Audit Report: Audited On December 02 2011

Audit Report
Grupo Canton
Audited on December 02 2011
Reported on December 02 2011
Audit Report
1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network. Site Name Grupo Canton Start Time December 02, 2011 13:06, COT End Time December 02, 2011 13:16, COT Total Time 10 minutes Status Success
There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.
There were 56 vulnerabilities found during this scan. Of these, 8 were critical vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 42 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 6 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.
There were 3 occurrences of the certificate-common-name-mismatch, tls-server-cert-expired and ssl-self-signed-certificate vulnerabilities, making them the most common vulnerabilities. There were 72 vulnerabilities in the Web category, making it the most common vulnerability category.
Page 1
Audit Report
The http-apache-apr_palloc-heap-overflow vulnerability poses the highest risk to the organization with a risk score of 450. Vulnerability risk scores are calculated by looking at the likelihood of attack and impact, based upon CVSS metrics. The impact and likelihood are then multiplied by the number of instances of the vulnerability to come up with the final risk score. One operating system was identified during this scan. There were 5 services found to be running during this scan.
The HTTP, HTTPS, MySQL, SMTP and SSH services were found on 1 systems, making them the most common services. The HTTPS and HTTP services were found to have the most vulnerabilities during this scan, each with 37 vulnerabilities.
Page 2
Audit Report
2. Discovered Systems
Node 174.143.96.250 Operating System Red Hat Linux Risk 33,173 Aliases grupocanton.com 228605-web1.www.tabascohoy.com
Page 3
Audit Report
3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities
3.1.1. Apache httpd APR apr_palloc heap overflow (CVE-2009-2412) (http-apache-apr_palloc-heap-overflow)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application can be passed unsanitized userprovided sizes to the apr_palloc() function. Review your Web server configuration for validation. A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.
Affected Nodes:
Affected Nodes: 174.143.96.250:80 174.143.96.250:443 Additional Information: Running vulnerable HTTP service: Apache 2.2.3. Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source APPLE BID CVE OSVDB OSVDB OVAL OVAL SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE Reference APPLE-SA-2009-11-09 35949 CVE-2009-2412 56765 56766 OVAL8394 OVAL9958 36138 36140 36166 36233 37152 37221 SUSE-SA:2009:050
Page 4
Audit Report Source URL Reference http://httpd.apache.org/security/vulnerabilities_22.html
Vulnerability Solution:
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.13.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.1.2. MySQL dispatch_command() Multiple Format String Vulnerabilities (mysql-dispatch_command-multipleformat-string)
Description:
Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
Affected Nodes:
Affected Nodes: 174.143.96.250:3306 Additional Information: Running vulnerable MySQL service: MySQL 5.0.77.
References:
Source APPLE BID CVE OSVDB OVAL REDHAT SECUNIA SECUNIA XF Reference APPLE-SA-2010-03-29 35609 CVE-2009-2446 55734 OVAL11857 RHSA-2010:0110 35767 38517 mysql-dispatchcommand-format-string(51614)
MySQL >= 5.0.0 and < 5.0.84 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
Page 5
Audit Report
3.1.3. Apache httpd mod_proxy_ftp FTP command injection (CVE-2009-3095) (apache-httpd-2_2_xmod_proxy_ftp-ftp-command-injection-cve-2009-3095)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.
Affected Nodes:
References:
Source APPLE CVE DEBIAN OVAL OVAL SECUNIA SUSE URL Reference APPLE-SA-2010-03-29 CVE-2009-3095 DSA-1934 OVAL8662 OVAL9363 37152 SUSE-SA:2009:050 http://httpd.apache.org/security/vulnerabilities_22.html
3.1.4. Apache httpd Range header remote DoS (CVE-2011-3192) (apache-httpd-cve-2011-3192)
Page 6
Audit Report
Description:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack.
