| Security Issues and Fixes: example.com |
| Type |
Port |
Issue and Fix |
Warning
|
https (443/tcp) |
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus648102987.html HTTP/1.1
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Aug 2009 22:07:16 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus648102987.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
------------------------------ snip ------------------------------
CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648
Nessus ID : 11213 |
| Informational |
https (443/tcp) |
A TLSv1 server answered on this port
Nessus ID : 10330 |
| Informational |
https (443/tcp) |
A web server is running on this port through SSL
Nessus ID : 10330 |
| Informational |
https (443/tcp) |
Synopsis :
The remote service encrypts communications using SSL.
Description :
This script detects which SSL ciphers are supported by the remote
service for encrypting communications.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Risk factor :
None
Plugin output :
Here is the list of SSL ciphers supported by the remote server :
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Nessus ID : 21643 |
| Informational |
https (443/tcp) |
Synopsis :
Some information about the remote HTTP configuration can be extracted.
Description :
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...
This test is informational only and does not denote any security
problem.
Risk factor :
None
Nessus ID : 24260 |
| Informational |
https (443/tcp) |
Synopsis :
The remote web server contains a 'robots.txt' file.
Description :
The remote host contains a file named 'robots.txt' that is intended to
prevent web 'robots' from visiting certain directories in a web site for
maintenance or indexing purposes. A malicious user may also be able to
use the contents of this file to learn of sensitive documents or
directories on the affected site and either retrieve them directly or
target them for other attacks.
See also :
http://www.robotstxt.org/wc/exclusion.html
Solution :
Review the contents of the site's robots.txt file, use Robots META tags
instead of entries in the robots.txt file, and/or adjust the web
server's access controls to limit access to sensitive material.
Risk factor :
None
Contents of robots.txt :
User-agent: *
Disallow: /
Other references : OSVDB:238
Nessus ID : 10302 |
| Informational |
https (443/tcp) |
Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:00:91:00:36
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TH, O=Government Information Technology Services, OU=G-CA Secure Server CA, CN=G-CA Secure Server CA
Validity
Not Before: Jan 19 01:45:56 2009 GMT
Not After : Jan 19 16:59:59 2010 GMT
Subject: C=TH, ST=Bangkok, L=Ratchathewi, O=GOV, OU=Government Information Technology Services, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:eb:84:3f:f6:19:15:fc:2a:76:f9:f0:f6:a3:19:
c6:5f:81:c9:d8:a2:11:fc:bb:51:cb:4e:66:c3:b4:
7a:d1:1f:83:09:21:c7:6b:8c:8c:36:79:ba:c8:3d:
b4:22:b8:bb:91:36:d5:da:5d:73:37:79:ad:ca:7a:
2b:fd:60:5c:5c:30:ed:e2:5b:27:05:60:70:12:10:
83:91:f1:1c:00:ac:71:49:4c:52:b4:7e:86:43:b5:
a8:fa:38:f4:90:08:c3:d8:ad:07:b4:a9:29:3a:cc:
d0:c2:44:ca:5e:74:5c:4d:b5:fb:77:81:09:aa:0d:
56:8c:74:75:2f:e5:af:ad:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
5F:11:DA:B9:71:DE:2F:26:01:9C:C5:1F:2F:A0:22:4C:A2:46:D7:CD
X509v3 Authority Key Identifier:
keyid:D4:1B:B6:AF:05:7A:1E:F2:36:9D:65:96:27:74:64:75:B1:92:25:41
X509v3 CRL Distribution Points:
URI:http://crl.gca.thaigov.net/crl/crl_gca_ssca_1.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.19500.2.1.1
CPS: http://gca.thaigov.net
Signature Algorithm: sha1WithRSAEncryption
8f:05:ac:47:d6:49:26:f6:69:8c:d4:b8:a2:e1:8d:07:25:1f:
12:aa:6b:c1:61:19:cc:6b:c4:2c:b0:e0:2d:de:7d:21:d9:39:
3d:55:68:03:b1:86:9a:71:a2:5a:f2:86:2b:ba:6e:87:0d:59:
8b:ed:d2:13:0a:4f:3b:11:12:5a:99:be:26:db:d2:c6:12:13:
4a:94:ab:7b:76:36:94:f9:79:30:db:d2:72:11:77:73:44:f1:
0d:81:93:d2:bb:0e:7f:1c:59:f9:20:21:5f:09:c2:20:90:66:
21:30:9d:3a:05:27:44:52:4a:9e:83:0e:59:25:6d:01:a6:48:
cc:48:3d:f5:e3:35:04:e0:6a:9c:45:45:79:d1:ea:56:b5:c2:
b9:ea:ff:07:8f:47:90:f7:9d:b3:b5:13:69:bd:30:64:b6:05:
21:0c:23:8e:c5:7a:89:44:d3:bf:05:b8:4f:01:22:98:1c:07:
ec:09:25:97:bf:8b:b2:83:9e:83:66:44:3e:a2:33:d7:ad:62:
96:f7:ac:db:8c:6f:be:ef:a0:87:9f:59:4a:14:c0:8b:76:f6:
d9:0b:c0:a9:75:57:d8:60:60:92:db:ef:66:bc:33:fe:8b:77:
65:1f:53:d8:96:d3:16:4b:34:cb:99:2a:15:c0:9d:4e:cc:ef:
ad:53:93:eb
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
Nessus ID : 10863 |
Warning
|
http (80/tcp) |
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus925552916.html HTTP/1.1
Connection: Close
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Aug 2009 22:07:14 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus925552916.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Keep-Alive
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
------------------------------ snip ------------------------------
CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648
Nessus ID : 11213 |
| Informational |
http (80/tcp) |
A web server is running on this port
Nessus ID : 10330 |
| Informational |
http (80/tcp) |
Synopsis :
A web server is running on the remote host.
