description

The remote web application appears to be vulnerable to cross-site scripting (XSS).

The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is
vulnerable if it displays user-submitted content without sanitizing user input.

The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly
sanitize user input, the attacker submits client-side code to the server, which is then rendered by the victim's browser. It is important to note
that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload
onto their computer via the browser.

To identify what parts of your application are susceptible to cross-site scripting, click on "Detail" under the "Found On" section.

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the
client.

Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &apos;
Remove " input and replace with &#x22;
Remove ) input and replace with &#x29;
Remove ( input and replace with &#x28;

Details

Protocol http Port 8080 Read Timeout 10000 Method POST Demo

Path /servlet/psoft.masonry.Builder

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded

Body
action=useraction
useraction=login
requestURL=>"></title></iframe></script></form></td></tr><br><iFraMe src
login=0
password=0
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0

Protocol http Port 8080 Read Timeout 10000 Method POST Demo

Path /servlet/psoft.masonry.Builder



Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded

Body
action=useraction
useraction=login
requestURL=>"></title></iframe></script></form></td></tr><br><iFraMe src

Links

CWE-79
www.cert.org/tech_tips/malicious_code_FAQ.html
www.technicalinfo.net/papers/CSS.html
Apache: Cross Site Scripting Info
XSS Prevention Cheat Sheet
OWASP XSS Description and Solution
sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
OWASP XSS
The Cross Site Scripting FAQ
www.owasp.org/documentation/guide
Top sites vulnerable to hackers
The Cross-Site Scripting Vulnerability

References

CERT CA-2000-02

Severity Name Port Category

SSL Version 2 (v2) Protocol Detection 443/tcp Web Application

Description

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Details

Synopsis :

The remote service encrypts traffic using a protocol with known
weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Links

www.linux4beginners.info
www.schneier.com
www.schneier.com/paper-ssl.html
Disable SSLv2 In IIS
support.microsoft.com
Disable SSL v2 in IIS7
IE Blog

References

None

Severity Name Port Category

OpenSSL < 0.9.6j / 0.9.7b Multiple Vulnerabilities 443/tcp Web Server

Description

According to its banner, the remote host is using a version of OpenSSL older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing-
based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the
private RSA key of the server. An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of
it, as well as impersonate your server and perform man-in-the-middle attacks.

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Upgrade to version 0.9.6j (0.9.7b) or newer.

Details

None

Links

www.openssl.org
lasecwww.epfl.ch
eprint.iacr.org
www.openssl.org

References

CVE CVE-2003-0078
CVE CVE-2003-0131
CVE CVE-2003-0147
BugTraq 6884
BugTraq 7148
Open Source Vulnerability Database 3945
Open Source Vulnerability Database 3946
Open Source Vulnerability Database 3947
Open Source Vulnerability Database 3948
Other SUSE-SA:2003:024
Other RHSA-2003:101-01

Severity Name Port Category

Microsoft Frontpage Extensions Check 443/tcp Other



Description

The remote web server appears to be running with the FrontPage extensions.

FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any
other untrusted third-party network).

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

IMPORTANT: Be sure to remove FrontPage if you are not using it. FrontPage is often installed by default.

If there is a business need to run FrontPage on the web server, then remove all anonymous access to all FrontPage extensions (such as
_vti_bin) which may be mapped on your website as a virtual directory.

If default IIS files were found, remove them from the web server.

Delete all default virtual directories (icon w/ world on top of folder) and application roots (icon w/ green ball in box)
Delete iisadmin
Delete iissamples
Delete msadc.
Delete iishelp
Delete scripts
Delete printers
Delete ALL default content.
Delete %systemdirectory%\inetsrv\iisadmin
Delete %systemdirectory%\inetsrv\iisadmpwd
Delete inetpub\wwwroot (or \ftproot or \smtproot)
Delete inetpub\scripts
Delete inetpub\iissamples
Delete inetpub\adminscripts
Delete %systemroot%\help\iishelp\iis
Delete %systemroot%\web\printers
Delete %systemdrive%\program files\common files\system\msadc. Only websites that integrate with Microsoft Access databases need
msadc.

Run the IIS Lockdown Tool. Download here:
http://www.microsoft.com/technet/security/tools/locktool.mspx

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /_vti_bin/shtml.dll

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /postinfo.html

Links

IIS Security Checklist
Insecure.org
Security Patch for FrontPage Personal Web Server
CPanel

References

CVE CVE-2000-0114
Open Source Vulnerability Database 67

Severity Name Port Category

Unencrypted Sensitive Form Detected 80/tcp Web Application

Description
The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user's personal
information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and
passwords by sniffing network traffic. This applies to all web pages that transmit Card Holder Data or Personally Identifiable Information (PII)**.
Examples:
- Users and/or Administrators login to the web site.
- Registration forms such as user signup pages.
- Updating User and/or Administrators profile pages.
- Updating User and/or Administrators shipping information pages.
- Forgot password reset page.
- Company "Contact Us" pages.

** These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for
general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data
protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's
practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs
are not stored, processed, or transmitted.

CVSS Score

6.4

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution

Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing sensitive information to the web
server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

Details

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /mailman/admin/mailman

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded

Body
adminpw=
admlogin=Let me in...

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /mailman/admin/mailman

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded

Body
adminpw=p455w0rd
admlogin=Let me in...

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /cgi-bin/cartconfig.cgi

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded

Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /cgi-bin/cartconfig.cgi

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded

Body
modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=webappscanner@mcafeesecure.com
pw=p455w0rd
pass=Log in
displayinframes=action

Links

Information on man-in-the-middle attacks
Example software used to audit man-in-the-middle vulnerabilities
Information on ARP poisoning

References

None

Severity Name Port Category

OpenSSL < 0.9.6j / 0.9.7b Multiple Vulnerabilities 80/tcp Web Server

Description

According to its banner, the remote host is using a version of OpenSSL older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing-
based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the
private RSA key of the server. An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of
it, as well as impersonate your server and perform man-in-the-middle attacks.

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Upgrade to version 0.9.6j (0.9.7b) or newer.

Details

None

Links

www.openssl.org
lasecwww.epfl.ch
eprint.iacr.org
www.openssl.org

References

CVE CVE-2003-0078
CVE CVE-2003-0131
CVE CVE-2003-0147
BugTraq 6884
BugTraq 7148
Open Source Vulnerability Database 3945
Open Source Vulnerability Database 3946
Open Source Vulnerability Database 3947
Open Source Vulnerability Database 3948
Other SUSE-SA:2003:024
Other RHSA-2003:101-01

Severity Name Port Category

Http Trace / Track Methods Allowed 80/tcp Web Server

Description

Your Web server appears to support the TRACE and/or TRACK methods. These are debug methods, enabled by default on many web
servers, that echo the client's request (including its headers) back to the client.



Impact: It has been shown that servers supporting these methods are subject to cross-site scripting attacks, dubbed XST for 'Cross-Site
Tracing'.

Since many technologies are capable of performing specially crafted HTTP requests, it may be possible for an attacker to steal sensitive
information such as cookies and authentication data.

