Your Company Vulnerability Descriptions - April 2011

Reference:
YC 201135

Global PCI Status: FAILED

Westpoint Ltd has determined that Your Company is NOT COMPLIANT with the PCI scan validation requirement.

This report is provisional. In order to receive an Attestation of Scan Compliance, you must address any failing vulnerabilities and obtain a passing retest of the failing components. In addition you must ensure that you have addressed any issues listed in the 'PCI Finalisation' section of this report.


Reasons for PCI Failure
  • 12 Systems found to be non-compliant due to failing vulnerabilities.
  • 1 System had a mismatched hostname on its SSL certificate.

Vulnerability totals
  • 21 High risk vulnerabilities found.
  • 29 Medium risk vulnerabilities found.
  • 16 Low risk vulnerabilities found.
  • 16 SANS vulnerabilities found.
  • 22 New vulnerabilities found.
  • 1 Urgent vulnerability found.
  • 4 Overdue vulnerabilities found.

System totals (20 systems scanned)
  • 9 Systems (45%) had high risk vulnerabilities.
  • 3 Systems (15%) had medium risk vulnerabilities.
  • 0 Systems (0%) had low risk vulnerabilities.
  • 9 Systems (45%) had SANS vulnerabilities.
  • 12 Systems (60%) failed PCI criteria.
  • 8 Systems (40%) passed PCI criteria.
  • 1 System (5%) had urgent vulnerabilities.
  • 3 Systems (15%) had overdue vulnerabilities.
Scan Type: Enterprise
Start Date: 13-Apr-11 11:54
End Date: 16-Apr-11 16:32
Report Generated: 08-Jun-11 11:09
Expiry Date: 15-Jul-11 16:32
Systems Scanned: 20
New Systems: 2


Summary of Vulnerabilities


90052 Administration Interface with Weak Password   NEW   FAIL   1 System   High Risk
Description: This host is exposing an administration interface to the Internet with a default or easily guessable password. This allows a remote attacker full access to modify settings or content. The login details are:
[For specific url or description click server link below.]
Solution: Set a stronger password and/or ensure this interface is not accessible from the Internet.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-1999-0508   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.your_company.nl (192.168.0.103)   NEW

90064 Authentication Bypass Through Cookie Manipulation   NEW   FAIL   1 System   High Risk
Description: The remote webserver contains a CGI script or web application which uses cookies for authentication in such a way that login bypass is possible by modifying the cookie value. Example cookie values which allow a login are:
[For specific url or description click server link below.]
Solution: Recode your web application source code to use stronger authentication.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:N)   Fail
Systems: www.example.com (192.168.0.112)   NEW

10993 IIS ASP.NET Application Trace Enabled   NEW   FAIL   1 System   High Risk
Description: This web server has an ASP.NET application running with application tracing enabled. This allows an attacker to view detailed information on recent HTTP requests. Sensitive information revealed includes physical paths and even session IDs. An example URL you can use to exploit this is:
[For specific url or description click server link below.]
Solution: Set 'trace enabled=false' in web.config.
Category: Hosting or infrastructure flaw.
References: ASP.Net Tracing Overview; Tracing; How to: Enable Tracing for an ASP.NET Page; How to: Enable Tracing for an ASP.NET Application
CVE Reference: CVE-MAP-NOMATCH   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: www.your_company.nl (192.168.0.103)   NEW

90109 Possible Compromise   NEW   FAIL   1 System   High Risk
Description: Suspicious content or behaviour from the remote host indicates that it may have been compromised by a virus or remote attacker.
[For specific url or description click server link below.]
Solution: Consider restoring the host from trusted media.
Category: N/A
CVE Reference: CVE-MAP-NOMATCH   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
Systems: www.yourcompany.co.uk (192.168.0.100)   NEW

90139 Script Allows Arbitrary Command Execution   NEW   FAIL   1 System   High Risk
Description: One or more scripts on this host appear to execute commands which can be manipulated by remote users. This flaw may allow arbitrary commands to be executed with the same privileges as the web server. A remote attacker could exploit this flaw to compromise the system. Under some circumstances it may be possible for an attacker to elevate the privileges gained through the exploitation of local system flaws. An example that demonstrates this is:
[For specific url or description click server link below.]
This is simply an example that illustrates the problem; you should fix the underlying issue rather than attempting to prevent this exploit from working.
Solution: Recode the web application to ensure that unsanitised user supplied input is never included in executable statements.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.yourcompany.co.uk (192.168.0.100)   NEW

