Your Company System Detail - April 2010

System 192.168.0.112 ( http://www.example.com )   SANS
Criticality
Scan Type Enterprise
Start Date 13-Apr-10 11:54
End Date 13-Apr-10 16:01
Customer Ref
Groups Asia, Unix
Contact E-mail Role
janebloggs@yourcompany.com business
joe.bloggs@technicians.com Technical

Ports: 3 (High:0 Low:3)

  Port Protocol Service Details  
  21 tcp ftp 220 ProFTPD 1.2.1 Server (www.example.com)  
  80 tcp http Apache 1.3.20 Sun Cobalt (Unix) mod_ssl 2.8.4 OpenSSL 0.9.6b PHP 4.3.1 mod_auth_pam_external 0.1 FrontPage 4.0.4.3 mod_perl 1.25  
  443 tcp https Valid certificate: www.example.com  

Ports Closed Since Last Month: 1 (High:0 Low:1)

  Port Protocol Service Details  
  3 icmp timestamp reply Timestamp is 10:46:03  


Vulnerabilities: 11 (High:3 Medium:5 Low:3)

Vulnerability 90064 Authentication Bypass Through Cookie Manipulation   NEW High Risk
Description The remote webserver contains a CGI script or web application which uses cookies for authentication in such a way that login bypass is possible by modifying the cookie value. Example cookie values which allow a login are:
By setting the value of the cookie 'USER' to

ID=10004&COUNTRY=US&USER_REMEMBER=Y

and navigating to http://www.example.com/prizedraw/getuserdata_xml.do we could
access the following sensitive information:

Name: Jemma Green, DOB: Female 11/9/1976, Password: s3c4r3t,
Email: greenj@anymail.com, address details, etc.
 
Solution Recode your web application source code to use stronger authentication. 
Category Application or content flaw.
First Found 13 April 2010 Port 80/tcp Last 6 Months

Vulnerability 11030 Apache < 1.3.26 Chunked Encoding Vulnerability   SANS High Risk
Description This system is running a vulnerable version of Apache, according to its banner. There is a buffer overrun vulnerability in code related to chunked encoding. A remote attacker could use this to crash the service and may be able to take control of the system. 
Solution Upgrade to an unaffected version, or apply a patch. 
Category Hosting or infrastructure flaw.
References CERT Advisory CA-2002-17    Bugtraq ID 5033    CVE-2002-0392    Apache Security Alert    Oracle Security Alert #36   
First Found 13 October 2009 Port 80/tcp Last 6 Months

Vulnerability 90085 Sensitive Information Leakage   NEW High Risk
Description This host is leaking information that may be commercially sensitive or help an attacker craft an attack. An example of the information leaked can be found below: 
The remote AMF gateway application http://www.example.com/messaging/gateway allows unrestricted 
access to customer ordering information and payment details.

For example, calls to com.messaging.partners.getPayment(1337) 
return the details of the following account.

ACCOUNT: 123-123 1234567,
CLIENT: Widget Co Ltd, 99 Corked Road, Atlanta 
AMOUNT: -9845.87 USD
ORDERID: 1337
AUTHORISATION_CODE: 1234565
 
Solution Use a firewall to restrict access to this service. 
Category Application or content flaw.
First Found 13 April 2010 Port 443/tcp Last 6 Months

Vulnerability 11137 Apache < 1.3.27 Multiple Vulnerabilities Medium Risk
Description This system is running a vulnerable version of Apache, according to its banner. There is a cross-site scripting vulnerability through the Host: header, if UseCanonicalName is Off. Exploitation is only possible where wildcard DNS is used. There is also a buffer overrun in the ApacheBench module - if this is enabled, it may allow arbitrary code execution. A further vulnerability exists in the shared memory scoreboard, but this is only exploitable by a local user. 
Solution Upgrade to an unaffected version, or apply a patch.
Workaround : Set UseCanonicalName to On and disable ApacheBench 
Category Hosting or infrastructure flaw.
References CVE-2002-0839    CVE-2002-0840    CVE-2002-0843   
First Found 13 October 2009 Port No information available Last 6 Months