To test if your server supports the TRACE method, craft a request with telnet as in the following example (Note: this example shows the
TRACE method enabled):

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: localhost
X-Header: This server supports the Trace Method.

HTTP/1.1 200 OK
Date: Sun, 12 Oct 2008 01:56:54 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

45
TRACE / HTTP/1.1
Host: localhost
X-Header: This server supports the TRACE Method.

Connection closed by foreign host.

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Disable the TRACE and/or TRACK method from the Web server.

IIS:
Use the URLScan tool to deny HTTP TRACE requests. The default configurations of UrlScan 2.5 (both baseline and SRP) only permit GET
and HEAD methods.

For Apache web servers < 1.3.34/2.0.55:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

NOTE: Shared server environments require these directives to be placed in each <VirtualHost> container.

Example:
<VirtualHost x.x.x.x>
ServerAdmin webmaster@foo.com
DocumentRoot /home/foo/public_html
ServerName foo.com
ServerAlias foo.com www.foo.com

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

</VirtualHost>

<VirtualHost x.x.x.x>
ServerAdmin webmaster@foo2.com
DocumentRoot /home/foo2/public_html
ServerName foo2.com
ServerAlias foo2.com www.foo2.com

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

</VirtualHost>



For Apache web servers >= 1.3.34/2.0.55 add the following directive to the global configuration:
TraceEnable Off

Restart Apache for configuration changes to take effect. To test your changes, use telnet to craft a request similar to the following (NOTE:
This example shows TRACE method disabled in the response):

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: localhost
X-Header: Server will return a 403 if TRACE Method is disabled.

HTTP/1.1 403 Forbidden
Date: Sun, 12 Oct 2008 02:04:24 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 276
Connection: close

You should see a 403 response in the header. If you have the ErrorDocument directive set to use a custom error page for a 403, you will
see a 302 response.

Details

Protocol http Port 80 Read Timeout 10000 Method TRACE Demo

Path /erpoiuh2vi4r23E2f.html

Headers
TRACKTRACE=%3Chtml%3E%3Cbody%3EMcafeeSecure%2FTRACKTRACE+%3Cscript%3Ealert%28%27TRACK%2FTRACE%27%29%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E
Cookie=

Links

lwn.net/Articles/20975/
www.kb.cert.org/vuls/id/867593
Cross-site Tracing Whitepaper (PDF file)
www.kb.cert.org
archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Microsoft IIS 6.0
www.apacheweek.com
Microsoft UrlScan Security Tool

References

CVE CVE-2003-1567
CVE CVE-2004-2320
BugTraq 11604
BugTraq 33374
BugTraq 9506
BugTraq 9561
Open Source Vulnerability Database 3726
Open Source Vulnerability Database 50485
Open Source Vulnerability Database 5648
Open Source Vulnerability Database 877

Severity Name Port Category

Microsoft Frontpage Extensions Check 80/tcp Other

Description

The remote web server appears to be running with the FrontPage extensions.

FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical
scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any
other untrusted third-party network).

CVSS Score

5.0

CVSS Fingerprint



AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

IMPORTANT: Be sure to remove FrontPage if you are not using it. FrontPage is often installed by default.

If there is a business need to run FrontPage on the web server, then remove all anonymous access to all FrontPage extensions (such as
_vti_bin) which may be mapped on your website as a virtual directory.

If default IIS files were found, remove them from the web server.

Delete all default virtual directories (icon w/ world on top of folder) and application roots (icon w/ green ball in box)
Delete iisadmin
Delete iissamples
Delete msadc.
Delete iishelp
Delete scripts
Delete printers
Delete ALL default content.
Delete %systemdirectory%\inetsrv\iisadmin
Delete %systemdirectory%\inetsrv\iisadmpwd
Delete inetpub\wwwroot (or \ftproot or \smtproot)
Delete inetpub\scripts
Delete inetpub\iissamples
Delete inetpub\adminscripts
Delete %systemroot%\help\iishelp\iis
Delete %systemroot%\web\printers
Delete %systemdrive%\program files\common files\system\msadc. Only websites that integrate with Microsoft Access databases need
msadc.

Run the IIS Lockdown Tool. Download here:
http://www.microsoft.com/technet/security/tools/locktool.mspx

Details

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_vti_bin/shtml.dll

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /postinfo.html

Links

IIS Security Checklist
Insecure.org
Security Patch for FrontPage Personal Web Server
CPanel

References

CVE CVE-2000-0114
Open Source Vulnerability Database 67

Severity Name Port Category

Apache Userdir Directive Username Enumeration 80/tcp Web Server

Description

The remote Apache server can be used to guess the presence of a given user name on the remote host.

An information leak occurs, due to a configuration error, on Apache-based web servers whenever the UserDir module is enabled.
Requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in that user's home. Installations
with this default misconfiguration allow remote users to determine whether a given username exists on the remote system.

The following example is proof of concept:

http://www.example.com/~foo

1. If user 'foo' exists, the HTTP result code will be 200, and foo's homepage will load in the browser.
2. If user 'foo' exists, but access is restricted, the HTTP result code will be 403, with the following message from Apache: "You don't have
permission to access /~foo on this server."
3. If 'foo' does not exist, the HTTP result code will be 404, with the following message from Apache: "The requested URL /~foo was not
found on this server".

Properly exploited, this information could be used to initiate specific attacks against a given system.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

1) Disable this feature by changing 'UserDir public_html' to 'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.:

RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:

ErrorDocument 404 http://servername.com/sample.html
ErrorDocument 403 http://servername.com/sample.html

NOTE: You need to use a FQDN inside the URL for it to work properly.

Details

Request:StatusCode ---> /~root : 403 ; /~admin : 404 ; /~ScanAlert1234567890 : 404

Links

www.securiteam.com/unixfocus/5WP0C1F5FI.html

References

CVE CVE-2001-1013
BugTraq 3335
Open Source Vulnerability Database 637

Severity Name Port Category

DNS Server Cache Snooping Information Disclosure 53/udp Other

Description

The remote DNS server answers queries for third-party domains even when the query does not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts
have been recently visited.

For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they
would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the
attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, see the links.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution

Restrict access to your DNS server to local users and child servers.

A Safer BIND Configuration

As a conclusion, it is interesting to note that while vulnerabilities in the BIND implementation can be blamed for the problems in the DNS
infrastructure, poor configuration also seems to be widespread. The following configuration [13] is to be taken as an example of a safer BIND
configuration. These settings allow BIND to continue to be used as a cache by the networks "1.2.3.0/24" and "1.2.4.0/24", while still being
able to respond authoritatively to queries regarding the domain "mydomain.com", while ignoring all others. Only relevant configuration
options are displayed.

