KilatHosting Vulnerability Report


Nessus Report

Nessus Scan Report 08/Jul/2013:13:45:39

Table Of Contents
- Vulnerabilities By Host
  - dondy.be

Vulnerabilities By Host

dondy.be

Scan Information
Start time: Mon Jul 8 12:26:41 2013
End time: Mon Jul 8 13:45:37 2013

Host Information
DNS Name: dondy.be
IP: 103.23.20.231

Results Summary
Critical: 0
High: 0
Medium: 0
Low: 0
Info: 19
Total: 19

Results Details

0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis
It is possible to determine the exact time set on the remote host.

Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor
None

References
CVE: CVE-1999-0524
XREF: OSVDB:94
XREF: CWE:200

Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18

Ports icmp/0
The difference between the local and remote clocks is 692 seconds.

0/tcp
25220 - TCP/IP Timestamps Supported

Synopsis
The remote service implements TCP timestamps.

Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also
http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor
None

Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20

Ports tcp/0

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis
It was possible to resolve the name of the remote host.

Description
Nessus was able to resolve the FQDN of the remote host.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28

Ports tcp/0
103.23.20.231 resolves as dondy.be.

45590 - Common Platform Enumeration (CPE)

Synopsis
It is possible to enumerate CPE names that matched on the remote system.

Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also
http://cpe.mitre.org/

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2010/04/21, Modification date: 2013/05/13

Ports tcp/0
The following application CPE matched on the remote system: cpe:/a:wordpress:wordpress:3.5.2

19506 - Nessus Scan Information

Synopsis
Information about the Nessus scan.

Description
This script displays, for each tested host, information about the scan itself:

- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2005/08/26, Modification date: 2013/05/31

Ports tcp/0
Information about this scan:
Nessus version: 5.0.1 (Nessus 5.2.1 is available - consider upgrading)
Plugin feed version: 201307080115
Type of plugin feed: ProfessionalFeed (Direct)
Scanner IP: 173.45.249.14
Port scanner(s): nessus_syn_scanner
Port range: default
Thorough tests: no
Experimental tests: no
Paranoia level: 1
Report Verbosity: 1
Safe checks: yes
Optimize the test: yes
Credentialed checks: no
Patch management checks: None
CGI scanning: enabled
Web application tests: enabled
Web app tests - Test mode: some_pairs
Web app tests - Try all HTTP methods: no
Web app tests - Maximum run time: 60 minutes.
Web app tests - Stop at first flaw: CGI
Max hosts: 80
Max checks: 5
Recv timeout: 5
Backports: None
Allow post-scan editing: Yes
Scan Start Date: 2013/7/8 12:26
Scan duration: 4736 sec

0/udp
10287 - Traceroute Information

Synopsis
It was possible to obtain traceroute information.

Description
Makes a traceroute to the remote host.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11

Ports udp/0
For your information, here is the traceroute from 173.45.249.14 to 103.23.20.231:
173.45.249.14
108.166.76.2
50.56.129.198
74.205.108.22
74.205.108.37
4.59.36.49
4.69.145.205
77.67.71.221
89.149.182.213
213.254.227.170
103.22.139.246
202.81.52.38
202.81.52.6
103.23.23.130
103.23.20.231

80/tcp
11219 - Nessus SYN scanner

Synopsis
It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/80
Port 80/tcp was found to be open

22964 - Service Detection

Synopsis
The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2007/08/19, Modification date: 2013/07/02

Ports tcp/80
A web server is running on this port.

11032 - Web Server Directory Enumeration

Synopsis
It is possible to enumerate directories on the web server.

Description

This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.

See Also
http://projects.webappsec.org/Predictable-Resource-Location

Solution
n/a

Risk Factor
None

References
XREF OWASP:OWASP-CM-006

Plugin Information:
Publication date: 2002/06/26, Modification date: 2013/04/02

Ports tcp/80
The following directories were discovered: /archives, /cgi-bin, /test, /tmp, /css, /error, /icons

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.

10662 - Web mirroring

Synopsis
Nessus crawled the remote web site.

Description
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host. It is suggested that you change the number of pages to mirror in the 'Options' section of the client.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2001/05/04, Modification date: 2013/04/11

Ports tcp/80
The following CGI have been discovered:
Syntax: cginame (arguments [default value])

/ (p [1] )
/hello-world/ (D [A] )
/wp-comments-post.php (comment_parent [0] author [] email [] submit [Submit Comment] comment_...)
/xmlrpc.php (rsd [] )

49704 - External URLs

Synopsis
Links to external sites were gathered.

