Sample Report

Here you will find a real, pseudonymized vulnerability scan report.

Summary

The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization.


  • Network & Service
  • Web Application
  • WordPress

This testing examines external IT systems for any security weakness that could be used by an external attacker to compromise the environment. COCUS performs this using a framework that draws on various tools, including both commercial and open-source tools.

It is also important to note that testing relates to the state of the system during testing, and any subsequent changes may either remove or add vulnerabilities.

Furthermore, vulnerability scanning cannot identify every vulnerability: the absence of a reported vulnerability does not imply that no vulnerability exists.

Open Ports

Below is a list of all open ports discovered by our scanning engine, grouped by protocol. Please review all these open ports to make sure that they are necessary to expose to the entire Internet.

Port Protocol Name
22 TCP ssh
53 TCP domain
80 TCP http
111 TCP sunrpc
4569 TCP iax
53 UDP domain
5060 UDP sip

1. Cleartext submission of password

There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


1.1 http://customer.com/admin/config.php

Severity: High Confidence: Certain

Issue Detail

The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).

Request

GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...

1.2 http://customer.com/admin/panel.php

Severity: High Confidence: Certain

Issue Detail

The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).

Request

GET /admin/panel.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...

1.3 http://customer.com/admin/reports.php

Severity: High Confidence: Certain

Issue Detail

The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).

Request

GET /admin/reports.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:21:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:21:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...

1.4 http://customer.com/recordings/

Severity: High Confidence: Certain

Issue Detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

  • http://customer.com/recordings/index.php
The form contains the following password field:
  • password

Request

GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
 <form id='login' name='login' action=index.php method='POST'>
          <tr>
...[SNIP]...
<td colspan=1>
 <input type='password' name='password' maxlength=20 tabindex=2>
            </td>
...[SNIP]...

1.5 http://customer.com/recordings/index.php

Severity: High Confidence: Certain

Issue Detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

  • http://customer.com/recordings/index.php
The form contains the following password field:
  • password

Request

POST /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

remember=on&username=Peter+Winter&btnSubmit=Submit&password=555-555-0199@example.com

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5242
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
 <form id='login' name='login' action=index.php method='POST'>
          <tr>
...[SNIP]...
<td colspan=1>
 <input type='password' name='password' maxlength=20 tabindex=2>
            </td>
...[SNIP]...

2. Dnsmasq Remote Denial of Service Vulnerability

Severity: High Port: 53/tcp

Issue Description

Summary

Dnsmasq is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions through a stream of spoofed DNS queries producing large results. Dnsmasq versions 2.62 and prior are vulnerable.

References

https://bugzilla.redhat.com/show_bug.cgi?id=833033

3. WPScan information

The following information was extracted from WPScan:

XML-RPC Interface available under: https://www.customer.com/xmlrpc.php

  • This may allow the GHOST vulnerability to be exploited, please see: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
  • WordPress version cannot be detected

WordPress theme in use: sample - v1.0

Name: sample - v1.0

  • Location: https://www.customer.com/wp-content/themes/sample/
  • Style URL: https://www.customer.com/wp-content/themes/sample/style.css
  • Theme Name: customer.com 2014
  • Theme URI: http://www.client.de
  • Description: The customer.com theme for WordPress
  • Author: Client GmbH
  • Author URI: http://www.client.de

6 plugins were detected; they are listed below.


3.1 Plugin name: cforms

Location

https://www.customer.com/wp-content/plugins/cforms/


3.2 Plugin name: contact-bank-pro-edition

Location

https://www.customer.com/wp-content/plugins/contact-bank-pro-edition/


3.3 Plugin name: ninja-forms

Location

https://www.customer.com/wp-content/plugins/ninja-forms/

Info

We could not determine a version, so all vulnerabilities are printed out.