// Host / network grouping that maps "friendly" nameservers (such as secondary
// nameservers). ACLs must be declared before they are referenced, so they
// come before the options block.
acl other_ns {
    1.2.3.4;    // secondary 1
    1.2.3.5;    // secondary 2
    127.0.0.1;  // localhost
};
// Host / network grouping that maps networks that are able to do queries to other
// records besides the au
acl trusted {
    127.0.0.1;
    1.2.3.0/24; // trusted net 1
    1.2.4.0/24; // trusted net 2
};
options {
    // to allow only specific hosts/networks to use the DNS server:
    allow-query { trusted; };
    // to allow only zone transfers to specific nameservers
    allow-transfer { other_ns; };
};
// authoritative zone
zone "mydomain.com" in {
    type master;
    allow-query { any; }; // allow queries to be made to this zone by anyone
};
// reverse zone for the 1.2.3.0/24 network
zone "3.2.1.in-addr.arpa" in {
    type master;
    allow-query { any; }; // allow queries to be made to this zone by anyone
};

Details

None

Links

DNS CLIENTS
DNS SERVERS

References

None

Severity Name Port Category

DNS Server Recursive Query Cache Poisoning Weakness 53/udp DNS

Description

It is possible to query the remote name server for third party names. If this is your internal nameserver, then ignore this warning. If you are
probing a remote nameserver, then it allows anyone to use it to resolve third party names (such as www.nessus.org). This allows attackers
to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used
to 'bounce' Denial of Service attacks against another network or system.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:P/A:N

Solution

Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using BIND 8,
you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using BIND 9, you can define
a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state: 'allow-recursion {
hosts_defined_in_acl; };' If you are using another name server, consult its documentation.

Details

None
Links

Preventing Cache Poisoning
www.oreilly.com/catalog/dns4/chapter/ch11.html#10959
technet.microsoft.com
Configuring Windows for DNS
www.cert.org/advisories/CA-1997-22.html
XForce ISS Database: bind
www.iss.net/security_center/search.php?type=3&type=3&pattern=bind

References

CVE CVE-1999-0024
BugTraq 136
BugTraq 678
Open Source Vulnerability Database 438

Severity Name Port Category

SMTP Server Detected on Non-standard Port 26/tcp Backdoors / Trojans

Description

This SMTP server appears to be running on a non-standard port.

Alternate SMTP ports are common because an increasing number of ISPs and firewall configurations block outgoing mail (SMTP)
connections on port 25 (the standard SMTP port) en route to their web/email providers. These non-standard ports are opened on
many web servers so that legitimate senders are able to relay through a mail server other than the one run by their ISP.

However, this blocking can cause problems when you need to use an SMTP server other than the provider's (their servers may be unreliable
or overly restrictive), or if they block port 25 but do not provide SMTP service themselves.

CVSS Score

5.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:P/A:N

Solution

Verify whether the alternate SMTP port is part of your normal configuration. If this is the case, you will need to manually resolve this item. If
not, you will need to track down the process that is using this port and disable it. One way to identify processes and their corresponding
ports in Linux is to issue the 'netstat' command. For Red Hat, CentOS, and Fedora, the command line would be 'netstat -tulp'. The output
would look similar to the following:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:smtp *:* LISTEN 17648/tcpserver
tcp 0 0 *:26 *:* LISTEN 17713/tcpserver

Notice that tcpserver (qmail) is using both port 25 and port 26 in this example. The number next to 'tcpserver' is the process ID. If you see an
SMTP process that is not supposed to be running, you can kill it by typing: 'kill PID'. Using the example above, you would type 'kill 17713'. After
that, you can run netstat once more to check for the presence of that process. If the kill command does not remove the process, run this
command: 'kill -9 PID'. This forces the process to terminate.

If the rogue process persists, seek the help of a qualified administrator. At this point, you should assume that the server may have been
compromised. A full security sweep is strongly recommended.

If there is proof of a compromise, contact ScanAlert immediately. We will assist you in the remediation process.

Details

None

Links

www.icir.org

References

None



Severity Name Port Category

Apache Tomcat Cross-application File Manipulation 8080/tcp SNMP

Description

The following versions of Apache Tomcat:

4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18

permit web applications to replace an XML parser used for other web applications, which allows local users to read or modify the:

(1) web.xml
(2) context.xml
(3) tld files

of arbitrary web applications via a crafted application that is loaded earlier than the target application.

CVSS Score

3.6

CVSS Fingerprint

AV:L/AC:L/Au:N/C:P/I:P/A:N

Solution

Mitigation:
Either upgrade to the latest version of Apache Tomcat

OR

6.0.x users should do one of the following:
- upgrade to 6.0.20
- apply these patches:
  - http://svn.apache.org/viewvc?rev=739522&view=rev
  - http://svn.apache.org/viewvc?rev=652592&view=rev

5.5.x users should do one of the following:
- upgrade to 5.5.28 when released
- apply these patches:
  - http://svn.apache.org/viewvc?rev=781542&view=rev
  - http://svn.apache.org/viewvc?rev=681156&view=rev

4.1.x users should do one of the following:
- upgrade to 4.1.40 when released
- apply this patch: http://svn.apache.org/viewvc?rev=781708&view=rev

Details

Synopsis :

The web server running on the remote host has an information
disclosure vulnerability.

Description :

According to its self-reported version number, the remote host is
running a vulnerable version of Apache Tomcat. Affected versions
permit a web application to replace the XML parser used to process
the XML and TLD files of other applications. This could allow a
malicious web app to read or modify 'web.xml', 'context.xml', or TLD
files of arbitrary web applications.

See also :

https://issues.apache.org/bugzilla/show_bug.cgi?id=29936
http://www.securityfocus.com/archive/1/504090
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

Solution :

Upgrade to versions 6.0.20 / 5.5.SVN / 4.1.SVN or later, or apply the
patches referenced in the vendor advisory.

Risk factor :



Low / CVSS Base Score : 3.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N)

CVE : CVE-2009-0783
BID : 35416
Other references : Secunia:35326, Secunia:35344, OSVDB:55056

Links

None

References

CVE CVE-2009-0783
BugTraq 35416
Open Source Vulnerability Database 55056

Severity Name Port Category

OpenSSL Multiple Vulnerabilities < 0.9.8d 443/tcp Other

Description

1. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability

OpenSSL is prone to a denial-of-service vulnerability. A malicious server could cause a vulnerable client application to crash, effectively
denying service. http://www.securityfocus.com/bid/20246

2. OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability

OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it
to an insufficiently sized memory buffer. Successfully exploiting this issue may result in the execution of arbitrary machine code in the
context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users.
http://www.securityfocus.com/bid/20249

3. OpenSSL Insecure Protocol Negotiation Weakness

OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue is due to the implementation of the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option to maintain compatibility with third-party software. This issue presents itself when two
peers try to negotiate the protocol they wish to communicate with. Attackers who can intercept and modify the SSL communications may
exploit this weakness to force SSL version 2 to be chosen. The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted client and server. Note that the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the frequently used 'SSL_OP_ALL' option. SSL peers that are configured
to disallow SSL version 2 are not affected by this issue. http://www.securityfocus.com/bid/15071

4. OpenSSL Public Key Processing Denial of Service Vulnerability

OpenSSL is prone to a denial-of-service vulnerability because it fails to validate the lengths of public keys being used. An attacker can
exploit this issue to crash an affected server using OpenSSL. http://www.securityfocus.com/bid/20247/info

