HackerVaccine Report

Report

26/Jun/2012:16:45:33 GMT

Table Of Contents
Vulnerabilities By Plugin
33850 (1) - Unsupported Unix Operating System
22466 (1) - OpenSSH < 4.4 Multiple Vulnerabilities
44077 (1) - OpenSSH < 4.5 Multiple Vulnerabilities
44078 (1) - OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
45411 (2) - SSL Certificate with Wrong Hostname
51192 (2) - SSL Certificate Cannot Be Trusted
57582 (2) - SSL Self-Signed Certificate
12213 (1) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
17703 (1) - OpenSSH < 5.9 Multiple DoS
17704 (1) - OpenSSH S/KEY Authentication Account Enumeration
17705 (1) - OPIE w/ OpenSSH Account Enumeration
17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
20007 (1) - SSL Version 2 (v2) Protocol Detection
26928 (1) - SSL Weak Cipher Suites Supported
31737 (1) - OpenSSH X11 Forwarding Session Hijacking
42873 (1) - SSL Medium Strength Cipher Suites Supported
44065 (1) - OpenSSH < 5.2 CBC Plaintext Disclosure
44076 (1) - OpenSSH < 4.3 scp Command Line Filename Processing Command Injection
44079 (1) - OpenSSH < 4.9 'ForceCommand' Directive Bypass
44081 (1) - OpenSSH < 5.7 Multiple Vulnerabilities
56306 (1) - Web Server Allows Password Auto-Completion (PCI-DSS variant)
44080 (1) - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
47830 (1) - CGI Generic Injectable Parameter
53841 (1) - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
22964 (5) - Service Detection
11219 (4) - hackervaccine SYN scanner
10107 (2) - HTTP Server Type and Version
10863 (2) - SSL Certificate Information
21643 (2) - SSL Cipher Suites Supported
45410 (2) - SSL Certificate commonName Mismatch
51891 (2) - SSL Session Resume Supported
56984 (2) - SSL / TLS Versions Supported
57041 (2) - SSL Perfect Forward Secrecy Cipher Suites Supported
10267 (1) - SSH Server Type and Version Information
10287 (1) - Traceroute Information
10662 (1) - Web mirroring
11002 (1) - DNS Server Detection
11032 (1) - Web Server Directory Enumeration
11936 (1) - OS Identification
12053 (1) - Host Fully Qualified Domain Name (FQDN) Resolution
19506 (1) - hackervaccine Scan Information
24260 (1) - HyperText Transfer Protocol (HTTP) Information
25220 (1) - TCP/IP Timestamps Supported
27576 (1) - Firewall Detection
33817 (1) - CGI Generic Tests Load Estimation (all tests)
39463 (1) - HTTP Server Cookies Set
43111 (1) - HTTP Methods Allowed (per directory)
45590 (1) - Common Platform Enumeration (CPE)
54615 (1) - Device Type
56209 (1) - PCI DSS compliance : Remote Access Software Has Been Detected

Vulnerabilities By Plugin

33850 (1) - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and no longer maintained by its vendor or provider.

Lack of support implies that no new security patches will be released for it.

Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2012/06/13

Hosts

testphp.vulnweb.com (tcp/0)


Ubuntu 6.06 support ended on 2011-06-01.
Upgrade to Ubuntu 12.04.

For more information, see : https://wiki.ubuntu.com/Releases

22466 (1) - OpenSSH < 4.4 Multiple Vulnerabilities

Synopsis

The remote SSH server is affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities :

- A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled.

- A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled.

- When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service.

- On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.

See Also

http://www.openssh.com/txt/release-4.4

Solution

Upgrade to OpenSSH 4.4 or later.