11139 Script Appears Vulnerable to SQL Injection   NEW   FAIL   1 System   High Risk
Description: One or more scripts on this host appear vulnerable to an SQL injection attack. By requesting the page with parameters containing particular SQL commands, it is possible to force a database level error or otherwise demonstrate that the database is executing user supplied code. This implies that the parameter is being passed to the database without proper input validation. A maliciously crafted parameter could modify the contents of the database, damage it, extract hidden information, allow an attacker to login without a password or allow execution of arbitrary system commands, depending on the type of database. The issue can be demonstrated as follows:
[For specific url or description click server link below.]

This is simply an example that illustrates the problem; you should fix the underlying injection issue rather than attempting to prevent this exploit from working.

Note: Users of Microsoft Internet Explorer may need to disable the 'Show Friendly HTTP Error Messages' option in the Advanced tab of the options dialog in order to see the example properly.

Solution: Use bound parameters (also known as parameterised commands) and improve input validation in the web application source code.
Category: Application or content flaw.
References: SQL Injection: Modes of Attack, Defence, and Why It Matters; OWASP Top Ten - Injection Flaws; Security Considerations for SQL Server: SQL Injection
CVE Reference: CVE-MAP-NOMATCH   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.yourcompany.co.uk (192.168.0.100)   NEW

90085 Sensitive Information Leakage   NEW   FAIL   1 System   High Risk
Description: This host is leaking information that may be commercially sensitive or help an attacker craft an attack. An example of the information leaked can be found below:
[For specific url or description click server link below.]
Solution: Use a firewall to restrict access to this service.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: www.example.com (192.168.0.112)   NEW

90027 High Risk Ports Open   FAIL   6 Systems   High Risk
Description: The following high risk ports are open:
[For specific url or description click server link below.]
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if the ports are immediately closed after being opened, this is still a security risk as packets are reaching the destination host. It is recommended to completely drop packets from untrusted sources instead.

Solution: Ensure that the ports are filtered by your router or firewall or close the ports on the affected systems.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 6.4 (Medium) (AV:N/AC:L/Au:N/C:P/I:P/A:N)   Fail
Systems:
  dns0.example.com (192.168.0.110)   [Oct 2010]
  sql1.manc.yourcompany.com (192.168.1.52)   [Feb 2011]
  sql2.manc.yourcompany.com (192.168.1.53)   [Nov 2010]
  www.your_company.fr (192.168.0.105)   NEW
  www.your_company.nl (192.168.0.103)   NEW
  www.yourcompany.com (192.168.0.101)   NEW

10264 SNMP Default Community Names   SANS   FAIL   3 Systems   High Risk
Description: This system is running an SNMP agent which uses an easily guessable community string. This enables an attacker to extract a large amount of useful information. If a writeable community string is guessable, an attacker could make configuration changes to the server. Here is a sample of the information that can be extracted:
[For specific url or description click server link below.]
Solution: Disable SNMP, or change the community string to something unguessable.
Category: Hosting or infrastructure flaw.
CVE References:
  CVE-1999-0517   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-1999-0516   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-1999-0254   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2010-1574   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-1999-0186   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2004-0311   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2004-1474   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)   Fail
Systems:
  dns0.example.com (192.168.0.110)   [Feb 2011]
  www.your_company.fr (192.168.0.105)   NEW
  www.your_company.nl (192.168.0.103)   [Jul 2010]

11030 Apache < 1.3.26 Chunked Encoding Vulnerability   SANS   FAIL   1 System   High Risk
Description: This system is running a vulnerable version of Apache, according to its banner. There is a buffer overrun vulnerability in code related to chunked encoding. A remote attacker could use this to crash the service and may be able to take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: Apache Security Alert; CERT Advisory CA-2002-17; Bugtraq ID 5033; Oracle Security Alert #36
CVE Reference: CVE-2002-0392   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.example.com (192.168.0.112)   [Oct 2010]

10605 BIND < 8.2.3 Buffer Overrun   SANS   OVERDUE   FAIL   1 System   High Risk
Description: This system is running a vulnerable version of BIND, according to its banner. There is a buffer overrun vulnerability in code related to transaction signatures (TSIG). A remote attacker could use this to crash the service and take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
CVE References:
  CVE-2001-0011   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2001-0013   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2001-0010   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
  CVE-2001-0012   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Deadline: 13 August 2010
Systems: dns0.example.com (192.168.0.110)   [Mar 2011]

