Here you will find a real, pseudonymized vulnerability scan report.
The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization.
This testing examines external IT systems for any security weakness that could be used by an external attacker to compromise the environment. COCUS performs this using a framework that draws on various tools, including both commercial and open source tools.
It is also important to note that testing relates to the state of the system during testing, and any subsequent changes may either remove or add vulnerabilities.
Furthermore, vulnerability scanning cannot identify all vulnerabilities; the absence of a reported vulnerability does not imply that no vulnerability exists.
Below is a list of all open ports discovered by our scanning engine, grouped by protocol. Please review all these open ports to make sure that they are necessary to expose to the entire Internet.
Port | Protocol | Name |
---|---|---|
22 | TCP | ssh |
53 | TCP | domain |
80 | TCP | http |
111 | TCP | sunrpc |
4569 | TCP | iax |
53 | UDP | domain |
5060 | UDP | sip |
There are 5 instances of this issue:
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).
```http
GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).
```http
GET /admin/panel.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
The response asks the user to enter credentials for Basic HTTP authentication. If these are supplied, they will be submitted over clear-text HTTP (in Base64-encoded form).
```http
GET /admin/reports.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:21:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:21:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:
```http
GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
<form id='login' name='login' action=index.php method='POST'>
<tr>
...[SNIP]...
<td colspan=1>
<input type='password' name='password' maxlength=20 tabindex=2>
</td>
...[SNIP]...
```
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:
```http
POST /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

remember=on&username=Peter+Winter&btnSubmit=Submit&password=555-555-0199@example.com
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5242
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
<form id='login' name='login' action=index.php method='POST'>
<tr>
...[SNIP]...
<td colspan=1>
<input type='password' name='password' maxlength=20 tabindex=2>
</td>
...[SNIP]...
```
Dnsmasq is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions through a stream of spoofed DNS queries producing large results. Dnsmasq versions 2.62 and prior are vulnerable.
The following information was extracted from WPScan:
XML-RPC Interface available under: https://www.customer.com/xmlrpc.php
WordPress theme in use: sample - v1.0
Name: sample - v1.0
6 plugins were detected; they are listed below.
https://www.customer.com/wp-content/plugins/cforms/
https://www.customer.com/wp-content/plugins/contact-bank-pro-edition/
https://www.customer.com/wp-content/plugins/ninja-forms/
We could not determine a version so all vulnerabilities are printed out
Title: Ninja Forms 2.8.6 - Reflected Cross-Site Scripting (XSS)
Fixed in: 2.8.7
Title: Ninja Forms <= 2.8.8 - Stored & Reflected XSS
Fixed in: 2.8.9
Title: Ninja Forms <= 2.8.10 - Unspecified Issue Affecting Admin Users
https://www.customer.com/wp-content/plugins/page-list/
https://www.customer.com/wp-content/plugins/taxonomy-images/
https://www.customer.com/wp-content/plugins/wp-pagenavi/
Information that was gathered: Inode: 98932 Size: 561
A weakness has been discovered in Apache web servers that are configured to use the FileETag directive. Due to the way in which Apache generates ETag response headers, it may be possible for an attacker to obtain sensitive information regarding server files. Specifically, ETag header fields returned to a client contain the file's inode number. Exploitation of this issue may provide an attacker with information that may be used to launch further attacks against a target network. OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.
OpenBSD has released a patch to address this issue. Novell has released TID10090670 to advise users to apply the available workaround of disabling the directive in the configuration file for Apache releases on NetWare. Please see the attached Technical Information Document for further details.
CVE: http://support.novell.com/docs/Tids/Solutions/10090670.html
Asterisk is prone to an information-disclosure vulnerability because it doesn't provide safe responses to failed authentication attempts. Attackers can exploit this issue to discover whether specific usernames exist. Information harvested may aid in launching further attacks.
The vendor has released an advisory and updates. Please see the references for details.
CVE: http://downloads.asterisk.org/pub/security/AST-2009-008.html
Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Remote attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer. Dnsmasq is also prone to a NULL-pointer dereference vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. NOTE: The TFTP service must be enabled for this issue to be exploitable; this is not the default. Versions *prior to* Dnsmasq 2.50 are vulnerable.
Updates are available. Please see the references for more information.
CVE: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
There are 2 instances of this issue:
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application. The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:
```http
GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
<form id='login' name='login' action=index.php method='POST'>
<tr>
...[SNIP]...
<td colspan=1>
<input type='password' name='password' maxlength=20 tabindex=2>
</td>
...[SNIP]...
```
The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:
```http
POST /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6