Description :
This plugin attempts to determine the type and the version of
the remote web server.
Risk factor :
None
Plugin output :
The remote web server type is :
Apache
and the 'ServerTokens' directive is ProductOnly
Apache does not offer a way to hide the server type.
Nessus ID : 10107 |
| Informational |
http (80/tcp) |
Synopsis :
Some information about the remote HTTP configuration can be extracted.
Description :
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...
This test is informational only and does not denote any security
problem.
Risk factor :
None
Nessus ID : 24260 |
| Informational |
http (80/tcp) |
Synopsis :
The remote web server contains a 'robots.txt' file.
Description :
The remote host contains a file named 'robots.txt' that is intended to
prevent web 'robots' from visiting certain directories in a web site for
maintenance or indexing purposes. A malicious user may also be able to
use the contents of this file to learn of sensitive documents or
directories on the affected site and either retrieve them directly or
target them for other attacks.
See also :
http://www.robotstxt.org/wc/exclusion.html
Solution :
Review the contents of the site's robots.txt file, use Robots META tags
instead of entries in the robots.txt file, and/or adjust the web
server's access controls to limit access to sensitive material.
Risk factor :
None
Contents of robots.txt :
User-agent: *
Disallow: /
Other references : OSVDB:238
Nessus ID : 10302 |
Warning
|
ldap (389/tcp) |
Synopsis :
The remote LDAP server allows anonymous access.
Description :
The LDAP server on the remote host is currently configured such that a
user can connect to it without authentication - via a 'NULL BIND' -
and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of
information that an attacker could find useful.
Note that version 3 of the LDAP protocol requires that a server allow
anonymous access -- a 'NULL BIND' -- to the root DSA-Specific Entry
(DSE) even though it may still require authentication to perform other
queries. As such, this finding may be a false-positive.
Solution :
Unless the remote LDAP server supports LDAP v3, configure it to
disallow NULL BINDs.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Other references : OSVDB:9723
Nessus ID : 10723 |
| Informational |
ldap (389/tcp) |
Synopsis :
There is an LDAP server active on the remote host.
Description :
The remote host is running a Lightweight Directory Access Protocol, or
LDAP, server. LDAP is a protocol for providing access to directory
services over TCP/IP.
See also :
http://en.wikipedia.org/wiki/LDAP
Risk factor :
None
Nessus ID : 20870 |
| Informational |
general/udp |
For your information, here is the traceroute from 164.115.2.148 to 164.115.10.8 :
164.115.2.148
164.115.2.129
164.115.10.8
Nessus ID : 10287 |
| Vulnerability |
general/tcp |
Information about this scan :
Nessus version : 2.2.11 (Nessus 4.0.1 is available - consider upgrading)
Plugin feed version : 200907171734
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2009/7/17
Performing a scan with an older plugin set will yield out of date results and
produce an incomplete audit. Please run nessus-update-plugins to get the
newest vulnerability checks from Nessus.org.
Scanner IP : 164.115.2.148
Port scanner(s) : nessus_tcp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : enabled
Web application tests : disabled
Max hosts : 20
Max checks : 4
Recv timeout : 5
Backports : None
Scan Start Date : 2009/9/1 4:47
Scan duration : 2794 sec
Nessus ID : 19506 |
| Informational |
general/tcp |
164.115.10.8 resolves as example.com.
Nessus ID : 12053 |
|