5. OpenSSL DER_CHOP Insecure Temporary File Creation Vulnerability

OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the
application to fail to verify the existence of a file before writing to it. An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege
escalation. http://www.securityfocus.com/bid/11293/info

6. Advanced Encryption Standard Cache Timing Key Disclosure Vulnerability

High-speed implementations of AES are prone to a timing attack vulnerability. The attack is based on observations of the time taken to
complete certain critical AES cryptographic functions (input-dependent table lookups). An attacker may theoretically exploit this issue to
retrieve an entire AES secret key from a target vulnerable AES implementation. http://www.securityfocus.com/bid/13785/info

CVSS2# 5, CVE-2005-2969, (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS2# 7.5, CVE-2006-4343, (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS2# 5, CVE-2006-2940, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS2# 2.1, CVE-2006-3738, (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Score

4.3

CVSS Fingerprint


AV:N/AC:M/Au:N/C:N/I:N/A:P

Solution

Update to the latest version of OpenSSL here: http://www.openssl.org/source/

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /

Links

None

References

CVE CVE-2006-4343
BugTraq 20246
BugTraq 20249

Severity Name Port Category

OpenSSL ASN.1 Error Denial of Service 443/tcp Web Application

Description

It appears that the webserver on the remote host includes a module which is vulnerable to a denial of service attack.

The version of OpenSSL apparently installed on the Apache web server is vulnerable to a denial of service, caused by improper handling of
an ASN.1 error condition. Affected versions are 0.9.7 and 0.9.8 prior to 0.9.7l and 0.9.8d respectively.

A remote attacker could exploit this vulnerability by sending an invalid ASN.1 request to cause an infinite loop condition resulting in all
available memory resources being consumed. Another way to cause a denial of service is to use certain types of public keys to cause the
target system to take a large amount of time to process.

CVSS Score

7.8

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:C

Solution

The vendor has issued fixed versions. In order to resolve this vulnerability, you will need to upgrade to one of these versions.
Download the latest version here:
http://www.openssl.org/source/

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /

apache/2.2.15 (unix) mod_ssl/2.2.15 openssl/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635 php/5.2.13

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /

apache/2.2.15 (unix) mod_ssl/2.2.15 openssl/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635 php/5.2.13

Links


www.openssl.org/source/

References

CVE CVE-2006-2937
CVE CVE-2006-2940
CVE CVE-2006-3738
CVE CVE-2006-3894
CVE CVE-2006-4343
BugTraq 20248

Severity Name Port Category

OpenSSL Multiple Vulnerabilities < 0.9.8d 80/tcp Other

Description

1. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability

OpenSSL is prone to a denial-of-service vulnerability. A malicious server could cause a vulnerable client application to crash, effectively
denying service. http://www.securityfocus.com/bid/20246

2. OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability

OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it
to an insufficiently sized memory buffer. Successfully exploiting this issue may result in the execution of arbitrary machine code in the
context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users.
http://www.securityfocus.com/bid/20249

3. OpenSSL Insecure Protocol Negotiation Weakness

OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue is due to the implementation of the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option to maintain compatibility with third-party software. This issue presents itself when two
peers try to negotiate the protocol they wish to communicate with. Attackers who can intercept and modify the SSL communications may
exploit this weakness to force SSL version 2 to be chosen. The attacker may then exploit various insecurities in SSL version 2 to gain
access to or tamper with the cleartext communications between the targeted client and server. Note that the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option is enabled with the frequently used 'SSL_OP_ALL' option. SSL peers that are configured
to disallow SSL version 2 are not affected by this issue. http://www.securityfocus.com/bid/15071

4. OpenSSL Public Key Processing Denial of Service Vulnerability

OpenSSL is prone to a denial-of-service vulnerability because it fails to validate the lengths of public keys being used. An attacker can
exploit this issue to crash an affected server using OpenSSL. http://www.securityfocus.com/bid/20247/info

5. OpenSSL DER_CHOP Insecure Temporary File Creation Vulnerability

OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the
application to fail to verify the existence of a file before writing to it. An attacker may leverage this issue to overwrite arbitrary files with the
privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege
escalation. http://www.securityfocus.com/bid/11293/info

6. Advanced Encryption Standard Cache Timing Key Disclosure Vulnerability

High-speed implementations of AES are prone to a timing attack vulnerability. The attack is based on observations of the time taken to
complete certain critical AES cryptographic functions (input-dependent table lookups). An attacker may theoretically exploit this issue to
retrieve an entire AES secret key from a target vulnerable AES implementation. http://www.securityfocus.com/bid/13785/info

CVSS2# 5, CVE-2005-2969, (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS2# 7.5, CVE-2006-4343, (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS2# 5, CVE-2006-2940, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS2# 2.1, CVE-2006-3738, (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Score

4.3

CVSS Fingerprint

AV:N/AC:M/Au:N/C:N/I:N/A:P

Solution

Update to the latest version of OpenSSL here: http://www.openssl.org/source/

Details

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /

Links

None

References

CVE CVE-2006-4343
BugTraq 20246
BugTraq 20249

Severity Name Port Category

OpenSSL ASN.1 Error Denial of Service 80/tcp Web Application

Description

It appears that the webserver on the remote host includes a module which is vulnerable to a denial of service attack.

The version of OpenSSL apparently installed on the Apache web server is vulnerable to a denial of service, caused by improper handling of
an ASN.1 error condition. Affected versions are 0.9.7 and 0.9.8 prior to 0.9.7l and 0.9.8d respectively.

A remote attacker could exploit this vulnerability by sending an invalid ASN.1 request to cause an infinite loop condition resulting in all
available memory resources being consumed. Another way to cause a denial of service is to use certain types of public keys to cause the
target system to take a large amount of time to process.

CVSS Score

7.8

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:C

Solution

The vendor has issued fixed versions. In order to resolve this vulnerability, you will need to upgrade to one of these versions.
Download the latest version here:
http://www.openssl.org/source/

Details

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /

apache/2.2.15 (unix) mod_ssl/2.2.15 openssl/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4


frontpage/5.0.2.2635 php/5.2.13
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /

apache/2.2.15 (unix) mod_ssl/2.2.15 openssl/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4


frontpage/5.0.2.2635 php/5.2.13

Links

www.openssl.org/source/

References

CVE CVE-2006-2937
CVE CVE-2006-2940
CVE CVE-2006-3738
CVE CVE-2006-3894
CVE CVE-2006-4343
BugTraq 20248

Severity Name Port Category

Dns Amplification 53/udp DNS

Description

The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer
which is bigger than the original request.

By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a
third-party host using the remote DNS server.

CVSS Score

7.8

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:C

Solution

Restrict access to your DNS server from the public network, or reconfigure it to reject such queries.

Details

Synopsis :

The remote DNS server could be used in a distributed denial of service attack.

Description :

The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer
which is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to
launch a denial of service attack against a third-party host using the remote DNS server.

See also :

http://isc.sans.org/diary.html?storyid=5713

Solution :

Restrict access to your DNS server from the public network, or reconfigure it to reject such queries.

Risk factor :

None

Plugin output :

The DNS query was 17 bytes long, the answer is 316 bytes long.