Description
Nessus gathered HREF links to external sites by crawling the remote web server.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2010/10/04, Modification date: 2011/08/19

Ports tcp/80
18 external URLs were gathered on this web server:
URL... - Seen on...

http://cloudkilat.com - /
http://facebook.com/dondyb - /
http://infinyscloud.com - /
http://static.dondy.be/wp-content/themes/notes/images/favicon.ico - /
http://static.dondy.be/wp-content/themes/notes/js/app.js?ver=1.0 - /
http://static.dondy.be/wp-content/themes/notes/js/jquery.fitvids.js?ver=1.0 - /
http://static.dondy.be/wp-content/themes/notes/js/jquery.responsive-classes.js?ver=1.0 - /
http://static.dondy.be/wp-content/themes/notes/js/jquery.sticky.js?ver=1.0 - /
http://static.dondy.be/wp-content/themes/notes/js/snap.min.js?ver=3.5.2 - /
http://static.dondy.be/wp-content/uploads/2013/06/about-900x400.jpg - /about/
http://static.dondy.be/wp-content/uploads/2013/06/cloudkilat.com - /feed/
http://static.dondy.be/wp-content/uploads/2013/06/hello1-900x400.jpg - /
http://static.dondy.be/wp-content/uploads/2013/06/hello1-900x885.jpg - /hello-world/
http://static.dondy.be/wp-includes/images/smilies/icon_biggrin.gif - /feed/
http://static.dondy.be/wp-includes/js/comment-reply.min.js?ver=3.5.2 - /about/
http://static.dondy.be/wp-includes/js/jquery/jquery.js?ver=1.8.3 - /
http://static.dondy.be/wp-includes/wlwmanifest.xml - /
http://twitter.com/dondyb - /

10107 - HTTP Server Type and Version

Synopsis
A web server is running on the remote host.

Description
This plugin attempts to determine the type and the version of the remote web server.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2000/01/04, Modification date: 2013/06/03

Ports tcp/80
The remote web server type is: Apache
The 'ServerTokens' directive is ProductOnly.
Apache does not offer a way to hide the server type.

47830 - CGI Generic Injectable Parameter

Synopsis
Some CGIs are candidates for extended injection tests.

Description
Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response. The affected parameters are candidates for extended injection tests such as cross-site scripting. This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.

Solution
n/a

Risk Factor
None

References
XREF CWE:86

Plugin Information:
Publication date: 2010/07/26, Modification date: 2013/02/17

Ports tcp/80
Using the GET HTTP method, Nessus found that:

+ The following resources may be vulnerable to injectable parameter:

+ The 'D' parameter of the /hello-world/ CGI:

/hello-world/?D=%00tmeixw

-------- output --------
<div id="respond"> <h3 id="reply-title">Leave a Reply <small><a rel="nofollow" id="cancel-comment-reply-link" href="/hello-world/?D=%00tmeixw#respond" style="display:none;">Cancel</a></small></h3> <form action="http://dondy.be/wp-comments-post.php" method="post" [...]
<p class="comment-form-author"><label for="author">Name <span clas [...]
------------------------

Clicking directly on these URLs should exhibit the issue (you will probably need to read the HTML source):
http://dondy.be/hello-world/?D=%00tmeixw

33817 - CGI Generic Tests Load Estimation (all tests)

Synopsis
Load estimation for web application tests.

Description
This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself. The results can be used to estimate the duration of these tests, or the complexity of additional manual tests. Note that the script does not try to compute this duration based on external factors such as the network and web servers loads.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2009/10/26, Modification date: 2013/01/29