11424 IIS WebDAV Buffer Overrun   FAIL   1 System   High Risk
Description: This system is an IIS server running WebDAV. This may be vulnerable to a buffer overrun when a malicious WebDAV request is sent. When running on an unpatched Windows 2000 server, a remote attacker could use this to crash the service or take control of the system.
Note: This may be a false positive as it is not possible to determine remotely if the patch has been applied.
Solution: Apply the patch from Microsoft. In addition we suggest you edit the registry to disable WebDAV, following these instructions. If you do not disable WebDAV then this vulnerability will continue appearing until you stoplist it.
Category: Hosting or infrastructure flaw.
References: Microsoft Security Bulletin MS03-007; CERT Advisory CA-2003-09; Microsoft Knowledge Base Q241520
CVE Reference: CVE-2003-0109   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.your_company.nl (192.168.0.103)   [May 2010]

10481 MySQL Database Accessible Without Password   OVERDUE   FAIL   1 System   High Risk
Description: This system is running a MySQL service that allows network connections with no password. A remote attacker could use this to manipulate the database in any way. The unpassworded accounts are:
[For specific url or description click server link below.]
Solution: Add a password or restrict access to trusted addresses.
References: Bugtraq ID 11704
CVE References:
  CVE-2004-1532   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-2002-1809   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Deadline: 01 April 2011
Systems: sql1.manc.yourcompany.com (192.168.1.52)   [Mar 2011]

11316 Sendmail < 8.12.8 Buffer Overrun   SANS   URGENT   FAIL   1 System   High Risk
Description: This system is running a vulnerable version of Sendmail, according to its banner. There is a buffer overrun vulnerability in code related to message header parsing. A remote attacker could use this to crash the service or possibly take control of the system. This version may also be vulnerable to a flaw in smrsh which allows local users to escalate their privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: US-CERT VU#398025
CVE References:
  CVE-2001-1349   CVSS2 3.7 (Low) (AV:L/AC:H/Au:N/C:P/I:P/A:P)   Pass
  CVE-2002-1165   CVSS2 4.6 (Medium) (AV:L/AC:L/Au:N/C:P/I:P/A:P)   Pass
  CVE-2002-1337   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
Deadline: 01 May 2011
Systems: mail.example.com (192.168.0.111)   [May 2010]

90068 SSL Certificate Problems   NEW   FAIL   1 System   Medium Risk
Description: The remote host has presented a certificate that does not meet the requirements for establishing a secure session. The problems detected were:
[For specific url or description click server link below.]
Solution: Ensure you have a valid certificate issued by a trusted certificate authority.
Category: Hosting or infrastructure flaw.
References: Microsoft KB245030; Apache SSL/TLS Strong Encryption: How-To; Microsoft KB187498
CVE Reference: CVE-MAP-NOMATCH   CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)   Pass
Systems: www.example.com (192.168.0.112)   NEW

90072 Script Allows Arbitrary Redirection   NEW   FAIL   1 System   Medium Risk
Description: It is possible to craft a URL which appears to be located on this site, but will redirect users to an arbitrary location. This site could then pose as the legitimate site and prompt users to provide sensitive information. It could also contain any other type of malicious content. The following is an example of a URL which will redirect you to another site:
[For specific url or description click server link below.]
Solution: Recode scripts to allow redirections only to specific locations, for example limit redirections to your own domain.
Category: Application or content flaw.
References: OWASP Guide: Phishing; Phishing: Understanding and Preventing Phishing Attacks; Anti-Phishing Technology
CVE Reference: CVE-MAP-NOMATCH   CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)   Fail
Systems: www.yourcompany.co.uk (192.168.0.100)   NEW

90111 Service Permits Unauthenticated Users to Send Arbitrary Emails   NEW   PASS   1 System   Medium Risk
Description: A service on the remote host appears to allow unauthenticated users to send emails containing arbitrary content. This service might be exploited by a remote attacker to conceal their identity whilst performing activities such as spamming, phishing and fraud.
The issue can be demonstrated as follows:
[For specific url or description click server link below.]