Affected Nodes:
Affected Nodes: 174.143.96.250:443 Additional Information: Server responded with partial content to a request with malicious Range headers
References:
Source APPLE BID CERT-VN CVE OSVDB REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL URL XF Reference APPLE-SA-2011-10-12 49303 405811 CVE-2011-3192 74721 RHSA-2011:1245 RHSA-2011:1294 RHSA-2011:1300 RHSA-2011:1329 RHSA-2011:1330 RHSA-2011:1369 45606 45937 46000 46125 46126 http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html apache-http-byterange-dos(69396)
Apache >= 2.0 and < 2.1 Upgrade to Apache version 2.0.65 Download and apply the upgrade from: http://httpd.apache.org/download.cgi Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for
Page 7
Audit Report more information.Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system. Apache >= 2.2 and < 2.3 Upgrade to Apache version 2.2.20 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.20.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.1.5. Apache httpd APR-util XML DoS (CVE-2009-1955) (http-apache-apr-util-xml-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker could convince Apache to consume a specially crafted XML document. Review your Web server configuration for validation. A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OVAL OVAL REDHAT REDHAT SECUNIA Reference APPLE-SA-2009-11-09 35253 CVE-2009-1955 DSA-1812 OVAL10270 OVAL12473 RHSA-2009:1107 RHSA-2009:1108 34724
Page 8
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference 35284 35360 35395 35444 35487 35565 35710 35797 35843 36473 37221 http://httpd.apache.org/security/vulnerabilities_22.html
3.1.6. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)
Description:
Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. Added missing sanity checks around exif processing. Fixed a safe_mode bypass in tempnam(). Fixed a open_basedir bypass in posix_mkfifo(). Fixed bug #50063 (safe_mode_include_dir fails).
Affected Nodes:
Affected Nodes: 174.143.96.250:80 Additional Information: Running vulnerable HTTP service: Apache 2.2.3.
Page 9
Audit Report
References:
Source APPLE APPLE CVE CVE CVE CVE CVE DEBIAN OSVDB OVAL OVAL OVAL OVAL OVAL SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL URL XF Reference APPLE-SA-2009-11-09 APPLE-SA-2010-03-29 CVE-2009-3292 CVE-2009-3557 CVE-2009-3558 CVE-2009-3559 CVE-2009-4017 DSA-1940 58186 OVAL10483 OVAL6667 OVAL7396 OVAL7652 OVAL9982 36791 37412 37482 37821 40262 41480 41490 http://www.php.net/ChangeLog-5.php#5.3.1 http://www.php.net/releases/5_3_1.php php-multipart-formdata-dos(54455)
Download and apply the upgrade from: http://www.php.net/get/php-5.3.1.tar.gz/from/a/mirror Upgrade to PHP v5.3.1 (released on November 19th, 2009).
3.1.7. MySQL yaSSL CertDecoder::GetName Multiple Buffer Overflows (mysql-yassl-certdecodergetnamemultiple-bofs)
Description:
Page 10
Audit Report
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11.
Affected Nodes:
References:
Source BID BID BID CVE DEBIAN OSVDB SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL URL URL XF Reference 37640 37943 37974 CVE-2009-4484 DSA-1997 61956 37493 38344 38364 38517 38573 http://bugs.mysql.com/bug.php?id=50227 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html mysql-unspecified-bo(55416)
MySQL >= 5.0.0 and < 5.0.90 Upgrade to MySQL v5.0.90 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch. MySQL >= 5.1.0 and < 5.1.43 Upgrade to MySQL v5.1.43
Page 11
Audit Report Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.1.8. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)
Description:
Before version 4.7, OpenSSH did not properly handle when an untrusted cookie could not be created. In its place, it uses a trusted X11 cookie. This allows attackers to violate intended policy and gain user privileges by causing an X client to be treated as trusted.
Affected Nodes:
Affected Nodes: 174.143.96.250:22 Additional Information: Running vulnerable SSH service: OpenSSH 4.3.
References:
Source APPLE BID CVE DEBIAN OVAL OVAL REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA XF Reference APPLE-SA-2008-03-18 25628 CVE-2007-4752 DSA-1576 OVAL10809 OVAL5599 RHSA-2008:0855 27399 29420 30249 31575 32241 openssh-x11cookie-privilege-escalation(36637)
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz Version 4.7 of OpenSSH was released on September 4th, 2007. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
Page 12
Audit Report
3.2. Severe Vulnerabilities

3.2.1. Apache httpd mod_deflate DoS (CVE-2009-1891) (http-apache-mod_deflate-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_deflate. Review your Web server configuration for validation. A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file.
Affected Nodes:
References:
Source APPLE CVE DEBIAN OSVDB OVAL OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE Reference APPLE-SA-2009-11-09 CVE-2009-1891 DSA-1834 55782 OVAL12361 OVAL8632 OVAL9248 RHSA-2009:1148 RHSA-2009:1156 35721 35781 35793 35865 37152 37221 SUSE-SA:2009:050
Page 13
Audit Report Source URL Reference http://httpd.apache.org/security/vulnerabilities_22.html
3.2.2. Apache httpd mod_proxy reverse proxy DoS (CVE-2009-1890) (http-apache-mod_proxy-reverse-proxy-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. A denial of service flaw was found in the mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OSVDB OVAL OVAL OVAL REDHAT REDHAT SECUNIA Reference APPLE-SA-2009-11-09 35565 CVE-2009-1890 DSA-1834 55553 OVAL12330 OVAL8616 OVAL9403 RHSA-2009:1148 RHSA-2009:1156 35691
Page 14
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL Reference 35721 35793 35865 37152 37221 SUSE-SA:2009:050 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.3. MySQL Directory Traversal and Arbitrary Table Access Vulnerability (mysql-directory-traversal-andarbitrary-table-access)
Description:
Directory traversal vulnerability in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.
