List of PlugIn IDs

Plugin ID: 55976

Apache HTTP Server Byte Range DoS

Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.

List of Hosts

172.16.45.27

Plugin Output

Nessus determined the server is unpatched and is not using any
of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------
GET / HTTP/1.1
Host: www.mittel.ex
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Mon, 10 Oct 2011 13:37:00 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Last-Modified: Tue, 14 Sep 2010 05:50:26 GMT
ETag: "91fc4-18ba-ca240c80"
Accept-Ranges: bytes
Content-Length: 1094
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4aef1e2af3a1737b4
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
GET / HTTP/1.1
Host: www.mittel.ex
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Mon, 10 Oct 2011 13:37:00 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Last-Modified: Tue, 14 Sep 2010 05:50:26 GMT
ETag: "91fc4-18ba-ca240c80"
Accept-Ranges: bytes
Content-Length: 12882
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4aef1e2afc55737b4
-------------------- Testing for patch --------------------

Description
The version of Apache HTTP Server running on the remote host is
affected by a denial of service vulnerability. Making a series of
HTTP requests with overlapping ranges in the Range or Request-Range
request headers can result in memory and CPU exhaustion. A remote,
unauthenticated attacker could exploit this to make the system
unresponsive.

Exploit code is publicly available and attacks have reportedly been
observed in the wild.

Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds
in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the
issue, but also introduced a regression.

If the host is running a web server based on Apache httpd, contact the
vendor for a fix.

See also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://www.apache.org/dist/httpd/CHANGES_2.2.20
http://www.nessus.org/u?1538124a

Risk Factor
High/ CVSS Base Score: 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE
CVE-2011-3192

Bugtraq ID
49303

Other references
OSVDB:74721
CERT:405811
EDB-ID:17696

Plugin ID: 40984

Browsable Web Directories

Synopsis
Some directories on the remote web server are browsable.

List of Hosts

172.16.45.27

Plugin Output

The following directories are browsable :

http://www.mittel.ex/images/css/
http://www.mittel.ex/js/?C=D;O=A
http://www.mittel.ex/js/
http://www.mittel.ex/images/
http://www.mittel.ex/js/?C=N;O=D
http://www.mittel.ex/js/?C=M;O=A
http://www.mittel.ex/js/?C=S;O=A

Description
Miscellaneous Nessus plugins identified directories on this web
server that are browsable.

Solution
Make sure that browsable directories do not leak confidential
informative or give access to sensitive resources. And use access
restrictions or disable directory indexing for any that do.

See also
http://projects.webappsec.org/Directory-Indexing

Risk Factor
None

Plugin ID: 11032

Web Server Directory Enumeration

Synopsis
It is possible to enumerate directories on the web server.

List of Hosts

172.16.45.27

Plugin Output

The following directories were discovered:
/icons, /images, /js

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Description
This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.

Solution
n/a

See also
http://projects.webappsec.org/Predictable-Resource-Location

Risk Factor
None

Other references
OWASP:OWASP-CM-006

Plugin ID: 24260

HyperText Transfer Protocol (HTTP) Information

Synopsis
Some information about the remote HTTP configuration can be extracted.

List of Hosts

172.16.45.27

Plugin Output

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Mon, 10 Oct 2011 13:36:44 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Last-Modified: Tue, 14 Sep 2010 05:50:26 GMT
ETag: "91fc4-18ba-ca240c80"
Accept-Ranges: bytes
Content-Length: 6330
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Description
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...

This test is informational only and does not denote any security
problem.

Solution
n/a

Risk Factor
None

Plugin ID: 19506

Nessus Scan Information

Synopsis
Information about the Nessus scan.

List of Hosts

172.16.45.27

Plugin Output
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201109252237
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.110.48.235
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : some_pairs
Web app tests - Try all HTTP methods : no
Web app tests - Maximum run time : 60 minutes.
Web app tests - Stop at first flaw : CGI
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2011/10/10 15:34
Scan duration : 220 sec

Description
This script displays, for each tested host, information about the scan itself:

- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution
n/a

Risk Factor
None

Plugin ID: 25220

TCP/IP Timestamps Supported

Synopsis
The remote service implements TCP timestamps.

List of Hosts

172.16.45.27

Description
The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.

Solution
n/a

See also
http://www.ietf.org/rfc/rfc1323.txt

Risk Factor
None

Plugin ID: 10267

SSH Server Type and Version Information

Synopsis
An SSH server is listening on this port.

List of Hosts

172.16.45.27

Plugin Output

SSH version : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3
SSH supported authentication : publickey,password

Description
It is possible to obtain information about the remote SSH
server by sending an empty authentication request.

Solution
n/a

Risk Factor
None

Plugin ID: 10107

HTTP Server Type and Version

Synopsis
A web server is running on the remote host.

List of Hosts

172.16.45.27

Plugin Output
The remote web server type is :

Apache/2.0.55 (Ubuntu) PHP/5.1.2

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.

