List of hosts

172.21.1.4

Port general (0/udp)

Unsupported Unix Operating System
Synopsis: The remote host is running an obsolete operating system.
Description: According to its version, the remote Unix operating system is obsolete and no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Upgrade to a newer version.
Plugin output:
  Debian 4.0 support ended on 2010-02-15.
  Upgrade to Debian Linux 6.0.1 "Squeeze".
  For more information, see: http://www.debian.org/releases/
Plugin ID: 33850

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output:
  For your information, here is the traceroute from 10.110.48.235 to 172.21.1.4:
  10.110.48.235
  10.110.48.1
  10.110.32.5
  10.199.0.3
  10.110.68.2
  172.21.1.4
Plugin ID: 10287

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
  - The version of the plugin set
  - The type of plugin feed (HomeFeed or ProfessionalFeed)
  - The version of the Nessus Engine
  - The port scanner(s) used
  - The port range scanned
  - The date of the scan
  - The duration of the scan
  - The number of hosts scanned in parallel
  - The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
  Information about this scan:
  Nessus version : 4.4.1
  Plugin feed version : 201109252237
  Type of plugin feed : HomeFeed (Non-commercial use only)
  Scanner IP : 10.110.48.235
  Port scanner(s) : nessus_syn_scanner
  Port range : default
  Thorough tests : no
  Experimental tests : no
  Paranoia level : 1
  Report Verbosity : 1
  Safe checks : yes
  Optimize the test : yes
  CGI scanning : enabled
  Web application tests : enabled
  Web app tests - Test mode : some_pairs
  Web app tests - Try all HTTP methods : no
  Web app tests - Maximum run time : 60 minutes.
  Web app tests - Stop at first flaw : CGI
  Max hosts : 80
  Max checks : 5
  Recv timeout : 5
  Backports : Detected
  Scan Start Date : 2011/10/11 10:05
  Scan duration : 2356 sec
Plugin ID: 19506

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
  The remote operating system matched the following CPE:
  cpe:/o:debian:debian_linux:4.0 -> Debian GNU/Linux 4.0
  Following application CPE's matched on the remote system:
  cpe:/a:openssl:openssl:0.9.8c -> OpenSSL Project OpenSSL 0.9.8c
  cpe:/a:openbsd:openssh:4.3 -> OpenBSD OpenSSH 4.3
  cpe:/a:modssl:mod_ssl:2.2.3 -> mod_ssl 2.2.3
  cpe:/a:apache:http_server:2.2.3 -> Apache Software Foundation Apache HTTP Server 2.2.3
Plugin ID: 45590

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).
Risk factor: None
Solution: n/a
Plugin output:
  Remote device type : general-purpose
  Confidence level : 95
Plugin ID: 54615

OS Identification
Synopsis: It is possible to guess the remote operating system.
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use, and sometimes its version.
Risk factor: None
Solution: N/A
Plugin output:
  Remote operating system : Linux Kernel 2.6 on Debian 4.0 (etch)
  Confidence Level : 95
  Method : SSH
  The remote host is running Linux Kernel 2.6 on Debian 4.0 (etch)
Plugin ID: 11936

Apache Banner Linux Distribution Disclosure
Synopsis: The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description: This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Risk factor: None
Solution: If you do not wish to display this information, edit httpd.conf, set the directive 'ServerTokens Prod' and restart Apache.
Plugin output:
  The Linux distribution detected was:
  - Debian 4.0 (etch)
Plugin ID: 18261

Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis: It was possible to resolve the name of the remote host.
Description: Nessus was able to resolve the FQDN of the remote host.
Risk factor: None
Solution: n/a
Plugin output:
  172.21.1.4 resolves as portal.albastru.ex.
Plugin ID: 12053

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC 1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine. This may help an attacker to defeat all time-based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
  The remote clock is synchronized with the local clock.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200

Port rpc-portmapper (111/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
  The following RPC services are available on UDP port 111:
  - program: 100000 (portmapper), version: 2
Plugin ID: 11111

RPC portmapper Service Detection
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 10223

identd Service UID Association
Synopsis: It is possible to determine which user is running the remote service.
Description: By using the identd server (RFC 1413), it is possible to determine the process owner of the remote service.
Risk factor: None
Solution: Block access to, or remove, the identd service.
Plugin output:
  identd reveals that this service is running as user/uid daemon
Plugin ID: 14674

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
  The following RPC services are available on TCP port 111:
  - program: 100000 (portmapper), version: 2
Plugin ID: 11111

RPC portmapper (TCP)
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 53335

Port auth (113/tcp)

identd Service UID Association
Synopsis: It is possible to determine which user is running the remote service.
Description: By using the identd server (RFC 1413), it is possible to determine the process owner of the remote service.
Risk factor: None
Solution: Block access to, or remove, the identd service.
Plugin output:
  identd reveals that this service is running as user/uid identd
Plugin ID: 14674

Identd Service Detection
Synopsis: The remote host is running an identification service.
Description: The remote host is running an ident (also known as 'auth') daemon. The 'ident' service provides sensitive information to potential attackers. It is designed to say which accounts are running which services. This helps attackers to focus on valuable services (those owned by root or other privileged accounts). If you do not use this service, and software you run does not require it, disable it.
Risk factor: None
Solution: If you do not use this service and software you run does not require it, disable it.
Plugin ID: 10021

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
  An identd server is running on this port.
Plugin ID: 22964

Port ntp (123/udp)

Network Time Protocol (NTP) Server Detection
Synopsis: An NTP server is listening on the remote host.
Description: An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.
Risk factor: None
Solution: n/a
Plugin ID: 10884

Port ssh (22/tcp)

Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis: The remote SSH host keys are weak.
Description: The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library. The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL. An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man-in-the-middle attack.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
See also: http://www.nessus.org/u?5d01bdab
See also: http://www.nessus.org/u?f14f4224
Solution: Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.
Plugin ID: 32314
CVE: CVE-2008-0166
BID: 29179
Other references: OSVDB:45029, CWE:310

Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output:
  Give Nessus credentials to perform local checks.
Plugin ID: 39520

identd Service UID Association
Synopsis: It is possible to determine which user is running the remote service.
Description: By using the identd server (RFC 1413), it is possible to determine the process owner of the remote service.
Risk factor: None
Solution: Block access to, or remove, the identd service.
Plugin output:
  identd reveals that this service is running as user/uid root
Plugin ID: 14674

SSH Protocol Versions Supported
Synopsis: An SSH server is running on the remote host.
Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None
Solution: n/a
Plugin output:
  The remote SSH daemon supports the following versions of the SSH protocol:
  - 1.99
  - 2.0
  SSHv2 host key fingerprint : 8c:0f:8e:db:71:95:5a:32:51:f1:59:01:9c:7e:01:6d
Plugin ID: 10881

SSH Server Type and Version Information
Synopsis: An SSH server is listening on this port.
Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Risk factor: None
Solution: n/a
Plugin output:
  SSH version : SSH-2.0-OpenSSH_4.3p2 Debian-9
  SSH supported authentication : publickey,password
Plugin ID: 10267

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
  An SSH server is running on this port.
Plugin ID: 22964

Port rpc-status (32768/udp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
  The following RPC services are available on UDP port 32768:
  - program: 100024 (status), version: 1
Plugin ID: 11111

Port www (443/tcp)

CGI Generic SQL Injection Vulnerability (2nd pass)
Synopsis: A web application is potentially vulnerable to SQL injection.
Description: By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability. An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Risk factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
See also: http://en.wikipedia.org/wiki/SQL_injection
See also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
See also: http://www.securitydocs.com/library/2651
See also: http://projects.webappsec.org/SQL-Injection
Solution: Modify the relevant CGIs so that they properly escape arguments.
Plugin output:
  During testing for blind SQL injection (time based) vulnerabilities, SQL errors were noticed, suggesting that the scripts / parameters listed below may also be vulnerable to SQL Injection (SQLi).