Affected Nodes:
References:
Source APPLE CVE OVAL OVAL REDHAT REDHAT URL Reference APPLE-SA-2010-11-10 CVE-2010-1848 OVAL10258 OVAL7210 RHSA-2010:0442 RHSA-2010:0824 http://bugs.mysql.com/bug.php?id=53371
Page 15
Audit Report Source URL URL Reference http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
MySQL >= 5.0.0 and < 5.0.91 Upgrade to MySQL v5.0.91 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch. MySQL >= 5.1.0 and < 5.1.47 Upgrade to MySQL v5.1.47 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.4. MySQL vio_verify_callback() Zero-Depth X.509 Certificate Vulnerability (mysql-vio_verify_callback-zerodepth-x-509-certificate)
Description:
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 accepts a value of zero for the depth of X.509 certificates when OpenSSL is used. This allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate.
Affected Nodes:
References:
Source CVE OVAL OVAL REDHAT URL URL URL Reference CVE-2009-4028 OVAL10940 OVAL8510 RHSA-2010:0109 http://bugs.mysql.com/bug.php?id=47320 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
Page 16
Audit Report
3.2.5. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-fowarding-infodisclosure)
Description:
Certain versions of OpenSSH do not properly bind TCP ports on the local IPv6 interface if the required IPv4 ports are in use. This could allow a local attacker to hijack a forwarded X11 session via opening TCP port 6010 (IPv4).
Affected Nodes:
References:
Source APPLE BID CERT CVE DEBIAN NETBSD OVAL SECUNIA SECUNIA SECUNIA SECUNIA Reference APPLE-SA-2008-09-15 28444 TA08-260A CVE-2008-1483 DSA-1576 NetBSD-SA2008-005 OVAL6085 29522 29537 29554 29626
Page 17
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL XF Reference 29676 29683 29686 29721 29735 29873 29939 30086 30230 30249 30347 30361 31531 31882 http://www.openssh.org/txt/release-5.0 openssh-sshd-session-hijacking(41438)
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz Version 5.0 of OpenSSH was released on April 3rd, 2008. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.6. Apache httpd APR-util off-by-one overflow (CVE-2009-1956) (http-apache-apr-util-off-by-one-overflow)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted string to a function that handles a variable list of arguments on big-endian platforms. Review your Web server configuration for validation. An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service.
Affected Nodes:
Affected Nodes: Additional Information:
Page 18
Audit Report Affected Nodes: 174.143.96.250:80 174.143.96.250:443 Additional Information: Running vulnerable HTTP service: Apache 2.2.3. Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source APPLE BID CVE OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference APPLE-SA-2009-11-09 35251 CVE-2009-1956 OVAL11567 OVAL12237 RHSA-2009:1107 RHSA-2009:1108 34724 35284 35395 35487 35565 35710 35797 35843 37221 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.7. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)
Description:
Improved LCG entropy. Fixed safe_mode validation inside tempnam() when the directory path does not end with a /.
Page 19
Audit Report
Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak.
Affected Nodes:
References:
Source URL URL Reference http://www.php.net/releases/5_3_2.php http://www.php.net/ChangeLog-5.php#5.3.2
Download and apply the upgrade from: http://www.php.net/get/php-5.3.2.tar.gz/from/a/mirror Upgrade to PHP v5.3.2 (released on March 4th, 2010).