remember=on&username=Peter+Winter&btnSubmit=Submit&password=555-555-0199@example.com
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5242
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
<table id='login'>
<form id='login' name='login' action=index.php method='POST'>
<tr>
...[SNIP]...
<td colspan=1>
<input type='password' name='password' maxlength=20 tabindex=2>
</td>
...[SNIP]...
```
There is 1 instance of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header. You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
```http
GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
There are 2 instances of this issue:
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyze the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data, may lead to cross-site scripting or other client-side vulnerabilities. In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
The response contains the following Content-type statement:
The response states that it contains plain text. However, it actually appears to contain script.
```http
GET /admin/images/LICENCE HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/images/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "1817e-329-c508f540"
Accept-Ranges: bytes
Content-Length: 809
Connection: close
Content-Type: text/plain; charset=UTF-8

// This is the license for all files in this dashboard/images directory
// These files are part of FreePBX.
//
// FreePBX is free software: you can redistribute it and/or modify
// it under the
...[SNIP]...
```
The response contains the following Content-type statement:
The response states that it contains plain text. However, it actually appears to contain script.
```http
GET /robots.txt HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "18275-169-c508f540"
Accept-Ranges: bytes
Content-Length: 361
Connection: close
Content-Type: text/plain; charset=UTF-8

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an ins
...[SNIP]...
```
There is 1 instance of this issue:
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index. The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.
The web server contains a robots.txt file.
```http
GET /robots.txt HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "18275-169-c508f540"
Accept-Ranges: bytes
Content-Length: 361
Connection: close
Content-Type: text/plain; charset=UTF-8

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an ins
...[SNIP]...
```
There are 3 instances of this issue:
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content. However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
```http
GET /admin/common/jquery.cookie.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:22 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17f92-1097-c508f540"
Accept-Ranges: bytes
Content-Length: 4247
Connection: close
Content-Type: application/x-javascript

/**
 * Cookie plugin
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the MIT and GPL licenses:
 * http://www.opensource.org/licenses/mit-license.php
 * http://www.gnu.org/li
...[SNIP]...
kie will be set and the cookie transmission will
 * require a secure protocol (like HTTPS).
 * @type undefined
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
/**
 * Get the value of a cookie with the given name.
 *
 * @example $.cookie('the_cookie');
 * @desc Get the value of a cookie.
 *
 * @param String name The name of the cookie.
 * @return The value of the cookie.
 * @type String
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
jQuery.cookie = function(name, value, options) {
    if (typeof value != 'undefined') { // name and value given, set cookie
        options = options || {};
        if (value === null) {
...[SNIP]...
```
The following email addresses were disclosed in the response:
```http
GET /admin/common/jquery.dimensions.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:23 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17f95-5043-c508f540"
Accept-Ranges: bytes
Content-Length: 20547
Connection: close
Content-Type: application/x-javascript

/* Copyright (c) 2007 Paul Bakaus (paul.bakaus@googlemail.com) and Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net)
 * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php)
 * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses.
 *
 * $LastCha
...[SNIP]...
```
The following email address was disclosed in the response:
```http
GET /admin/common/jquery.tabs-2.7.4.js HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/common/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:22 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:14:05 GMT
ETag: "17fa1-7bf8-c508f540"
Accept-Ranges: bytes
Content-Length: 31736
Connection: close
Content-Type: application/x-javascript

/**
 * Tabs - jQuery plugin for accessible, unobtrusive tabs
 * @requires jQuery v1.0.3
 *
 * http://stilbuero.de/tabs/
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the M
...[SNIP]...
up the several tab containers such a structure is expressed by "div>div".
 * Default value: "div".
 * @type jQuery
 *
 * @name tabs
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
$.fn.tabs = function(initial, settings) {
    // settings
    if (typeof initial == 'object') settings = initial; // no initial tab given but a settings object
    settings = $.extend({
        i
...[SNIP]...
be activated. If this parameter is omitted, the first tab
 * will be activated.
 * @type jQuery
 *
 * @name triggerTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
/**
 * Disable a tab, so that clicking it has no effect.
 *
 * @example $('#container').disableTab(2);
 * @desc Disable the second tab of the tab interface contained in <div id="container">
...[SNIP]...
be disabled. If this parameter is omitted, the first tab
 * will be disabled.
 * @type jQuery
 *
 * @name disableTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
/**
 * Enable a tab that has been disabled.
 *
 * @example $('#container').enableTab(2);
 * @desc Enable the second tab of the tab interface contained in <div id="container">
...[SNIP]...
be enabled. If this parameter is omitted, the first tab
 * will be enabled.
 * @type jQuery
 *
 * @name enableTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
var tabEvents = ['triggerTab', 'disableTab', 'enableTab'];
for (var i = 0; i < tabEvents.length; i++) {
    $.fn[tabEvents[i]] = (function(tabEvent) {
        return function(tab) {
            r
...[SNIP]...
<div id="container">.
 *
 * @type Number
 *
 * @name activeTab
 * @cat Plugins/Tabs
 * @author Klaus Hartl/klaus.hartl@stilbuero.de
 */
$.fn.activeTab = function() {
    var selectedTabs = [];
    this.each(function() {
        var nav = $('ul.tabs-nav' , this);
        nav = nav.size() && nav || $('>
...[SNIP]...
```
There are 6 instances of this issue:
There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:

