Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 1
Number of security warnings found: 3


Host List
Host(s)        Possible Issue
example.com    Security hole(s) found


Analysis of Host
Address of Host    Port/Service       Issue regarding Port
example.com        https (443/tcp)    Security warning(s) found
example.com        http (80/tcp)      Security warning(s) found
example.com        ldap (389/tcp)     Security warning(s) found
example.com        general/udp        Security notes found
example.com        general/tcp        Security hole found


Security Issues and Fixes: example.com
Type Port Issue and Fix
Warning https (443/tcp)
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus648102987.html HTTP/1.1
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Aug 2009 22:07:16 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus648102987.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

------------------------------ snip ------------------------------

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648
Nessus ID : 11213
Informational https (443/tcp) A TLSv1 server answered on this port

Nessus ID : 10330
Informational https (443/tcp) A web server is running on this port through SSL
Nessus ID : 10330
Informational https (443/tcp)
Synopsis :

The remote service encrypts communications using SSL.

Description :

This script detects which SSL ciphers are supported by the remote
service for encrypting communications.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Risk factor :

None

Plugin output :

Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Nessus ID : 21643
Informational https (443/tcp)
Synopsis :

Some information about the remote HTTP configuration can be extracted.

Description :

This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...

This test is informational only and does not denote any security
problem.

Risk factor :

None
Nessus ID : 24260
Informational https (443/tcp)
Synopsis :

The remote web server contains a 'robots.txt' file.

Description :

The remote host contains a file named 'robots.txt' that is intended to
prevent web 'robots' from visiting certain directories in a web site for
maintenance or indexing purposes. A malicious user may also be able to
use the contents of this file to learn of sensitive documents or
directories on the affected site and either retrieve them directly or
target them for other attacks.

See also :

http://www.robotstxt.org/wc/exclusion.html

Solution :

Review the contents of the site's robots.txt file, use Robots META tags
instead of entries in the robots.txt file, and/or adjust the web
server's access controls to limit access to sensitive material.

Risk factor :

None

Contents of robots.txt :

User-agent: *
Disallow: /

Other references : OSVDB:238
Nessus ID : 10302
Informational https (443/tcp) Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:00:91:00:36
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TH, O=Government Information Technology Services, OU=G-CA Secure Server CA, CN=G-CA Secure Server CA
Validity
Not Before: Jan 19 01:45:56 2009 GMT
Not After : Jan 19 16:59:59 2010 GMT
Subject: C=TH, ST=Bangkok, L=Ratchathewi, O=GOV, OU=Government Information Technology Services, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
5F:11:DA:B9:71:DE:2F:26:01:9C:C5:1F:2F:A0:22:4C:A2:46:D7:CD
X509v3 Authority Key Identifier:
keyid:D4:1B:B6:AF:05:7A:1E:F2:36:9D:65:96:27:74:64:75:B1:92:25:41

X509v3 CRL Distribution Points:
URI:http://crl.gca.thaigov.net/crl/crl_gca_ssca_1.crl

X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.19500.2.1.1
CPS: http://gca.thaigov.net

Signature Algorithm: sha1WithRSAEncryption
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.

Nessus ID : 10863
Warning http (80/tcp)
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus925552916.html HTTP/1.1
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Aug 2009 22:07:14 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus925552916.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Keep-Alive
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

------------------------------ snip ------------------------------

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648
Nessus ID : 11213
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp)
Synopsis :

A web server is running on the remote host.

Description :

This plugin attempts to determine the type and the version of
the remote web server.

Risk factor :

None

Plugin output :

The remote web server type is :

Apache

and the 'ServerTokens' directive is ProductOnly
Apache does not offer a way to hide the server type.

Nessus ID : 10107
Informational http (80/tcp)
Synopsis :

Some information about the remote HTTP configuration can be extracted.

Description :

This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...

This test is informational only and does not denote any security
problem.

Risk factor :

None
Nessus ID : 24260
Informational http (80/tcp)
Synopsis :

The remote web server contains a 'robots.txt' file.

Description :

The remote host contains a file named 'robots.txt' that is intended to
prevent web 'robots' from visiting certain directories in a web site for
maintenance or indexing purposes. A malicious user may also be able to
use the contents of this file to learn of sensitive documents or
directories on the affected site and either retrieve them directly or
target them for other attacks.

See also :

http://www.robotstxt.org/wc/exclusion.html

Solution :

Review the contents of the site's robots.txt file, use Robots META tags
instead of entries in the robots.txt file, and/or adjust the web
server's access controls to limit access to sensitive material.

Risk factor :

None

Contents of robots.txt :

User-agent: *
Disallow: /

Other references : OSVDB:238
Nessus ID : 10302
Warning ldap (389/tcp)
Synopsis :

The remote LDAP server allows anonymous access.

Description :

The LDAP server on the remote host is currently configured such that a
user can connect to it without authentication - via a 'NULL BIND' -
and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of
information that an attacker could find useful.

Note that version 3 of the LDAP protocol requires that a server allow
anonymous access -- a 'NULL BIND' -- to the root DSA-Specific Entry
(DSE) even though it may still require authentication to perform other
queries. As such, this finding may be a false-positive.

Solution :

Unless the remote LDAP server supports LDAP v3, configure it to
disallow NULL BINDs.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Other references : OSVDB:9723
Nessus ID : 10723
Informational ldap (389/tcp)
Synopsis :

There is an LDAP server active on the remote host.

Description :

The remote host is running a Lightweight Directory Access Protocol, or
LDAP, server. LDAP is a protocol for providing access to directory
services over TCP/IP.

See also :

http://en.wikipedia.org/wiki/LDAP

Risk factor :

None
Nessus ID : 20870
Informational general/udp For your information, here is the traceroute from 164.115.2.148 to 164.115.10.8 :
164.115.2.148
164.115.2.129
164.115.10.8

Nessus ID : 10287
Vulnerability general/tcp Information about this scan :

Nessus version : 2.2.11 (Nessus 4.0.1 is available - consider upgrading)

Plugin feed version : 200907171734
Type of plugin feed : HomeFeed (Non-commercial use only)

ERROR: Your plugin feed has not been updated since 2009/7/17
Performing a scan with an older plugin set will yield out of date results and
produce an incomplete audit. Please run nessus-update-plugins to get the
newest vulnerability checks from Nessus.org.

Scanner IP : 164.115.2.148
Port scanner(s) : nessus_tcp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : enabled
Web application tests : disabled
Max hosts : 20
Max checks : 4
Recv timeout : 5
Backports : None
Scan Start Date : 2009/9/1 4:47
Scan duration : 2794 sec

Nessus ID : 19506
Informational general/tcp 164.115.10.8 resolves as example.com.
Nessus ID : 12053

This file was generated by Nessus, the security scanner.