Ports tcp/80
Here are the estimated number of requests in miscellaneous modes for one method only (GET or POST):
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=1 SP=1 AP=1 SC=1 AC=1
SQL injection : S=240 SP=960 AP=960 SC=3528 AC=3528
unseen parameters : S=350 SP=1400 AP=1400 SC=5145 AC=5145
local file inclusion : S=10 SP=40 AP=40 SC=147 AC=147
web code injection : S=10 SP=40 AP=40 SC=147 AC=147
XML injection : S=10 SP=40 AP=40 SC=147 AC=147
format string : S=20 SP=80 AP=80 SC=294 AC=294
script injection : S=1 SP=1 AP=1 SC=1 AC=1
cross-site scripting (comprehensive test) : S=40 SP=160 AP=160 SC=588 AC=588
injectable parameter : S=20 SP=80 AP=80 SC=294 AC=294
cross-site scripting (extended patterns) : S=6 SP=6 AP=6 SC=6 AC=6
directory traversal (write access) : S=20 SP=80 AP=80 SC=294 AC=294
SSI injection : S=30 SP=120 AP=120 SC=441 AC=441
header injection : S=2 SP=2 AP=2 SC=2 AC=2
directory traversal : S=250 SP=1000 AP=1000 SC=3675 AC=3675
HTML injection : S=5 SP=5 AP=5 SC=5 AC=5
arbitrary command execution (time based) : S=60 SP=240 AP=240 SC=882 AC=882
persistent XSS [...]

18297 - WordPress Detection

Synopsis
The remote web server contains a blog application written in PHP.

Description
The remote host is running WordPress, a free blog application written in PHP with a MySQL back-end.

See Also
http://www.wordpress.org/

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2005/05/18, Modification date: 2012/11/27

Ports tcp/80
The following instance of WordPress was detected on the remote host:
Version: 3.5.2
URL: http://dondy.be/hello-world/

10302 - Web Server robots.txt Information Disclosure

Synopsis
The remote web server contains a 'robots.txt' file.

Description
The remote host contains a file named 'robots.txt' that is intended to prevent web 'robots' from visiting certain directories in a web site for maintenance or indexing purposes. A malicious user may also be able to use the contents of this file to learn of sensitive documents or directories on the affected site and either retrieve them directly or target them for other attacks.

See Also
http://www.robotstxt.org/wc/exclusion.html

Solution
Review the contents of the site's robots.txt file, use Robots META tags instead of entries in the robots.txt file, and/or adjust the web server's access controls to limit access to sensitive material.

Risk Factor
None

References
XREF OSVDB:238

Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/14

Ports tcp/80
Contents of robots.txt:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis
Some information about the remote HTTP configuration can be extracted.

Description
This test gives some information about the remote HTTP protocol: the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31

Ports tcp/80
Protocol version: HTTP/1.1
SSL: no
Keep-Alive: no
Options allowed: (Not implemented)
Headers:

Date: Mon, 08 Jul 2013 12:37:03 GMT
Server: Apache
X-Pingback: http://dondy.be/xmlrpc.php
X-Powered-By: PleskLin
Vary: User-Agent,Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

43111 - HTTP Methods Allowed (per directory)

Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.

Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution
n/a

Risk Factor
None

Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09

Ports tcp/80
Based on the response to an OPTIONS request:

- HTTP methods GET HEAD OPTIONS POST are allowed on: /css /error /icons

Based on tests of each method:

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL are allowed on: /tag/hi/feed

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on: / /2013 /2013/06 /2013/06/14 /about /about/feed /archives /archives/feed /category/blog /category/blog/feed /cgi-bin /comments/feed /css /hello-world /hello-world/feed /tag/greetings /tag/greetings/feed /tag/hello /tag/hello/feed /tag/hi

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on: /feed

- HTTP methods GET HEAD OPTIONS POST are allowed on: /error /icons

- Invalid/unknown HTTP methods are allowed on: / /2013 /2013/06 /2013/06/14 /about /about/feed /archives /archives/feed /category/blog /category/blog/feed /cgi-bin /comments/feed /css /feed /hello-world /hello-world/feed /tag/greetings /tag/greetings/feed /tag/hello /tag/hello/feed /tag/hi

40406 - CGI Generic Tests HTTP Errors

Synopsis
Nessus encountered errors while running its generic CGI attacks.

Description
Nessus ran into trouble while running its generic CGI tests against the remote web server (for example, connection refused, timeout, etc). When this happens, Nessus aborts the current test and switches to the next CGI script on the same port or to another web server. Thus, test results may be incomplete.

Solution
Rescan with a longer network timeout or less parallelism, for example by changing the following options in the scan policy:

- Network -> Network Receive Timeout (check_read_timeout)
- Options -> Number of hosts in parallel (max_hosts)
- Options -> Number of checks in parallel (max_checks)

Risk Factor
None

Plugin Information:
Publication date: 2009/07/28, Modification date: 2011/09/21

Ports tcp/80
Nessus encountered:

- 1 error involving cross-site scripting (comprehensive test) checks:
  . reading the HTTP status line: errno=1 (operation timed out)