- Configure your web server to prevent directory listings for all paths beneath the web root;
- Place into each directory a default file (such as index.htm) which the web server will display instead of returning a directory listing.
```http
GET /admin/common/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 5600
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /admin/common</title>
</head>
<body>
<h1>Index of /admin/common</h1>
<table><tr><th><img src="/icons/blank.gi
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/admin/">Parent Directory</a>
...[SNIP]...
```
```http
GET /admin/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16312

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /admin/images</title>
</head>
<body>
<h1>Index of /admin/images</h1>
<table><tr><th><img src="/icons/blank.gi
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/admin/">Parent Directory</a>
...[SNIP]...
```
```http
GET /icons/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /icons</title>
</head>
<body>
<h1>Index of /icons</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/">Parent Directory</a>
...[SNIP]...
```
```http
GET /icons/small/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/icons/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:16 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 12542

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /icons/small</title>
</head>
<body>
<h1>Index of /icons/small</h1>
<table><tr><th><img src="/icons/blank.gif"
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/icons/">Parent Directory</a>
...[SNIP]...
```
```http
GET /recordings/theme/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 2933
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /recordings/theme</title>
</head>
<body>
<h1>Index of /recordings/theme</h1>
<table><tr><th><img src="/icons/
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/recordings/">Parent Directory</a>
...[SNIP]...
```
```http
GET /recordings/theme/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 1697
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /recordings/theme/images</title>
</head>
<body>
<h1>Index of /recordings/theme/images</h1>
<table><tr><th><im
...[SNIP]...
<th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a>
...[SNIP]...
<td><a href="/recordings/theme/">Parent Directory</a>
...[SNIP]...
```
There are 13 instances of this issue:
You should review the application functions that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions.

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
```http
GET / HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Oct 2012 18:26:16 GMT
ETag: "18274-231-f09b2200"
Accept-Ranges: bytes
Content-Length: 561
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML>
<HEAD>
<head>
<title>FreePBX</title>
<meta http-equiv="Content-Type" content="text/html">
<link href="mainstyle.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="page
...[SNIP]...
```
```http
GET /admin/common/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 5600
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /admin/common</title>
</head>
<body>
<h1>Index of /admin/common</h1>
<table><tr><th><img src="/icons/blank.gi
...[SNIP]...
```
```http
GET /admin/config.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8p26acj90ili09sc5eip9rj51; path=/
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2278
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
```http
GET /admin/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:09 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16312