3.2.8. MySQL COM_FIELD_LIST Command Buffer Overflow Vulnerability (mysql-com_field_list-command-bof)
Description:
A buffer overflow in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Affected Nodes:
References:
Source APPLE CVE OVAL OVAL REDHAT URL URL URL Reference APPLE-SA-2010-11-10 CVE-2010-1850 OVAL10846 OVAL6693 RHSA-2010:0442 http://bugs.mysql.com/bug.php?id=53237 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
Page 20
Audit Report
3.2.9. Apache httpd expat DoS (CVE-2009-3560) (apache-httpd-2_2_x-cve-2009-3560)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML document. Review your Web server configuration for validation. A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrused XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
Affected Nodes:
References:
Source BID CVE DEBIAN OVAL OVAL OVAL REDHAT SECUNIA Reference 37203 CVE-2009-3560 DSA-1953 OVAL10613 OVAL12942 OVAL6883 RHSA-2011:0896 37537
Page 21
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference 38231 38794 38832 38834 39478 41701 43300 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.10. Apache httpd expat DoS (CVE-2009-3720) (apache-httpd-2_2_x-cve-2009-3720)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker is able to get Apache to parse an untrusted XML document. Review your Web server configuration for validation. A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrused XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
Affected Nodes:
References:
Source CVE OVAL OVAL OVAL Reference CVE-2009-3720 OVAL11019 OVAL12719 OVAL7112
Page 22
Audit Report Source REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference RHSA-2010:0002 RHSA-2011:0896 37324 37537 37925 38050 38231 38794 38832 38834 39478 41701 42326 42338 43300 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.11. Apache httpd apr_bridage_split_line DoS (CVE-2010-1623) (apache-httpd-2_2_x-cve-2010-1623)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if if Apache processes non-SSL requests. Review your Web server configuration for validation. A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.
Affected Nodes:
Page 23
References:
Source BID CVE OVAL REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference 43673 CVE-2010-1623 OVAL12800 RHSA-2010:0950 RHSA-2011:0896 RHSA-2011:0897 41701 42015 42361 42367 42403 42537 43211 43285 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.12. Apache httpd mod_cache and mod_dav DoS (CVE-2010-1452) (apache-httpd-2_2_x-mod_cache-andmod_dav-dos-cve-2010-1452)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache or mod_dav. Review your Web server configuration for validation. A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the
Page 24
Audit Report uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used.Acknowledgements: This issue was reported by Mark Drayton.
Affected Nodes:
References:
Source APPLE CVE OVAL OVAL REDHAT REDHAT REDHAT SECUNIA URL Reference APPLE-SA-2011-03-21 CVE-2010-1452 OVAL11683 OVAL12341 RHSA-2010:0659 RHSA-2011:0896 RHSA-2011:0897 42367 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.13. Apache httpd mod_proxy crash (CVE-2007-3847) (apache-httpd-2_2_x-mod_proxy-crash-cve-2007-3847)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.
Page 25
Audit Report
Affected Nodes:
References:
Source APPLE APPLE BID CERT CVE OVAL REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA Reference APPLE-SA-2008-03-18 APPLE-SA-2008-05-28 25489 TA08-150A CVE-2007-3847 OVAL10525 RHSA-2007:0746 RHSA-2007:0747 RHSA-2007:0911 RHSA-2008:0005 26636 26722 26790 26842 26952 26993 27209 27563 27593 27732 27882 27971 28467 28606 28749 28922 29420
Page 26
Audit Report Source SECUNIA SUSE URL Reference 30430 SUSE-SA:2007:061 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.14. Apache httpd mod_proxy_http DoS (CVE-2008-2364) (apache-httpd-2_2_x-mod_proxy_http-dos-cve-20082364)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_http. Review your Web server configuration for validation. A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker could cause a denial of service or high memory usage.
Affected Nodes:
References:
Source APPLE BID BID CVE OVAL OVAL OVAL REDHAT Reference APPLE-SA-2008-10-09 29653 31681 CVE-2008-2364 OVAL11713 OVAL6084 OVAL9577 RHSA-2008:0966
Page 27
Audit Report Source REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL XF Reference RHSA-2008:0967 30621 31026 31404 31416 31651 31904 32222 32685 32838 33156 33797 34219 34259 34418 http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxy-module-dos(42987)
3.2.15. Apache httpd Signals to arbitrary processes (CVE-2007-3304) (apache-httpd-2_2_x-signals-to-arbitraryprocesses-cve-2007-3304)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if a local attacker can run scripts on the HTTP server. Review your Web server configuration for validation. The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service.