  -------- request --------
  POST /index.php?page=login HTTP/1.1
  Host: portal.albastru.ex
  Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
  Accept-Language: en
  Content-Type: application/x-www-form-urlencoded
  Connection: Keep-Alive
  Cookie: PHPSESSID=54564af228e9ffa676d1e495b44b1ade
  Content-Length: 216
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Pragma: no-cache
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

  reset=Reset%20Password&password=&name=&phone=&street=&problem=&period=10&region=east&page=reset_pwd&submit=Login&house_nr=&email=&town=&token=50ae5c12bd2c7f0c5291af197871df15&username=';WAITFOR%20DELAY%20'00:00:3';--
  ------------------------
  -------- output --------
  <br />
  <b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';WAITFOR DELAY '00:00:3';--' AND `password`= 'd41d8cd98f00b204e9800998ecf8427e'' at line 1' in /var/www/portal/login.php:42
  Stack trace:
  #0 /var/www/portal/login.php(42): PDO->query('SELECT * FROM `...')
  ------------------------
Plugin ID: 42479
Other references: CWE:89, CWE:20, CWE:77, CWE:810, CWE:713, CWE:722, CWE:727, CWE:751, CWE:801

Apache HTTP Server Byte Range DoS
Synopsis: The web server running on the remote host is affected by a denial of service vulnerability.
Description: The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.
Risk factor: High
CVSS Base Score: 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
See also: http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
See also: http://www.gossamer-threads.com/lists/apache/dev/401638
See also: http://www.nessus.org/u?404627ec
See also: http://www.apache.org/dist/httpd/CHANGES_2.2.20
See also: http://www.nessus.org/u?1538124a
Solution: Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression. If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Plugin output:
  Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests:

  -------------------- Testing for workarounds --------------------
  GET / HTTP/1.1
  Host: portal.albastru.ex
  Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
  Accept-Language: en
  Request-Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
  Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
  Connection: Keep-Alive
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Pragma: no-cache
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

  HTTP/1.1 206 Partial Content
  Date: Tue, 11 Oct 2011 08:27:07 GMT
  Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
  X-Powered-By: PHP/5.2.0-8+etch13
  Set-Cookie: PHPSESSID=dbec71f23c24ea234c0c7591b2e6f8d4; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 1094
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: multipart/x-byteranges; boundary=4af01ac53165473f9
  -------------------- Testing for workarounds --------------------

  -------------------- Testing for patch --------------------
  GET / HTTP/1.1
  Host: portal.albastru.ex
  Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
  Accept-Language: en
  Request-Range: bytes=0-,1-
  Range: bytes=0-,1-
  Connection: Keep-Alive
  Cookie: PHPSESSID=dbec71f23c24ea234c0c7591b2e6f8d4
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Pragma: no-cache
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

  HTTP/1.1 206 Partial Content
  Date: Tue, 11 Oct 2011 08:27:07 GMT
  Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
  X-Powered-By: PHP/5.2.0-8+etch13
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 3524
  Keep-Alive: timeout=15, max=99
  Connection: Keep-Alive
  Content-Type: multipart/x-byteranges; boundary=4af01ac54862273f9
  -------------------- Testing for patch --------------------
Plugin ID: 55976
CVE: CVE-2011-3192
BID: 49303
Other references: OSVDB:74721, CERT:405811, EDB-ID:17696

Web Application SQL Backend Identification
Synopsis: A web application's SQL backend can be identified.
Description: At least one web application hosted on the remote web server is built on a SQL backend that Nessus was able to identify by looking at error messages. Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://projects.webappsec.org/Fingerprinting
Solution: Filter out error messages.
Plugin output:
  The web application appears to be based on MySQL
  This information was leaked by these URLs:
  https://portal.albastru.ex/
Plugin ID: 44670

CGI Generic Path Traversal Vulnerability
Synopsis: Arbitrary files may be accessed or executed on the remote host.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings and are affected by directory traversal or local file inclusion vulnerabilities. By leveraging this issue, an attacker may be able to read arbitrary files on the web server or execute commands.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://en.wikipedia.org/wiki/Directory_traversal
See also: http://cwe.mitre.org/data/definitions/22.html
See also: http://projects.webappsec.org/Path-Traversal
See also: http://projects.webappsec.org/Null-Byte-Injection
See also: http://www.owasp.org/index.php/Testing_for_Path_Traversal_%28OWASP-AZ-001%29
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output:
  Using the GET HTTP method, Nessus found that:
  + The following resources may be vulnerable to directory traversal:
  + The 'page' parameter of the /index.php CGI:
    /index.php?page=../../../../../../../../etc/passwd%00index.html
  -------- output --------
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  ------------------------
Plugin ID: 39467
Other references: CWE:22, CWE:21, CWE:632, CWE:813, CWE:715, CWE:723, OWASP:OWASP-AZ-001

CGI Generic Cross-Site Scripting Vulnerability (extended patterns)
Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
See also: http://www.nessus.org/u?9717ad85
See also: http://projects.webappsec.org/Cross-Site+Scripting
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output:
  Using the POST HTTP method, Nessus found that:
  + The following resources may be vulnerable to cross-site scripting (extended patterns):
  + The 'pma_username' parameter of the /phpMyAdmin/index.php CGI:
    /phpMyAdmin/index.php [pma_username=508 src=http://www.example.com/exploit508.js]
  -------- output --------
  <div class="item">
  <label for="input_username">Username:</label>
  <input type="text" name="pma_username" id="input_username" value="508 src=http://www.example.com/exploit508.js" size="24" class="textfield" />
  </div>
  <div class="item">
  ------------------------
Plugin ID: 55903
Other references: CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86

CGI Generic Cross-Site Scripting Vulnerability (quick test)
Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non persistent' or 'reflected'.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
See also: http://www.nessus.org/u?9717ad85
See also: http://projects.webappsec.org/Cross-Site+Scripting
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output:
  Using the GET HTTP method, Nessus found that:
  + The following resources may be vulnerable to cross-site scripting (quick test):
  + The 'page' parameter of the /index.php CGI:
    /index.php?page=<IMG%20SRC="javascript:alert(104);">
  -------- output --------
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title><IMG SRC="javascript:alert(104);"></title>
  <link rel="stylesheet" type="text/css" href="css/main.css" />
  </head>
  ------------------------
  Clicking directly on these URLs should exhibit the issue:
  (you will probably need to read the HTML source)
  https://portal.albastru.ex/index.php?page=<IMG%20SRC="javascript:alert(104);">
Plugin ID: 39466
Other references: CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86

CGI Generic Cookie Injection Scripting
Synopsis: The remote web server is prone to cookie injection attacks.
Description: The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism. Please note that:
  - Nessus did not check if the session fixation attack is feasible.
  - This is not the only vector of session fixation.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Session_fixation
See also: http://www.owasp.org/index.php/Session_Fixation
See also: http://www.acros.si/papers/session_fixation.pdf
See also: http://projects.webappsec.org/Session-Fixation
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output:
  Using the GET HTTP method, Nessus found that:
  + The following resources may be vulnerable to cookie manipulation:
  + The 'page' parameter of the /index.php CGI:
    /index.php?page=<meta%20http-equiv=Set-Cookie%20content="testiiuu=9434">
  -------- output --------
  <head>
  <title><meta http-equiv=Set-Cookie content="testiiuu=9434"></title>
  <link rel="stylesheet" type="text/css" href="css/main.css" />
  <
  ------------------------
Plugin ID: 44136
Other references: CWE:472, CWE:642, CWE:715, CWE:722

HTTP TRACE / TRACK Methods Allowed
Synopsis: Debugging functions are enabled on the remote web server.
Description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
See also: http://www.apacheweek.com/issues/03-01-24
See also: http://www.kb.cert.org/vuls/id/288308
See also: http://www.kb.cert.org/vuls/id/867593
See also: http://download.oracle.com/sunalerts/1000718.1.html
Solution: Disable these methods. Refer to the plugin output for more information.
Plugin output:
  To disable these methods, add the following lines for each virtual host in your configuration file:
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
  Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

  Nessus sent the following TRACE request:
  ------------------------------ snip ------------------------------
  TRACE /Nessus611213376.html HTTP/1.1
  Connection: Close
  Host: portal.albastru.ex
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
  Accept-Language: en
  Accept-Charset: iso-8859-1,*,utf-8
  ------------------------------ snip ------------------------------
  and received the following response from the remote server:
  ------------------------------ snip ------------------------------
  HTTP/1.1 200 OK
  Date: Tue, 11 Oct 2011 08:20:50 GMT
  Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: message/http

  TRACE /Nessus611213376.html HTTP/1.1
  Connection: Keep-Alive
  Host: portal.albastru.ex
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
  Accept-Language: en
  Accept-Charset: iso-8859-1,*,utf-8
  ------------------------------ snip ------------------------------
Plugin ID: 11213
CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386
BID: 9506, 9561, 11604, 33374, 37995
Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16