Description
This plugin attempts to determine the type and the version of the
remote web server.

Solution
n/a

Risk Factor
None

Plugin ID: 12053

Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis
It was possible to resolve the name of the remote host.

List of Hosts

172.16.45.27

Plugin Output

172.16.45.27 resolves as www.mittel.ex.

Description
Nessus was able to resolve the FQDN of the remote host.

Solution
n/a

Risk Factor
None

Plugin ID: 54615

Device Type

Synopsis
It is possible to guess the remote device type.

List of Hosts

172.16.45.27

Plugin Output
Remote device type : general-purpose
Confidence level : 95

Description
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).

Solution
n/a

Risk Factor
None

Plugin ID: 39520

Backported Security Patch Detection (SSH)

Synopsis
Security patches are backported.

List of Hosts

172.16.45.27

Plugin Output
Give Nessus credentials to perform local checks.

Description
Security patches may have been 'back ported' to the remote SSH server
without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any
security problem.

Solution
N/A

See also
http://www.nessus.org/u?d636c8c7

Risk Factor
None

Plugin ID: 43111

HTTP Methods Allowed (per directory)

Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.

List of Hosts

172.16.45.27

Plugin Output
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/icons
/images
/images/css
/js


Based on tests of each method :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/icons
/images
/images/css
/js

Description
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough
tests' are enabled or 'Enable web applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Solution
n/a

Risk Factor
None

Plugin ID: 11213

HTTP TRACE / TRACK Methods Allowed

Synopsis
Debugging functions are enabled on the remote web server.

List of Hosts

172.16.45.27

Plugin Output

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1236428606.html HTTP/1.1
Connection: Close
Host: www.mittel.ex
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2011 13:36:45 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1236428606.html HTTP/1.1
Connection: Keep-Alive
Host: www.mittel.ex
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

Description
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

Solution
Disable these methods. Refer to the plugin output for more information.

See also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://download.oracle.com/sunalerts/1000718.1.html

Risk Factor
Medium/ CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.9(CVSS2#E:F/RL:W/RC:C)

CVE
CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

Bugtraq ID
9506
9561
11604
33374
37995

Other references
OSVDB:877
OSVDB:3726
OSVDB:5648
OSVDB:50485
CWE:16

Plugin ID: 10287

Traceroute Information

Synopsis
It was possible to obtain traceroute information.

List of Hosts

172.16.45.27

Plugin Output
For your information, here is the traceroute from 10.110.48.235 to 172.16.45.27 :
10.110.48.235
10.110.48.1
10.110.32.5
10.199.0.1
10.110.0.2
10.110.22.2
172.16.45.27

Description
Makes a traceroute to the remote host.

Solution
n/a

Risk Factor
None

Plugin ID: 33817

CGI Generic Tests Load Estimation (all tests)

Synopsis
Load estimation for web application tests.

List of Hosts

172.16.45.27

Plugin Output
Here are the estimated number of requests in miscellaneous modes
for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

format string : S=0 SP=0 AP=0 SC=0 AC=0
arbitrary command execution (time based) : S=0 SP=0 AP=0 SC=0 AC=0
cross-site scripting (comprehensive test): S=0 SP=0 AP=0 SC=0 AC=0
injectable parameter : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal : S=0 SP=0 AP=0 SC=0 AC=0
local file inclusion : S=0 SP=0 AP=0 SC=0 AC=0
arbitrary command execution : S=0 SP=0 AP=0 SC=0 AC=0
web code injection : S=0 SP=0 AP=0 SC=0 AC=0
blind SQL injection (4 requests) : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal (write access) : S=0 SP=0 AP=0 SC=0 AC=0
persistent XSS : S=0 SP=0 AP=0 SC=0 AC=0
XML injection : S=0 SP=0 AP=0 SC=0 AC=0
blind SQL injection : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal (extended test) : S=0 SP=0 AP=0 SC=0 AC=0
SQL injection (2nd order) : S=0 SP=0 AP=0 SC=0 AC=0
SSI injection : S=0 SP=0 AP=0 SC=0 AC=0
SQL injection : S=0 SP=0 AP=0 SC=0 AC=0
unseen parameters : S=0 SP=0 AP=0 SC=0 AC=0

All tests : S=0 SP=0 AP=0 SC=0 AC=0

Here are the estimated number of requests in miscellaneous modes
for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

format string : S=0 SP=0 AP=0 SC=0 AC=0
arbitrary command execution (time based) : S=0 SP=0 AP=0 SC=0 AC=0
cross-site scripting (comprehensive test): S=0 SP=0 AP=0 SC=0 AC=0
injectable parameter : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal : S=0 SP=0 AP=0 SC=0 AC=0
local file inclusion : S=0 SP=0 AP=0 SC=0 AC=0
arbitrary command execution : S=0 SP=0 AP=0 SC=0 AC=0
web code injection : S=0 SP=0 AP=0 SC=0 AC=0
blind SQL injection (4 requests) : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal (write access) : S=0 SP=0 AP=0 SC=0 AC=0
persistent XSS : S=0 SP=0 AP=0 SC=0 AC=0
XML injection : S=0 SP=0 AP=0 SC=0 AC=0
blind SQL injection : S=0 SP=0 AP=0 SC=0 AC=0
directory traversal (extended test) : S=0 SP=0 AP=0 SC=0 AC=0
SQL injection (2nd order) : S=0 SP=0 AP=0 SC=0 AC=0
SSI injection : S=0 SP=0 AP=0 SC=0 AC=0
SQL injection : S=0 SP=0 AP=0 SC=0 AC=0
unseen parameters : S=0 SP=0 AP=0 SC=0 AC=0