Links

isc.sans.org
DNS amplification attacks explained
Explanation of DNS Amplification Attack

References

CVE CVE-2006-0988


Severity Name Port Category

HTTP Methods Detected 8080/tcp Web Server

Description

By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.

The response to an OPTIONS request lists the supported methods in the "Allow" header field.
Values of the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.

Details

Synopsis :

This plugin determines which HTTP methods are allowed on various CGI
directories.

Description :

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to
'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response
code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Solution :

n/a

Risk factor :

None

Plugin output :
Based on the response to an OPTIONS request :

- HTTP methods DELETE HEAD OPTIONS POST PUT TRACE GET are allowed on :

Links

OWASP

References

None

Severity Name Port Category

Service Detection 8080/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Sensitive Form Begins at an Unencrypted Page 8080/tcp Web Application

Description

A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc.) that is thought to be SSL-secured.

Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker could
leverage cache poisoning (DNS/DHCP/ARP/etc) or another vulnerability (e.g. XSS) to cause the HTTP page to send information to an
attacker-controlled website instead of the legitimate HTTPS site.

Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and
establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all information in
cleartext (including login credentials, etc).

Victim<---------HTTP--------->Attacker<---------HTTPS--------->Legitimate Site

CVSS Score

2.1

CVSS Fingerprint

AV:L/AC:L/Au:N/C:P/I:N/A:N

Solution

Do not allow any information you want SSL secured to originate from an unsecured page.

Vulnerable example:
http://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^

Secure example:
https://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^^

Details

Protocol http Port 8080 Read Timeout 10000 Method POST Demo

Path /servlet/psoft.masonry.Builder

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded

Body
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0

Links

OWASP Description of Vulnerability
Coverage of Example Toolkit

References

None

Severity Name Port Category

AutoComplete attribute is missing 8080/tcp Information Gathering

Description

The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:

<form method="POST" action="handlepayment.asp" autocomplete="off">

The autocomplete attribute can also be used on an individual form element such as:

<input type="password" autocomplete="off" name="password">

Details

Protocol http Port 8080 Read Timeout 10000 Method POST Demo

Path /servlet/psoft.masonry.Builder

Headers
Referer=http%3A%2F%2Fwww.barrettstoychest.com%3A8080%2Fservlet%2Fpsoft.masonry.Builder
Content-Type=application%2Fx-www-form-urlencoded

Body
action=useraction
useraction=login
requestURL=/servlet/psoft.masonry.Builder?
login=
password=
_language_=ru_RU_CP1251|windows-1251
action.x=0
action.y=0

Links

None

References

None

Severity Name Port Category


Service Detection 3297/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An SSH server is running on this port.

Links

None

References

None

Severity Name Port Category

SSH Protocol Versions Supported 3297/tcp Other

Description

We were able to determine which versions of the SSH protocol the remote SSH daemon supports.

This gives potential attackers additional information about the system they are attacking.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:M/C:N/I:N/A:N

Solution

You are advised to check the versions of the SSH protocol currently supported by the SSH daemon on your server for the following:
- the version is not outdated. Cipher versions are outdated for a reason: cryptographic flaws.

- non-compliance with your organizational security policies. Also review your security policies to see whether they explicitly state that
some versions are not to be used.

- it is advisable to look up industry-standard best practices and use what the industry as a whole uses. This helps to get support if any
problems arise in the future.

Modifying the SSH daemon's configuration file (sshd.conf; the name depends on which SSH daemon is used) to include only those protocols
that are secure and supported is always a good idea.

Details

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.99
- 2.0

SSHv2 host key fingerprint : 1c:d9:e3:ea:0e:59:8a:75:a8:f6:c8:d4:f6:cf:f3:6d


Links

www.openssh.org
OpenSSH QuickRef (pdf)
Example SSHd Config File
Modify SSH Config To Maximize Security

References

None

Severity Name Port Category

SSH Server Type and Version Information 3297/tcp Other

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

None

Details

Synopsis :

An SSH server is listening on this port.

Description :

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution :

n/a

Risk factor :

None

Plugin output :

SSH version : SSH-2.0-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password

Links

www.openssh.org

References

None

Severity Name Port Category

Service Detection 2096/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.


CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 2095/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 2087/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0


CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 2086/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 2083/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N


Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 2082/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 995/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.


Details

A TLSv1 server answered on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 993/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An IMAP server is running on this port through TLSv1.

Links

None

References

None

Severity Name Port Category

Service Detection 465/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A TLSv1 server answered on this port.


Links

None

References

None

Severity Name Port Category

SMTP Banner 465/tcp Mail Services

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Details

Remote SMTP server banner :

220-barrettstoychest.com ESMTP Exim 4.69 #1 Mon, 26 Jul 2010 16:28:35 -0400
220- We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

Links

Microsoft
Sendmail

References

None

Severity Name Port Category

HTTP Methods Detected 443/tcp Web Server

Description

By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.

The response to an OPTIONS request lists the supported methods in the "Allow" header field.
Values of the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.

Details


Synopsis :

This plugin determines which HTTP methods are allowed on various CGI
directories.

Description :

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to
'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response
code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Solution :

n/a

Risk factor :

None

Plugin output :
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

Links

OWASP

References

None

Severity Name Port Category

SSL Cert Info 443/tcp Web Server

Description

This test attempts to provide details pertaining to your SSL certificate.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

None

Details


Links

None

References

None

Severity Name Port Category

Web Server Uses Basic Authentication 443/tcp Web Server

Description

The remote web server contains web pages that are protected by 'Basic' authentication over plain text.

An attacker eavesdropping on the traffic might obtain logins and passwords of valid users.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

Make sure that HTTP authentication is transmitted over HTTPS.

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /_private/

Headers Host=www.barrettstoychest.com

WWW-Authenticate : Basic realm="www.barrettstoychest.com"


Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /_private/

WWW-Authenticate : Basic realm="www.barrettstoychest.com"

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /_private/

WWW-Authenticate : Basic realm="www.barrettstoychest.com"

Links

None

References

None

Severity Name Port Category

Service Detection 443/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port through SSLv2.

Links

None

References

None

Severity Name Port Category

AutoComplete attribute is missing 443/tcp Information Gathering

Description

The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:

<form method="POST" action="handlepayment.asp" autocomplete="off">

The autocomplete attribute can also be used on an individual form element such as:

<input type="password" autocomplete="off" name="password">

Details

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /mailman/admin/mailman

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded

Body adminpw=
admlogin=Let me in...

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /mailman/admin/mailman

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/cartconfig.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded

Body modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%30%3C%49%7D%50%6E%62%5F%71%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /cgi-bin/cartconfig.cgi

Query login=action

Headers Host=www.barrettstoychest.com
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F

Links

None

References

None

Severity Name Port Category

Missing Secure Attribute in an Encrypted Session (SSL) Cookie 443/tcp Web Application

Description

The application sets a cookie over a secure channel without using the "secure" attribute. The cookie RFC states that if the cookie does not have the
secure attribute assigned to it, then the client may pass the cookie to the server over non-secure channels (http). In that case an attacker may be
able to intercept this cookie on the non-secure channel and use it for a session hijacking attack.