CGI Generic HTML Injections (quick test)
Synopsis: The remote web server may be prone to HTML injections.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks:
  - IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
  - XSS are extensively tested by four other scripts.
  - Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Code_injection#HTML-script_injection_.28cross-site_scripting.29
Solution: Either restrict access to the vulnerable application or contact the vendor for an update.
Plugin output:
  Using the GET HTTP method, Nessus found that:
  + The following resources may be vulnerable to HTML injection:
  + The 'page' parameter of the /index.php CGI:
    /index.php?page=<cfofqk%20>
  -------- output --------
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title><cfofqk ></title>
  <link rel="stylesheet" type="text/css" href="css/main.css" />
  </head>
  ------------------------
  Clicking directly on these URLs should exhibit the issue:
  (you will probably need to read the HTML source)
  https://portal.albastru.ex/index.php?page=<cfofqk%20>
Plugin ID: 49067
Other references: CWE:80, CWE:86

SQL Dump Files Disclosed via Web Server
Synopsis: The remote web server hosts publicly accessible SQL dump files.
Description: The remote web server hosts publicly available files that contain SQL instructions. These files are most likely database dumps and may contain sensitive information.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution: Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.
Plugin output:
  The following SQL files are available on the remote server:
  - /sql/portal.sql
Plugin ID: 55640

OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Synopsis: The remote host allows resuming SSL sessions.
Description: The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumes of that session to use a disabled cipher chosen by the attacker.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution: Upgrade to OpenSSL 0.9.8j or later.
Plugin output:
  Session ID : 5f2d2fc4cde4f2fc083f31109dcb24c286dbd7fcce3a9de01003b18dd0c48c72
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : TLS1_CK_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Plugin ID: 51893
CVE: CVE-2008-7270
BID: 45254
Other references: OSVDB:69655

OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Weakness
Synopsis: The remote host allows resuming SSL sessions.
Description: The version of OpenSSL on the remote host has been shown to allow resuming a session with a different cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumes of that session to use a weaker cipher chosen by the attacker. Note that other SSL implementations may also be affected by this vulnerability.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://openssl.org/news/secadv_20101202.txt
Solution: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Plugin output:
Session ID: a2527bc29158f9b351c3e6a49a7b94b2d6ade921f68c4822b957a9aa2a99c0bb
Initial Cipher: TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher: TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
Plugin ID: 51892
CVE: CVE-2010-4180
BID: 45164
Other references: OSVDB:69565
SSL Medium Strength Cipher Suites Supported
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Plugin output: Here are the medium strength SSL ciphers supported by the remote server:
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Plugin ID: 42873
SSL Weak Cipher Suites Supported
Synopsis: The remote service supports the use of weak SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Plugin output: Here is the list of weak SSL ciphers supported by the remote server:
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Plugin ID: 26928
Other references: CWE:327, CWE:326, CWE:753, CWE:803, CWE:720
SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Country: AU
State/Province: Some-State
Organization: Internet Widgits Pty Ltd
Certificate chain:
|-Country: AU
|-State/Province: Some-State
|-Organization: Internet Widgits Pty Ltd
Plugin ID: 51192
SSL Certificate Expiry
Synopsis: The remote server's SSL certificate has already expired.
Description: This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution: Purchase or generate a new SSL certificate to replace the existing one.
Plugin output: The SSL certificate has already expired:
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Not valid before: May 5 05:47:52 2010 GMT
Not valid after: May 5 05:47:52 2011 GMT
Plugin ID: 15901
SSL Version 2 (v2) Protocol Detection
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://www.schneier.com/paper-ssl.pdf
See also: http://support.microsoft.com/kb/187498
See also: http://www.linux4beginners.info/node/disable-sslv2
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Plugin ID: 20007
Backported Security Patch Detection (WWW)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output: Give Nessus credentials to perform local checks.
Plugin ID: 39521
Browsable Web Directories
Synopsis: Some directories on the remote web server are browsable.
Description: Miscellaneous Nessus plugins identified directories on this web server that are browsable.
Risk factor: None
See also: http://projects.webappsec.org/Directory-Indexing
Solution: Make sure that browsable directories do not leak confidential information or give access to sensitive resources, and use access restrictions or disable directory indexing for any that do.
Plugin output: The following directories are browsable:
https://portal.albastru.ex/phpMyAdmin/themes/original/css/
https://portal.albastru.ex/includes/smarty/plugins/
https://portal.albastru.ex/includes/smarty/internals/
https://portal.albastru.ex/includes/pear/Net/
https://portal.albastru.ex/includes/pear/Mail/
https://portal.albastru.ex/includes/smarty/
https://portal.albastru.ex/includes/pear/
https://portal.albastru.ex/includes/
https://portal.albastru.ex/classes/
https://portal.albastru.ex/css/
https://portal.albastru.ex/sql/
https://portal.albastru.ex/templates/
https://portal.albastru.ex/phpMyAdmin/themes/original/img/
https://portal.albastru.ex/includes/pear/Net/docs/
https://portal.albastru.ex/includes/pear/Net/examples/
https://portal.albastru.ex/includes/pear/Net/tests/
https://portal.albastru.ex/phpMyAdmin/themes/original/
https://portal.albastru.ex/phpMyAdmin/themes/
Plugin ID: 40984
CGI Generic Tests Load Estimation (all tests)
Synopsis: Load estimation for web application tests.
Description: This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself. The results can be used to estimate the duration of these tests, or the complexity of additional manual tests. Note that the script does not try to compute this duration based on external factors such as the network and web servers loads.
Risk factor: None
Solution: n/a
Plugin output: Here are the estimated number of requests in miscellaneous modes for one method only (GET or POST):
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
cross-site scripting (comprehensive test): S=324 SP=4844 AP=8764 SC=4423760 AC=60825680
cross-site scripting (quick test): S=825 SP=13145 AP=23925 SC=12165120 AC=167270400
persistent XSS: S=324 SP=4844 AP=8764 SC=4423760 AC=60825680
arbitrary command execution: S=1296 SP=19376 AP=35056 SC=17695040 AC=243302720
web code injection: S=81 SP=1211 AP=2191 SC=1105940 AC=15206420
HTML injection: S=30 SP=30 AP=30 SC=30 AC=30
arbitrary command execution (time based): S=486 SP=7266 AP=13146 SC=6635640 AC=91238520
script injection: S=6 SP=6 AP=6 SC=6 AC=6
XML injection: S=81 SP=1211 AP=2191 SC=1105940 AC=15206420
unseen parameters: S=2835 SP=42385 AP=76685 SC=38707900 AC=532224700
directory traversal (write access): S=162 SP=2422 AP=4382 SC=2211880 AC=30412840
SQL injection (2nd order): S=81 SP=1211 AP=2191 SC=1105940 AC=15206420
on site request forgery: S=6 SP=6 AP=6 SC=6 AC=6
blind SQL injection (4 requests): S=324 SP=4844 AP=8764 SC=4423760 AC=60825680
HTTP response splitting: S=54 SP=54 AP=54 SC=54 AC=54
directory traversal (extended test): S=4131 SP=61761 AP=111741 SC=56402940 AC=775527420
header injection: S=12 SP=12 AP=12 SC=12 AC=12
cookie manipulation: S=150 SP=2390 AP=4350 SC=2211840 AC=30412800
injectable parameter: S=162 SP=2422 AP=4382 SC=2211880 AC=30412840
local file inclusion: S=81 SP=1211 AP=2191 SC=1105940 AC=15206420
directory traversal: S=2025 SP=30275 AP=54775 SC=27648500 AC=380160500
cross-site scripting (extended patterns): S=36 SP=36 AP=36 SC=36 AC=36
blind SQL injection: S=972 SP=14532 AP=26292 SC=13271280 AC=182477040
SQL injection: S=1944 SP=29064 AP=52584 SC=26542560 AC=364954080
SSI injection: S=243 SP=3633 AP=6573 SC=3317820 AC=45619260
format string: S=162 SP=2422 AP=4382 SC=2211880 AC=30412840
All tests: S=16833 SP=250613 AP=453473 SC=228929464 AC=>2G