Risk Factor

High

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.9 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

References

BID : 20216
BID : 20241
BID : 20245
CVE : CVE-2006-4924
CVE : CVE-2006-4925
CVE : CVE-2006-5051
CVE : CVE-2006-5052
CVE : CVE-2006-5229
CVE : CVE-2007-3102
CVE : CVE-2008-4109
XREF : OSVDB:29152
XREF : OSVDB:29264
XREF : OSVDB:29266
XREF : OSVDB:29494
XREF : OSVDB:32721
XREF : OSVDB:39214
XREF : CWE:362

Plugin Information:

Publication date: 2006/09/28, Modification date: 2011/11/16

Hosts

testphp.vulnweb.com (tcp/22)

44077 (1) - OpenSSH < 4.5 Multiple Vulnerabilities

Synopsis

The remote SSH service is affected by multiple vulnerabilities.

Description

According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities :

- A client-side null pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925)

- A privilege separation vulnerability that could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. (CVE-2006-5794)

- An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any processes that rely on a trust relationship with the server. This issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)

Note that the authentication bypass vulnerability is only exploitable when other vulnerabilities are present.

See Also

http://www.openssh.org/txt/release-4.5
http://support.apple.com/kb/TA24626
http://openssh.com/security.html

Solution

Upgrade to OpenSSH 4.5 or later.
For Mac OS X 10.3, apply Security Update 2007-003.
For Mac OS X 10.4, upgrade to 10.4.9.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID : 20956
CVE : CVE-2006-4925
CVE : CVE-2006-5794
CVE : CVE-2007-0726
XREF : OSVDB:29494
XREF : OSVDB:30232
XREF : OSVDB:34850

Plugin Information:

Publication date: 2011/10/04, Modification date: 2011/11/16

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.5

44078 (1) - OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass

Synopsis

Remote attackers may be able to bypass authentication.

Description

According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

See Also

http://www.openssh.com/txt/release-4.7

Solution

Upgrade to OpenSSH 4.7 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID : 25628
CVE : CVE-2007-4752
CVE : CVE-2007-2243
XREF : OSVDB:34600
XREF : OSVDB:43371
XREF : CWE:20

Plugin Information:

Publication date: 2011/10/04, Modification date: 2011/11/16

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.7

45411 (2) - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The commonName (CN) of the SSL certificate presented on this port is for a different machine.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/4643)


The following hostnames were checked :
lvps83-169-53-201.dedicated.hosteurope.de

testphp.vulnweb.com (tcp/8443)


The following hostnames were checked :
lvps83-169-53-201.dedicated.hosteurope.de

51192 (2) - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or was not possible to verify. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that hackervaccine either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL, as anyone could establish a man-in-the-middle attack against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2010/12/15, Modification date: 2012/01/28

Hosts

testphp.vulnweb.com (tcp/4643)


The following certificates were at the top of the certificate
chain sent by the remote host, but are signed by an unknown
certificate authority :

|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA
|-Issuer : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA

testphp.vulnweb.com (tcp/8443)


The following certificates were at the top of the certificate
chain sent by the remote host, but are signed by an unknown
certificate authority :

|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA
|-Issuer : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA

57582 (2) - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL, as anyone could establish a man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2012/01/17, Modification date: 2012/01/17

Hosts

testphp.vulnweb.com (tcp/4643)


The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA

testphp.vulnweb.com (tcp/8443)


The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, [email protected]/L=Herndon/C=US/ST=VA

12213 (1) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS

Synopsis

It may be possible to send spoofed RST packets to the remote system.

Description

The remote host might be vulnerable to a sequence number approximation bug, which may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc...).

Solution

See http://www.securityfocus.com/bid/10183/solution/

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID : 10183
CVE : CVE-2004-0230
XREF : OSVDB:4030

Plugin Information:

Publication date: 2004/04/25, Modification date: 2012/06/14

Hosts

testphp.vulnweb.com (tcp/0)

17703 (1) - OpenSSH < 5.9 Multiple DoS

Synopsis

The SSH server on the remote host has multiple denial of service vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities :

- A denial of service vulnerability exists in the gss-serv.c 'ssh_gssapi_parse_ename' function. A remote attacker may be able to trigger this vulnerability if gssapi-with-mic is enabled to create a denial of service condition via a large value in a certain length field.
(CVE-2011-5000)