CVSS Score

2.1

CVSS Fingerprint

AV:L/AC:L/Au:N/C:P/I:N/A:N

Solution

It is best practice that any cookie sent (Set-Cookie) over an SSL connection explicitly carries the Secure attribute.

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /cgi-bin/cartconfig.cgi

Query login=http%3A%2F%2Fwww.scanalert.com%2Fhelp%2Fscanner%2F5%2Frfi%3F

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F

Path: /cgi-bin/cartconfig.cgi --> No "Secure" Attribute on Secure Channel (https) : pdgroot=/home/tvissxma/public_html/PDGImages; path=/;

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /cgi-bin/cartconfig.cgi

Query login=http%3A%2F%2Fwww.scanalert.com%2Fhelp%2Fscanner%2F5%2Frfi%3F

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F

Path: /cgi-bin/cartconfig.cgi --> No "Secure" Attribute on Secure Channel (https) : pdgconfig=/home/tvissxma/public_html/cgi-bin/PDG_Cart/ConfigPW; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded

Body key=10672A
qty=1
realtimeprice=http://www.scanalert.com/help/scanner/5/rfi?
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=|10672A,1; expires=Monday, 30-Aug-10 20:44:19 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded

Body key=10672A
qty=1
realtimeprice=http://www.scanalert.com/help/scanner/5/rfi?$4.99
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=|10672A,1; expires=Monday, 30-Aug-10 20:44:19 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded

Body key=10672A
qty=1
realtimeprice=$http://www.scanalert.com/help/scanner/5/rfi?.99
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=|10672A,1; expires=Monday, 30-Aug-10 20:44:20 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded

Body key=10672A
qty=1
realtimeprice=$4.http://www.scanalert.com/help/scanner/5/rfi?
add=Add To Cart
reference=http://www.barrettstoychest.com
return=Shop some more

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=|10672A,1; expires=Monday, 30-Aug-10 20:44:20 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%3A443%2Fcgi-bin%2Fshopper.cgi%3Fpreadd%3Dhttp%253A%252F%252Fwww.scanalert.com%252Fhelp%252Fscanner%252F5%252Frfi%253F%26key%3D10672A
Content-Type=application%2Fx-www-form-urlencoded

Body key=10672A
qty=1
realtimeprice=$4.99
add=http://www.scanalert.com/help/scanner/5/rfi?
reference=http://www.barrettstoychest.com
return=Shop some more

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=|10672A,1; expires=Monday, 30-Aug-10 20:44:21 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fshopper.cgi
Content-Type=application%2Fx-www-form-urlencoded

Body reference=http://www.barrettstoychest.com
defaction=recalc
qty0=1
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fshopper.cgi
Content-Type=application%2Fx-www-form-urlencoded

Body reference=http://www.barrettstoychest.com
defaction=recalc
qty0=(test 1)
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;

Protocol https Port 443 Read Timeout 10000 Method POST Demo

Path /cgi-bin/shopper.cgi

Headers Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fshopper.cgi
Content-Type=application%2Fx-www-form-urlencoded

Body reference=http://www.barrettstoychest.com
defaction=recalc
qty0=-1
remove.0=Remove
removeall=Empty the cart
recalc=Recalculate the total

Path: /cgi-bin/shopper.cgi --> No "Secure" Attribute on Secure Channel (https) : basket=x; expires=Monday, 1-Jan-90 00:00:00 GMT; path=/;

Links

owasp
RFC 2109 - HTTP State Management Mechanism
Persistent Client State HTTP Cookies

References

CVE CVE-2004-0462
Open Source Vulnerability Database 19183

Severity Name Port Category

Full Path Disclosure 443/tcp Web Server

Description

The remote webserver appears to display full paths of remote files.

This may point to one or both of: an insecure webserver configuration or an overly detailed error / debug message produced by your web
application. The disclosure may be triggered by and displayed to remote users.

Users may be able to use directory information contained in full paths to obtain sensitive data such as usernames from the remote server.
Access to such information may allow an attacker to tailor attacks to your web application.

Example:
A request to a URI such as http://www.yourwebsite.com/foo/bar.html may cause your webserver to serve a file located at /usr/home/httpuser/html/foo/bar.html

The full path to that remote file should never be displayed to the user because it leaks information about the remote server. If the full path
is displayed to the user, this condition is considered a Full Path Disclosure and this vulnerability is marked.

In the above example, information that may be gleaned includes a valid user (httpuser) as well as a strong indication of the underlying
operating system (Unix variant).

Typical triggers that may cause this form of information disclosure include invalid requests (requests that have parameters populated with
unexpected and unhandled input), making requests directly to files that were intended to be included by other files rather than accessed
directly and excessive custom error output to remote users by web applications.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Solutions to this problem will vary depending on your webserver's configuration and software stack.

Information on how to mitigate this problem for popular setups is linked below.

Items of note from information linked below:

If you are using PHP and require error output for debugging purposes, limit this output to developers by employing conditional statements and
something like PHP's error_reporting() function to modify the runtime configuration of the error reporting level. Pseudocode: if
$_SERVER['REMOTE_ADDR'] == (development IP address here), then error_reporting(E_ALL) else error_reporting(0). Of course this
would allow anyone with your development IP to view this output, which may itself represent a vulnerability. A better solution would be to limit
error reporting to specific user(s) if your web application supports the idea of users, or to base it on some secret (e.g. requiring a long and
seemingly random variable to be passed as a GET parameter before displaying debug output).

This vulnerability may indicate a problem in the webserver software itself and may not be directly caused by your web application. In this
case, it may be necessary to update the concerned software.

Check your webserver configuration files & settings to make sure that they do not permit divulging full path information to a remote user.

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /images/

Host=www.barrettstoychest.com
Headers
Referer=https%3A%2F%2Fwww.barrettstoychest.com%2Fimages%2F

Links

OWASP Entry on Full Path Disclosure
PHP's error_reporting Function
Creating Custom Error Pages in IIS6
Example IIS Full Path Disclosure Vulnerability
Example Apache Tomcat Full Path Disclosure Vulnerability

References

None

Severity Name Port Category

Web Server Directory Enumeration 443/tcp Web Application

Description

This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

n/a

Details

Protocol https Port 443 Read Timeout 10000 Method GET Demo

Path /_private/

/_private/

Links

projects.webappsec.org

References

OWASP OWASP-CM-006

Severity Name Port Category

Service Detection 143/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An IMAP server is running on this port.

Links

None

References

None

Severity Name Port Category

Service Detection 110/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A POP3 server is running on this port.

Links

None

References

None

Severity Name Port Category

EmailID(s) Found 80/tcp Web Application

Description

Scanner found email address(es) on your website.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Please review

Details

/mailman/admin/mailman: --> mailman-owner@cp27.myhostcenter.com,
/cgi-bin/shopper.cgi: --> maximus@nsimail.com,
/: --> sales@barrettstoychest.com, Sales@BarrettsToyChest.com,

Links

None

References

None

Severity Name Port Category

HTTP Methods Detected 80/tcp Web Server

Description

By calling the "OPTIONS" method, it is possible to determine which HTTP methods are allowed on each directory.