Here are the estimated number of requests in miscellaneous modes for both methods (GET and POST):
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
cross-site scripting (comprehensive test): S=348 SP=4908 AP=8828 SC=4423840 AC=60825760
cross-site scripting (quick test): S=825 SP=13145 AP=23925 SC=12165120 AC=167270400
persistent XSS: S=348 SP=4908 AP=8828 SC=4423840 AC=60825760
arbitrary command execution: S=1392 SP=19632 AP=35312 SC=17695360 AC=243303040
web code injection: S=87 SP=1227 AP=2207 SC=1105960 AC=15206440
HTML injection: S=35 SP=35 AP=35 SC=35 AC=35
arbitrary command execution (time based): S=522 SP=7362 AP=13242 SC=6635760 AC=91238640
script injection: S=7 SP=7 AP=7 SC=7 AC=7
XML injection: S=87 SP=1227 AP=2207 SC=1105960 AC=15206440
unseen parameters: S=3045 SP=42945 AP=77245 SC=38708600 AC=532225400
directory traversal (write access): S=174 SP=2454 AP=4414 SC=2211920 AC=30412880
SQL injection (2nd order): S=87 SP=1227 AP=2207 SC=1105960 AC=15206440
on site request forgery: S=7 SP=7 AP=7 SC=7 AC=7
blind SQL injection (4 requests): S=348 SP=4908 AP=8828 SC=4423840 AC=60825760
HTTP response splitting: S=63 SP=63 AP=63 SC=63 AC=63
directory traversal (extended test): S=4437 SP=62577 AP=112557 SC=56403960 AC=775528440
header injection: S=14 SP=14 AP=14 SC=14 AC=14
cookie manipulation: S=150 SP=2390 AP=4350 SC=2211840 AC=30412800
injectable parameter: S=174 SP=2454 AP=4414 SC=2211920 AC=30412880
local file inclusion: S=87 SP=1227 AP=2207 SC=1105960 AC=15206440
directory traversal: S=2175 SP=30675 AP=55175 SC=27649000 AC=380161000
cross-site scripting (extended patterns): S=42 SP=42 AP=42 SC=42 AC=42
blind SQL injection: S=1044 SP=14724 AP=26484 SC=13271520 AC=182477280
SQL injection: S=2088 SP=29448 AP=52968 SC=26543040 AC=364954560
SSI injection: S=261 SP=3681 AP=6621 SC=3317880 AC=45619320
format string: S=174 SP=2454 AP=4414 SC=2211920 AC=30412880
All tests: S=18021 SP=253741 AP=456601 SC=228933368 AC=>2G