Vulnerability 90091 XPath Injection   NEW Medium Risk
Description One or more scripts on this host appear vulnerable to XPath injection attacks. By requesting a page with parameters containing particular XPath elements, it is possible to force an XPath error or otherwise demonstrate that the user supplied code is being interpreted as XPath statements. This implies that a parameter is being passed to a XPath interpreter without proper input validation. A maliciously crafted parameter might be able to extract hidden information, bypass login requirement or even perform code execution depending on the XPath parser used. The issue can be demonstrated as follows: 
The first URL below returns product information whilst the second does not. This indicates
that the injected expressions are being evaluated by an XPath interpreter.

http://www.example.com/productcatalog/product.do?id=12 and count(/..)=0 and 1=1
http://www.example.com/productcatalog/product.do?id=12 and count(/..)=0 and 1=0

This is simply an example that illustrates the problem, you should fix the underlying injection issue rather than attempting to prevent this exploit from working. 

Solution Perform input validation within the web application and utilise query parameterisation where supported by the XPath parser. 
Category Application or content flaw.
References XPath Injection - Threat Classification   
First Found 13 April 2010 Port 80/tcp Last 6 Months

Vulnerability 11039 Apache mod_ssl < 2.8.10 off by one Vulnerability Medium Risk
Description This system is running a vulnerable version of the mod_ssl Apache module. There is an "off by one" buffer overrun in code related to parsing configuration. A local user with control over .htaccess files could use this to crash the service or take control of the system. 
Solution Upgrade to an unaffected version, or apply a patch. 
Category Hosting or infrastructure flaw.
References Bugtraq ID 5084    Securiteam advisory    CVE-2002-0653   
First Found 13 October 2009 Port 80/tcp Last 6 Months

Vulnerability 12280 Apache < 1.3.31, 2.0.49 Multiple Vulnerabilities   SANS Medium Risk
Description This system is running a vulnerable version of Apache, according to its banner or fingerprint. It is possible for remote attackers to inject escape characters in the log files. A remote attacker can also cause a denial of service by making a long-lasting connection to a rarely used port. For Apache 1.x on 64-bit platforms, there is a mod_access weakness related to IP address rules without a netmask. 
Solution Upgrade to an unaffected version, or apply a patch. 
Category Hosting or infrastructure flaw.
References Buqtraq_9930    CVE-2003-0993    Buqtraq ID 9829    CVE-2004-0174    Buqtraq_9921    CVE-2003-0020   
CVSS Score 5  (AV:N/AC:L/Au:N/C:N/I:N/A:P) 
First Found 13 February 2010 Port 80/tcp Last 6 Months

Vulnerability 90068 SSL Certificate Problems   NEW Medium Risk
Description The remote host has presented a certificate that does not meet the requirements for establishing a secure session. The problems detected were:
  • The certificate name (192.168.0.112) does not match the host's fully qualified name.
  • The certificate has expired (Tues Apr 1 00:59:59 BST 2008).
  • The certificate was not issued by a trusted certificate authority.
  • The certificate is self-signed.
 
Solution Ensure you have a valid certificate issued by a trusted certificate authority. 
Category Hosting or infrastructure flaw.
References Microsoft KB245030    Microsoft KB187498    Apache SSL/TLS Strong Encryption: How-To   
CVSS Score 2.6  (AV:N/AC:H/Au:N/C:P/I:N/A:N) 
First Found 13 April 2010 Port 443/tcp Last 6 Months