The response received for an OPTIONS request lists the supported methods in the "Allow" header field.
Values of the "Allow" header field can include: GET, PUT, DELETE, HEAD, POST, TRACE, OPTIONS

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

This is informational, but knowing certain values of the Allow header field can help an attacker leverage other attacks.

Details

Synopsis :

This plugin determines which HTTP methods are allowed on various CGI
directories.

Description :

By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough
tests' are enabled or 'Enable web applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Solution :

n/a

Risk factor :

None

Plugin output :
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

Links

OWASP

References

None

Severity Name Port Category

Web Server Uses Basic Authentication 80/tcp Web Server

Description

The remote web server contains web pages that are protected by 'Basic' authentication over plain text.

An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

Make sure that HTTP authentication is transmitted over HTTPS.

Details

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_private/

Headers Host=www.barrettstoychest.com

WWW-Authenticate : Basic realm="www.barrettstoychest.com"


Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_private/

WWW-Authenticate : Basic realm="www.barrettstoychest.com"


Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_private/

WWW-Authenticate : Basic realm="www.barrettstoychest.com"

Links

None

References

None

Severity Name Port Category

Service Detection 80/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

A web server is running on this port.

Links

None

References

None

Severity Name Port Category

Sensitive Form Begins at an Unencrypted Page 80/tcp Web Application

Description

A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc.) that is thought to be SSL-secured.

Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker could
leverage cache poisoning (DNS/DHCP/ARP/etc) or another vulnerability (e.g. XSS) to cause the HTTP page to send information to an
attacker-controlled website instead of the legitimate HTTPS site.

Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and
establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all information in
cleartext (including login credentials, etc).

Victim<---------HTTP--------->Attacker<---------HTTPS--------->Legitimate Site

CVSS Score

2.1

CVSS Fingerprint

AV:L/AC:L/Au:N/C:P/I:N/A:N

Solution

Do not allow any information you want SSL secured to originate from an unsecured page.

Vulnerable example:
http://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^

Secure example:
https://www.mybank.com/login POSTs to https://www.mybank.com/dashboard
^^^^^

Details

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /mailman/admin/mailman

Headers Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded

Body adminpw=
admlogin=Let me in...

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /cgi-bin/cartconfig.cgi

Headers Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded

Body modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action

Links

OWASP Description of Vulnerability


Coverage of Example Toolkit

References

None

Severity Name Port Category

AutoComplete attribute is missing 80/tcp Information Gathering

Description

The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users
could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social
security numbers and passwords, must be disallowed from caching information.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as:

<form method="POST" action="handlepayment.asp" autocomplete="off">

The autocomplete attribute can also be used on an individual form element such as:

<input type="password" autocomplete="off" name="password">

Details

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /mailman/admin/mailman

Headers Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fmailman%2Fadmin%2Fmailman
Content-Type=application%2Fx-www-form-urlencoded

Body adminpw=
admlogin=Let me in...

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /mailman/admin/mailman

Protocol http Port 80 Read Timeout 10000 Method POST Demo

Path /cgi-bin/cartconfig.cgi

Headers Referer=http%3A%2F%2Fwww.barrettstoychest.com%2Fcgi-bin%2Fcartconfig.cgi%3Flogin%3Daction
Content-Type=application%2Fx-www-form-urlencoded

Body modulename=/cgi-bin/cartconfig.cgi
securemodulename=/cgi-bin/cartconfig.cgi
tstatus=%DF%BA%E1%AC%3A%3C%49%7D%5C%6E%61%5F%7E%48%38%39%40%7A%51%6B%64%54%78%45
user=
pw=
pass=Log in
displayinframes=action

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /cgi-bin/cartconfig.cgi

Query login=action

Headers Host=www.barrettstoychest.com
Referer=http%3A%2F%2Fwww.barrettstoychest.com%2FCartConfig%2F

Links

None

References

None

Severity Name Port Category

Web Server Directory Enumeration 80/tcp Web Application

Description

This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

n/a

Details

Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_private/

/_private/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_vti_bin/

/_vti_bin/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_vti_log/

/_vti_log/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_vti_pvt/

/_vti_pvt/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /_vti_txt/

/_vti_txt/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /~root/

/~root/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /cgi-bin/

/cgi-bin/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /cgi-sys/

/cgi-sys/
Protocol http Port 80 Read Timeout 10000 Method GET Demo

Path /mailman/

/mailman/

Links

projects.webappsec.org

References

OWASP OWASP-CM-006

Severity Name Port Category

DNS Server Detection 53/udp Other

Description

A DNS server is running on this port. A Domain Name System (DNS) server provides a mapping between hostnames and IP addresses. See
the Wikipedia link below for a better understanding of DNS.

DNS is a potentially dangerous service that should not be running if not needed.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Disable this service if you are not using it.

Details

Synopsis :

A DNS server is listening on the remote host.

Description :

The remote service is a Domain Name System (DNS) server, which
provides a mapping between hostnames and IP addresses.

See also :

http://en.wikipedia.org/wiki/Domain_Name_System

Solution :

Disable this service if it is not needed or restrict access to
internal hosts only if the service is available externally.

Risk factor :

None

Links

Wikipedia

References

None

Severity Name Port Category

Bind Banner 53/udp Bind

Description

The remote host is running BIND, an open-source DNS server. It is possible to extract the version number of the remote installation by
sending a special DNS request for the text 'version.bind' in the domain 'chaos'.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section of named.conf.

Details

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is
possible to extract the version number of the remote installation by
sending a special DNS request for the text 'version.bind' in the
domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the
'version' directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output :

The version of the remote DNS server is :

9.2.4
Other references : OSVDB:23

Links

None

References

Open Source Vulnerability Database 23

Severity Name Port Category

Service Detection 26/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An SMTP server is running on this port.

Links

None

References

None

Severity Name Port Category

SMTP Banner 26/tcp Mail Services

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Details

Remote SMTP server banner :

220-barrettstoychest.com ESMTP Exim 4.69 #1 Mon, 26 Jul 2010 16:28:24 -0400

220- We do not authorize the use of this system to transport unsolicited,

220 and/or bulk e-mail.

500 unrecognized command

500 unrecognized command

Links

Microsoft
Sendmail

References

None

Severity Name Port Category

Service Detection 25/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An SMTP server is running on this port.

Links

None

References

None

Severity Name Port Category

SMTP Banner 25/tcp Mail Services

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Details

Remote SMTP server banner :

220-barrettstoychest.com ESMTP Exim 4.69 #1 Mon, 26 Jul 2010 16:28:30 -0400

220- We do not authorize the use of this system to transport unsolicited,

220 and/or bulk e-mail.

Links

Microsoft
Sendmail

References

None

Severity Name Port Category

Service Detection 22/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An SSH server is running on this port.

Links

None

References

None

Severity Name Port Category

SSH Server Type and Version Information 22/tcp Other

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

None

Details

Synopsis :

An SSH server is listening on this port.

Description :

It is possible to obtain information about the remote SSH
server by sending an empty authentication request.