Your mode: some_pairs, GET or POST. Maximum number of requests: 250613
The following tests would have timed out in the selected mode and have been degraded to a quicker mode:
blind SQL injection: single
cross-site scripting (quick test): single
arbitrary command execution: single
directory traversal: single
directory traversal (extended test): single
unseen parameters: single
SQL injection: single
Plugin ID: 33817
CGI Generic Injectable Parameter
Synopsis: Some CGIs are candidates for extended injection tests.
Description: Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response. The affected parameters are candidates for extended injection tests like cross-site scripting attacks. This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.
Risk factor: Low
Solution: n/a
Plugin output: Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to injectable parameter:
+ The 'page' parameter of the /index.php CGI:
/index.php?page=%00dyyhrg
-------- output --------
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>.dyyhrg</title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
</head>
------------------------
Clicking directly on these URLs should exhibit the issue (you will probably need to read the HTML source):
https://portal.albastru.ex/index.php?page=%00dyyhrg
Using the POST HTTP method, Nessus found that:
+ The following resources may be vulnerable to injectable parameter:
+ The 'pma_username' parameter of the /phpMyAdmin/index.php CGI:
/phpMyAdmin/index.php [pma_username=%00dyyhrg]
-------- output --------
Welcome to <bdo dir="ltr" xml:lang="en">phpMyAdmin </bdo></h1>
<div class="error"><h1>Error</h1> #1045 - Access denied for user 'dyyhrg'@'portal.albastru.ex' (using password: NO)</div>
<form method="post" action="index.php" target="_parent">
------------------------
Plugin ID: 47830
Other references: CWE:86
HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol: the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version: HTTP/1.1
SSL: yes
Keep-Alive: yes
Options allowed: GET,HEAD,POST,OPTIONS,TRACE
Headers:
Date: Tue, 11 Oct 2011 08:20:20 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
X-Powered-By: PHP/5.2.0-8+etch13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1651
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Plugin ID: 24260
Web Application Potentially Sensitive CGI Parameter Detection
Synopsis: An application was found that may use CGI parameters to control sensitive information.
Description: According to their names, some CGI parameters may control sensitive data (e.g., ID, privileges, commands, prices, credit card data, etc.). In the course of using an application, these variables may disclose sensitive data or be prone to tampering that could result in privilege escalation. These parameters should be examined to determine what type of data is controlled and if it poses a security risk.
** This plugin only reports information that may be useful for auditors or pen-testers, not a real flaw. **
Risk factor: None
Solution: Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access to resources or privileges.
Plugin output: Potentially sensitive parameters for CGI /index.php:
password: Possibly a clear or hashed password, vulnerable to dictionary attack
Plugin ID: 40773
HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is:
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Plugin ID: 10107
External URLs
Synopsis: Links to external sites were gathered.
Description: Nessus gathered HREF links to external sites by crawling the remote web server.
Risk factor: None
Solution: n/a
Plugin output: 1 external URL was gathered on this web server:
URL... - Seen on...
http://www.phpmyadmin.net - /phpMyAdmin/
Plugin ID: 49704
HTTP Server Cookies Set
Synopsis: Some cookies have been set by the web server.
Description: HTTP cookies are pieces of information that are presented by web servers and are sent back by the browser. As HTTP is a stateless protocol, cookies are a possible mechanism to keep track of sessions. This plugin displays the list of the HTTP cookies that were set by the web server when it was crawled.
Risk factor: None
Solution: n/a
Plugin output:
path = /phpMyAdmin/  name = pma_fontsize  value = deleted  version = 1  expires = Mon, 11-Oct-2010 08:14:00 GMT  secure = 1  httponly = 0
path = /phpMyAdmin/  name = pmaCookieVer  value = 4  version = 1  expires = Thu, 10-Nov-2011 08:13:54 GMT  secure = 1  httponly = 1
path = /phpMyAdmin/  name = pma_mcrypt_iv  value = O%2FCpy2qM41E%3D  version = 1  expires = Thu, 10-Nov-2011 08:13:55 GMT  secure = 1  httponly = 1
path = /phpMyAdmin/  name = phpMyAdmin  value = 5f548149142edaa8ff9241a234e4815b04291bc9  version = 1  secure = 1  httponly = 1
path = /  name = PHPSESSID  value = ff78e583025900ebe8d0573b907c9ec0  version = 1  secure = 0  httponly = 0
path = /phpMyAdmin/  name = PHPSESSID  value = deleted  version = 1  expires = Mon, 11-Oct-2010 08:13:53 GMT  secure = 1  httponly = 0
Plugin ID: 39463
Web Server Allows Password Auto-Completion
Synopsis: Auto-complete is not disabled on password fields.
Description: The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.
Risk factor: None
Solution: Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.
Plugin output:
Page: /phpMyAdmin/  Destination Page: index.php  Input name: pma_password
Page: /phpMyAdmin/?D=A  Destination Page: index.php  Input name: pma_password
Page: /index.php?page=login  Destination Page: ?page=login  Input name: password
Page: /phpMyAdmin/index.php?collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=1&lang=en-utf-8  Destination Page: index.php  Input name: pma_password
Page: /phpMyAdmin/index.php?pma_username=&pma_password=&server=1&lang=en-utf-8&convcharset=iso-8859-1  Destination Page: index.php  Input name: pma_password
Plugin ID: 42057
Web mirroring
Synopsis: Nessus crawled the remote web site.
Description: This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host. It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
Risk factor: None
Solution: n/a
Plugin output: The following CGI have been discovered:
Syntax: cginame (arguments [default value])
/phpMyAdmin/index.php (pma_username [] pma_password [] server [1] lang [en-utf-8] collation_c...)
/index.php (region [east] problem [] street [] username [] reset [Reset Password] ...)
PHP script discloses physical path at /login (/var/www/portal/login.php)
Directory index found at /includes/
Directory index found at /classes/
Directory index found at /css/
Directory index found at /sql/
Directory index found at /templates/
Directory index found at /includes/pear/
Directory index found at /includes/smarty/
Directory index found at /includes/pear/Mail/
Directory index found at /includes/pear/Net/
PHP script discloses physical path at /includes/smarty/Smarty_Compiler.class.php (/var/www/portal/includes/smarty/Smarty_Compiler.class.php)
Directory index found at /includes/smarty/internals/
Directory index found at /includes/smarty/plugins/
Directory index found at /phpMyAdmin/themes/original/img/
PHP script discloses physical path at /includes/pear/Mail/mail.php (/var/www/portal/includes/pear/Mail/mail.php)
PHP script discloses physical path at /includes/pear/Mail/mock.php (/var/www/portal/includes/pear/Mail/mock.php)
PHP script discloses physical path at /includes/pear/Mail/null.php (/var/www/portal/includes/pear/Mail/null.php)
PHP script discloses physical path at /includes/pear/Mail/sendmail.php (/var/www/portal/includes/pear/Mail/sendmail.php)
PHP script discloses physical path at /includes/pear/Mail/smtp.php (/var/www/portal/includes/pear/Mail/smtp.php)
PHP script discloses physical path at /includes/pear/Mail/smtpmx.php (/var/www/portal/includes/pear/Mail/smtpmx.php)
PHP script discloses physical path at /includes/pear/Net/SMTP.php (/var/www/portal/includes/pear/Net/SMTP.php)
Directory index found at /includes/pear/Net/docs/
Directory index found at /includes/pear/Net/examples/
Directory index found at /includes/pear/Net/tests/
PHP script discloses physical path at /includes/smarty/plugins/modifier.date_format.php (/var/www/portal/includes/smarty/plugins/modifier.date_format.php)
Directory index found at /phpMyAdmin/themes/original/
PHP script discloses physical path at /includes/pear/Net/examples/basic.php (/var/www/portal/includes/pear/Net/examples/basic.php)
Directory index found at /phpMyAdmin/themes/
Directory index found at /phpMyAdmin/themes/original/css/
Plugin ID: 10662
Web Server Directory Enumeration
Synopsis: It is possible to enumerate directories on the web server.
Description: This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
Risk factor: None
See also: http://projects.webappsec.org/Predictable-Resource-Location
Solution: n/a
Plugin output: The following directories were discovered:
/classes, /config, /include, /includes, /login, /css, /error, /icons, /phpMyAdmin, /sql, /templates
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
Plugin ID: 11032
Other references: OWASP:OWASP-CM-006
SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P)
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626
Other references: OSVDB:73894
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)
See also: http://extendedsubset.com/?p=8
See also: http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
See also: http://www.kb.cert.org/vuls/id/120541
See also: http://www.g-sec.lu/practicaltls.pdf
See also: http://tools.ietf.org/html/rfc5746
Solution: Contact the vendor for specific patch information.
Plugin output: Port 443 supports insecure renegotiation.
Plugin ID: 42880
CVE: CVE-2009-3555
BID: 36935
Other references: OSVDB:59968, OSVDB:59969, OSVDB:59970, OSVDB:59971, OSVDB:59972, OSVDB:59973, OSVDB:59974, OSVDB:60366, OSVDB:60521, OSVDB:61234, OSVDB:61718, OSVDB:61784, OSVDB:61785, OSVDB:61929, OSVDB:62064, OSVDB:62135, OSVDB:62210, OSVDB:62273, OSVDB:62536, OSVDB:62877, OSVDB:64040, OSVDB:64499, OSVDB:64725, OSVDB:65202, OSVDB:66315, OSVDB:67029, OSVDB:69032, OSVDB:69561, OSVDB:70055, OSVDB:70620, OSVDB:71951, OSVDB:71961, OSVDB:74335, CWE:310
SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output: Here is the list of SSL ciphers supported by the remote server:
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Plugin ID: 21643
identd Service UID Association
Synopsis: It is possible to determine which user is running the remote service.
Description: By using the identd server (RFC 1413), it is possible to determine the process owner of the remote service.
Risk factor: None
Solution: Block access to, or remove the identd service.
Plugin output: identd reveals that this service is running as user/uid www-data
Plugin ID: 14674
SSL Session Resume Supported
Synopsis: The remote host allows resuming SSL sessions.
Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Risk factor: None
Solution: n/a
Plugin output: This port supports resuming SSLv3/TLSv1 sessions.
Plugin ID: 51891
SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
Country: AU
State/Province: Some-State
Organization: Internet Widgits Pty Ltd
Issuer Name:
Country: AU
State/Province: Some-State
Organization: Internet Widgits Pty Ltd
Serial Number: 00 E7 ED 9C 84 B4 90 4C 83
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: May 05 05:47:52 2010 GMT
Not Valid After: May 05 05:47:52 2011 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 BF 94 29 10 A5 25 3A 69 38 68 6F 0E 2E EE 3C B7 CE 21 C0 DF B5 68 38 4A F6 41 DD 0A 0D 36 61 AC AC 78 5A 9D 09 BB 87 1A 01 6A 76 26 F9 BB 72 2B 59 00 2E BA 67 C9 3D 9E 4B 28 5B 57 40 E9 E9 36 23 08 2B 2F DC B2 54 6A 77 86 44 A9 3D FE 5B B1 7D 5A A4 97 67 A2 C9 6C 36 75 9E 23 D5 33 35 B4 4C 7B 88 6B A3 37 79 46 7F D2 B7 DE D0 5B 79 91 F8 8F 38 6E EE 0C 2F 6E F7 0E EE 17 30 02 EE 11
Exponent: 01 00 01
Signature: 00 1B 94 E4 23 A1 CB CC 50 3A D0 BF AB C2 32 BB 5D CA A2 CE FC 05 22 FC 8C CE 9C DE D5 68 A0 C1 9F 3C E3 84 8D 21 3F 43 42 E5 7E D9 FD 80 3E 83 DA 52 57 FD C9 C0 87 C5 D0 A2 05 3E 60 4E 94 49 24 F3 2E 4B 11 19 92 17 0D 8C 6F E2 BE ED 19 32 62 A2 6C 41 CA 1A 34 CD 2F DE E4 8E 6E 38 BE 7F A3 EE 46 22 4C 23 3D 78 75 12 31 8F AB 74 BD 86 2C 79 96 5B 40 E5 15 BF 99 D7 16 A0 D0 54 E6 23 24
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: A0 E1 4A 92 B7 B6 79 83 BF A1 FE 2E A1 3C 11 DF 2F 4B 53 70
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Basic Constraints (2.5.29.19)
Critical: 0
Plugin ID: 10863
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port through TLSv1.
Plugin ID: 22964
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A TLSv1 server answered on this port.
Plugin ID: 22964
Port rpc-status (46706/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output: The following RPC services are available on TCP port 46706:
- program: 100024 (status), version: 1
Plugin ID: 11111
Port www (80/tcp)

CGI Generic SQL Injection Vulnerability (2nd pass)
Synopsis: A web application is potentially vulnerable to SQL injection.
Description: By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability. An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Risk factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
See also: http://en.wikipedia.org/wiki/SQL_injection
See also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
See also: http://www.securitydocs.com/library/2651
See also: http://projects.webappsec.org/SQL-Injection
Solution: Modify the relevant CGIs so that they properly escape arguments.
Plugin output: During testing for blind SQL injection (time based) vulnerabilities, SQL errors were noticed, suggesting that the scripts / parameters listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
POST /index.php?page=login HTTP/1.1
Host: portal.albastru.ex
Accept-Language: en
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Content-Type: application/x-www-form-urlencoded
Connection: Close
Cookie: PHPSESSID=41f317e244ed8bc7a69c7cc09bf0a52c
Content-Length: 217
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

reset=Reset%20Password&password=&name=&phone=&street=&problem=&period=10&region=north&page=reset_pwd&submit=Login&house_nr=&email=&town=&token=6f0a654601c0c5d13bb1e0923902cba4&username=';WAITFOR%20DELAY%20'00:00:3';--
------------------------