Vulnerability 11213 TRACE and/or TRACK Methods Enabled Low Risk
Description This system supports the HTTP TRACE and/or TRACK methods. These increase the exploitability of any cross-site scripting vulnerabilities that may exist in your site. As they are primarily intended for debugging, they can be turned off without reduction of service. 
Solution Disable these methods on production servers.
IIS6, IIS7: Use the URLScan Security tool
IIS5: Use the IIS Lockdown tool
Apache: Use mod_rewrite to redirect unallowed verbs to the forbidden target, or with newer versions use the configuration option 'TraceEnable off'. 
Category Hosting or infrastructure flaw.
References IIS Lockdown Tool    Apache TraceEnable Directive    UrlScan Security Tool    US-CERT VU#867593    CVE-2004-2320   
CVSS Score 5  (AV:N/AC:L/Au:N/C:P/I:N/A:N) 
First Found 13 March 2010 Port 80/tcp Last 6 Months

Vulnerability 11915 Apache < 1.3.29 Multiple Local Flaws Low Risk
Description This system is running a vulnerable version of Apache, according to its banner. This version contains buffer overruns in mod_alias and mod_rewrite. A local user could exploit these to escalate their privileges. 
Solution Upgrade to an unaffected version, or apply a patch. 
References Bugtraq    CVE-2003-0542   
First Found 13 January 2010 Port 80/tcp Last 6 Months

Vulnerability 90001 Holes Detected in Firewall Configuration Low Risk
Description This system is protected by a firewall which blocks access to TCP ports in inconsistent ways. Incoming TCP connections to most ports are simply dropped, however some ports were discovered where the connection is actively refused, for example with a TCP RST. This often indicates a firewall configuration error, and commonly occurs when the configuration has not been altered in line with changing system configuration behind the firewall. For example when a service such as a mail server is removed, but the corresponding firewall rule is not.

The TCP ports which actively refuse connections are: 25 

Solution Reconfigure your firewall to completely drop all connections on ports that you are not running services on. 
Category Hosting or infrastructure flaw.
References Firewalls FAQ   
CVSS Score 2.6  (AV:N/AC:H/Au:N/C:P/I:N/A:N) 
First Found 13 November 2009 Port general/tcp Last 6 Months


Vulnerabilities Fixed Since Last Month: 1 (High:0 Medium:0 Low:1)

Vulnerability 10114 ICMP Timestamp Request Low Risk
Description This system responds to ICMP timestamp requests. A remote attacker could use such requests to determine the exact date and time on the system. This information could be used in attacks against time-based authentication protocols. 
Solution Either disable timestamp replies, or filter them at your firewall. 
References CVE-1999-0524   
First Found 13 March 2010 Port No information available Last 6 Months


Historical Information


Stoplisted Vulnerabilities for this Host: 2

Vulnerability 12085 Apache Tomcat Servlet / JSP Container Default Files Low Risk
Description This system is running an Apache Tomcat servlet/JSP container with default files (such as documentation, default Servlets and JSPs) installed. These files may help an attacker to guess the exact version of the Apache Tomcat which is running on this host and may provide other useful information. 
Solution Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container. 
Category Hosting or infrastructure flaw.
First Found 13 March 2010 Port 443/tcp Last 6 Months
Stopped By: joe.bloggs@technicians.com     From: 12 March 2003     To: 12 March 2013
Reason None specified

Vulnerability 11046 Apache Tomcat TroubleShooter Servlet Detected Low Risk
Description The remote Apache Tomcat server has the TroubleShooter servlet accessible. This displays information about your system configuration, which may be useful to attackers. It can also be used to perform cross-site scripting attacks. You can access the servlet through this URL:
https://192.168.0.112/examples/servlet/TroubleShooter
 
Solution Remove the example files from production servers. If you do require this functionality, protect it using password or IP address authentication. 
References CVE-2002-2006   
CVSS Score 4.3  (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
First Found 13 March 2010 Port 443/tcp Last 6 Months
Stopped By: joe.bloggs@technicians.com     From: 12 March 2003     To: 12 March 2013
Reason None specified

Scans by Westpoint Ltd