Note: This vulnerability may be a false positive as we do not attempt to send arbitrary messages in order to avoid the possibility of crashing the service.
Solution: Restrict the service to authenticated users, restrict the allowed recipient email addresses or prevent users from controlling the email's content. Implementing a captcha mechanism could help prevent the attacker from automating their activities.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 0.0 (Low) (AV:N/AC:L/Au:N/C:N/I:N/A:N)   Pass
Systems: www.yourcompany.co.uk (192.168.0.100)   NEW

90110 Weak or Ineffective Authentication Mechanism   NEW   FAIL   1 System   Medium Risk
Description: The remote server attempts to protect content through a mechanism which is ineffective, or can be trivially circumvented. The issue can be demonstrated as follows:
[For specific url or description click server link below.]
Solution: Recode your application to use a stronger authentication mechanism.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 6.4 (Medium) (AV:N/AC:L/Au:N/C:P/I:P/A:N)   Fail
Systems: www.your_company.nl (192.168.0.103)   NEW

90091 XPath Injection   NEW   FAIL   1 System   Medium Risk
Description: One or more scripts on this host appear vulnerable to XPath injection attacks. By requesting a page with parameters containing particular XPath elements, it is possible to force an XPath error or otherwise demonstrate that the user supplied code is being interpreted as XPath statements. This implies that a parameter is being passed to an XPath interpreter without proper input validation. A maliciously crafted parameter might be able to extract hidden information, bypass login requirements or even perform code execution depending on the XPath parser used. The issue can be demonstrated as follows:
[For specific url or description click server link below.]

This is simply an example that illustrates the problem; you should fix the underlying injection issue rather than attempting to prevent this exploit from working.

Solution: Perform input validation within the web application and utilise query parameterisation where supported by the XPath parser.
Category: Application or content flaw.
References: XPath Injection - Threat Classification
CVE Reference: CVE-MAP-NOMATCH   CVSS2 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:P)   Fail
Systems: www.example.com (192.168.0.112)   NEW

10539 Globally Useable Name Server   SANS   FAIL   3 Systems   Medium Risk
Description: This system is running a name server that allows any system on the Internet to perform recursive queries and resolve third-party domain names. A remote attacker could use this to extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks.
Solution: Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives.
Category: Hosting or infrastructure flaw.
References: Securing Windows Server 2003 Domain Controllers
CVE Reference: CVE-1999-0024   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)   Fail
Systems:
  www.your_company.fr (192.168.0.105)   NEW
  www.your_company.nl (192.168.0.103)   NEW
  www.yourcompany.net (192.168.0.102)   [May 2010]

11137 Apache < 1.3.27 Multiple Vulnerabilities   FAIL   2 Systems   Medium Risk
Description: This system is running a vulnerable version of Apache, according to its banner. There is a cross-site scripting vulnerability through the Host: header, if UseCanonicalName is Off. Exploitation is only possible where wildcard DNS is used. There is also a buffer overrun in the ApacheBench module; if this is enabled, it may allow arbitrary code execution. A further vulnerability exists in the shared memory scoreboard, but this is only exploitable by a local user.
Solution: Upgrade to an unaffected version, or apply a patch.
Workaround: Set UseCanonicalName to On and disable ApacheBench.
Category: Hosting or infrastructure flaw.
CVE References:
  CVE-2002-0839   CVSS2 7.2 (High) (AV:L/AC:L/Au:N/C:C/I:C/A:C)   Pass
  CVE-2002-0840   CVSS2 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:P)   Fail
  CVE-2002-0843   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems:
  www.example.com (192.168.0.112)   [Oct 2010]
  www.yourcompany.co.uk (192.168.0.100)   [Nov 2010]

10815 Cross-Site Scripting   FAIL   2 Systems   Medium Risk
Description: This system is running a web server or web application which is vulnerable to Cross-Site Scripting (XSS) attacks. Certain pages include user-supplied input in the response and HTML special characters are not escaped. An attacker could use this to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, etc. An example that demonstrates this is:
[For specific url or description click server link below.]
This is simply an example that illustrates the problem; you should fix the underlying issue rather than attempting to prevent this exploit from working.

Note: This vulnerability must be addressed server-side. Adding JavaScript (client-side) validation on form fields does not offer any protection against Cross-Site Scripting or other attacks.

