Audit Report: Audited On December 02 2011


Audit Report

Grupo Canton

Audited on December 02 2011

Reported on December 02 2011


1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: Grupo Canton
Start Time: December 02, 2011 13:06, COT
End Time: December 02, 2011 13:16, COT
Total Time: 10 minutes
Status: Success

There is not enough historical data to display overall asset trend.


The audit was performed on one system which was found to be active and was scanned.

There were 56 vulnerabilities found during this scan. Of these, 8 were critical vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 42 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 6 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 3 occurrences of the certificate-common-name-mismatch, tls-server-cert-expired and ssl-self-signed-certificate vulnerabilities, making them the most common vulnerabilities. There were 72 vulnerabilities in the Web category, making it the most common vulnerability category.


The http-apache-apr_palloc-heap-overflow vulnerability poses the highest risk to the organization with a risk score of 450. Vulnerability risk scores are calculated by looking at the likelihood of attack and impact, based upon CVSS metrics. The impact and likelihood are then multiplied by the number of instances of the vulnerability to come up with the final risk score. One operating system was identified during this scan. There were 5 services found to be running during this scan.

The HTTP, HTTPS, MySQL, SMTP and SSH services were each found on 1 system, making them the most common services. The HTTPS and HTTP services were found to have the most vulnerabilities during this scan, each with 37 vulnerabilities.


2. Discovered Systems
Node: 174.143.96.250
Operating System: Red Hat Linux
Risk: 33,173
Aliases: grupocanton.com, 228605-web1.www.tabascohoy.com


3. Discovered and Potential Vulnerabilities


3.1. Critical Vulnerabilities
3.1.1. Apache httpd APR apr_palloc heap overflow (CVE-2009-2412) (http-apache-apr_palloc-heap-overflow)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application can be passed unsanitized user-provided sizes to the apr_palloc() function. Review your Web server configuration for validation. A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user-controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35949
CVE: CVE-2009-2412
OSVDB: 56765
OSVDB: 56766
OVAL: OVAL8394
OVAL: OVAL9958
SECUNIA: 36138
SECUNIA: 36140
SECUNIA: 36166
SECUNIA: 36233
SECUNIA: 37152
SECUNIA: 37221
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.13.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.1.2. MySQL dispatch_command() Multiple Format String Vulnerabilities (mysql-dispatch_command-multiple-format-string)

Description:
Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.

Affected Nodes:
174.143.96.250:3306
Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.

References:
APPLE: APPLE-SA-2010-03-29
BID: 35609
CVE: CVE-2009-2446
OSVDB: 55734
OVAL: OVAL11857
REDHAT: RHSA-2010:0110
SECUNIA: 35767
SECUNIA: 38517
XF: mysql-dispatchcommand-format-string(51614)

Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.84:
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.


3.1.3. Apache httpd mod_proxy_ftp FTP command injection (CVE-2009-3095) (apache-httpd-2_2_x-mod_proxy_ftp-ftp-command-injection-cve-2009-3095)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2010-03-29
CVE: CVE-2009-3095
DEBIAN: DSA-1934
OVAL: OVAL8662
OVAL: OVAL9363
SECUNIA: 37152
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.1.4. Apache httpd Range header remote DoS (CVE-2011-3192) (apache-httpd-cve-2011-3192)


Description:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack.

Affected Nodes:
174.143.96.250:443
Additional Information: Server responded with partial content to a request with malicious Range headers.

References:
APPLE: APPLE-SA-2011-10-12
BID: 49303
CERT-VN: 405811
CVE: CVE-2011-3192
OSVDB: 74721
REDHAT: RHSA-2011:1245
REDHAT: RHSA-2011:1294
REDHAT: RHSA-2011:1300
REDHAT: RHSA-2011:1329
REDHAT: RHSA-2011:1330
REDHAT: RHSA-2011:1369
SECUNIA: 45606
SECUNIA: 45937
SECUNIA: 46000
SECUNIA: 46125
SECUNIA: 46126
URL: http://httpd.apache.org/security/vulnerabilities_20.html
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-http-byterange-dos(69396)

Vulnerability Solution:
Apache >= 2.0 and < 2.1:
Upgrade to Apache version 2.0.65. Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for more information. Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Apache >= 2.2 and < 2.3:
Upgrade to Apache version 2.2.20. Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.20.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.1.5. Apache httpd APR-util XML DoS (CVE-2009-1955) (http-apache-apr-util-xml-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker could convince Apache to consume a specially crafted XML document. Review your Web server configuration for validation. A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35253
CVE: CVE-2009-1955
DEBIAN: DSA-1812
OVAL: OVAL10270
OVAL: OVAL12473
REDHAT: RHSA-2009:1107
REDHAT: RHSA-2009:1108
SECUNIA: 34724
SECUNIA: 35284
SECUNIA: 35360
SECUNIA: 35395
SECUNIA: 35444
SECUNIA: 35487
SECUNIA: 35565
SECUNIA: 35710
SECUNIA: 35797
SECUNIA: 35843
SECUNIA: 36473
SECUNIA: 37221
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.1.6. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)

Description:
Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. Added missing sanity checks around exif processing. Fixed a safe_mode bypass in tempnam(). Fixed a open_basedir bypass in posix_mkfifo(). Fixed bug #50063 (safe_mode_include_dir fails).

Affected Nodes:
174.143.96.250:80
Additional Information: Running vulnerable HTTP service: Apache 2.2.3.


References:
APPLE: APPLE-SA-2009-11-09
APPLE: APPLE-SA-2010-03-29
CVE: CVE-2009-3292
CVE: CVE-2009-3557
CVE: CVE-2009-3558
CVE: CVE-2009-3559
CVE: CVE-2009-4017
DEBIAN: DSA-1940
OSVDB: 58186
OVAL: OVAL10483
OVAL: OVAL6667
OVAL: OVAL7396
OVAL: OVAL7652
OVAL: OVAL9982
SECUNIA: 36791
SECUNIA: 37412
SECUNIA: 37482
SECUNIA: 37821
SECUNIA: 40262
SECUNIA: 41480
SECUNIA: 41490
URL: http://www.php.net/ChangeLog-5.php#5.3.1
URL: http://www.php.net/releases/5_3_1.php
XF: php-multipart-formdata-dos(54455)

Vulnerability Solution:
Upgrade to PHP v5.3.1 (released on November 19th, 2009).
Download and apply the upgrade from: http://www.php.net/get/php-5.3.1.tar.gz/from/a/mirror

3.1.7. MySQL yaSSL CertDecoder::GetName Multiple Buffer Overflows (mysql-yassl-certdecodergetname-multiple-bofs)

Description:
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11.

Affected Nodes:
174.143.96.250:3306
Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.

References:
BID: 37640
BID: 37943
BID: 37974
CVE: CVE-2009-4484
DEBIAN: DSA-1997
OSVDB: 61956
SECUNIA: 37493
SECUNIA: 38344
SECUNIA: 38364
SECUNIA: 38517
SECUNIA: 38573
URL: http://bugs.mysql.com/bug.php?id=50227
URL: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html
XF: mysql-unspecified-bo(55416)

Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.90:
Upgrade to MySQL v5.0.90. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

MySQL >= 5.1.0 and < 5.1.43:
Upgrade to MySQL v5.1.43. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.1.8. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)

Description:
Before version 4.7, OpenSSH did not properly handle when an untrusted cookie could not be created. In its place, it uses a trusted X11 cookie. This allows attackers to violate intended policy and gain user privileges by causing an X client to be treated as trusted.

Affected Nodes:
174.143.96.250:22
Additional Information: Running vulnerable SSH service: OpenSSH 4.3.

References:
APPLE: APPLE-SA-2008-03-18
BID: 25628
CVE: CVE-2007-4752
DEBIAN: DSA-1576
OVAL: OVAL10809
OVAL: OVAL5599
REDHAT: RHSA-2008:0855
SECUNIA: 27399
SECUNIA: 29420
SECUNIA: 30249
SECUNIA: 31575
SECUNIA: 32241
XF: openssh-x11cookie-privilege-escalation(36637)

Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz
Version 4.7 of OpenSSH was released on September 4th, 2007. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.


3.2. Severe Vulnerabilities


3.2.1. Apache httpd mod_deflate DoS (CVE-2009-1891) (http-apache-mod_deflate-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_deflate. Review your Web server configuration for validation. A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
CVE: CVE-2009-1891
DEBIAN: DSA-1834
OSVDB: 55782
OVAL: OVAL12361
OVAL: OVAL8632
OVAL: OVAL9248
REDHAT: RHSA-2009:1148
REDHAT: RHSA-2009:1156
SECUNIA: 35721
SECUNIA: 35781
SECUNIA: 35793
SECUNIA: 35865
SECUNIA: 37152
SECUNIA: 37221
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.2. Apache httpd mod_proxy reverse proxy DoS (CVE-2009-1890) (http-apache-mod_proxy-reverse-proxy-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. A denial of service flaw was found in the mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35565
CVE: CVE-2009-1890
DEBIAN: DSA-1834
OSVDB: 55553
OVAL: OVAL12330
OVAL: OVAL8616
OVAL: OVAL9403
REDHAT: RHSA-2009:1148
REDHAT: RHSA-2009:1156
SECUNIA: 35691
SECUNIA: 35721
SECUNIA: 35793
SECUNIA: 35865
SECUNIA: 37152
SECUNIA: 37221
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.3. MySQL Directory Traversal and Arbitrary Table Access Vulnerability (mysql-directory-traversal-and-arbitrary-table-access)

Description:
Directory traversal vulnerability in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.

Affected Nodes:
174.143.96.250:3306
Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.

References:
APPLE: APPLE-SA-2010-11-10
CVE: CVE-2010-1848
OVAL: OVAL10258
OVAL: OVAL7210
REDHAT: RHSA-2010:0442
REDHAT: RHSA-2010:0824
URL: http://bugs.mysql.com/bug.php?id=53371
URL: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91:
Upgrade to MySQL v5.0.91. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

MySQL >= 5.1.0 and < 5.1.47:
Upgrade to MySQL v5.1.47. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.4. MySQL vio_verify_callback() Zero-Depth X.509 Certificate Vulnerability (mysql-vio_verify_callback-zero-depth-x-509-certificate)

Description:
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 accepts a value of zero for the depth of X.509 certificates when OpenSSL is used. This allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate.

Affected Nodes:
174.143.96.250:3306
Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.

References:
CVE: CVE-2009-4028
OVAL: OVAL10940
OVAL: OVAL8510
REDHAT: RHSA-2010:0109
URL: http://bugs.mysql.com/bug.php?id=47320
URL: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html


Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.88:
Upgrade to MySQL v5.0.88. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

MySQL >= 5.1.0 and < 5.1.41:
Upgrade to MySQL v5.1.41. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.5. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-fowarding-info-disclosure)

Description:
Certain versions of OpenSSH do not properly bind TCP ports on the local IPv6 interface if the required IPv4 ports are in use. This could allow a local attacker to hijack a forwarded X11 session via opening TCP port 6010 (IPv4).

Affected Nodes:
174.143.96.250:22
Additional Information: Running vulnerable SSH service: OpenSSH 4.3.

References:
APPLE: APPLE-SA-2008-09-15
BID: 28444
CERT: TA08-260A
CVE: CVE-2008-1483
DEBIAN: DSA-1576
NETBSD: NetBSD-SA2008-005
OVAL: OVAL6085
SECUNIA: 29522
SECUNIA: 29537
SECUNIA: 29554
SECUNIA: 29626
SECUNIA: 29676
SECUNIA: 29683
SECUNIA: 29686
SECUNIA: 29721
SECUNIA: 29735
SECUNIA: 29873
SECUNIA: 29939
SECUNIA: 30086
SECUNIA: 30230
SECUNIA: 30249
SECUNIA: 30347
SECUNIA: 30361
SECUNIA: 31531
SECUNIA: 31882
URL: http://www.openssh.org/txt/release-5.0
XF: openssh-sshd-session-hijacking(41438)

Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz
Version 5.0 of OpenSSH was released on April 3rd, 2008. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.6. Apache httpd APR-util off-by-one overflow (CVE-2009-1956) (http-apache-apr-util-off-by-one-overflow)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted string to a function that handles a variable list of arguments on big-endian platforms. Review your Web server configuration for validation. An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35251
CVE: CVE-2009-1956
OVAL: OVAL11567
OVAL: OVAL12237
REDHAT: RHSA-2009:1107
REDHAT: RHSA-2009:1108
SECUNIA: 34724
SECUNIA: 35284
SECUNIA: 35395
SECUNIA: 35487
SECUNIA: 35565
SECUNIA: 35710
SECUNIA: 35797
SECUNIA: 35843
SECUNIA: 37221
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.7. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)

Description:
Improved LCG entropy. Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak.

Affected Nodes:
174.143.96.250:80
Additional Information: Running vulnerable HTTP service: Apache 2.2.3.

References:
URL: http://www.php.net/releases/5_3_2.php
URL: http://www.php.net/ChangeLog-5.php#5.3.2

Vulnerability Solution:
Upgrade to PHP v5.3.2 (released on March 4th, 2010).
Download and apply the upgrade from: http://www.php.net/get/php-5.3.2.tar.gz/from/a/mirror

3.2.8. MySQL COM_FIELD_LIST Command Buffer Overflow Vulnerability (mysql-com_field_list-command-bof)

Description:
A buffer overflow in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.

Affected Nodes:
174.143.96.250:3306
Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.

References:
APPLE: APPLE-SA-2010-11-10
CVE: CVE-2010-1850
OVAL: OVAL10846
OVAL: OVAL6693
REDHAT: RHSA-2010:0442
URL: http://bugs.mysql.com/bug.php?id=53237
URL: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html


Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91:
Upgrade to MySQL v5.0.91. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

MySQL >= 5.1.0 and < 5.1.47:
Upgrade to MySQL v5.1.47. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.9. Apache httpd expat DoS (CVE-2009-3560) (apache-httpd-2_2_x-cve-2009-3560)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML document. Review your Web server configuration for validation. A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 37203
CVE: CVE-2009-3560
DEBIAN: DSA-1953
OVAL: OVAL10613
OVAL: OVAL12942
OVAL: OVAL6883
REDHAT: RHSA-2011:0896
SECUNIA: 37537
SECUNIA: 38231
SECUNIA: 38794
SECUNIA: 38832
SECUNIA: 38834
SECUNIA: 39478
SECUNIA: 41701
SECUNIA: 43300
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.10. Apache httpd expat DoS (CVE-2009-3720) (apache-httpd-2_2_x-cve-2009-3720)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML document. Review your Web server configuration for validation. A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.

Affected Nodes:
174.143.96.250:80, 174.143.96.250:443
Additional Information:
Running vulnerable HTTP service: Apache 2.2.3.
Running vulnerable HTTPS service: Apache 2.2.3.

References:
CVE: CVE-2009-3720
OVAL: OVAL11019
OVAL: OVAL12719
OVAL: OVAL7112
REDHAT: RHSA-2010:0002
REDHAT: RHSA-2011:0896
SECUNIA: 37324
SECUNIA: 37537
SECUNIA: 37925
SECUNIA: 38050
SECUNIA: 38231
SECUNIA: 38794
SECUNIA: 38832
SECUNIA: 38834
SECUNIA: 39478
SECUNIA: 41701
SECUNIA: 42326
SECUNIA: 42338
SECUNIA: 43300
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3:
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.11. Apache httpd apr_brigade_split_line DoS (CVE-2010-1623) (apache-httpd-2_2_x-cve-2010-1623)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if Apache processes non-SSL requests. Review your Web server configuration for validation. A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 43673
CVE: CVE-2010-1623
OVAL: OVAL12800
REDHAT: RHSA-2010:0950, RHSA-2011:0896, RHSA-2011:0897
SECUNIA: 41701, 42015, 42361, 42367, 42403, 42537, 43211, 43285
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.17.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.12. Apache httpd mod_cache and mod_dav DoS (CVE-2010-1452) (apache-httpd-2_2_x-mod_cache-and-mod_dav-dos-cve-2010-1452)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache or mod_dav. Review your Web server configuration for validation. A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause an httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used. Because the asset reports Apache 2.2.3, which predates that directive, only the mod_dav path is relevant here. Acknowledgements: This issue was reported by Mark Drayton.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2011-03-21
CVE: CVE-2010-1452
OVAL: OVAL11683, OVAL12341
REDHAT: RHSA-2010:0659, RHSA-2011:0896, RHSA-2011:0897
SECUNIA: 42367
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.16.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.13. Apache httpd mod_proxy crash (CVE-2007-3847) (apache-httpd-2_2_x-mod_proxy-crash-cve-2007-3847)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-03-18, APPLE-SA-2008-05-28
BID: 25489
CERT: TA08-150A
CVE: CVE-2007-3847
OVAL: OVAL10525
REDHAT: RHSA-2007:0746, RHSA-2007:0747, RHSA-2007:0911, RHSA-2008:0005
SECUNIA: 26636, 26722, 26790, 26842, 26952, 26993, 27209, 27563, 27593, 27732, 27882, 27971, 28467, 28606, 28749, 28922, 29420, 30430
SUSE: SUSE-SA:2007:061
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.14. Apache httpd mod_proxy_http DoS (CVE-2008-2364) (apache-httpd-2_2_x-mod_proxy_http-dos-cve-2008-2364)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_http. Review your Web server configuration for validation. A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker could cause a denial of service or high memory usage.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-10-09
BID: 29653, 31681
CVE: CVE-2008-2364
OVAL: OVAL11713, OVAL6084, OVAL9577
REDHAT: RHSA-2008:0966, RHSA-2008:0967
SECUNIA: 30621, 31026, 31404, 31416, 31651, 31904, 32222, 32685, 32838, 33156, 33797, 34219, 34259, 34418
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxy-module-dos(42987)

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.9.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.15. Apache httpd Signals to arbitrary processes (CVE-2007-3304) (apache-httpd-2_2_x-signals-to-arbitrary-processes-cve-2007-3304)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a local attacker can run scripts on the HTTP server. Review your Web server configuration for validation. The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 24215
CVE: CVE-2007-3304
OVAL: OVAL11589
REDHAT: RHSA-2007:0532, RHSA-2007:0556, RHSA-2007:0557, RHSA-2007:0662, RHSA-2008:0261
SECUNIA: 25827, 25830, 25920, 26211, 26273, 26443, 26508, 26611, 26759, 26790, 26822, 26842, 26993, 27121, 27209, 27563, 27732, 28212, 28224, 28606
SGI: 20070701-01-P
SUSE: SUSE-SA:2007:061
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-child-process-dos(35095)

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.16. Apache httpd mod_proxy reverse proxy exposure (CVE-2011-3368) (apache-httpd-cve-2011-3368)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with the proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. The affected configurations are those whose rule pattern and substitution lack a leading slash, so that a request-URI which does not begin with '/' is appended directly to the target URL; because anything before an '@' in the resulting authority is parsed as userinfo, the proxy connects to whatever host the attacker placed after the '@'. Acknowledgements: This issue was reported by Context Information Security Ltd.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 49957
CVE: CVE-2011-3368
REDHAT: RHSA-2011:1391, RHSA-2011:1392
SECUNIA: 46288, 46414
URL: http://httpd.apache.org/security/vulnerabilities_20.html
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxy-information-disclosure(70336)

Vulnerability Solution:
Apache >= 2.0 and < 2.1: Upgrade to Apache version 2.0.65. Download and apply the upgrade from: http://httpd.apache.org/download.cgi (Apache HTTP server version 2.0.65 is currently not available for download; please check the Apache HTTP server download page for more information.)
Apache >= 2.2 and < 2.3: Upgrade to Apache version 2.2.22. Download and apply the upgrade from: http://httpd.apache.org/download.cgi (Apache HTTP server version 2.2.22 is currently not available for download; please check the Apache HTTP server download page for more information.)
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
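The exposure in 3.2.16, modelled as an added example; this is the editor's code, not part of the Nexpose report or of httpd. The two rule shapes are the ones the upstream httpd advisory for CVE-2011-3368 gave as affected (pattern and target without a leading slash) and as corrected; the hostnames images.internal and evil.example are hypothetical. Python's re and urllib.parse stand in for mod_rewrite's substitution and mod_proxy's URL parsing, which is enough to show which host each configuration would actually contact.

```python
"""Model of the mod_proxy exposure in 3.2.16 (CVE-2011-3368).

Editor's example; not part of the Nexpose report or of httpd. Rule shapes
follow the upstream httpd advisory; hostnames are hypothetical.
"""
import re
from urllib.parse import urlsplit

# RewriteRule pattern and substitution, as (regex, target). Apache matches
# the pattern against the request-URI with an unanchored search.
VULNERABLE_RULE = (r"(.*)\.(jpg|gif|png)", "http://images.internal$1.$2")
FIXED_RULE = (r"/(.*)\.(jpg|gif|png)", "http://images.internal/$1.$2")


def apply_proxy_rule(rule, request_uri):
    """URL that `RewriteRule pattern target [P]` would proxy this request-URI
    to, or None when the pattern does not match."""
    pattern, target = rule
    m = re.search(pattern, request_uri)
    if m is None:
        return None
    url = target
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace("$%d" % i, group)
    return url


def upstream_host(url):
    """Host the proxy opens a connection to. Everything before an '@' in the
    authority is userinfo, which is exactly what the attacker relies on."""
    return urlsplit(url).hostname


def request_uri_is_well_formed(request_uri):
    """The check httpd 2.2.22 added at the protocol layer: an origin-form
    request-URI must start with '/' (or be '*'). A front proxy or WAF in
    front of an unpatched server should enforce the same rule."""
    return request_uri == "*" or request_uri.startswith("/")


if __name__ == "__main__":
    # Constructed request-URIs: a normal one and the attacker's shape.
    for uri in ("/pics/a.png", "@evil.example:80/x.jpg"):
        for label, rule in (("vulnerable", VULNERABLE_RULE), ("fixed", FIXED_RULE)):
            url = apply_proxy_rule(rule, uri)
            print("%-10s %-24s -> %s (connects to %s)"
                  % (label, uri, url, upstream_host(url)))
```

With the vulnerable rule the request-URI `@evil.example:80/x.jpg` becomes `http://images.internal@evil.example:80/x.jpg`, whose host is evil.example; with the leading slash in both pattern and target the same request is proxied to images.internal. Rejecting request-URIs that do not start with '/' is what the 2.2.22 fix does, and it is the check to put on any front proxy while the server stays at 2.2.3.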

3.2.17. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

Description:
The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate. Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com". In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, which should match the name of the entity (hostname). Current clients check the subjectAltName extension first and fall back to the CN only when no subjectAltName is present (RFC 6125), so a replacement certificate should carry the hostname in both. A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted. Here the certificate identifies "plesk" rather than grupocanton.com, which points to a default certificate left in place.

Affected Nodes:
174.143.96.250:25, 174.143.96.250:443, 174.143.96.250:587 - The subject common name found in the X.509 certificate ('CN=plesk') does not seem to match the scan target '174.143.96.250': Subject CN 'plesk' does not match node name '174.143.96.250'; Subject CN 'plesk' does not match DNS name 'grupocanton.com'.

References:
None

Vulnerability Solution:
The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname), and the same name should appear as a DNS entry in the subjectAltName extension, since that is what current clients match. This is done by generating a new certificate, usually signed by a Certification Authority (CA) trusted by both the client and server. Because the same certificate is served on ports 25, 443 and 587, all three services need the replacement.

3.2.18. Apache httpd AllowOverride Options handling bypass (CVE-2009-1195) (http-apache-allowoveride-options-handling-bypass)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if the AllowOverride directive is used with certain Options arguments. Review your Web server configuration for validation. A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. This matters on a shared hosting system such as this one, where users who can write .htaccess files are not the administrator.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35115
CVE: CVE-2009-1195
DEBIAN: DSA-1816
OSVDB: 54733
OVAL: OVAL11094, OVAL12377, OVAL8704
REDHAT: RHSA-2009:1075, RHSA-2009:1156
SECUNIA: 35261, 35264, 35395, 35453, 35721, 37152
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-allowoverrides-security-bypass(50808)

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.19. Apache httpd mod_cache proxy DoS (CVE-2007-1863) (http-apache-mod_cache-proxy-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache. Review your Web server configuration for validation. A bug was found in the mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-05-28
BID: 24649
CERT: TA08-150A
CVE: CVE-2007-1863
OVAL: OVAL9824
REDHAT: RHSA-2007:0533, RHSA-2007:0534, RHSA-2007:0556, RHSA-2007:0557
SECUNIA: 25830, 25873, 25920, 26273, 26443, 26508, 26822, 26842, 26993, 27037, 27563, 27732, 28606, 30430
SUSE: SUSE-SA:2007:061
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.


3.2.20. Apache httpd mod_proxy_ajp DoS (CVE-2010-0408) (http-apache-mod_proxy_ajp-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ajp. Review your Web server configuration for validation. mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.Acknowledgements: We would like to thank Niku Toivola of Sulake Corporation for reporting and proposing a patch fix for this issue.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2010-11-10
BID: 38491
CVE: CVE-2010-0408
DEBIAN: DSA-2035
OVAL: OVAL8619, OVAL9935
REDHAT: RHSA-2010:0168
SECUNIA: 39100, 39501, 39628, 39632, 39656, 40096
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.21. MySQL my_net_skip_rest Packet Length Denial of Service Vulnerability (mysql-my_net_skip_rest-packet-length-dos)

Description:
The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.

Affected Nodes:
174.143.96.250:3306 - Running vulnerable MySQL service: MySQL 5.0.77. (This is a version-string match only. Distribution packages backport security fixes without changing the reported version, so confirm against the package changelog before treating the banner as proof. Separately, a MySQL listener reachable from the scanner on port 3306 is an exposure in its own right unless remote clients genuinely need it.)

References:
APPLE: APPLE-SA-2010-11-10
CVE: CVE-2010-1849
OVAL: OVAL7328
URL: http://bugs.mysql.com/bug.php?id=50974
URL: http://bugs.mysql.com/bug.php?id=53371
URL: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.91: Upgrade to MySQL v5.0.91. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
MySQL >= 5.1.0 and < 5.1.47: Upgrade to MySQL v5.1.47. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.


3.2.22. PHP: PHP hangs on numeric value 2.2250738585072011e-308 (php-cve-2010-4645)

Description:
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308. Any request parameter that PHP converts to a float is a trigger, so the condition is reachable by unauthenticated remote clients on 32-bit builds using x87 arithmetic.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3. (The proof is the Apache banner; the scanner did not fingerprint a PHP version. Confirm the installed PHP release, for example from the X-Powered-By header or php -v on the host, before acting on this and the other PHP findings.)

References:
BID: 45668
CVE: CVE-2010-4645
REDHAT: RHSA-2011:0195, RHSA-2011:0196
SECUNIA: 42812, 42843, 43051, 43189
XF: php-zendstrtod-dos(64470)

Vulnerability Solution:
Upgrade to PHP v5.2.17: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.17.tar.gz
Upgrade to PHP v5.3.5: Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.5.tar.gz

3.2.23. PHP Fixed possible flaw in open_basedir (php-fixed-possible-flaw-in-open-basedir)

Description:
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.


Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2011-03-21
BID: 44723
CVE: CVE-2010-3436
SECUNIA: 42729, 42812

Vulnerability Solution:
Upgrade to PHP v5.2.15: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
Upgrade to PHP v5.3.4: Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.24. PHP possible double free in imap extension (php-possible-double-free-in-imap-extension)

Description:
Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2011-03-21
BID: 44980
CVE: CVE-2010-4150
OVAL: OVAL12489
SECUNIA: 42729
XF: php-phpimapc-dos(63390)

Vulnerability Solution:
Upgrade to PHP v5.2.15: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
Upgrade to PHP v5.3.4: Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.25. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)

Description:
The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak:
- So-called "null" ciphers, which do not encrypt data.
- Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the cipher suite.
- Obsolete encryption algorithms with secret key lengths considered short by today's standards, e.g. DES or RC4 with 56-bit keys.

Affected Nodes:
174.143.96.250:443 - grupocanton.com/174.143.96.250:443 negotiated the SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite.

References:
None

Vulnerability Solution:
Configure the server to disable support for weak ciphers. For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers. For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read: SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For other servers, refer to the respective vendor documentation to disable the weak ciphers. Note that this string removes the export and LOW suites the scanner objected to but still prefers RC4 and admits MEDIUM-strength suites such as 3DES. RC4 has since been prohibited for TLS (RFC 7465) and 64-bit block ciphers are subject to the Sweet32 attack, so a current configuration should exclude both, and mod_ssl should be told to honor the server's preference order (SSLHonorCipherOrder) so that a client cannot select the weakest of what remains.


3.2.26. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)

Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server, including the following weaknesses:
- No protection against man-in-the-middle attacks during the handshake.
- Weak MAC construction, and a MAC relying solely on the MD5 hash function.
- Exportable cipher suites unnecessarily weaken the MACs.
- The same cryptographic keys are used for message authentication and encryption.
- Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard. Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also supported.

Affected Nodes:
174.143.96.250:443 - SSLv2 is supported.

References:
URL: http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm
URL: https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf

Vulnerability Solution:
Configure the server to require clients to use at least SSLv3 or TLS. For Microsoft IIS web servers, see Microsoft Knowledgebase article Q187498 for instructions on disabling SSL 2.0. For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2 The ! (exclamation point) before SSLv2 removes the SSLv2 cipher suites, which disables the protocol only indirectly: with no SSLv2 suite left to negotiate, an SSLv2 handshake cannot complete. The direct control in mod_ssl is the SSLProtocol directive, which should exclude SSLv2 and, by current standards, SSLv3 as well (POODLE); the protocol setting and the cipher string should be changed together, and note that this cipher string, like the one in 3.2.25, still allows RC4.
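The cipher-suite triage behind 3.2.25 and 3.2.26, as an added example written by the editor; it is not part of the Nexpose report. It classifies suite names with the report's own criteria (null, export, DES and RC4 with short keys) and goes beyond them by flagging any RC4 use, 3DES and anonymous key exchange, then expands an OpenSSL cipher string, the value SSLCipherSuite takes, with the local OpenSSL to show what it still permits. The list of "observed" suites is constructed around the one Nexpose actually saw; the hardened cipher string is the editor's suggestion rather than the report's.

```python
"""Cipher-suite triage for findings 3.2.25 and 3.2.26.

Editor's example, not part of the Nexpose report. Names may be IANA style
(TLS_RSA_WITH_RC4_128_SHA) or OpenSSL style (RC4-SHA).
"""
import re
import ssl

# (reason, regex over a suite name). Order is the order reasons are reported.
WEAK_RULES = [
    ("null cipher, no encryption", r"_WITH_NULL_|(^|-)NULL(-|$)"),
    ("export grade, 40-bit key", r"EXPORT|(^|-)EXP(1024)?-"),
    ("single DES, 56-bit key", r"_WITH_DES(40)?_|(^|-)DES-CBC-"),
    ("RC4, prohibited for TLS by RFC 7465", r"RC4"),
    ("3DES, 64-bit block (Sweet32)", r"3DES|DES-CBC3"),
    ("anonymous key exchange, no server auth", r"_anon_|^ADH-|^AECDH-"),
]

REPORT_STRING = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"  # from 3.2.25
HARDENED_STRING = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES"       # editor's suggestion

# Constructed sample of suites a scanner might list as negotiable, including
# the one Nexpose observed on 174.143.96.250:443.
OBSERVED = [
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]


def classify(suite):
    """Reasons the suite is weak; an empty list means no rule fired."""
    return [reason for reason, rx in WEAK_RULES if re.search(rx, suite)]


def triage(suites):
    """Map each weak suite in the list to its reasons."""
    return {s: classify(s) for s in suites if classify(s)}


def audit_cipher_string(openssl_cipher_string):
    """Expand an OpenSSL cipher string with the local library and return the
    weak suites it still allows as (name, reasons) pairs. The result depends
    on the local OpenSSL build: modern builds omit export and RC4 suites
    entirely, so run this on the server itself (or `openssl ciphers -v`
    there) to learn what that server can negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_cipher_string)
    except ssl.SSLError as exc:  # nothing matched the string at all
        return [("<no cipher can be selected>", [str(exc)])]
    return [(c["name"], classify(c["name"])) for c in ctx.get_ciphers()
            if classify(c["name"])]


if __name__ == "__main__":
    for name, reasons in triage(OBSERVED).items():
        print("%-40s %s" % (name, "; ".join(reasons)))
    print("report string still allows:", [n for n, _ in audit_cipher_string(REPORT_STRING)])
    print("hardened string still allows:", [n for n, _ in audit_cipher_string(HARDENED_STRING)])
```

The cipher string is only half of the fix: pair it with `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` in the same mod_ssl configuration, otherwise the client still chooses among whatever the string leaves enabled.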

3.2.27. X.509 Server Certificate Is Invalid/Expired (tls-server-cert-expired)


Description:
The TLS/SSL server's X.509 certificate either contains a start date in the future or is expired. Please refer to the proof in the section below for more details.

Affected Nodes:
174.143.96.250:25, 174.143.96.250:443, 174.143.96.250:587 - The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT.

References:
None

Vulnerability Solution:
Obtain a new certificate and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Please ensure that the start date and the end date on the new certificate are valid. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority. After you have received a new certificate file from the Certificate Authority, you will have to install it on the TLS/SSL server. The exact instructions for installing a certificate differ for each product. Follow their documentation.
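The validation that produced findings 3.2.17 and 3.2.27, as an added example written by the editor; it is not part of the Nexpose report. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the observed certificate is reconstructed from the report (CN=plesk, no subjectAltName, not valid after 01 Jun 2010 11:41:37 COT, i.e. 16:41:37 GMT); its notBefore date, the "good" replacement certificate and the scan timestamp used as "now" are constructed for the example. Name matching follows RFC 6125: subjectAltName entries first, CN as fallback, wildcard only as the whole leftmost label.

```python
"""Hostname and validity checks behind findings 3.2.17 and 3.2.27.

Editor's example, not part of the Nexpose report. Certificates are in the
dict form returned by ssl.SSLSocket.getpeercert().
"""
import ssl
import time


def cert_names(cert):
    """Identities a client may match: subjectAltName DNS and IP entries first
    (what current clients use), then the subject CN as a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ())
             if kind in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(presented, hostname):
    """Case-insensitive exact match; a wildcard is honoured only as the whole
    leftmost label, so *.example.com covers www.example.com but neither
    example.com nor a.b.example.com."""
    p = presented.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return False


def check_certificate(cert, hostname, now=None):
    """Problems a validating client would raise; [] means acceptable."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch: certificate names %s, client asked for %s"
                        % (names, hostname))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid: notBefore %s" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired: notAfter %s" % cert["notAfter"])
    return problems


# Reconstructed from the report; notBefore is a constructed value.
OBSERVED_CERT = {
    "subject": ((("commonName", "plesk"),),),
    "notBefore": "Jun  1 16:41:37 2009 GMT",
    "notAfter": "Jun  1 16:41:37 2010 GMT",
}
# Constructed replacement: every name clients use in the SAN, CN repeats one.
GOOD_CERT = {
    "subject": ((("commonName", "grupocanton.com"),),),
    "subjectAltName": (("DNS", "grupocanton.com"), ("DNS", "www.grupocanton.com")),
    "notBefore": "Nov  1 00:00:00 2011 GMT",
    "notAfter": "Nov  1 00:00:00 2012 GMT",
}
SCAN_TIME = ssl.cert_time_to_seconds("Dec  2 18:06:00 2011 GMT")  # 13:06 COT per the report

if __name__ == "__main__":
    for host in ("grupocanton.com", "174.143.96.250"):
        print(host, "observed:", check_certificate(OBSERVED_CERT, host, SCAN_TIME))
        print(host, "replacement:", check_certificate(GOOD_CERT, host, SCAN_TIME))
```

getpeercert() only returns the parsed dictionary for a certificate the ssl module verified, so for the self-signed, expired certificate on this host pull the fields with `openssl s_client -connect grupocanton.com:443 </dev/null | openssl x509 -noout -subject -dates -text` and transcribe them. The replacement certificate passes for grupocanton.com but still fails for the bare IP, which is correct: clients connecting to 174.143.96.250 by address need an IP-address SAN, not a hostname.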

3.2.28. Apache httpd mod_imagemap XSS (CVE-2007-5000) (apache-httpd-2_2_x-mod_imagemap-xss-cve-2007-5000)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_imagemap and an imagemap file is publicly available. Review your Web server configuration for validation. A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-03-18, APPLE-SA-2008-05-28
BID: 26838
CERT: TA08-150A
CVE: CVE-2007-5000
OSVDB: 39134
OVAL: OVAL9539
REDHAT: RHSA-2008:0004, RHSA-2008:0005, RHSA-2008:0006, RHSA-2008:0007, RHSA-2008:0008, RHSA-2008:0009, RHSA-2008:0261
SECUNIA: 28046, 28073, 28081, 28196, 28375, 28467, 28471, 28525, 28526, 28607, 28749, 28750, 28922, 28977, 29420, 29640, 29806, 29988, 30356, 30430, 30732, 31142
SUSE: SUSE-SA:2008:021
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.29. Apache httpd mod_proxy_ftp globbing XSS (CVE-2008-2939) (apache-httpd-2_2_x-mod_proxy_ftp-globbing-xss-cve-2008-2939)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A flaw was found in the handling of wildcards in the path of a FTP URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing globbing characters could lead to cross-site scripting (XSS) attacks.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-05-12
BID: 30560
CERT: TA09-133A
CERT-VN: 663763
CVE: CVE-2008-2939
OVAL: OVAL11316, OVAL7716
REDHAT: RHSA-2008:0966, RHSA-2008:0967
SECUNIA: 31384, 31673, 32685, 32838, 33156, 33797, 34219, 35074
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxyftp-xss(44223)

Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.10.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.30. Apache httpd mod_proxy_ftp UTF-7 XSS (CVE-2008-0005) (apache-httpd-2_2_x-mod_proxy_ftp-utf-7-xss-cve-2008-0005)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-03-18
BID: 27234
CVE: CVE-2008-0005
OVAL: OVAL10812
REDHAT: RHSA-2008:0004
REDHAT: RHSA-2008:0005
REDHAT: RHSA-2008:0006
REDHAT: RHSA-2008:0007
REDHAT: RHSA-2008:0008
REDHAT: RHSA-2008:0009
SECUNIA: 28467
SECUNIA: 28471
SECUNIA: 28526
SECUNIA: 28607
SECUNIA: 28749
SECUNIA: 28977
SECUNIA: 29348
SECUNIA: 29420
SECUNIA: 29640
SECUNIA: 30732
SECUNIA: 35650
SUSE: SUSE-SA:2008:021
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxyftp-utf7-xss(39615)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.31. Apache httpd mod_status XSS (CVE-2007-6388) (apache-httpd-2_2_x-mod_status-xss-cve-2007-6388)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status. Review your Web server configuration for validation. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-03-18
APPLE: APPLE-SA-2008-05-28
BID: 27237
CERT: TA08-150A
CVE: CVE-2007-6388
OVAL: OVAL10272
REDHAT: RHSA-2008:0004
REDHAT: RHSA-2008:0005
REDHAT: RHSA-2008:0006
REDHAT: RHSA-2008:0007
REDHAT: RHSA-2008:0008
REDHAT: RHSA-2008:0009
REDHAT: RHSA-2008:0261
SECUNIA: 28467
SECUNIA: 28471
SECUNIA: 28526
SECUNIA: 28607
SECUNIA: 28749
SECUNIA: 28922
SECUNIA: 28965
SECUNIA: 28977
SECUNIA: 29420
SECUNIA: 29504
SECUNIA: 29640
SECUNIA: 29806
SECUNIA: 29988
SECUNIA: 30356
SECUNIA: 30430
SECUNIA: 30732
SECUNIA: 31142
SECUNIA: 33200
SUSE: SUSE-SA:2008:021
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-status-page-xss(39472)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.32. Apache httpd apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419) (apache-httpd-cve2011-0419)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_autoindex. Review your Web server configuration for validation. A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack.

Acknowledgements: This issue was reported by Maksymilian Arciemowicz.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2011-10-12
CVE: CVE-2011-0419
DEBIAN: DSA-2237
REDHAT: RHSA-2011:0507
REDHAT: RHSA-2011:0896
REDHAT: RHSA-2011:0897
SECUNIA: 44490
SECUNIA: 44564
SECUNIA: 44574
URL: http://httpd.apache.org/security/vulnerabilities_20.html
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.0 and < 2.1: Upgrade to Apache version 2.0.65. Download and apply the upgrade from: http://httpd.apache.org/download.cgi
Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for more information. Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Apache >= 2.2 and < 2.3: Upgrade to Apache version 2.2.19. Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.19.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.33. Apache httpd APR-util heap underwrite (CVE-2009-0023) (http-apache-apr-util-heap-underwrite)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted search keyword to a function that handles compiled forms of search patterns. Review your Web server configuration for validation. A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially crafted search keyword that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 35221
CVE: CVE-2009-0023
DEBIAN: DSA-1812
OVAL: OVAL10968
OVAL: OVAL12321
REDHAT: RHSA-2009:1107
REDHAT: RHSA-2009:1108
SECUNIA: 34724
SECUNIA: 35284
SECUNIA: 35360
SECUNIA: 35395
SECUNIA: 35444
SECUNIA: 35487
SECUNIA: 35565
SECUNIA: 35710
SECUNIA: 35797
SECUNIA: 35843
SECUNIA: 37221
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-aprstrmatchprecompile-dos(50964)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.34. Apache ETag Inode Information Leakage (http-apache-etag-inode-leak)

Description:
Certain versions of Apache use the requested file's inode number to construct the 'ETag' response header. While not a vulnerability in and of itself, this information makes certain NFS attacks much simpler to execute.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3. http://174.143.96.250/index.html 1: "1f20e9d-14c-48dd25a7358c0"
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3. https://174.143.96.250/ 1: "1e38016-ee7-46b9dad472100"

References:
BID: 6939
BID: 6943
CVE: CVE-2003-1418
XF: apache-mime-information-disclosure(11438)

Vulnerability Solution:
Disable inode-based ETag generation in the Apache config: You can remove inode information from the ETag header by adding the following directive to your Apache config:

FileETag MTime Size

OpenBSD: Apply OpenBSD 3.2 errata #8 for Apache inode and pid leak. Download and apply the patch from: http://www.openbsd.org/errata32.html#httpd
The OpenBSD team has released a patch for the Apache inode and pid leak problem. This patch can be applied cleanly to 3.2 stable and rebuilt. Restart httpd for the changes to take effect. OpenBSD 3.3 will ship with the patched httpd by default. The patch can be applied to earlier 3.x versions of OpenBSD, but it may require editing of the source code.

3.2.35. Apache httpd mod_proxy_balancer CSRF (CVE-2007-6420) (http-apache-mod_proxy_balancer-csrf)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. The mod_proxy_balancer module provided an administrative interface that could be vulnerable to cross-site request forgery (CSRF) attacks.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-10-09
BID: 27236
BID: 31681
CVE: CVE-2007-6420
OVAL: OVAL8371
REDHAT: RHSA-2008:0966
SECUNIA: 31026
SECUNIA: 32222
SECUNIA: 33797
SECUNIA: 34219
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.9.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.36. Apache httpd mod_proxy_balancer DoS (CVE-2007-6422) (http-apache-mod_proxy_balancer-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 27236
CVE: CVE-2007-6422
OVAL: OVAL10181
OVAL: OVAL8690
REDHAT: RHSA-2008:0008
REDHAT: RHSA-2008:0009
SECUNIA: 28526
SECUNIA: 28749
SECUNIA: 28977
SECUNIA: 29348
SECUNIA: 29640
SUSE: SUSE-SA:2008:021
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxybalancer-dos(39476)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.37. Apache httpd mod_proxy_balancer XSS (CVE-2007-6421) (http-apache-mod_proxy_balancer-xss)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2008-03-18
BID: 27236
CVE: CVE-2007-6421
OVAL: OVAL10664
OVAL: OVAL8651
REDHAT: RHSA-2008:0008
REDHAT: RHSA-2008:0009
SECUNIA: 28526
SECUNIA: 28749
SECUNIA: 28977
SECUNIA: 29420
SECUNIA: 29640
SUSE: SUSE-SA:2008:021
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modproxybalancer-xss(39474)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.38. Apache httpd mod_status cross-site scripting (CVE-2006-5752) (http-apache-mod_status-xss)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status, the server-status page is publicly accessible and ExtendedStatus is enabled. Review your Web server configuration for validation. A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled, this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
BID: 24645
CVE: CVE-2006-5752
OVAL: OVAL10154
REDHAT: RHSA-2007:0532
REDHAT: RHSA-2007:0533
REDHAT: RHSA-2007:0534
REDHAT: RHSA-2007:0556
REDHAT: RHSA-2007:0557
REDHAT: RHSA-2008:0261
SECUNIA: 25827
SECUNIA: 25830
SECUNIA: 25873
SECUNIA: 25920
SECUNIA: 26273
SECUNIA: 26443
SECUNIA: 26458
SECUNIA: 26508
SECUNIA: 26822
SECUNIA: 26842
SECUNIA: 26993
SECUNIA: 27037
SECUNIA: 27563
SECUNIA: 27732
SECUNIA: 28212
SECUNIA: 28224
SECUNIA: 28606
SUSE: SUSE-SA:2007:061
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-modstatus-xss(35097)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.6.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.39. Apache httpd Subrequest handling of request headers (mod_headers) (CVE-2010-0434) (http-apacherequest-header-info-disclosure)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_headers. Review your Web server configuration for validation. A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data from another request on threaded servers, such as the worker or winnt MPMs.

Acknowledgements: We would like to thank Philip Pickett of VMware for reporting and proposing a fix for this issue.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2010-11-10
BID: 38494
CVE: CVE-2010-0434
DEBIAN: DSA-2035
OVAL: OVAL10358
OVAL: OVAL8695
REDHAT: RHSA-2010:0168
REDHAT: RHSA-2010:0175
SECUNIA: 39100
SECUNIA: 39115
SECUNIA: 39501
SECUNIA: 39628
SECUNIA: 39632
SECUNIA: 39656
SECUNIA: 40096
URL: http://httpd.apache.org/security/vulnerabilities_22.html
XF: apache-http-rh-info-disclosure(56625)

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.2.40. MySQL Bug #44798: Stored Procedures Server Crash (mysql-bug-44798-stored-procedures-server-crash)

Description:
Versions of MySQL server 5.0 before 5.0.84 and 5.1 before 5.1.36 suffer from a privilege interpretation flaw that causes a server crash. A user created with the privileges to create stored procedures but not execute them will trigger this issue.

Affected Nodes:
174.143.96.250:3306 - Running vulnerable MySQL service: MySQL 5.0.77.

References:
URL: http://bugs.mysql.com/bug.php?id=44798

Vulnerability Solution:
MySQL >= 5.0.0 and < 5.0.84: Upgrade to MySQL v5.0.84. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

MySQL (?:^5.1.): Upgrade to MySQL v5.1.36. Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.41. PHP Fixed NULL pointer dereference in ZipArchive::getArchiveComment (php-fixed-null-pointerdereference-in-ziparchivegetarchivecomment)

Description:
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.

References:
APPLE: APPLE-SA-2011-03-21
BID: 44718
CVE: CVE-2010-3709
REDHAT: RHSA-2011:0195
SECUNIA: 42729
SECUNIA: 42812

Vulnerability Solution:
Upgrade to PHP v5.3.4: Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz
Upgrade to PHP v5.2.15: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz

3.2.42. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)

Description:
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.

Affected Nodes:
174.143.96.250:25 - TLS/SSL certificate is self-signed.
174.143.96.250:443 - TLS/SSL certificate is self-signed.
174.143.96.250:587 - TLS/SSL certificate is self-signed.

References:
None

Vulnerability Solution:
Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.

3.3. Moderate Vulnerabilities


3.3.1. Apache httpd mod_proxy_ftp DoS (CVE-2009-3094) (http-apache-mod_proxy_ftp-dos)

Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A NULL pointer dereference flaw was found in the mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
CVE: CVE-2009-3094
DEBIAN: DSA-1934
OVAL: OVAL10981
OVAL: OVAL8087
SECUNIA: 36549
SECUNIA: 37152
SUSE: SUSE-SA:2009:050
URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
Apache >= 2.2 and < 2.3: Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.3.2. MySQL HTML Output Script Insertion Vulnerability (mysql-html-output-script-insertion)

Description:
A cross-site scripting (XSS) vulnerability exists in the command-line client when the "--html" option is enabled. This could allow attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by the client when composing an HTML document.

Affected Nodes:
174.143.96.250:3306 - Running vulnerable MySQL service: MySQL 5.0.77.

References:
APPLE: APPLE-SA-2010-03-29
BID: 31486
CVE: CVE-2008-4456
DEBIAN: DSA-1783
OVAL: OVAL11456
REDHAT: RHSA-2010:0110
SECUNIA: 32072
SECUNIA: 34907
SECUNIA: 38517
URL: http://bugs.mysql.com/bug.php?id=27884
URL: http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
XF: mysql-commandline-xss(45590)

Vulnerability Solution:
MySQL (?:^5.1.): Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.3. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)

Description:
Certain versions of OpenSSH ship with a flawed implementation of the block cipher algorithm in the Cipher Block Chaining (CBC) mode. This could allow a remote attacker to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

Affected Nodes:
174.143.96.250:22 - Running vulnerable SSH service: OpenSSH 4.3.

References:
APPLE: APPLE-SA-2009-11-09
BID: 32319
CERT-VN: 958563
CVE: CVE-2008-5161
OSVDB: 49872
OSVDB: 50035
OSVDB: 50036
OVAL: OVAL11279
SECUNIA: 32740
SECUNIA: 32760
SECUNIA: 32833
SECUNIA: 33121
SECUNIA: 33308
SECUNIA: 34857
URL: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
URL: http://www.openssh.com/txt/cbc.adv
XF: openssh-sshtectia-cbc-info-disclosure(46620)

Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz Version 5.2 of OpenSSH was released on February 22nd, 2009. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

3.3.4. Database Open Access (database-open-access)

Description:
The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.

Affected Nodes:
174.143.96.250:3306 - Running vulnerable MySQL service.

References:
URL: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Vulnerability Solution:
Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ.

3.3.5. TCP timestamp response (generic-tcp-timestamp)

Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

Affected Nodes:
174.143.96.250 - Apparent system boot time: Fri Nov 18 18:17:26 COT 2011

References:
URL: http://www.forensicswiki.org/wiki/TCP_timestamps
URL: http://www.ietf.org/rfc/rfc1323.txt
URL: http://uptime.netcraft.com

Vulnerability Solution:
Cisco: Disable TCP timestamp responses on Cisco. Run the following command to disable TCP timestamps:

no ip tcp timestamp

FreeBSD: Disable TCP timestamp responses on FreeBSD. Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

Linux: Disable TCP timestamp responses on Linux. Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:

sysctl -w net.ipv4.tcp_timestamps=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.ipv4.tcp_timestamps=0

OpenBSD: Disable TCP timestamp responses on OpenBSD. Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

Microsoft Windows: Disable TCP timestamp responses on Windows. Set the Tcp1323Opts value in the following key to 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

3.3.6. WebDAV Extensions are Enabled (http-generic-webdav-enabled)

Description:
WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. Many web servers enable WebDAV extensions by default, even when they are not needed. Because of its added complexity, it is considered good practice to disable WebDAV if it is not currently in use.

Affected Nodes:
174.143.96.250:80 - Running vulnerable HTTP service: Apache 2.2.3.
174.143.96.250:443 - Running vulnerable HTTPS service: Apache 2.2.3.

References:
None

Vulnerability Solution:
IIS, PWS, Microsoft-IIS, Internet Information Services, Microsoft-PWS: Disable WebDAV for IIS. For Microsoft IIS, follow Microsoft's instructions to disable WebDAV for the entire server.

Apache: Disable WebDAV for Apache. Make sure the mod_dav module is disabled, or ensure that authentication is required on directories where DAV is required.

Apache Tomcat, Tomcat, Tomcat Web Server: Disable WebDAV for Apache Tomcat. Disable the WebDAV Servlet for all web applications found on the web server. This can be done by removing the servlet definition for WebDAV (the org.apache.catalina.servlets.WebdavServlet class) and removing all servlet mappings referring to the WebDAV servlet.

Java System Web Server, iPlanet, SunONE WebServer, Sun-ONE-Web-Server: Disable WebDAV for iPlanet/Sun ONE. Disable WebDAV on the web server. This can be done by disabling WebDAV for the server instance and for all virtual servers. To disable WebDAV for the server instance, enter the Server Manager and uncheck the "Enable WebDAV Globally" checkbox then click the "OK" button. To disable WebDAV for each virtual server, enter the Class Manager and uncheck the "Enable WebDAV Globally" checkbox next to each server instance then click the "OK" button.

4. Discovered Services
4.1. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files commonly used with HTTP include text, sound, images and video.

4.1.1. General Security Issues

Simple authentication scheme


Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL) connections to transmit the authentication data.

4.1.2. Discovered Instances of this Service


Device: 174.143.96.250
Protocol: tcp
Port: 80
Vulnerabilities: 8
Additional Information: Apache 2.2.3 PHP: 5.2.14 WebDAV:
  http.banner: Apache/2.2.3 (Red Hat)
  http.banner.server: Apache/2.2.3 (Red Hat)
  http.banner.x-powered-by: PHP/5.2.14

4.2. HTTPS
HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia files commonly used with HTTP include text, sound, images and video.

4.2.1. Discovered Instances of this Service


Device: 174.143.96.250
Protocol: tcp
Port: 443
Vulnerabilities: 8
Additional Information: Apache 2.2.3 WebDAV:
  http.banner: Apache/2.2.3 (Red Hat)
  http.banner.server: Apache/2.2.3 (Red Hat)
  ssl: true
  ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.key.alg.name: RSA
  ssl.cert.key.rsa.modulusBits: 2048
  ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
  ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
  ssl.cert.selfsigned: true
  ssl.cert.serial.number: 1243874497
  ssl.cert.sig.alg.name: SHA1withRSA
  ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.validsignature: true
  ssl.version.ssl20: true
  verbs-1: GET
  verbs-2: HEAD
  verbs-3: OPTIONS
  verbs-4: POST
  verbs-count: 4

4.3. MySQL
4.3.1. Discovered Instances of this Service
Device: 174.143.96.250
Protocol: tcp
Port: 3306
Vulnerabilities: 8
Additional Information:
  MySQL 5.0.77
  logging: disabled
  protocolVersion: 10

4.4. SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final destination.

4.4.1. General Security Issues

Installed by default
By default, most UNIX workstations come with the sendmail (or equivalent) SMTP server installed to handle mail for the local host (e.g. the output of some cron jobs is sent to the root account via e-mail). Check your workstations to see whether sendmail is running by telnetting to port 25/tcp. If sendmail is running, you will see something like this:

  $ telnet mybox 25
  Trying 192.168.0.1...
  Connected to mybox.
  Escape character is '^]'.
  220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)

If sendmail is running and you don't need it, disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.

Promiscuous relay

Perhaps the most common security issue with SMTP servers is a server that acts as a "promiscuous relay", or "open relay": a server that accepts and relays mail from anywhere to anywhere. This setup allows unauthenticated third parties (spammers) to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.

4.4.2. Discovered Instances of this Service


Device: 174.143.96.250
Protocol: tcp
Port: 25
Vulnerabilities: 2
Additional Information:
  Unknown
  advertise-esmtp: 1
  advertised-esmtp-extension-count: 5
  advertises-esmtp: TRUE
  smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP
  ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.key.alg.name: RSA
  ssl.cert.key.rsa.modulusBits: 2048
  ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
  ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
  ssl.cert.selfsigned: true
  ssl.cert.serial.number: 1243874497
  ssl.cert.sig.alg.name: SHA1withRSA
  ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.validsignature: true
  supported-auth-method-count: 3
  supported-auth-method:1: LOGIN
  supported-auth-method:2: CRAM-MD5
  supported-auth-method:3: PLAIN
  supports-8bitmime: TRUE
  supports-auth: TRUE
  supports-auth=login: TRUE
  supports-debug: FALSE
  supports-expand: FALSE
  supports-pipelining: TRUE
  supports-starttls: TRUE
  supports-turn: FALSE
  supports-verify: FALSE

Device: 174.143.96.250
Protocol: tcp
Port: 587
Vulnerabilities: 2
Additional Information:
  Unknown
  advertise-esmtp: 1
  advertised-esmtp-extension-count: 5
  advertises-esmtp: TRUE
  smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP
  ssl.cert.issuer.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.key.alg.name: RSA
  ssl.cert.key.rsa.modulusBits: 2048
  ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT
  ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT
  ssl.cert.selfsigned: true
  ssl.cert.serial.number: 1243874497
  ssl.cert.sig.alg.name: SHA1withRSA
  ssl.cert.subject.dn: [email protected], CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
  ssl.cert.validsignature: true
  supported-auth-method-count: 3
  supported-auth-method:1: LOGIN
  supported-auth-method:2: CRAM-MD5
  supported-auth-method:3: PLAIN
  supports-8bitmime: TRUE
  supports-auth: TRUE
  supports-auth=login: TRUE
  supports-debug: FALSE
  supports-expand: FALSE
  supports-pipelining: TRUE
  supports-starttls: TRUE
  supports-turn: FALSE
  supports-verify: FALSE

4.5. SSH
SSH, or Secure Shell, is designed to be a replacement for the aging Telnet protocol. Compared with Telnet, it adds encryption and data integrity, and it can also provide stronger authentication mechanisms such as public key authentication.

4.5.1. Discovered Instances of this Service


Device: 174.143.96.250
Protocol: tcp
Port: 22
Vulnerabilities: 3
Additional Information:
  OpenSSH 4.3
  ssh.banner: SSH-2.0-OpenSSH_4.3
  ssh.protocol.version: 2.0
  ssh.rsa.pubkey.fingerprint: 68155186A79E9D58FA0BA9D1B132D88F


5. Discovered Users and Groups


No user or group information was discovered during the scan.


6. Discovered Databases
No database information was discovered during the scan.


7. Discovered Files and Directories


No file or directory information was discovered during the scan.


8. Policy Evaluations
No policy evaluations were performed.


9. Spidered Web Sites


No web sites were spidered during the scan.