- On FreeBSD, NetBSD, OpenBSD, and other products, a remote, authenticated attacker could exploit the remote_glob() and process_put() functions to cause a denial of service (CPU and memory consumption).
(CVE-2010-4755)

See Also

http://cxsecurity.com/research/89
http://site.pi3.com.pl/adv/ssh_1.txt

Solution

Upgrade to OpenSSH 5.9 or later.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)

References

BID : 54114
CVE : CVE-2010-4755
CVE : CVE-2011-5000
XREF : OSVDB:75248
XREF : OSVDB:75249
XREF : OSVDB:81500

Plugin Information:

Publication date: 2011/11/18, Modification date: 2012/06/26

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.9

17704 (1) - OpenSSH S/KEY Authentication Account Enumeration

Synopsis

The remote host is susceptible to an information disclosure attack.

Description

When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEY authentication exists.

Note that hackervaccine has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.

See Also

http://www.hackervaccine.org/u?87921f08

Solution

A patch currently does not exist for this issue. As a workaround, either set 'ChallengeResponseAuthentication' in the OpenSSH config to 'no' or use a version of OpenSSH without S/KEY support compiled in.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.8 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID : 23601
CVE : CVE-2007-2243
XREF : OSVDB:34600
XREF : CWE:287

Plugin Information:

Publication date: 2011/11/18, Modification date: 2011/11/18

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1

17705 (1) - OPIE w/ OpenSSH Account Enumeration

Synopsis

The remote host is susceptible to an information disclosure attack.

Description

When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain user accounts.

Note that hackervaccine has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it does not detect if the remote host actually has OPIE for PAM installed.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html

Solution

A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

CVE : CVE-2007-2768
XREF : OSVDB:34601

Plugin Information:

Publication date: 2011/11/18, Modification date: 2011/11/18

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1

17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing

Synopsis

The remote SSH server may permit anonymous port bouncing.

Description

According to its banner, the remote host is running OpenSSH, version 2.3.0 or later. Such versions of OpenSSH allow forwarding TCP connections. If the OpenSSH server is configured to allow anonymous connections (e.g. AnonCVS), remote, unauthenticated users could use the host as a proxy.

See Also

http://marc.info/?l=bugtraq&m=109413637313484&w=2
http://www.hackervaccine.org/u?2c86d008

Solution

Disallow anonymous users, set AllowTcpForwarding to 'no', or use the Match directive to restrict anonymous users.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

CVE : CVE-2004-1653
XREF : OSVDB:9562

Plugin Information:

Publication date: 2011/12/01, Modification date: 2011/12/01

Hosts

testphp.vulnweb.com (tcp/22)


Version source : ssh-2.0-openssh_4.2p1 debian-7ubuntu3.2
Installed version : 4.2p1

20007 (1) - SSL Version 2 (v2) Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See Also

http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE : CVE-2005-2969

Plugin Information:

Publication date: 2005/10/12, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/8443)

26928 (1) - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application if possible to avoid use of weak ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF : CWE:327
XREF : CWE:326
XREF : CWE:753
XREF : CWE:803
XREF : CWE:720

Plugin Information:

Publication date: 2007/10/08, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/8443)


Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

31737 (1) - OpenSSH X11 Forwarding Session Hijacking

Synopsis

The remote SSH service is prone to an X11 session hijacking vulnerability.

Description

According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because the server improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0

Solution

Upgrade to OpenSSH version 5.0 or later.

Risk Factor

Medium

CVSS Base Score

6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

5.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

References

BID : 28444
CVE : CVE-2008-1483
CVE : CVE-2008-3234
XREF : OSVDB:43745
XREF : OSVDB:48791
XREF : Secunia:29522
XREF : CWE:264

Plugin Information:

Publication date: 2008/04/03, Modification date: 2011/11/16

Hosts

testphp.vulnweb.com (tcp/22)


The remote OpenSSH server returned the following banner :

SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2

42873 (1) - SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/11/23, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/8443)


Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

44065 (1) - OpenSSH < 5.2 CBC Plaintext Disclosure

Synopsis

The SSH service running on the remote host has an information disclosure vulnerability.

Description

The version of OpenSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.

See Also

http://www.hackervaccine.org/u?4984aeb9
http://www.openssh.com/txt/cbc.adv
http://www.openssh.com/txt/release-5.2

Solution

Upgrade to OpenSSH 5.2 or later.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)

References

BID : 32319
CVE : CVE-2008-5161
XREF : OSVDB:50036
XREF : CERT:958563
XREF : CWE:200

Plugin Information:

Publication date: 2011/09/27, Modification date: 2011/09/28

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.2

44076 (1) - OpenSSH < 4.3 scp Command Line Filename Processing Command Injection

Synopsis

The version of SSH running on the remote host has a command injection vulnerability.

Description

According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.

See Also

https://bugzilla.mindrot.org/show_bug.cgi?id=1094
http://www.openssh.com/txt/release-4.3

Solution

Upgrade to OpenSSH 4.3 or later.

Risk Factor

Medium

CVSS Base Score

4.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

3.8 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

References

BID : 16369
CVE : CVE-2006-0225
XREF : OSVDB:22692

Plugin Information:

Publication date: 2011/10/04, Modification date: 2012/04/10

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.3

44079 (1) - OpenSSH < 4.9 'ForceCommand' Directive Bypass

Synopsis

The remote SSH service is affected by a security bypass vulnerability.

Description

According to its banner, the version of OpenSSH installed on the remote host is earlier than 4.9. It may allow a remote, authenticated user to bypass the 'sshd_config' 'ForceCommand' directive by modifying the '.ssh/rc' session file.

See Also

http://www.openssh.org/txt/release-4.9

Solution

Upgrade to OpenSSH version 4.9 or later.

Risk Factor

Medium

CVSS Base Score

6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Temporal Score

5.4 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

References

BID : 28531
CVE : CVE-2008-1657
XREF : OSVDB:43911
XREF : CWE:264

Plugin Information:

Publication date: 2011/10/04, Modification date: 2011/10/05

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.9

44081 (1) - OpenSSH < 5.7 Multiple Vulnerabilities

Synopsis

The remote SSH service may be affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7 may be affected by the following vulnerabilities :

- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that hackervaccine has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)

- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys command options, which allows remote, authenticated users to obtain potentially sensitive information by reading these messages. (CVE-2012-0814)

See Also

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://www.hackervaccine.org/u?3f1722f0

Solution

Upgrade to OpenSSH 5.7 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID : 45304
BID : 51702
CVE : CVE-2010-4478
CVE : CVE-2012-0814
XREF : OSVDB:69658

Plugin Information:

Publication date: 2011/10/04, Modification date: 2012/05/04

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.7

56306 (1) - Web Server Allows Password Auto-Completion (PCI-DSS variant)

Synopsis

Auto-complete is not disabled on password fields.

Description

The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'.

While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

Risk Factor

Medium

CVSS Base Score

4.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N)

Plugin Information:

Publication date: 2011/09/27, Modification date: 2011/09/28

Hosts

testphp.vulnweb.com (tcp/4643)

Page : /vz/cp
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?doReturn=Return&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ja&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=es&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=ログインボタン&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ru&doLogin
=Iniciar sesión&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=de&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=Вход&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=zh_TW&doLo
gin=Anmelden&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass




Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ja&doLogin
=Login_button&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass



44080 (1) - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking

Synopsis

The remote SSH service may be affected by an X11 forwarding port hijacking vulnerability.

Description

According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to hijack the X11 forwarding port. The application improperly sets the 'SO_REUSEADDR' socket option when the 'X11UseLocalhost' configuration option is disabled.

Note that most operating systems, when attempting to bind to a port that has previously been bound with the 'SO_REUSEADDR' option, will check that either the effective user-id matches the previous bind (common BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). This is not the case with other operating systems such as HP/UX.

See Also

http://www.openssh.org/txt/release-5.1

Solution

Upgrade to OpenSSH version 5.1 or later.

