Developer Report

An Acunetix vulnerability scan found 5 medium severity issues on the website http://localhost/TextDataSync/DataSync.svc. The scan tested various SOAP request parameters and found that the service returned internal server errors, indicating potential injection issues. The report provides details of the requests made and error messages returned for further investigation.

Uploaded by

Raheel
Acunetix Website Audit

24 July, 2014
Developer Report
Generated by Acunetix WVS Reporter (v9.0 Build 20131107)
Scan of http://localhost/TextDataSync/DataSync.svc?singleWsdl
Scan information
Scan details
Start time 7/24/2014 12:55:23 PM
Finish time 7/24/2014 12:55:53 PM
Scan time 31 seconds
Profile ws_default
Server information
Responsive True
Server banner N/A
Server OS Unknown
Server technologies
Threat level
Acunetix Threat Level 2
One or more medium-severity type vulnerabilities have been discovered by the scanner. You should
investigate each of these vulnerabilities to ensure they will not escalate to more severe
problems.
Alerts distribution
Total alerts found 5
High 0
Medium 5
Low 0
Informational 0
Alerts summary
Application error message
Affects Variations
http://localhost/TextDataSync/DataSync.svc 5
Alert details
Application error message
Severity Medium
Type Validation
Reported by module Scripting (Error_Message.script)
Description
This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception.

This may be a false positive if the error message is found in documentation pages.
Impact
The error messages may disclose sensitive information. This information can be used to launch further attacks.
Recommendation
Review the source code for this script.
References
PHP Runtime Configuration
Affected items
Details
http://localhost/TextDataSync/DataSync.svc
WSDL input DataSync.BasicHttpBinding_IDataSync.GetData.value was set to '"\'\");|]*{%0d%0a<%00>%bf%27'
Error message found: Internal Server Error
POST /TextDataSync/DataSync.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/IDataSync/GetData"
Content-Length: 915
Referer: http://localhost/TextDataSync/DataSync.svc?singleWsdl
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

(line truncated) ...9/XMLSchema-instance" xmlns:m0="http://tempuri.org/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:urn="http://tempuri.org/"
xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:urn3="http://schemas.datacontract.org/2004/07/TextIt.WebServices.DataSync"
xmlns:urn4="http://schemas.datacontract.org/2004/07/TextIt.Model"
xmlns:urn5="http://schemas.datacontract.org/2004/07/CrystalMapper.Generic"
xmlns:urn6="http://schemas.datacontract.org/2004/07/CrystalMapper">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:GetData>
<urn:value>'"\'\");|]*{%0d%0a<%00>%bf%27'</urn:value>
</urn:GetData>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Request headers
Details
http://localhost/TextDataSync/DataSync.svc
WSDL input DataSync.BasicHttpBinding_IDataSync.SyncDLR.CampaignMessageId was set to
Error message found: Internal Server Error
POST /TextDataSync/DataSync.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/IDataSync/SyncDLR"
Content-Length: 1185
Referer: http://localhost/TextDataSync/DataSync.svc?singleWsdl
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

(line truncated) ...9/XMLSchema-instance" xmlns:m0="http://tempuri.org/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:urn="http://tempuri.org/"
xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:urn3="http://schemas.datacontract.org/2004/07/TextIt.WebServices.DataSync"
xmlns:urn4="http://schemas.datacontract.org/2004/07/TextIt.Model"
xmlns:urn5="http://schemas.datacontract.org/2004/07/CrystalMapper.Generic"
xmlns:urn6="http://schemas.datacontract.org/2004/07/CrystalMapper">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SyncDLR>
<urn:message>
<urn3:DLRMessage>
<urn3:CampaignMessageId></urn3:CampaignMessageId>
<urn3:DeliveryStatus>1</urn3:DeliveryStatus>
<urn3:Telco>555-666-0606</urn3:Telco>
</urn3:DLRMessage>
</urn:message>
<urn:token>1</urn:token>
</urn:SyncDLR>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Request headers
Details
http://localhost/TextDataSync/DataSync.svc
WSDL input DataSync.BasicHttpBinding_IDataSync.SyncDLR.DeliveryStatus was set to
Error message found: Internal Server Error
POST /TextDataSync/DataSync.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/IDataSync/SyncDLR"
Content-Length: 1186
Referer: http://localhost/TextDataSync/DataSync.svc?singleWsdl
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