Solution :

n/a

Risk factor :

None

Plugin output :

SSH version : SSH-2.0-OpenSSH_3.9p1


SSH supported authentication : publickey,gssapi-with-mic,password

Links

www.openssh.org

References

None

Severity Name Port Category

Service Detection 21/tcp Other

Description

This plugin connects to every port and attempts to extract the banner
of the service running on each, and whether the port is SSL-related or
not.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:H/Au:N/C:N/I:N/A:N

Solution

Review services discovered and close unnecessary ones.

Details

An FTP server is running on this port.

Links

None

References

None

Severity Name Port Category

Ftp Supports Clear Text Authentication 21/tcp FTP

Description

The remote FTP server does not encrypt its data and control connections. The
user name and password are transmitted in clear text and may be
intercepted by a network sniffer or a man-in-the-middle attack.

CVSS Score

2.6

CVSS Fingerprint

AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In
the latter case, configure the server such that data and control
connections must be encrypted.

Details

Synopsis :

The remote FTP server allows credentials to be transmitted in clear
text.

Description :

The remote FTP server does not encrypt its data and control connections. The
user name and password are transmitted in clear text and may be
intercepted by a network sniffer or a man-in-the-middle attack.

Solution :

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In
the latter case, configure the server such that data and control
connections must be encrypted.

Risk factor :

Low / CVSS Base Score : 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Links

Configuring vsftpd for Secure Connections
Setting up ProFTPd & TLS on Debian Etch
Configuring & Using SSH/SFTP
Filezilla - Free (GPL) FTP(S) & SFTP Client (Windows, Linux, OS X)

References

None

Severity Name Port Category

Ftp Server Detected 21/tcp FTP

Description

During the scan we have identified an FTP service running. FTP is a file transfer protocol that does not encrypt files during transmission.

According to PCI-DSS 1.1.5b, this service needs to be identified and verified that it is necessary and that security features are documented
and implemented by examining firewall and router configuration standards and settings for this service.

In addition, PCI-DSS 2.2.2 states that if you allow this service to be available, then the appropriate use of its service needs to be justified
and documented.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

As with all insecure protocols, if this service is not being used, it should be disabled.

If this service is being used, then a business justification should be given and documented.

Details

The remote FTP banner is :

220---------- Welcome to Pure-FTPd [TLS] ----------

220-You are user number 2 of 50 allowed.

220-Local time is now 16:28. Server port: 21.

220-This is a private system - No anonymous login

220-IPv6 connections are also welcome on this server.

220 You will be disconnected after 15 minutes of inactivity.

Links

None

References

None

Severity Name Port Category

TCP Timestamps N/A Other

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host
can sometimes be computed.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

n/a

Details

Synopsis :

The remote service implements TCP timestamps.

Description :

The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.

See also :

http://www.ietf.org/rfc/rfc1323.txt

Solution :

n/a

Risk factor :

None

Links

www.ietf.org/rfc/rfc1323.txt

References

None

Severity Name Port Category

Excessive Open Ports Detected N/A Firewall

Description

The most recent port scan reveals that the remote host has 10 or more open ports. This may be an indication of a potential problem on a
particular host. Typically, a high number of open ports could indicate the absence of a firewall, or that the firewall has been mis-configured in
some way. However, many hosts actually require the number of open ports to exceed 10 due to the popular use of Web-based control panels
like H-Sphere, Plesk, and cPanel.

CVSS Score

0.0

CVSS Fingerprint

AV:N/AC:L/Au:N/C:N/I:N/A:N

Solution

Given the plethora of attacks available against different systems, it is imperative that a good firewall policy be in place, as it will prevent
most exploits from taking place. If a firewall is in place, review all open ports and the services running on them to ensure they are valid.
After verifying the open ports, you can mark this vulnerability as resolved - it can only be done manually, unless the number of open ports
drops below 10.

If you do not have a firewall installed, you will not be able to satisfy PCI requirements.

Firewall Solutions by Operating System:

Windows:
For an immediate software based solution install a basic firewall from a vendor such as ZoneLabs or Symantec.
Average or higher traffic sites should consider a hardware based firewall from a vendor like Netscreen, Cisco, Watchguard, or SonicWall.

Windows 2000:
Install and configure IP Security Policies. See the Microsoft URL.

Linux:
Depending on kernel configuration ipchains or iptables should be enabled and port filtering configured to allow public access only to ports
requiring it.

Details

None

Links

www.sonicwall.com/
www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7D40460C-A069-412E-A015-A2AB904B7361
www.watchguard.com/
www.tldp.org/HOWTO/Firewall-HOWTO.html
www.netscreen.com/
Microsoft

References

None

Name: Icmp Timestamp Request Remote Date Disclosure
Port: N/A
Category: Other

Description

The remote host appears to answer to an ICMP timestamp request.

This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.

CVSS Score

0.0

CVSS Fingerprint

AV:L/AC:L/Au:N/C:N/I:N/A:N

Solution

Filter out the ICMP timestamp requests (ICMP type 13), the outgoing ICMP timestamp replies (ICMP type 14), the address mask request
(ICMP type 17), and the address mask reply (ICMP type 18).

Details

The remote clock is synchronized with the local clock.

CVE : CVE-1999-0524
Other references : OSVDB:94

Links

BlackIce Admin Guide
BlackIce Block ICMP
National Vulnerability Database

References

CVE CVE-1999-0524
Open Source Vulnerability Database 94

3.1.5 - Resolved: www.barrettstoychest.com (64.6.242.117)

Date 04-AUG-2008 13:33

Vulnerability OpenSSL PKCS Padding RSA Signature Forgery Vulnerability

Resolved By Brandon Poslof

Port 80

Reason This issue was fixed in RHSA-2006:0680-4; we are using newer RPM openssl-0.9.7a-43.17.el4_6.1 retrieved from
RHN for RHEL 4 which also resolves other issues.

Date 04-AUG-2008 13:33

Vulnerability OpenSSL PKCS Padding RSA Signature Forgery Vulnerability

Resolved By Brandon Poslof

Port 443

Reason This issue was fixed in RHSA-2006:0680-4; we are using newer RPM openssl-0.9.7a-43.17.el4_6.1 retrieved from
RHN for RHEL 4 which also resolves other issues.

Date 04-AUG-2008 13:24

Vulnerability PHP Version Check

Resolved By Brandon Poslof

Port 80

Reason PHP 5.2.5 is installed: PHP 5.2.5 (cli) (built: Jun 21 2008 15:19:18) Copyright (c) 1997-2007 The PHP Group Zend
Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies with the ionCube PHP Loader v3.1.33, Copyright (c)
2002-2007, by ionCube Ltd., and with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend
Technologies with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

Date 04-AUG-2008 13:24

Vulnerability PHP Version Check

Resolved By Brandon Poslof

Port 443

Reason PHP 5.2.5 is installed: PHP 5.2.5 (cli) (built: Jun 21 2008 15:19:18) Copyright (c) 1997-2007 The PHP Group Zend
Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies with the ionCube PHP Loader v3.1.33, Copyright (c)
2002-2007, by ionCube Ltd., and with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend
Technologies with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies