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /admin/images</title>
</head>
<body>
<h1>Index of /admin/images</h1>
<table><tr><th><img src="/icons/blank.gi
...[SNIP]...
```
```http
GET /admin/panel.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:20:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:20:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
```http
GET /admin/reports.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/admin/config.php
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Jun 2015 12:21:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Last-Modified: Thu, 11 Jun 2015 12:21:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="FreePBX Administration"
Content-Length: 2269
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- should also validate ok with DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
...[SNIP]...
```
```http
GET /icons/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /icons</title>
</head>
<body>
<h1>Index of /icons</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"
...[SNIP]...
```
```http
GET /icons/small/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/icons/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:16 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 12542

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /icons/small</title>
</head>
<body>
<h1>Index of /icons/small</h1>
<table><tr><th><img src="/icons/blank.gif"
...[SNIP]...
```
```http
GET /recordings/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
```
```http
GET /recordings/index.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
```
```http
GET /recordings/theme/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:12 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 2933
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /recordings/theme</title>
</head>
<body>
<h1>Index of /recordings/theme</h1>
<table><tr><th><img src="/icons/
...[SNIP]...
```
```http
GET /recordings/theme/images/ HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 1697
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /recordings/theme/images</title>
</head>
<body>
<h1>Index of /recordings/theme/images</h1>
<table><tr><th><im
...[SNIP]...
```
```http
GET /recordings/theme/page.tpl.php HTTP/1.1
Host: customer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://customer.com/recordings/theme/
Cookie: ARI=5j5sscnpbo032u2oaq5m3elkm6; PHPSESSID=uqmojlf54shd6b3egk9g365c91
```

```http
HTTP/1.1 200 OK
Date: Thu, 11 Jun 2015 12:20:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 2018
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>FreePBX User P
...[SNIP]...
```
There is 1 instance of this issue:
Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application. For a request to be vulnerable to CSRF, the following conditions must hold:

- The request can be issued cross-domain, for example using an HTML form. If the request contains non-standard headers or body content, then it may only be issuable from a page that originated on the same domain.
- The application relies solely on HTTP cookies to identify the user that issued the request. If the application places session-related tokens elsewhere within the request, then it may not be vulnerable.
- The request performs some privileged action within the application, which modifies the application's state based on the identity of the issuing user.
- The attacker can determine all the parameters required to construct a request that performs the action. If the request contains any values that the attacker cannot determine or predict, then it is not vulnerable.
The most effective way to protect against CSRF vulnerabilities is to include in relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that the Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and browser extensions have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.
The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right; however, it may facilitate exploitation of other vulnerabilities affecting application users.
Summary: A Voice Over IP service is listening on the remote port.

Description: The remote host is running SIP (Session Initiation Protocol), a protocol used for Internet conferencing and telephony. Make sure the use of this program is done in accordance with your corporate security policy.

Solution: If this service is not needed, disable it or filter incoming traffic to this port.

Plugin output: Asterisk PBX 1.6.2.11 Supported Options: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Summary: The remote system is running a server that speaks the Inter-Asterisk eXchange Protocol.

Description: The Inter-Asterisk eXchange protocol (IAX2) is used by the Asterisk PBX Server and other IP Telephony clients/servers to enable voice communication between them.

Solution: If possible, filter incoming connections to the port so that it is used by trusted sources only.
These are the registered RPC programs:

- RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) on port 111/TCP
- RPC program #100024 version 1 'status' on port 643/TCP
- RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) on port 111/UDP
- RPC program #100024 version 1 'status' on port 640/UDP
This script calls the DUMP RPC on the port mapper, to obtain the list of all registered programs.
The file 'robots.txt' contains the following:

```
# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/www/images/).
#
# This file is included in the event that an installation has in-appropriately
# exposed their GUI to the outside internet as it will help to stop
# the indexing of their system.
#
User-agent: *
Disallow: /
```
Web servers can use a file called /robot(s).txt to ask search engines to ignore certain files and directories. By nature this file cannot be used to protect private files from public read access.

Review the content of the robots file and consider removing the listed files from the server or protecting them in other ways if you actually intended them to be non-public.
Microsoft DNS server seems to be running on this port.

Internal hostname disclosed (0.in-addr.arpa/SOA/IN): 0.IN-ADDR.ARPA

Microsoft DNS server internal hostname disclosure detection

Microsoft DNS server may disclose the internal hostname of the server in response to requests for the hardcoded zones 0.in-addr.arpa and 255.in-addr.arpa.

On the following platforms, we recommend you resolve in the described manner: All default Microsoft DNS server configurations
http://support.microsoft.com/default.aspx?id=198410