Solution: Recode your web application to ensure all user supplied input is escaped when displayed, or contact your web application vendor for a patch. Any JavaScript-based fix will not be effective.
Category: Application or content flaw.
References: General Info; CERT Advisory CA-2000-02; XSS Anatomy; PHP htmlspecialchars Quoting Function; How To: Prevent Cross-Site Scripting in ASP.NET; OWASP XSS Prevention Cheat Sheet
CVE References:
  CVE-2003-1543   CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)   Fail
  CVE-2006-1681   CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)   Fail
  CVE-2002-1060   CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)   Fail
  CVE-2005-2453   CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)   Fail
Systems:
  www.your_company.nl (192.168.0.103)   NEW
  www.yourcompany.net (192.168.0.102)   [Dec 2010]

11378 MySQL < 3.23.56 Privilege Escalation   SANS   FAIL   2 Systems   Medium Risk
Description: This system is running a vulnerable version of MySQL, according to its banner. There is insufficient permissions checking in code related to the "select into outfile" SQL command. A database user could use this to overwrite configuration files and escalate privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: Bugtraq ID 7052
CVE Reference: CVE-2003-0150   CVSS2 9.0 (High) (AV:N/AC:L/Au:S/C:C/I:C/A:C)   Fail
Systems:
  sql1.manc.yourcompany.com (192.168.1.52)   [Feb 2011]
  sql2.manc.yourcompany.com (192.168.1.53)   [Dec 2010]

11842 MySQL < 3.23.58, 4.0.15 Password Overflow   SANS   FAIL   2 Systems   Medium Risk
Description: This system is running a vulnerable version of MySQL, according to its banner. There is a buffer overrun vulnerability in code related to passwords. A database user could use this to crash the service and take control of the system, by changing their password to a carefully crafted value.
Solution: Upgrade to an unaffected version, or apply a patch.
References: Bugtraq ID 8590
CVE Reference: CVE-2003-0780   CVSS2 9.0 (High) (AV:N/AC:L/Au:S/C:C/I:C/A:C)   Fail
Systems:
  sql1.manc.yourcompany.com (192.168.1.52)   [Feb 2011]
  sql2.manc.yourcompany.com (192.168.1.53)   [Feb 2011]

10882 SSH Protocol Version 1 Enabled   FAIL   2 Systems   Medium Risk
Description: This system is running an SSH service with SSH protocol version 1 enabled. This version of the protocol is not completely cryptographically secure. A passive eavesdropper could use these weaknesses to extract information such as the lengths of passwords and commands.
Solution: Configure your SSH service to only use protocol version 2. For OpenSSH, set the 'Protocol' option to '2'.
Category: Hosting or infrastructure flaw.
References: US-CERT VU#596827; OSVDB ID 2116
CVE References:
  CVE-2001-0361   CVSS2 4.0 (Medium) (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Fail
  CVE-2001-0572   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems:
  mail.example.com (192.168.0.111)   [Nov 2010]
  www.yourcompany.net (192.168.0.102)   [Jan 2011]

12280 Apache < 1.3.31, 2.0.49 Multiple Vulnerabilities   SANS   FAIL   1 System   Medium Risk
Description: This system is running a vulnerable version of Apache, according to its banner or fingerprint. It is possible for remote attackers to inject escape characters in the log files. A remote attacker can also cause a denial of service by making a long-lasting connection to a rarely used port. For Apache 1.x on 64-bit platforms, there is a mod_access weakness related to IP address rules without a netmask.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: Bugtraq ID 9930; Bugtraq ID 9921; Bugtraq ID 9829; US-CERT VU#132110
CVE References:
  CVE-2004-0174   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
  CVE-2003-0993   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-2003-0020   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)   Fail
Systems: www.example.com (192.168.0.112)   [Feb 2011]

11039 Apache mod_ssl < 2.8.10 Off-by-one Vulnerability   PASS   1 System   Medium Risk
Description: This system is running a vulnerable version of the mod_ssl Apache module. There is an "off by one" buffer overrun in code related to parsing configuration. A local user with control over .htaccess files could use this to crash the service or take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: Securiteam advisory; Bugtraq ID 5084
CVE Reference: CVE-2002-0653   CVSS2 4.6 (Medium) (AV:L/AC:L/Au:N/C:P/I:P/A:P)   Pass
Systems: www.example.com (192.168.0.112)   [Oct 2010]

10595 DNS Zone Transfer   OVERDUE   PASS   1 System   Medium Risk
Description: This system is running a name server that allows DNS zone transfers to be performed. This information could be useful to an attacker trying to map your network. The configuration may be intentional, but it's usual practice to restrict zone transfers. Here is a sample of the data that can be extracted:
[For specific url or description click server link below.]
Solution: Restrict zone transfers to trusted addresses, usually just your slave name servers.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-1999-0532   CVSS2 0.0 (Low) (AV:N/AC:L/Au:N/C:N/I:N/A:N)   Pass
Deadline: 13 February 2011
Systems: dns0.example.com (192.168.0.110)   [Mar 2011]

10661 IIS .printer ISAPI Filter Enabled   FAIL   1 System   Medium Risk
Description: This system is running IIS and has the .printer ISAPI filter enabled. Some versions of this filter contain a buffer overrun vulnerability. A remote attacker could use this to crash the service or take control of the system.
Note: To avoid crashing your server, we have not directly tested for the vulnerability and this may not be a real hole. However, as the filter is not usually required, you should turn it off as a matter of good practice.
Solution: If you don't require this filter, disable it. If it is required, make sure the latest patches are applied.
Category: Hosting or infrastructure flaw.
References: Microsoft Security Bulletin MS01-023
CVE Reference: CVE-2001-0241   CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)   Fail
Systems: www.your_company.nl (192.168.0.103)   [Feb 2011]

10991 IIS global.asa Accessible   FAIL   1 System   Medium Risk
Description: This system is running IIS and allows retrieval of the /global.asa file. This is a global configuration file which may contain sensitive information such as database passwords, physical paths and configuration options. This vulnerability may be caused by a missing ISAPI map of the .asa extension to asp.dll. Here is a sample of your global.asa file:
[For specific url or description click server link below.]
Solution: Restore the .asa map. Alternatively, use a filter program such as URLScan to explicitly forbid such requests.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-MAP-NOMATCH   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: www.your_company.nl (192.168.0.103)   [Mar 2011]

11718 Lotus Domino < 5.0.9 Database Lock DoS   PASS   1 System   Medium Risk
Description: This system is running a vulnerable version of Lotus Domino, according to its banner. There is a vulnerability in the code related to database locking. A remote attacker could use this to lock out some databases, by requesting them through the web interface with a carefully crafted URL.
Solution: Upgrade to an unaffected version, or apply a patch.
CVE Reference: CVE-2001-0954   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
Systems: www.yourcompany.com.my (192.168.0.106)   [Jan 2011]

10629 Lotus Domino Anonymous Database Access   FAIL   1 System   Medium Risk
Description: This system is running Lotus Domino. Some databases are accessible without authentication:
[For specific url or description click server link below.]
This usually represents a security risk as the information contained is accessible to anyone on the internet.
Solution: Reconfigure Domino to require authentication for these databases.
CVE References:
  CVE-2000-0021   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
  CVE-2002-0664   CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
Systems: www.yourcompany.com.my (192.168.0.106)   [Feb 2011]

11299 MySQL < 3.23.55 Multiple Vulnerabilities   SANS   FAIL   1 System   Medium Risk
Description: This system is running a vulnerable version of MySQL, according to its banner. Insufficient permissions checking related to the "select into outfile" SQL command allows a database user to escalate their privileges to root. There is also a double free vulnerability that allows a database user to crash the service. A "database user" could be a remote attacker who has valid database credentials.
Solution: Upgrade to an unaffected version, or apply a patch.
CVE References:
  CVE-2003-0150   CVSS2 9.0 (High) (AV:N/AC:L/Au:S/C:C/I:C/A:C)   Fail
  CVE-2003-0073   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
Systems: sql2.manc.yourcompany.com (192.168.1.53)   [Nov 2010]

11574 OpenSSH < 3.6.1p2 PAM Timing Attack   FAIL   1 System   Medium Risk
Description: This system appears to be running a vulnerable version of OpenSSH. If PAM authentication is used there is a timing attack against the protocol. A remote attacker could use this to conduct brute force attacks against users' passwords.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
CVE References:
  CVE-2003-1562   CVSS2 5.1 (Medium) (AV:N/AC:H/Au:N/C:P/I:P/A:P)   Fail
  CVE-2003-0190   CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: mail.example.com (192.168.0.111)   [Mar 2011]

Vulnerability 12110: OpenSSL < 0.9.6m, 0.9.7d Multiple Vulnerabilities   [SANS]   PCI: FAIL   1 System   Medium Risk
Description: This system is running a vulnerable version of OpenSSL, according to its banner. A remote attacker could crash the service by conducting a deliberately invalid SSL/TLS handshake. Also, this version is vulnerable to a timing-based attack which may allow an attacker to guess the content of fixed data blocks, such as passwords or credit card numbers.
Solution: Upgrade to an unaffected version, or apply a patch.
Category: Hosting or infrastructure flaw.
References: Bugtraq ID 9899
CVE References:
  CVE-2004-0079   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
  CVE-2003-0131   CVSS2 7.5 (High)   (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-1999-0428   CVSS2 7.5 (High)   (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Fail
  CVE-2004-0112   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
  CVE-2003-0147   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
  CVE-2003-0078   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
  CVE-2004-0081   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Pass
Systems: apollo.example.com (192.168.0.81)   [Nov 2010]

Vulnerability 10249: SMTP Server Allows VRFY/EXPN   PCI: FAIL   1 System   Medium Risk
Description: This system is running an SMTP server which allows the VRFY and/or EXPN commands. These can be used to check the validity of accounts, find the delivery address of mail aliases, or even determine the full name of a recipient. An attacker could use this information to focus their attacks, or aid social engineering. The information leakage is unnecessary, so you should disable these commands.
Solution: If you are using sendmail, add the configuration directive 'PrivacyOptions=goaway'. For other mail daemons, consult the documentation.
Category: Hosting or infrastructure flaw.
CVE Reference:
  CVE-MAP-NOMATCH   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: mail.example.com (192.168.0.111)   [Mar 2011]

Vulnerability 10884: NTP Information Leakage   [NEW]   PCI: FAIL   1 System   Low Risk
Description: This system is running an NTP server that responds to information requests. A remote attacker could use this to extract information about the system, e.g. operating system, upstream NTP server and detailed clock information.
Solution: Configure ntpd to ignore information requests. Alternatively, use a firewall to restrict NTP to trusted addresses.
Category: Hosting or infrastructure flaw.
CVE Reference:
  CVE-MAP-NOMATCH   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: www.yourcompany.com (192.168.0.101)   NEW

Vulnerability 90001: Holes Detected in Firewall Configuration   PCI: PASS   4 Systems   Low Risk
Description: This system is protected by a firewall which blocks access to TCP ports in inconsistent ways. Incoming TCP connections to most ports are simply dropped; however, some ports were discovered where the connection is actively refused, for example with a TCP RST. This often indicates a firewall configuration error, and commonly occurs when the configuration has not been altered in line with changing system configuration behind the firewall. For example, a service such as a mail server is removed, but the corresponding firewall rule is not.

The TCP ports which actively refuse connections are: [For specific url or description click server link below.]

Solution: Reconfigure your firewall to completely drop all connections on ports that you are not running services on.
Category: Hosting or infrastructure flaw.
References: Firewalls FAQ
CVE Reference:
  CVE-MAP-NOMATCH   CVSS2 2.6 (Low)   (AV:N/AC:H/Au:N/C:P/I:N/A:N)   Pass
Systems:
  dns0.example.com (192.168.0.110)   NEW
  mail.example.com (192.168.0.111)   [Mar 2011]
  www.example.com (192.168.0.112)   [Nov 2010]
  www.your_company.nl (192.168.0.103)   [Mar 2011]

Vulnerability 11213: TRACE and/or TRACK Methods Enabled   PCI: FAIL   3 Systems   Low Risk
Description: This system supports the HTTP TRACE and/or TRACK methods. These increase the exploitability of any cross-site scripting vulnerabilities that may exist in your site. As they are primarily intended for debugging, they can be turned off without reduction of service.
Solution: Disable these methods on production servers.
  IIS6, IIS7: Use the URLScan Security tool.
  IIS5: Use the IIS Lockdown tool.
  Apache: Use mod_rewrite to redirect disallowed verbs to the forbidden target, or with newer versions use the configuration option 'TraceEnable off'.
Category: Hosting or infrastructure flaw.
References: US-CERT VU#867593; UrlScan Security Tool; IIS Lockdown Tool; Apache TraceEnable Directive
CVE References:
  CVE-2004-2320   CVSS2 2.6 (Low)   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   Pass
  CVE-2003-1567   CVSS2 2.6 (Low)   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   Pass
  CVE-2010-0386   CVSS2 2.6 (Low)   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   Pass
Systems:
  www.example.com (192.168.0.112)   [Mar 2011]
  www.yourcompany.co.uk (192.168.0.100)   [May 2010]
  www.yourcompany.net (192.168.0.102)   [Dec 2010]