All tests : S=0 SP=0 AP=0 SC=0 AC=0

Your mode : some_pairs, GET or POST.
Maximum number of requests : 0

Description
This script computes the maximum number of requests that would be done
by the generic web tests, depending on miscellaneous options.
It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or
the complexity of additional manual tests.

Note that the script does not try to compute this duration based
on external factors such as the network and web servers loads.

Solution
n/a

Risk Factor
None

Plugin ID: 11936

OS Identification

Synopsis
It is possible to guess the remote operating system.

List of Hosts

172.16.45.27

Plugin Output

Remote operating system : Linux Kernel 2.6 on Ubuntu 6.06 (dapper)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 6.06 (dapper)

Description
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc...)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.

Solution
N/A

Risk Factor
None

Plugin ID: 22964

Service Detection

Synopsis
The remote service could be identified.

List of Hosts

172.16.45.27

Plugin Output
A web server is running on this port.

Description
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Plugin ID: 22964

Service Detection

Synopsis
The remote service could be identified.

List of Hosts

172.16.45.27

Plugin Output
An SSH server is running on this port.

Description
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Plugin ID: 33850

Unsupported Unix Operating System

Synopsis
The remote host is running an obsolete operating system.

List of Hosts

172.16.45.27

Plugin Output

Ubuntu 6.06 support ended on 2011-06-01.
Upgrade to Ubuntu 11.04.

For more information, see : https://wiki.ubuntu.com/Releases

Description
According to its version, the remote Unix operating system is
obsolete and no longer maintained by its vendor or provider.

Lack of support implies that no new security patches will be
released for it.

Solution
Upgrade to a newer version.

Risk Factor
Critical/ CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin ID: 45590

Common Platform Enumeration (CPE)

Synopsis
It is possible to enumerate CPE names that matched on the remote system.

List of Hosts

172.16.45.27

Plugin Output

The remote operating system matched the following CPE :

cpe:/o:ubuntu:ubuntu_linux:6.06 (Inferred CPE)

Following application CPE's matched on the remote system :

cpe:/a:openbsd:openssh:4.2 -> OpenBSD OpenSSH 4.2
cpe:/a:apache:http_server:2.0.55 -> Apache Software Foundation Apache HTTP Server 2.0.55
cpe:/a:php:php:5.1.2 -> PHP PHP 5.1.2

Description
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.

Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.

Solution
n/a

See also
http://cpe.mitre.org/

Risk Factor
None

Plugin ID: 10881

SSH Protocol Versions Supported

Synopsis
A SSH server is running on the remote host.

List of Hosts

172.16.45.27

Plugin Output
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 6b:45:27:4c:d0:d6:40:4a:5b:6f:47:6a:f8:30:6b:c7

Description
This plugin determines the versions of the SSH protocol supported by
the remote SSH daemon.

Solution
n/a

Risk Factor
None

Plugin ID: 10114

ICMP Timestamp Request Remote Date Disclosure

Synopsis
It is possible to determine the exact time set on the remote host.

List of Hosts

172.16.45.27

Plugin Output
The difference between the local and remote clocks is 22 seconds.

Description
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine.

This may help an attacker to defeat all time-based authentication
protocols.

Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk Factor
None

CVE
CVE-1999-0524

Other references
OSVDB:94
CWE:200

Plugin ID: 10662

Web mirroring

Synopsis
Nessus crawled the remote web site.

List of Hosts

172.16.45.27

Plugin Output



Directory index found at /js/
Directory index found at /images/
Directory index found at /js/?C=N;O=D
Directory index found at /js/?C=M;O=A
Directory index found at /js/?C=S;O=A
Directory index found at /js/?C=D;O=A
Directory index found at /images/css/

Description
This script makes a mirror of the remote web site(s) and extracts the
list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the
'Options' section of the client.

Solution
n/a

Risk Factor
None

Plugin ID: 39521

Backported Security Patch Detection (WWW)

Synopsis
Security patches are backported.

List of Hosts

172.16.45.27

Plugin Output
Give Nessus credentials to perform local checks.

Description
Security patches may have been 'back ported' to the remote HTTP server
without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any
security problem.

Solution
N/A

See also
http://www.nessus.org/u?d636c8c7

Risk Factor
None