-------- output --------
<br />
<b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';WAITFOR DELAY '00:00:3';--' AND `password`= 'd41d8cd98f00b204e9800998ecf8427e'' at line 1' in /var/www/portal/login.php:42
Stack trace:
#0 /var/www/portal/login.php(42): PDO->query('SELECT * FROM `...')
------------------------
Plugin ID: 42479
Other references: CWE:89, CWE:20, CWE:77, CWE:810, CWE:713, CWE:722, CWE:727, CWE:751, CWE:801
Web Application SQL Backend Identification
Synopsis: A web application's SQL backend can be identified.
Description: At least one web application hosted on the remote web server is built on a SQL backend that Nessus was able to identify by looking at error messages. Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://projects.webappsec.org/Fingerprinting
Solution: Filter out error messages.
Plugin output: The web application appears to be based on MySQL. This information was leaked by these URLs :
http://portal.albastru.ex/
Plugin ID: 44670
CGI Generic Cross-Site Scripting Vulnerability (extended patterns)
Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
See also: http://www.nessus.org/u?9717ad85
See also: http://projects.webappsec.org/Cross-Site+Scripting
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output: Using the POST HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross-site scripting (extended patterns) :
+ The 'pma_username' parameter of the /phpMyAdmin/index.php CGI :
/phpMyAdmin/index.php [pma_username=508 src=http://www.example.com/exploit508.js]

-------- output --------
<div class="item">
<label for="input_username">Username:</label>
<input type="text" name="pma_username" id="input_username" value="508 src=http://www.example.com/exploit508.js" size="24" class="textfield" />
</div>
<div class="item">
------------------------
Plugin ID: 55903
Other references: CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86
CGI Generic Path Traversal Vulnerability
Synopsis: Arbitrary files may be accessed or executed on the remote host.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings and are affected by directory traversal or local file inclusion vulnerabilities. By leveraging this issue, an attacker may be able to read arbitrary files on the web server or execute commands.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://en.wikipedia.org/wiki/Directory_traversal
See also: http://cwe.mitre.org/data/definitions/22.html
See also: http://projects.webappsec.org/Path-Traversal
See also: http://projects.webappsec.org/Null-Byte-Injection
See also: http://www.owasp.org/index.php/Testing_for_Path_Traversal_%28OWASP-AZ-001%29
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output: Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to directory traversal :
+ The 'page' parameter of the /index.php CGI :
/index.php?page=../../../../../../../../etc/passwd%00index.html

-------- output --------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
------------------------
Plugin ID: 39467
Other references: CWE:22, CWE:21, CWE:632, CWE:813, CWE:715, CWE:723, OWASP:OWASP-AZ-001
CGI Generic Cookie Injection Scripting
Synopsis: The remote web server is prone to cookie injection attacks.
Description: The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism. Please note that :
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Session_fixation
See also: http://www.owasp.org/index.php/Session_Fixation
See also: http://www.acros.si/papers/session_fixation.pdf
See also: http://projects.webappsec.org/Session-Fixation
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output: Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cookie manipulation :
+ The 'page' parameter of the /index.php CGI :
/index.php?page=<meta%20http-equiv=Set-Cookie%20content="testiiuu=9434">

-------- output --------
<head>
<title><meta http-equiv=Set-Cookie content="testiiuu=9434"></title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
<
------------------------
Plugin ID: 44136
Other references: CWE:472, CWE:642, CWE:715, CWE:722
CGI Generic Cross-Site Scripting Vulnerability (quick test)
Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
See also: http://www.nessus.org/u?9717ad85
See also: http://projects.webappsec.org/Cross-Site+Scripting
Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Plugin output: Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross-site scripting (quick test) :
+ The 'page' parameter of the /index.php CGI :
/index.php?page=<IMG%20SRC="javascript:alert(104);">

-------- output --------
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title><IMG SRC="javascript:alert(104);"></title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
</head>
------------------------
Clicking directly on these URLs should exhibit the issue (you will probably need to read the HTML source) :
http://portal.albastru.ex/index.php?page=<IMG%20SRC="javascript:alert(104);">
Plugin ID: 39466
Other references: CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86
HTTP TRACE / TRACK Methods Allowed
Synopsis: Debugging functions are enabled on the remote web server.
Description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
See also: http://www.apacheweek.com/issues/03-01-24
See also: http://www.kb.cert.org/vuls/id/288308
See also: http://www.kb.cert.org/vuls/id/867593
See also: http://download.oracle.com/sunalerts/1000718.1.html
Solution: Disable these methods. Refer to the plugin output for more information.
Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1947368192.html HTTP/1.1
Connection: Close
Host: portal.albastru.ex
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Tue, 11 Oct 2011 08:20:49 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
Content-Type: message/http
X-Cache: MISS from localhost
Via: 1.0 localhost (squid/3.0.PRE5)
Proxy-Connection: close

TRACE /Nessus1947368192.html HTTP/1.0
Host: portal.albastru.ex
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Via: 1.1 localhost (squid/3.0.PRE5)
X-Forwarded-For: 10.110.48.235
Cache-Control: max-age=259200
Connection: keep-alive
------------------------------ snip ------------------------------
Plugin ID: 11213
CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386
BID: 9506, 9561, 11604, 33374, 37995
Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16
CGI Generic HTML Injections (quick test)
Synopsis: The remote web server may be prone to HTML injections.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks :
- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
See also: http://en.wikipedia.org/wiki/Code_injection#HTML-script_injection_.28cross-site_scripting.29
Solution: Either restrict access to the vulnerable application or contact the vendor for an update.
Plugin output: Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to HTML injection :
+ The 'page' parameter of the /index.php CGI :
/index.php?page=<cfofqk%20>

-------- output --------
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title><cfofqk ></title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
</head>
------------------------
Clicking directly on these URLs should exhibit the issue (you will probably need to read the HTML source) :
http://portal.albastru.ex/index.php?page=<cfofqk%20>
Plugin ID: 49067
Other references: CWE:80, CWE:86
SQL Dump Files Disclosed via Web Server
Synopsis: The remote web server hosts publicly accessible SQL dump files.
Description: The remote web server hosts publicly available files that contain SQL instructions. These files are most likely database dumps and may contain sensitive information.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution: Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.
Plugin output: The following SQL files are available on the remote server :
- /sql/portal.sql
Plugin ID: 55640
Backup Files Disclosure
Synopsis: It is possible to retrieve file backups from the remote web server.
Description: By appending various suffixes (e.g. .old, .bak, ~, etc.) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
See also: http://projects.webappsec.org/Predictable-Resource-Location
Solution: Ensure the files do not contain any sensitive information, such as credentials to connect to a database, and delete or protect those files that should not be accessible.
Plugin output: It is possible to read the following backup files :
- File : /index.php~
  URL : http://portal.albastru.ex/index.php~
- File : /includes/functions.inc.php~
  URL : http://portal.albastru.ex/includes/functions.inc.php~
- File : /includes/pear/Mail/smtp.php~
  URL : http://portal.albastru.ex/includes/pear/Mail/smtp.php~
Plugin ID: 11411
Backported Security Patch Detection (WWW)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: n/a
Plugin output: Give Nessus credentials to perform local checks.
Plugin ID: 39521
Browsable Web Directories
Synopsis: Some directories on the remote web server are browsable.
Description: Miscellaneous Nessus plugins identified directories on this web server that are browsable.
Risk factor: None
See also: http://projects.webappsec.org/Directory-Indexing
Solution: Make sure that browsable directories do not leak confidential information or give access to sensitive resources, and use access restrictions or disable directory indexing for any that do.
Plugin output: The following directories are browsable :
http://portal.albastru.ex/phpMyAdmin/themes/original/css/
http://portal.albastru.ex/includes/smarty/plugins/
http://portal.albastru.ex/includes/smarty/internals/
http://portal.albastru.ex/includes/pear/Net/
http://portal.albastru.ex/includes/pear/Mail/
http://portal.albastru.ex/includes/smarty/
http://portal.albastru.ex/includes/pear/
http://portal.albastru.ex/includes/
http://portal.albastru.ex/classes/
http://portal.albastru.ex/css/
http://portal.albastru.ex/sql/
http://portal.albastru.ex/templates/
http://portal.albastru.ex/phpMyAdmin/themes/original/img/
http://portal.albastru.ex/includes/pear/Net/docs/
http://portal.albastru.ex/includes/pear/Net/examples/
http://portal.albastru.ex/includes/pear/Net/tests/
http://portal.albastru.ex/phpMyAdmin/themes/original/
http://portal.albastru.ex/phpMyAdmin/themes/
Plugin ID: 40984
CGI Generic Tests Load Estimation (all tests)
Synopsis: Load estimation for web application tests.
Description: This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself. The results can be used to estimate the duration of these tests, or the complexity of additional manual tests. Note that the script does not try to compute this duration based on external factors such as the network and web server loads.
Risk factor: None
Solution: n/a
Plugin output: Here are the estimated number of requests in miscellaneous modes for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
on site request forgery                  : S=6    SP=6     AP=6      SC=6         AC=6
SQL injection                            : S=1944 SP=29064 AP=52584  SC=26542560  AC=364954080
unseen parameters                        : S=2835 SP=42385 AP=76685  SC=38707900  AC=532224700
local file inclusion                     : S=81   SP=1211  AP=2191   SC=1105940   AC=15206420
web code injection                       : S=81   SP=1211  AP=2191   SC=1105940   AC=15206420
cookie manipulation                      : S=150  SP=2390  AP=4350   SC=2211840   AC=30412800
XML injection                            : S=81   SP=1211  AP=2191   SC=1105940   AC=15206420
format string                            : S=162  SP=2422  AP=4382   SC=2211880   AC=30412840
script injection                         : S=6    SP=6     AP=6      SC=6         AC=6
cross-site scripting (comprehensive test): S=324  SP=4844  AP=8764   SC=4423760   AC=60825680
injectable parameter                     : S=162  SP=2422  AP=4382   SC=2211880   AC=30412840
cross-site scripting (extended patterns) : S=36   SP=36    AP=36     SC=36        AC=36
directory traversal (write access)       : S=162  SP=2422  AP=4382   SC=2211880   AC=30412840
SSI injection                            : S=243  SP=3633  AP=6573   SC=3317820   AC=45619260
header injection                         : S=12   SP=12    AP=12     SC=12        AC=12
directory traversal                      : S=2025 SP=30275 AP=54775  SC=27648500  AC=380160500
HTML injection                           : S=30   SP=30    AP=30     SC=30        AC=30
cross-site scripting (quick test)        : S=825  SP=13145 AP=23925  SC=12165120  AC=167270400
arbitrary command execution (time based) : S=486  SP=7266  AP=13146  SC=6635640   AC=91238520
SQL injection (2nd order)                : S=81   SP=1211  AP=2191   SC=1105940   AC=15206420
persistent XSS                           : S=324  SP=4844  AP=8764   SC=4423760   AC=60825680
directory traversal (extended test)      : S=4131 SP=61761 AP=111741 SC=56402940  AC=775527420
arbitrary command execution              : S=1296 SP=19376 AP=35056  SC=17695040  AC=243302720
blind SQL injection (4 requests)         : S=324  SP=4844  AP=8764   SC=4423760   AC=60825680
HTTP response splitting                  : S=54   SP=54    AP=54     SC=54        AC=54
blind SQL injection                      : S=972  SP=14532 AP=26292  SC=13271280  AC=182477040
All tests                                : S=16833 SP=250613 AP=453473 SC=228929464 AC=>2G