Risk Factor

Low

CVSS Base Score

1.2 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

1.0 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)

References

BID

30339

CVE

CVE-2008-3259

XREF

OSVDB:47227

XREF

CWE:200

Plugin Information:

Publication date: 2011/10/04, Modification date: 2011/10/05

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.1

47830 (1) - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidates for extended injection tests.

Description

hackervaccine was able to inject innocuous strings into CGI parameters and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.

Solution

n/a

Risk Factor

Low

References

XREF

CWE:86

Plugin Information:

Publication date: 2010/07/26, Modification date: 2011/09/21

Hosts

testphp.vulnweb.com (tcp/4643)


Using the GET HTTP method, hackervaccine found that :

+ The following resources may be vulnerable to injectable parameter :

+ The 'LoginUser' parameter of the /vz/cp/login-wrapper CGI :

/vz/cp/login-wrapper?LoginUser=acnetf

-------- output --------
<td><img src="/vz/skins/winxp.new/images/1x1.gif" width="10" heigh [...]
<td width="40%"><font style="color:#111111">Username</font></td>
<td align="left" width="60%"><input type="text" name="LoginUser" class="
FlatInput" title="Username" value="acnetf"></td>
</tr>
<tr>
------------------------

/vz/cp/login-wrapper?doReturn=Return&LoginUser=acnetf&LoginPass=&js_mode
=0&doLogin=Login_button&java_mode='notdef'&active_lang=zh_TW

-------- output --------
<td><img src="/vz/skins/winxp.new/images/1x1.gif" width="10" heigh [...]
<td width="40%"><font style="color:#111111">使用者名稱</font></td>
<td align="left" width="60%"><input type="text" name="LoginUser" class="
FlatInput" title="使用者名稱" value="acnetf"></td>
</tr>
<tr>
------------------------

Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)

https://testphp.vulnweb.com:4643/vz/cp/login-wrapper?LoginUser=acnetf

53841 (1) - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure

Synopsis

Local attackers may be able to access sensitive information.

Description

According to its banner, the version of OpenSSH running on the remote host is earlier than 5.8p2. Such versions may be affected by a local information disclosure vulnerability that could allow the contents of the host's private key to be accessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow the impersonation of the host.

Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the case for *BSD, OS X, Cygwin and Linux.

See Also

http://www.openssh.com/txt/portable-keysign-rand-helper.adv
http://www.openssh.com/txt/release-5.8p2

Solution

Upgrade to Portable OpenSSH 5.8p2 or later.

Risk Factor

Low

CVSS Base Score

2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

1.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

References

BID

47691

XREF

OSVDB:72183

XREF

Secunia:44347

Plugin Information:

Publication date: 2011/05/09, Modification date: 2011/11/15

Hosts

testphp.vulnweb.com (tcp/22)


Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.8p2

22964 (5) - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2012/06/25

Hosts

testphp.vulnweb.com (tcp/22)

An SSH server is running on this port.

testphp.vulnweb.com (tcp/4643)

A TLSv1 server answered on this port.

testphp.vulnweb.com (tcp/4643)

A web server is running on this port through TLSv1.

testphp.vulnweb.com (tcp/8443)

A TLSv1 server answered on this port.

testphp.vulnweb.com (tcp/8443)

A web server is running on this port through TLSv1.

11219 (4) - hackervaccine SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner.
It shall be reasonably quick even against a firewalled target.

Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Hosts

testphp.vulnweb.com (tcp/22)

Port 22/tcp was found to be open

testphp.vulnweb.com (tcp/80)

Port 80/tcp was found to be open

testphp.vulnweb.com (tcp/4643)

Port 4643/tcp was found to be open

testphp.vulnweb.com (tcp/8443)

Port 8443/tcp was found to be open

10107 (2) - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2012/06/04

Hosts

testphp.vulnweb.com (tcp/4643)

The remote web server type is :

Apache
and the 'ServerTokens' directive is ProductOnly
Apache does not offer a way to hide the server type.

testphp.vulnweb.com (tcp/8443)

The remote web server type is :

Apache
and the 'ServerTokens' directive is ProductOnly
Apache does not offer a way to hide the server type.

10863 (2) - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2008/05/19, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/4643)

Subject Name:

Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: [email protected]
Locality: Herndon
Country: US
State/Province: VA

Issuer Name:

Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: [email protected]
Locality: Herndon
Country: US
State/Province: VA

Serial Number: 00 F4 00 89 ED 2C 35 1C 8D

Version: 1

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Jun 25 10:30:23 2012 GMT
Not Valid After: Jun 25 10:30:23 2013 GMT

Public Key Info:

Algorithm: RSA Encryption
Exponent: 01 00 01

testphp.vulnweb.com (tcp/8443)

Subject Name:

Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: [email protected]
Locality: Herndon
Country: US
State/Province: VA

Issuer Name:

Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: [email protected]
Locality: Herndon
Country: US
State/Province: VA

Serial Number: 00 F4 00 89 ED 2C 35 1C 8D

Version: 1

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Jun 25 10:30:23 2012 GMT
Not Valid After: Jun 25 10:30:23 2013 GMT

Public Key Info:

Algorithm: RSA Encryption
Exponent: 01 00 01

21643 (2) - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/06/05, Modification date: 2012/05/03

Hosts

testphp.vulnweb.com (tcp/4643)


Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

testphp.vulnweb.com (tcp/8443)


Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

45410 (2) - SSL Certificate commonName Mismatch

Synopsis

The SSL certificate commonName does not match the host name.

Description

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/4643)


The host name known by hackervaccine is : testphp.vulnweb.com
The CommonName of the certificate is : lvps83-169-53-201.dedicated.hosteurope.de.

testphp.vulnweb.com (tcp/8443)


The host name known by hackervaccine is : testphp.vulnweb.com
The CommonName of the certificate is : lvps83-169-53-201.dedicated.hosteurope.de.

51891 (2) - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/02/07, Modification date: 2012/04/19

Hosts

testphp.vulnweb.com (tcp/4643)


This port supports resuming SSLv3 sessions.

testphp.vulnweb.com (tcp/8443)


This port supports resuming SSLv3 sessions.

56984 (2) - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/01, Modification date: 2012/06/23

Hosts

testphp.vulnweb.com (tcp/4643)


This port supports SSLv3/TLSv1.0.

testphp.vulnweb.com (tcp/8443)


This port supports SSLv2/SSLv3/TLSv1.0.

57041 (2) - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

See Also

http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/07, Modification date: 2012/04/02

Hosts

testphp.vulnweb.com (tcp/4643)


Here is the list of SSL PFS ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

testphp.vulnweb.com (tcp/8443)


Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

10267 (1) - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Hosts

testphp.vulnweb.com (tcp/22)


SSH version : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2

10287 (1) - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2012/02/23

Hosts

testphp.vulnweb.com (udp/0)

For your information, here is the traceroute from 10.0.0.4 to 87.230.87.158 :

10662 (1) - Web mirroring

Synopsis

hackervaccine crawled the remote web site.

Description

This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the 'Options' section of the client.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/05/04, Modification date: 2012/06/07

Hosts

testphp.vulnweb.com (tcp/4643)


The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/vz/cp/login-wrapper (LoginPass [] doLogin [Log in] js_mode [0] doReturn [Return] LoginUser ...)

11002 (1) - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.

See Also

http://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

Risk Factor

None

Plugin Information:

Publication date: 2003/02/13, Modification date: 2011/03/11

Hosts

testphp.vulnweb.com (udp/53)

11032 (1) - Web Server Directory Enumeration

Synopsis

It is possible to enumerate directories on the web server.

Description

This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.

See Also

http://projects.webappsec.org/Predictable-Resource-Location

Solution

n/a

Risk Factor

None

References

XREF

OWASP:OWASP-CM-006

Plugin Information:

Publication date: 2002/06/26, Modification date: 2012/04/14

Hosts

testphp.vulnweb.com (tcp/4643)


The following directories were discovered:
/cgi-bin, /error, /icons

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

11936 (1) - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use, and sometimes its version.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2012/04/06

Hosts

testphp.vulnweb.com (tcp/0)


Remote operating system : Linux Kernel 2.6 on Ubuntu 6.06 (dapper)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 6.06 (dapper)

12053 (1) - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

hackervaccine was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2011/07/14

Hosts

testphp.vulnweb.com (tcp/0)


87.230.87.158 resolves as testphp.vulnweb.com.

19506 (1) - hackervaccine Scan Information

Synopsis

Information about the hackervaccine scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the hackervaccine Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2012/04/18

Hosts

testphp.vulnweb.com (tcp/0)

Information about this scan :

hackervaccine version : 5.0.1
Plugin feed version : 201206261238
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.0.0.4
Port scanner(s) : hackervaccine_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2012/6/26 16:45
Scan duration : 12093 sec

24260 (1) - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Hosts

testphp.vulnweb.com (tcp/4643)


Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Wed, 27 Jun 2012 00:12:38 GMT
Server: Apache
Location: https://testphp.vulnweb.com:4643/vz/cp/
Content-Length: 294
Connection: close
Content-Type: text/html; charset=iso-8859-1

25220 (1) - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Hosts

testphp.vulnweb.com (tcp/0)

27576 (1) - Firewall Detection

Synopsis

The remote host is behind a firewall.

Description

Based on the responses obtained by the SYN or TCP port scanner, it was possible to determine that the remote host seems to be protected by a firewall.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/26, Modification date: 2012/02/22

Hosts

testphp.vulnweb.com (tcp/0)

33817 (1) - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.

Note that the script does not try to compute this duration based on external factors such as network and web server load.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/10/26, Modification date: 2012/02/14

Hosts

testphp.vulnweb.com (tcp/4643)

Here are the estimated number of requests in miscellaneous modes
for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

blind SQL injection : S=84 SP=516 AP=1164 SC=2016 AC=11088
directory traversal (extended test) : S=357 SP=2193 AP=4947 SC=8568 AC=47124
arbitrary command execution (time based) : S=42 SP=258 AP=582 SC=1008 AC=5544
local file inclusion : S=7 SP=43 AP=97 SC=168 AC=924
header injection : S=2 SP=2 AP=2 SC=2 AC=2
XML injection : S=7 SP=43 AP=97 SC=168 AC=924
script injection : S=1 SP=1 AP=1 SC=1 AC=1
blind SQL injection (4 requests) : S=28 SP=172 AP=388 SC=672 AC=3696
on site request forgery : S=1 SP=1 AP=1 SC=1 AC=1
cross-site scripting (comprehensive test): S=56 SP=344 AP=776 SC=1344 AC=7392
HTTP response splitting : S=9 SP=9 AP=9 SC=9 AC=9
SQL injection : S=175 SP=1075 AP=2425 SC=4200 AC=23100
arbitrary command execution : S=112 SP=688 AP=1552 SC=2688 AC=14784
cross-site scripting (extended patterns) : S=7 SP=7 AP=7 SC=7 AC=7
directory traversal : S=175 SP=1075 AP=2425 SC=4200 AC=23100
web code injection : S=7 SP=43 AP=97 SC=168 AC=924
injectable parameter : S=14 SP=86 AP=194 SC=336 AC=1848
format string : S=14 SP=86 AP=194 SC=336 AC=1848
SSI injection : S=21 SP=129 AP=291 SC=504 AC=2772
HTML injection : S=5 SP=5 AP=5 SC=5 AC=5
unseen parameters : S=245 SP=1505 AP=3395 SC=5880 AC=32340
SQL injection (2nd order) : S=7 SP=43 AP=97 SC=168 AC=924
directory traversal (write access) : S=14 SP=86 AP=194 SC=336 AC=1848
persistent XSS : S=28 SP=172 AP=388 SC=672 AC=3696