(line truncated) ...9/XMLSchema-instance" xmlns:m0="http://tempuri.org/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:urn="http://tempuri.org/"
xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:urn3="http://schemas.datacontract.org/2004/07/TextIt.WebServices.DataSync"
xmlns:urn4="http://schemas.datacontract.org/2004/07/TextIt.Model"
xmlns:urn5="http://schemas.datacontract.org/2004/07/CrystalMapper.Generic"
xmlns:urn6="http://schemas.datacontract.org/2004/07/CrystalMapper">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SyncDLR>
<urn:message>
<urn3:DLRMessage>
<urn3:CampaignMessageId>20</urn3:CampaignMessageId>
<urn3:DeliveryStatus></urn3:DeliveryStatus>
<urn3:Telco>555-666-0606</urn3:Telco>
</urn3:DLRMessage>
</urn:message>
<urn:token>1</urn:token>
</urn:SyncDLR>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Request headers
Details
http://localhost/TextDataSync/DataSync.svc
WSDL input DataSync.BasicHttpBinding_IDataSync.SyncDLR.Telco was set to '"\'\");|]*{%0d%0a<%00>%bf%27'
Error message found: Internal Server Error
POST /TextDataSync/DataSync.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/IDataSync/SyncDLR"
Content-Length: 1205
Referer: http://localhost/TextDataSync/DataSync.svc?singleWsdl
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

(line truncated) ...9/XMLSchema-instance" xmlns:m0="http://tempuri.org/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:urn="http://tempuri.org/"
xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:urn3="http://schemas.datacontract.org/2004/07/TextIt.WebServices.DataSync"
xmlns:urn4="http://schemas.datacontract.org/2004/07/TextIt.Model"
xmlns:urn5="http://schemas.datacontract.org/2004/07/CrystalMapper.Generic"
xmlns:urn6="http://schemas.datacontract.org/2004/07/CrystalMapper">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SyncDLR>
<urn:message>
<urn3:DLRMessage>
<urn3:CampaignMessageId>20</urn3:CampaignMessageId>
<urn3:DeliveryStatus>1</urn3:DeliveryStatus>
<urn3:Telco>'"\'\");|]*{%0d%0a<%00>%bf%27'</urn3:Telco>
</urn3:DLRMessage>
</urn:message>
<urn:token>1</urn:token>
</urn:SyncDLR>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Request headers
Details
http://localhost/TextDataSync/DataSync.svc
WSDL input DataSync.BasicHttpBinding_IDataSync.SyncDLR.token was set to '"\'\");|]*{%0d%0a<%00>%bf%27'
Error message found: Internal Server Error
POST /TextDataSync/DataSync.svc HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/IDataSync/SyncDLR"
Content-Length: 1216
Referer: http://localhost/TextDataSync/DataSync.svc?singleWsdl
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

(line truncated) ...9/XMLSchema-instance" xmlns:m0="http://tempuri.org/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:urn="http://tempuri.org/"
xmlns:urn2="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:urn3="http://schemas.datacontract.org/2004/07/TextIt.WebServices.DataSync"
xmlns:urn4="http://schemas.datacontract.org/2004/07/TextIt.Model"
xmlns:urn5="http://schemas.datacontract.org/2004/07/CrystalMapper.Generic"
xmlns:urn6="http://schemas.datacontract.org/2004/07/CrystalMapper">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:SyncDLR>
<urn:message>
<urn3:DLRMessage>
<urn3:CampaignMessageId>20</urn3:CampaignMessageId>
<urn3:DeliveryStatus>1</urn3:DeliveryStatus>
<urn3:Telco>555-666-0606</urn3:Telco>
</urn3:DLRMessage>
</urn:message>
<urn:token>'"\'\");|]*{%0d%0a<%00>%bf%27'</urn:token>
</urn:SyncDLR>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Request headers
Scanned items (coverage report)
Scanned 1 URLs. Found False vulnerable.
No vulnerabilities has been identified for this URL
URL: http://localhost/TextDataSync/DataSync.svc
16 input(s) found for this URL
Inputs
Input scheme 0
Input name Input type
DataSync.BasicHttpBinding_IDataSync.GetData.value WSDL
Input scheme 1
Input name Input type
DataSync.BasicHttpBinding_IDataSync.SyncDLR.CampaignMessageId WSDL
DataSync.BasicHttpBinding_IDataSync.SyncDLR.DeliveryStatus WSDL
DataSync.BasicHttpBinding_IDataSync.SyncDLR.Telco WSDL
DataSync.BasicHttpBinding_IDataSync.SyncDLR.token WSDL
Input scheme 2
Input name Input type
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.AllocatedChannelCode WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.ChannelCode WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.ChannelMessageId WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.CreatedBy WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.CreatedOn WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.ErrorFlag WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.MessageID WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.SenderNumber WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.Telco WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.Text WSDL
DataSync.BasicHttpBinding_IDataSync.PushIncomingMessages.token WSDL