Title: Ninja Forms 2.8.6 - Reflected Cross-Site Scripting (XSS)

  • Reference: https://wpvulndb.com/vulnerabilities/7684
  • Reference: http://security.szurek.pl/ninja-forms-286-reflected-xss.html
  • Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8815

Fixed in: 2.8.7

Title: Ninja Forms <= 2.8.8 - Stored & Reflected XSS

  • Reference: https://wpvulndb.com/vulnerabilities/7788
  • Reference: http://seclists.org/bugtraq/2015/Feb/94
  • Reference: http://packetstormsecurity.com/files/130369/
  • Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2220

Fixed in: 2.8.9

Title: Ninja Forms <= 2.8.10 - Unspecified Issue Affecting Admin Users

  • Reference: https://wpvulndb.com/vulnerabilities/7836
  • Reference: https://wordpress.org/plugins/ninja-forms/changelog/
  • Reference: http://packetstormsecurity.com/files/130369/
  • Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9688

3.4 Plugin name: page-list

Location

https://www.customer.com/wp-content/plugins/page-list/


3.5 Plugin name: taxonomy-images

Location

https://www.customer.com/wp-content/plugins/taxonomy-images/


3.6 Plugin name: wp-pagenavi

Location

https://www.customer.com/wp-content/plugins/wp-pagenavi/

4. Apache Web Server ETag Header Information Disclosure Weakness

Severity: Medium Port: 80/tcp

Issue Description

Information that was gathered: Inode: 98932 Size: 561

Summary

A weakness has been discovered in Apache web servers that are configured to use the FileETag directive. Due to the way in which Apache generates ETag response headers, it may be possible for an attacker to obtain sensitive information regarding server files. Specifically, ETag header fields returned to a client contain the file's inode number. Exploitation of this issue may provide an attacker with information that may be used to launch further attacks against a target network. OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.

Solution

OpenBSD has released a patch to address this issue. Novell has released TID10090670 to advise users to apply the available workaround of disabling the directive in the configuration file for Apache releases on NetWare. Please see the attached Technical Information Document for further details.

References

CVE: http://support.novell.com/docs/Tids/Solutions/10090670.html

5. Asterisk SIP Response Username Enumeration Remote Information Disclosure Vulnerability

Severity: Medium Port: 5060/udp

Issue Description

Summary

Asterisk is prone to an information-disclosure vulnerability because it doesn't provide safe responses to failed authentication attempts. Attackers can exploit this issue to discover whether specific usernames exist. Information harvested may aid in launching further attacks.

Solution

The vendor has released an advisory and updates. Please see the references for details.

References

CVE: http://downloads.asterisk.org/pub/security/AST-2009-008.html

6. Dnsmasq TFTP Service Multiple Vulnerabilities

Severity: Medium Port: 53/tcp

Issue Description

Summary

Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Remote attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer. Dnsmasq is also prone to a NULL-pointer dereference vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. NOTE: The TFTP service must be enabled for this issue to be exploitable; this is not the default. Versions *prior to* Dnsmasq 2.50 are vulnerable.

Solution

Updates are available. Please see the references for more information.

References

CVE: http://www.coresecurity.com/content/dnsmasq-vulnerabilities

7. Password field with autocomplete enabled

There are 2 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application. The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


7.1 http://customer.com/recordings/

Severity: Low Confidence: Certain

Issue Detail

The page contains a form with the following action URL:

  • http://customer.com/recordings/index.php
The form contains the following password field with autocomplete enabled:
  • password

Request

GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
 <form id='login' name='login' action=index.php method='POST'>
          <tr>
...[SNIP]...
<td colspan=1>
 <input type='password' name='password' maxlength=20 tabindex=2>
            </td>
...[SNIP]...

7.2 http://customer.com/recordings/index.php

Severity: Low Confidence: Certain

Issue Detail

The page contains a form with the following action URL:

  • http://customer.com/recordings/index.php
The form contains the following password field with autocomplete enabled:
  • password

Request

POST /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

remember=on&username=Peter+Winter&btnSubmit=Submit&password=555-555-0199@example.com

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5242
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
 <form id='login' name='login' action=index.php method='POST'>
          <tr>
...[SNIP]...
<td colspan=1>
 <input type='password' name='password' maxlength=20 tabindex=2>
            </td>
...[SNIP]...

8. Cookie without HttpOnly flag set

There is 1 instance of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive. You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.


8.1 Cookie without HttpOnly flag set

Severity: Low Confidence: Firm

Issue Detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

  • PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...

9. Content type incorrectly stated

There are 2 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyze the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data it may lead to cross-site scripting or other client-side vulnerabilities. In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


9.1 http://customer.com/admin/images/LICENCE

Severity: Information Confidence: Firm

Issue Detail

The response contains the following Content-type statement:

  • Content-Type: text/plain; charset=UTF-8
The response states that it contains plain text. However, it actually appears to contain script.

Request

GET /admin/images/LICENCE HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/images/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "1817e-329-c508f540"
Accept-Ranges: bytes
Content-Length: 809
Connection: close
Content-Type: text/plain; charset=UTF-8

// This is the license for all files in this dashboard/images directory
// These files are part of FreePBX.
//
//    FreePBX is free software: you can redistribute it and/or modify
//    it under the
...[SNIP]...

9.2 http://customer.com/robots.txt

Severity: Information Confidence: Firm

Issue Detail

The response contains the following Content-type statement:

  • Content-Type: text/plain; charset=UTF-8
The response states that it contains plain text. However, it actually appears to contain script.

Request

GET /robots.txt HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "18275-169-c508f540"
Accept-Ranges: bytes
Content-Length: 361
Connection: close
Content-Type: text/plain; charset=UTF-8

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an ins
...[SNIP]...

10. Robots.txt file

There is 1 instance of this issue:

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index. The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.


10.1 Robots.txt file

Severity: Information Confidence: Certain

Issue Detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "18275-169-c508f540"
Accept-Ranges: bytes
Content-Length: 361
Connection: close
Content-Type: text/plain; charset=UTF-8

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an ins
...[SNIP]...

11. Email addresses disclosed

There are 3 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content. However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


11.1 http://customer.com/admin/common/jquery.cookie.js

Severity: Information Confidence: Certain

Issue Detail

The following email address was disclosed in the response:

  • klaus.hartl@stilbuero.de

Request

GET /admin/common/jquery.cookie.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:22 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17f92-1097-c508f540"
Accept-Ranges: bytes
Content-Length: 4247
Connection: close
Content-Type: application/x-javascript

/**
 * Cookie plugin
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the MIT and GPL licenses:
 * http://www.opensource.org/licenses/mit-license.php
 * http://www.gnu.org/li
...[SNIP]...
kie will be set and the cookie transmission will
 *                        require a secure protocol (like HTTPS).
 * @type undefined
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */

/**
 * Get the value of a cookie with the given name.
 *
 * @example $.cookie('the_cookie');
 * @desc Get the value of a cookie.
 *
 * @param String name The name of the cookie.
 * @return The value of the cookie.
 * @type String
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
jQuery.cookie = function(name, value, options) {
    if (typeof value != 'undefined') { // name and value given, set cookie
        options = options || {};
        if (value === null) {

...[SNIP]...

11.2 http://customer.com/admin/common/jquery.dimensions.js

Severity: Information Confidence: Certain

Issue Detail

The following email addresses were disclosed in the response:

  • brandon.aaron@gmail.com
  • paul.bakaus@googlemail.com

Request

GET /admin/common/jquery.dimensions.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:23 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17f95-5043-c508f540"
Accept-Ranges: bytes
Content-Length: 20547
Connection: close
Content-Type: application/x-javascript

/* Copyright (c) 2007 Paul Bakaus (paul.bakaus@googlemail.com) and Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net)
 * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php)
 * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses.
 *
 * $LastCha
<b>...[SNIP]...</b>

11.3 http://customer.com/admin/common/jquery.tabs-2.7.4.js

Severity: Information
Confidence: Certain

Issue Detail

The following email address was disclosed in the response:

  • klaus.hartl@stilbuero.de

Request

GET /admin/common/jquery.tabs-2.7.4.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:22 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17fa1-7bf8-c508f540"
Accept-Ranges: bytes
Content-Length: 31736
Connection: close
Content-Type: application/x-javascript

/**
 * Tabs - jQuery plugin for accessible, unobtrusive tabs
 * @requires jQuery v1.0.3
 *
 * http://stilbuero.de/tabs/
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the M
<b>...[SNIP]...</b>
up the several tab containers such a structure is expressed by "div>div".
 *                          Default value: "div".
 * @type jQuery
 *
 * @name tabs
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
$.fn.tabs = function(initial, settings) {

    // settings
    if (typeof initial == 'object') settings = initial; // no initial tab given but a settings object
    settings = $.extend({
        i
<b>...[SNIP]...</b>
             be activated. If this parameter is omitted, the first tab
 *                          will be activated.
 * @type jQuery
 *
 * @name triggerTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */

/**
 * Disable a tab, so that clicking it has no effect.
 *
 * @example $('#container').disableTab(2);
 * @desc Disable the second tab of the tab interface contained in <div id="container">
<b>...[SNIP]...</b>
               be disabled. If this parameter is omitted, the first tab
 *                          will be disabled.
 * @type jQuery
 *
 * @name disableTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */

/**
 * Enable a tab that has been disabled.
 *
 * @example $('#container').enableTab(2);
 * @desc Enable the second tab of the tab interface contained in <div id="container">
<b>...[SNIP]...</b>
                  be enabled. If this parameter is omitted, the first tab
 *                          will be enabled.
 * @type jQuery
 *
 * @name enableTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */

var tabEvents = ['triggerTab', 'disableTab', 'enableTab'];
for (var i = 0; i < tabEvents.length; i++) {
    $.fn[tabEvents[i]] = (function(tabEvent) {
        return function(tab) {
            r
<b>...[SNIP]...</b>
<div id="container">.
 *
 * @type Number
 *
 * @name activeTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */

$.fn.activeTab = function() {
    var selectedTabs = [];
    this.each(function() {
        var nav = $('ul.tabs-nav' , this);
        nav = nav.size() && nav || $('>
<b>...[SNIP]...</b>

12. Directory listing

There are 6 instances of this issue:

Issue remediation

There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:

  • Configure your web server to prevent directory listings for all paths beneath the web root.
  • Place into each directory a default file (such as index.htm) which the web server will display instead of returning a directory listing.


12.1 http://customer.com/admin/common/

Severity: Information
Confidence: Firm

Request

GET /admin/common/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 5600
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /admin/common</title>
 </head>
 <body>
<h1>Index of /admin/common</h1>
<table><tr><th><img src="/icons/blank.gi
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/admin/">Parent Directory</a>
<b>...[SNIP]...</b>

12.2 http://customer.com/admin/images/

Severity: Information
Confidence: Firm

Request

GET /admin/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16312

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /admin/images</title>
 </head>
 <body>
<h1>Index of /admin/images</h1>
<table><tr><th><img src="/icons/blank.gi
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/admin/">Parent Directory</a>
<b>...[SNIP]...</b>

12.3 http://customer.com/icons/

Severity: Information
Confidence: Firm

Request

GET /icons/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /icons</title>
 </head>
 <body>
<h1>Index of /icons</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/">Parent Directory</a>
<b>...[SNIP]...</b>

12.4 http://customer.com/icons/small/

Severity: Information
Confidence: Firm

Request

GET /icons/small/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/icons/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:16 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 12542

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /icons/small</title>
 </head>
 <body>
<h1>Index of /icons/small</h1>
<table><tr><th><img src="/icons/blank.gif"
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/icons/">Parent Directory</a>
<b>...[SNIP]...</b>

12.5 http://customer.com/recordings/theme/

Severity: Information
Confidence: Firm

Request

GET /recordings/theme/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 2933
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /recordings/theme</title>
 </head>
 <body>
<h1>Index of /recordings/theme</h1>
<table><tr><th><img src="/icons/
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/recordings/">Parent Directory</a>
<b>...[SNIP]...</b>

12.6 http://customer.com/recordings/theme/images/

Severity: Information
Confidence: Firm

Request

GET /recordings/theme/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 1697
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /recordings/theme/images</title>
 </head>
 <body>
<h1>Index of /recordings/theme/images</h1>
<table><tr><th><im
<b>...[SNIP]...</b>
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
<b>...[SNIP]...</b>
<td><a href="/recordings/theme/">Parent Directory</a>
<b>...[SNIP]...</b>

13. Frameable response (potential Clickjacking)

There are 13 instances of this issue:

Issue remediation

You should review the application functions that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions.

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.


13.1 http://customer.com/

Severity: Information
Confidence: Firm

Request

GET / HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:26:16 GMT
ETag: "18274-231-f09b2200"
Accept-Ranges: bytes
Content-Length: 561
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML>
<HEAD>
<head>
    <title>FreePBX</title>
    <meta http-equiv="Content-Type" content="text/html">
    <link href="mainstyle.css" rel="stylesheet" type="text/css">
</head>

<body>
<div id="page
<b>...[SNIP]...</b>

13.2 http://customer.com/admin/common/

Severity: Information
Confidence: Firm

Request

GET /admin/common/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 5600
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /admin/common</title>
 </head>
 <body>
<h1>Index of /admin/common</h1>
<table><tr><th><img src="/icons/blank.gi
<b>...[SNIP]...</b>

13.3 http://customer.com/admin/config.php

Severity: Information
Confidence: Firm

Request

GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
<b>...[SNIP]...</b>

13.4 http://customer.com/admin/images/

Severity: Information
Confidence: Firm

Request

GET /admin/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16312

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /admin/images</title>
 </head>
 <body>
<h1>Index of /admin/images</h1>
<table><tr><th><img src="/icons/blank.gi
<b>...[SNIP]...</b>

13.5 http://customer.com/admin/panel.php

Severity: Information
Confidence: Firm

Request

GET /admin/panel.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
<b>...[SNIP]...</b>

13.6 http://customer.com/admin/reports.php

Severity: Information
Confidence: Firm

Request

GET /admin/reports.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:21:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:21:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
<b>...[SNIP]...</b>

13.7 http://customer.com/icons/

Severity: Information
Confidence: Firm

Request

GET /icons/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /icons</title>
 </head>
 <body>
<h1>Index of /icons</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"
<b>...[SNIP]...</b>

13.8 http://customer.com/icons/small/

Severity: Information
Confidence: Firm

Request

GET /icons/small/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/icons/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:16 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 12542

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /icons/small</title>
 </head>
 <body>
<h1>Index of /icons/small</h1>
<table><tr><th><img src="/icons/blank.gif"
<b>...[SNIP]...</b>

13.9 http://customer.com/recordings/

Severity: Information
Confidence: Firm

Request

GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
<b>...[SNIP]...</b>

13.10 http://customer.com/recordings/index.php

Severity: Information
Confidence: Firm

Request

GET /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
<b>...[SNIP]...</b>

13.11 http://customer.com/recordings/theme/

Severity: Information
Confidence: Firm

Request

GET /recordings/theme/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 2933
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /recordings/theme</title>
 </head>
 <body>
<h1>Index of /recordings/theme</h1>
<table><tr><th><img src="/icons/
<b>...[SNIP]...</b>

13.12 http://customer.com/recordings/theme/images/

Severity: Information
Confidence: Firm

Request

GET /recordings/theme/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 1697
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /recordings/theme/images</title>
 </head>
 <body>
<h1>Index of /recordings/theme/images</h1>
<table><tr><th><im
<b>...[SNIP]...</b>