All tests : S=1418 SP=8582 AP=19328 SC=33457 AC=183901

Here are the estimated number of requests in miscellaneous modes
for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

blind SQL injection : S=168 SP=1032 AP=2328 SC=4032 AC=22176
directory traversal (extended test) : S=714 SP=4386 AP=9894 SC=17136 AC=94248
arbitrary command execution (time based) : S=84 SP=516 AP=1164 SC=2016 AC=11088
local file inclusion : S=14 SP=86 AP=194 SC=336 AC=1848
header injection : S=4 SP=4 AP=4 SC=4 AC=4
XML injection : S=14 SP=86 AP=194 SC=336 AC=1848
script injection : S=2 SP=2 AP=2 SC=2 AC=2
blind SQL injection (4 requests) : S=56 SP=344 AP=776 SC=1344 AC=7392
on site request forgery : S=2 SP=2 AP=2 SC=2 AC=2
cross-site scripting (comprehensive test): S=112 SP=688 AP=1552 SC=2688 AC=14784
HTTP response splitting : S=18 SP=18 AP=18 SC=18 AC=18
SQL injection : S=350 SP=2150 AP=4850 SC=8400 AC=46200
arbitrary command execution : S=224 SP=1376 AP=3104 SC=5376 AC=29568
cross-site scripting (extended patterns) : S=14 SP=14 AP=14 SC=14 AC=14
directory traversal : S=350 SP=2150 AP=4850 SC=8400 AC=46200
web code injection : S=14 SP=86 AP=194 SC=336 AC=1848
injectable parameter : S=28 SP=172 AP=388 SC=672 AC=3696
format string : S=28 SP=172 AP=388 SC=672 AC=3696
SSI injection : S=42 SP=258 AP=582 SC=1008 AC=5544
HTML injection : S=10 SP=10 AP=10 SC=10 AC=10
unseen parameters : S=490 SP=3010 AP=6790 SC=11760 AC=64680
SQL injection (2nd order) : S=14 SP=86 AP=194 SC=336 AC=1848
directory traversal (write access) : S=28 SP=172 AP=388 SC=672 AC=3696
persistent XSS : S=56 SP=344 AP=776 SC=1344 AC=7392

All tests : S=2836 SP=17164 AP=38656 SC=66914 AC=367802

Your mode : single, GET and POST, Paranoid.
Maximum number of requests : 2836

39463 (1) - HTTP Server Cookies Set

Synopsis

Some cookies have been set by the web server.

Description

HTTP cookies are pieces of information that are presented by web servers and are sent back by the browser.
As HTTP is a stateless protocol, cookies are a possible mechanism to keep track of sessions.

This plugin displays the list of the HTTP cookies that were set by the web server when it was crawled.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/19, Modification date: 2011/03/15

Hosts

testphp.vulnweb.com (tcp/4643)


path = /
name = vzcpLang
value = ja
version = 1
secure = 1
httponly = 0

43111 (1) - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2011/07/08

Hosts

testphp.vulnweb.com (tcp/4643)

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST are allowed on :

/error
/icons
/vz/cp
/vz/js
/vz/skins/winxp.new/images


Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX
LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS
ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

/cgi-bin
/vz/cp

- HTTP methods GET HEAD OPTIONS POST are allowed on :

/
/error
/icons
/vz/js
/vz/skins/winxp.new/images

- Invalid/unknown HTTP methods are allowed on :

/cgi-bin
/vz/cp

45590 (1) - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a hackervaccine scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2012/05/21

Hosts

testphp.vulnweb.com (tcp/0)


The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:6.06 -> Canonical Ubuntu Linux 6.06

Following application CPE matched on the remote system :

cpe:/a:openbsd:openssh:4.2 -> OpenBSD OpenSSH 4.2

54615 (1) - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a printer, router, general-purpose computer, etc.).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Hosts

testphp.vulnweb.com (tcp/0)

Remote device type : general-purpose
Confidence level : 95

56209 (1) - PCI DSS compliance : Remote Access Software Has Been Detected

Synopsis

Remote access software has been detected.

Description

Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C in the ASV Program Guide, or disabled / removed. Please consult your ASV if you have questions about this Special Note.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/09/15, Modification date: 2012/01/24

Hosts

testphp.vulnweb.com (tcp/0)


An SSH server (remote terminal) is running on the remote host.