Here are the estimated number of requests in miscellaneous modes for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
on site request forgery                  : S=7    SP=7     AP=7      SC=7         AC=7
SQL injection                            : S=2088 SP=29448 AP=52968  SC=26543040  AC=364954560
unseen parameters                        : S=3045 SP=42945 AP=77245  SC=38708600  AC=532225400
local file inclusion                     : S=87   SP=1227  AP=2207   SC=1105960   AC=15206440
web code injection                       : S=87   SP=1227  AP=2207   SC=1105960   AC=15206440
cookie manipulation                      : S=150  SP=2390  AP=4350   SC=2211840   AC=30412800
XML injection                            : S=87   SP=1227  AP=2207   SC=1105960   AC=15206440
format string                            : S=174  SP=2454  AP=4414   SC=2211920   AC=30412880
script injection                         : S=7    SP=7     AP=7      SC=7         AC=7
cross-site scripting (comprehensive test): S=348  SP=4908  AP=8828   SC=4423840   AC=60825760
injectable parameter                     : S=174  SP=2454  AP=4414   SC=2211920   AC=30412880
cross-site scripting (extended patterns) : S=42   SP=42    AP=42     SC=42        AC=42
directory traversal (write access)       : S=174  SP=2454  AP=4414   SC=2211920   AC=30412880
SSI injection                            : S=261  SP=3681  AP=6621   SC=3317880   AC=45619320
header injection                         : S=14   SP=14    AP=14     SC=14        AC=14
directory traversal                      : S=2175 SP=30675 AP=55175  SC=27649000  AC=380161000
HTML injection                           : S=35   SP=35    AP=35     SC=35        AC=35
cross-site scripting (quick test)        : S=825  SP=13145 AP=23925  SC=12165120  AC=167270400
arbitrary command execution (time based) : S=522  SP=7362  AP=13242  SC=6635760   AC=91238640
SQL injection (2nd order)                : S=87   SP=1227  AP=2207   SC=1105960   AC=15206440
persistent XSS                           : S=348  SP=4908  AP=8828   SC=4423840   AC=60825760
directory traversal (extended test)      : S=4437 SP=62577 AP=112557 SC=56403960  AC=775528440
arbitrary command execution              : S=1392 SP=19632 AP=35312  SC=17695360  AC=243303040
blind SQL injection (4 requests)         : S=348  SP=4908  AP=8828   SC=4423840   AC=60825760
HTTP response splitting                  : S=63   SP=63    AP=63     SC=63        AC=63
blind SQL injection                      : S=1044 SP=14724 AP=26484  SC=13271520  AC=182477280
All tests                                : S=18021 SP=253741 AP=456601 SC=228933368 AC=>2G

Your mode : some_pairs, GET or POST.
Maximum number of requests : 250613
The following tests would have timed out in the selected mode and have been degraded to a quicker mode :
- directory traversal (extended test) : single
- arbitrary command execution : single
- SQL injection : single
- directory traversal : single
- unseen parameters : single
Plugin ID: 33817
CGI Generic Injectable Parameter
Synopsis: Some CGIs are candidates for extended injection tests.
Description: Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response. The affected parameters are candidates for extended injection tests like cross-site scripting attacks. This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.
Risk factor: Low
Solution: n/a
Plugin output: Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to injectable parameter :
+ The 'page' parameter of the /index.php CGI :
/index.php?page=%00dyyhrg

-------- output --------
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>.dyyhrg</title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
</head>
------------------------
Clicking directly on these URLs should exhibit the issue (you will probably need to read the HTML source) :
http://portal.albastru.ex/index.php?page=%00dyyhrg

Using the POST HTTP method, Nessus found that :
+ The following resources may be vulnerable to injectable parameter :
+ The 'pma_username' parameter of the /phpMyAdmin/index.php CGI :
/phpMyAdmin/index.php [pma_username=%00dyyhrg]

-------- output --------
Welcome to <bdo dir="ltr" xml:lang="en">phpMyAdmin </bdo></h1>
<div class="error"><h1>Error</h1>
#1045 - Access denied for user 'dyyhrg'@'portal.albastru.ex' (using password: NO)</div>
<form method="post" action="index.php" target="_parent">
------------------------
Plugin ID: 47830
Other references: CWE:86
HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol: the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Tue, 11 Oct 2011 08:20:19 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
X-Powered-By: PHP/5.2.0-8+etch13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1651
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from localhost
Via: 1.0 localhost (squid/3.0.PRE5)
Proxy-Connection: close
Plugin ID: 24260
Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis: The remote web server contains a graphic image that is prone to information disclosure.
Description: The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.
Risk factor: None
Solution: Remove the 'favicon.ico' file or create a custom one for your site.
Plugin output: The MD5 fingerprint for 'favicon.ico' suggests the web server is myghty 1.1 - zblog.
Plugin ID: 20108
Other references: OSVDB:39272
HTTP Reverse Proxy Detection
Synopsis: A transparent or reverse HTTP proxy is running on this port.
Description: This web server is reachable through a reverse HTTP proxy.
Risk factor: None
Solution: n/a
Plugin output: The GET method revealed those proxies on the way to this web server :
HTTP/1.0 localhost (squid/3.0.PRE5)
Plugin ID: 11040
Web Application Potentially Sensitive CGI Parameter Detection
Synopsis: An application was found that may use CGI parameters to control sensitive information.
Description: According to their names, some CGI parameters may control sensitive data (e.g., ID, privileges, commands, prices, credit card data, etc.). In the course of using an application, these variables may disclose sensitive data or be prone to tampering that could result in privilege escalation. These parameters should be examined to determine what type of data is controlled and if it poses a security risk.
** This plugin only reports information that may be useful for auditors or pen-testers, not a real flaw. **
Risk factor: None
Solution: Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access to resources or privileges.
Plugin output: Potentially sensitive parameters for CGI /index.php :
password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack
Plugin ID: 40773
HTTP Methods Allowed (per directory)
Synopsis: This plugin determines which HTTP methods are allowed on various CGI directories.
Description: By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests (if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy) various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Risk factor: None
Solution: n/a
Plugin output:
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :
  /classes /css /icons /includes /includes/pear /includes/pear/Mail /includes/pear/Net /includes/pear/Net/docs /includes/pear/Net/examples /includes/pear/Net/tests /includes/smarty /includes/smarty/internals /includes/smarty/plugins /phpMyAdmin/themes /phpMyAdmin/themes/darkblue_orange /phpMyAdmin/themes/original /phpMyAdmin/themes/original/css /phpMyAdmin/themes/original/img /sql /templates