13.13 http://customer.com/recordings/theme/page.tpl.php

Severity: Information
Confidence: Firm

Request

GET /recordings/theme/page.tpl.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91

Response

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 2018
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <TITLE>FreePBX User P
<b>...[SNIP]...</b>

14. Cross-site request forgery

There is 1 instance of this issue:

Issue background

Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application. For a request to be vulnerable to CSRF, the following conditions must hold:

  • The request can be issued cross-domain, for example using an HTML form. If the request contains non-standard headers or body content, then it may only be issuable from a page that originated on the same domain.
  • The application relies solely on HTTP cookies to identify the user that issued the request. If the application places session-related tokens elsewhere within the request, then it may not be vulnerable.
  • The request performs some privileged action within the application, which modifies the application's state based on the identity of the issuing user.
  • The attacker can determine all the parameters required to construct a request that performs the action. If the request contains any values that the attacker cannot determine or predict, then it is not vulnerable.

Issue remediation

The most effective way to protect against CSRF vulnerabilities is to include in relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and browser extensions have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.


14.1 Cross-site request forgery

Severity: Information
Confidence: Tentative

Issue Detail

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right, however it may facilitate exploitation of other vulnerabilities affecting application users.

15. Detect SIP Compatible Hosts

Severity: Information
Port: 5060/udp

Issue Description

Plugin output: Asterisk PBX 1.6.2.11
Supported Options: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO

Summary

A Voice Over IP service is listening on the remote port. The remote host is running SIP (Session Initiation Protocol), a protocol used for Internet conferencing and telephony. Make sure the use of this program is done in accordance with your corporate security policy.

Solution

If this service is not needed, disable it or filter incoming traffic to this port.

References

http://www.cs.columbia.edu/sip/

16. Inter-Asterisk eXchange Protocol Detection

Severity: Information
Port: 4569/tcp

Issue Description

Summary

The remote system is running a server that speaks the Inter-Asterisk eXchange Protocol. The Inter-Asterisk eXchange protocol (IAX2) is used by the Asterisk PBX Server and other IP Telephony clients/servers to enable voice communication between them.

Solution

If possible, filter incoming connections to the port so that it is used by trusted sources only.

References

http://en.wikipedia.org/wiki/IAX

17. rpcinfo -p

Severity: Information
Port: 111/tcp

Issue Description

These are the registered RPC programs:

RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) on port 111/TCP
RPC program #100024 version 1 'status' on port 643/TCP
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) on port 111/UDP
RPC program #100024 version 1 'status' on port 640/UDP

Summary

This script calls the DUMP RPC on the port mapper, to obtain the list of all registered programs.

18. robot(s).txt exists on the Web Server

Severity: Information
Port: 80/tcp

Issue Description

The file 'robots.txt' contains the following:

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an installation has in-appropriately
# exposed their GUI to the outside internet as it will help to stop
# the indexing of their system.
#
User-agent: *
Disallow: /

Summary

Web servers can use a file called /robot(s).txt to ask search engines to ignore certain files and directories. By its nature, this file cannot be used to protect private files from public read access.

Solution

Review the content of the robots file and, if the listed paths were actually intended to be non-public, consider removing those files from the server or protecting them in other ways.

19. Microsoft DNS server internal hostname disclosure detection

Severity: Information
Port: 53/tcp

Issue Description

Microsoft DNS server seems to be running on this port.
Internal hostname disclosed (0.in-addr.arpa/SOA/IN): 0.IN-ADDR.ARPA

Summary

Microsoft DNS server may disclose the internal hostname of the server in response to requests for the hardcoded zones 0.in-addr.arpa and 255.in-addr.arpa. Affected platforms: all default Microsoft DNS server configurations. Resolve as described in the Solution below.

Solution

http://support.microsoft.com/default.aspx?id=198410

References

http://www.openvas.org/blog.php?id=31