Vulnerability 11915: Apache < 1.3.29 Multiple Local Flaws   PCI: PASS   2 Systems   Low Risk
Description: This system is running a vulnerable version of Apache, according to its banner. This version contains buffer overruns in mod_alias and mod_rewrite. A local user could exploit these to escalate their privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
References: Bugtraq
CVE Reference:
  CVE-2003-0542   CVSS2 7.2 (High)   (AV:L/AC:L/Au:N/C:C/I:C/A:C)   Pass
Systems:
  www.example.com (192.168.0.112)   [Jan 2011]
  www.yourcompany.co.uk (192.168.0.100)   [Nov 2010]

Vulnerability 12217: DNS Cache Snooping   PCI: FAIL   2 Systems   Low Risk
Description: This system is running a DNS server that accepts queries from any address (although recursive queries may be disabled). The name server responds differently for domains that have recently been looked up. A remote attacker could use this to determine if certain sites have been visited by users of this nameserver.
Solution: Restrict access to DNS caches to local users. For BIND, use the "allow-query" directive.
Category: Hosting or infrastructure flaw.
References: DNS Cache Snooping
CVE Reference:
  CVE-MAP-NOMATCH   CVSS2 4.3 (Medium)   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   Fail
Systems:
  www.your_company.nl (192.168.0.103)   NEW
  www.yourcompany.net (192.168.0.102)   [Mar 2011]

Vulnerability 10766: Apache mod_userdir Information Leak   PCI: FAIL   1 System   Low Risk
Description: This system has the mod_userdir Apache module enabled. This leaks information about which user accounts exist. A request for a non-existent user will always return a 404 (file not found) code. However, if the user exists, the web server may return a 403 (permission denied) code, depending on the permissions on the user's home directory.
Solution: If you do not need the functionality, disable mod_userdir. Alternatively, mod_rewrite can provide equivalent functionality without the information leak.
References: SecuriTeam advisory
CVE Reference:
  CVE-2001-1013   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: apollo.example.com (192.168.0.81)   [Dec 2010]

Vulnerability 10077: Microsoft FrontPage Extensions Installed   PCI: FAIL   1 System   Low Risk
Description: This system is running Microsoft FrontPage extensions. These have had a history of insecurity, so you should carefully check that you have the latest patches applied. It is also common for FrontPage extensions to be insecure because they are misconfigured.
[For specific url or description click server link below.]
Solution: If you do not require FrontPage extensions, disable them. If they are required, make sure the latest patches are applied.
Category: Hosting or infrastructure flaw.
References: Microsoft Security Bulletin MS02-018; Microsoft Knowledge Base Q813379; Microsoft Knowledge Base Q813380
CVE Reference:
  CVE-2000-0114   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Systems: www.your_company.nl (192.168.0.103)   [May 2010]

Vulnerability 10759: Private IP Address Leakage   PCI: PASS   1 System   Low Risk
Description: This system exposes its RFC 1918 private IP address. This is the internal IP address of the system, which would usually be masked by a proxy or NAT firewall. This information may be useful to an attacker trying to remotely map your network or prepare an attack. The private IP address is:
[For specific url or description click server link below.]
Solution: Update your web server configuration. For IIS, issue "adsutil set w3svc/UseHostName True" and restart. On Apache, ensure that ServerName in httpd.conf is set to a hostname.
Category: Hosting or infrastructure flaw.
References: Bugtraq ID 1499; Microsoft Knowledge Base Q218180
CVE Reference:
  CVE-2000-0649   CVSS2 2.6 (Low)   (AV:N/AC:H/Au:N/C:P/I:N/A:N)   Pass
Systems: www.yourcompany.co.uk (192.168.0.100)   [Mar 2011]

Vulnerability 11229: Script Calling phpinfo() Detected   [OVERDUE]   PCI: FAIL   1 System   Low Risk
Description: This system has a PHP script that calls phpinfo(). This function displays a significant amount of system and configuration information. A remote attacker could use this for reconnaissance. An example of a URL you can use to exploit this is:
[For specific url or description click server link below.]
Solution: Remove this script, or protect it with some kind of authentication.
Category: Application or content flaw.
References: phpinfo documentation
CVE Reference:
  CVE-MAP-NOMATCH   CVSS2 5.0 (Medium)   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Fail
Deadline: 13 January 2011
Systems: apollo.example.com (192.168.0.81)   [Nov 2010]

Scans by Westpoint Ltd