Based on tests of each method :
- HTTP methods BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CONNECT COPY DELETE GET HEAD LOCK MKCOL MOVE OPTIONS POLL POST PROPFIND PROPPATCH PUT REPORT SEARCH SUBSCRIBE TRACE UNLOCK UNSUBSCRIBE are allowed on :
  /config /error /include /login
- HTTP methods CONNECT GET HEAD OPTIONS POST TRACE are allowed on :
  / /classes /css /icons /includes /includes/pear /includes/pear/Mail /includes/pear/Net /includes/pear/Net/docs /includes/pear/Net/examples /includes/pear/Net/tests /includes/smarty /includes/smarty/internals /includes/smarty/plugins /phpMyAdmin /phpMyAdmin/themes /phpMyAdmin/themes/darkblue_orange /phpMyAdmin/themes/original /phpMyAdmin/themes/original/css /phpMyAdmin/themes/original/img /sql /templates
Plugin ID: 43111
HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is :
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Plugin ID: 10107
Web Server Uses Plain Text Authentication Forms
Synopsis: The remote web server might transmit credentials in cleartext.
Description: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping on the traffic between web browser and server may obtain logins and passwords of valid users.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution: Make sure that every sensitive form transmits content over HTTPS.
Plugin output:
Page : /phpMyAdmin/
Destination page : index.php
Input name : pma_password

Page : /phpMyAdmin/?D=A
Destination page : index.php
Input name : pma_password

Page : /index.php?page=login
Destination page : ?page=login
Input name : password

Page : /phpMyAdmin/index.php?collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=1&lang=en-utf-8
Destination page : index.php
Input name : pma_password

Page : /phpMyAdmin/index.php?pma_username=&pma_password=&server=1&lang=en-utf-8&convcharset=iso-8859-1
Destination page : index.php
Input name : pma_password
Plugin ID: 26194
Other references: CWE:522, CWE:523, CWE:718, CWE:724
External URLs
Synopsis: Links to external sites were gathered.
Description: Nessus gathered HREF links to external sites by crawling the remote web server.
Risk factor: None
Solution: n/a
Plugin output: 1 external URL was gathered on this web server :
URL... - Seen on...
http://www.phpmyadmin.net - /phpMyAdmin/
Plugin ID: 49704
HTTP Server Cookies Set
Synopsis: Some cookies have been set by the web server.
Description: HTTP cookies are pieces of information that are presented by web servers and are sent back by the browser. As HTTP is a stateless protocol, cookies are a possible mechanism to keep track of sessions. This plugin displays the list of the HTTP cookies that were set by the web server when it was crawled.
Risk factor: None
Solution: n/a
Plugin output:
path = /phpMyAdmin/
name = pmaCookieVer
value = 4
version = 1
expires = Thu, 10-Nov-2011 08:12:40 GMT
secure = 0
httponly = 1

path = /phpMyAdmin/
name = pma_fontsize
value = deleted
version = 1
expires = Mon, 11-Oct-2010 08:12:46 GMT
secure = 0
httponly = 0

path = /phpMyAdmin/
name = pma_mcrypt_iv
value = Mts%2B6l%2Bf7H8%3D
version = 1
expires = Thu, 10-Nov-2011 08:12:40 GMT
secure = 0
httponly = 1

path = /phpMyAdmin/
name = phpMyAdmin
value = 4dfb49ab0793f389b1d5782a8a5ef37e34d4cbfc
version = 1
secure = 0
httponly = 1

path = /
name = PHPSESSID
value = 88bf5e68fd2d98b9ae03dc6738274a4a
version = 1
secure = 0
httponly = 0

path = /phpMyAdmin/
name = PHPSESSID
value = deleted
version = 1
expires = Mon, 11-Oct-2010 08:12:39 GMT
secure = 0
httponly = 0
Plugin ID: 39463
Web Server Allows Password Auto-Completion
Synopsis: Auto-complete is not disabled on password fields.
Description: The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.
Risk factor: None
Solution: Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.
Plugin output:
Page : /phpMyAdmin/
Destination Page : index.php
Input name : pma_password

Page : /phpMyAdmin/?D=A
Destination Page : index.php
Input name : pma_password

Page : /index.php?page=login
Destination Page : ?page=login
Input name : password

Page : /phpMyAdmin/index.php?collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=1&lang=en-utf-8
Destination Page : index.php
Input name : pma_password

Page : /phpMyAdmin/index.php?pma_username=&pma_password=&server=1&lang=en-utf-8&convcharset=iso-8859-1
Destination Page : index.php
Input name : pma_password
Plugin ID: 42057
Web mirroring
Synopsis: Nessus crawled the remote web site.
Description: This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host. It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
Risk factor: None
Solution: n/a
Plugin output:
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/phpMyAdmin/index.php (pma_username [] pma_password [] server [1] lang [en-utf-8] collation_c...)
/index.php (region [north] problem [] street [] username [] reset [Reset Password]...)
PHP script discloses physical path at /login (/var/www/portal/login.php)
Directory index found at /includes/
Directory index found at /classes/
Directory index found at /css/
Directory index found at /sql/
Directory index found at /templates/
Directory index found at /includes/pear/
Directory index found at /includes/smarty/
Directory index found at /includes/pear/Mail/
Directory index found at /includes/pear/Net/
PHP script discloses physical path at /includes/smarty/Smarty_Compiler.class.php (/var/www/portal/includes/smarty/Smarty_Compiler.class.php)
Directory index found at /includes/smarty/internals/
Directory index found at /includes/smarty/plugins/
Directory index found at /phpMyAdmin/themes/original/img/
PHP script discloses physical path at /includes/pear/Mail/mail.php (/var/www/portal/includes/pear/Mail/mail.php)
PHP script discloses physical path at /includes/pear/Mail/mock.php (/var/www/portal/includes/pear/Mail/mock.php)
PHP script discloses physical path at /includes/pear/Mail/null.php (/var/www/portal/includes/pear/Mail/null.php)
PHP script discloses physical path at /includes/pear/Mail/sendmail.php (/var/www/portal/includes/pear/Mail/sendmail.php)
PHP script discloses physical path at /includes/pear/Mail/smtp.php (/var/www/portal/includes/pear/Mail/smtp.php)
PHP script discloses physical path at /includes/pear/Mail/smtpmx.php (/var/www/portal/includes/pear/Mail/smtpmx.php)
PHP script discloses physical path at /includes/pear/Net/SMTP.php (/var/www/portal/includes/pear/Net/SMTP.php)
Directory index found at /includes/pear/Net/docs/
Directory index found at /includes/pear/Net/examples/
Directory index found at /includes/pear/Net/tests/
PHP script discloses physical path at /includes/smarty/plugins/modifier.date_format.php (/var/www/portal/includes/smarty/plugins/modifier.date_format.php)
Directory index found at /phpMyAdmin/themes/original/
PHP script discloses physical path at /includes/pear/Net/examples/basic.php (/var/www/portal/includes/pear/Net/examples/basic.php)
Directory index found at /phpMyAdmin/themes/
Directory index found at /phpMyAdmin/themes/original/css/
Plugin ID: 10662
Web Server Directory Enumeration
Synopsis: It is possible to enumerate directories on the web server.
Description: This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
Risk factor: None
See also: http://projects.webappsec.org/Predictable-Resource-Location
Solution: n/a
Plugin output:
The following directories were discovered:
/classes, /config, /include, /includes, /login, /css, /error, /icons, /phpMyAdmin, /sql, /templates
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Plugin ID: 11032
Other references: OWASP:OWASP-CM-006
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: An HTTP proxy is running on this port.
Plugin ID: 22964
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port.
Plugin ID: 22964