Page 28
Audit Report
Affected Nodes:
References:
Source BID CVE OVAL REDHAT REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA Reference 24215 CVE-2007-3304 OVAL11589 RHSA-2007:0532 RHSA-2007:0556 RHSA-2007:0557 RHSA-2007:0662 RHSA-2008:0261 25827 25830 25920 26211 26273 26443 26508 26611 26759 26790 26822 26842 26993 27121 27209 27563 27732 28212 28224
Page 29
Audit Report Source SECUNIA SGI SUSE URL XF Reference 28606 20070701-01-P SUSE-SA:2007:061 http://httpd.apache.org/security/vulnerabilities_22.html apache-child-process-dos(35095)
3.2.16. Apache httpd mod_proxy reverse proxy exposure (CVE-2011-3368) (apache-httpd-cve-2011-3368)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy. Review your Web server configuration for validation. An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.Acknowledgements: This issue was reported by Context Information Security Ltd
Affected Nodes:
References:
Source BID CVE REDHAT REDHAT SECUNIA SECUNIA Reference 49957 CVE-2011-3368 RHSA-2011:1391 RHSA-2011:1392 46288 46414
Page 30
Audit Report Source URL URL XF Reference http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxy-information-disclosure(70336)
Apache >= 2.0 and < 2.1 Upgrade to Apache version 2.0.65 Download and apply the upgrade from: http://httpd.apache.org/download.cgi Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for more information.Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system. Apache >= 2.2 and < 2.3 Upgrade to Apache version 2.2.22 Download and apply the upgrade from: http://httpd.apache.org/download.cgi Apache HTTP server version 2.2.22 is currently not available for download. Please check the Apache HTTP server download page for more information.Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.17. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)
Description:
The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate. Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com". In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname). A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.
Affected Nodes:
Affected Nodes: 174.143.96.250:25 Additional Information: The subject common name found in the X.509 certificate ('CN=plesk') does not seem to
Page 31
Audit Report Affected Nodes: Additional Information: match the scan target '174.143.96.250':Subject CN 'plesk' does not match node name '174.143.96.250'Subject CN 'plesk' does not match DNS name 'grupocanton.com' 174.143.96.250:443 The subject common name found in the X.509 certificate ('CN=plesk') does not seem to match the scan target '174.143.96.250':Subject CN 'plesk' does not match node name '174.143.96.250'Subject CN 'plesk' does not match DNS name 'grupocanton.com' The subject common name found in the X.509 certificate ('CN=plesk') does not seem to match the scan target '174.143.96.250':Subject CN 'plesk' does not match node name '174.143.96.250'Subject CN 'plesk' does not match DNS name 'grupocanton.com'
174.143.96.250:587
References:
None
The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server.
3.2.18. Apache httpd AllowOverride Options handling bypass (CVE-2009-1195) (http-apache-allowoverideoptions-handling-bypass)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if the AllowOverride directive with certin Options are used. Review your Web server configuration for validation. A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN Reference APPLE-SA-2009-11-09 35115 CVE-2009-1195 DSA-1816
Page 32
Audit Report Source OSVDB OVAL OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL XF Reference 54733 OVAL11094 OVAL12377 OVAL8704 RHSA-2009:1075 RHSA-2009:1156 35261 35264 35395 35453 35721 37152 SUSE-SA:2009:050 http://httpd.apache.org/security/vulnerabilities_22.html apache-allowoverrides-security-bypass(50808)
3.2.19. Apache httpd mod_cache proxy DoS (CVE-2007-1863) (http-apache-mod_cache-proxy-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_cache. Review your Web server configuration for validation. A bug was found in the mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
Affected Nodes:
Page 33
Audit Report Affected Nodes: 174.143.96.250:443 Additional Information: Running vulnerable HTTPS service: Apache 2.2.3.
References:
Source APPLE BID CERT CVE OVAL REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL Reference APPLE-SA-2008-05-28 24649 TA08-150A CVE-2007-1863 OVAL9824 RHSA-2007:0533 RHSA-2007:0534 RHSA-2007:0556 RHSA-2007:0557 25830 25873 25920 26273 26443 26508 26822 26842 26993 27037 27563 27732 28606 30430 SUSE-SA:2007:061 http://httpd.apache.org/security/vulnerabilities_22.html
Page 34
Audit Report
3.2.20. Apache httpd mod_proxy_ajp DoS (CVE-2010-0408) (http-apache-mod_proxy_ajp-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ajp. Review your Web server configuration for validation. mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.Acknowledgements: We would like to thank Niku Toivola of Sulake Corporation for reporting and proposing a patch fix for this issue.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OVAL OVAL REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference APPLE-SA-2010-11-10 38491 CVE-2010-0408 DSA-2035 OVAL8619 OVAL9935 RHSA-2010:0168 39100 39501 39628 39632 39656 40096 http://httpd.apache.org/security/vulnerabilities_22.html
Apache >= 2.2 and < 2.3
Page 35
Audit Report Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.21. MySQL my_net_skip_rest Packet Length Denial of Service Vulnerability (mysql-my_net_skip_rest-packetlength-dos)
Description:
The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 before 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.
Affected Nodes:
References:
Source APPLE CVE OVAL URL URL URL Reference APPLE-SA-2010-11-10 CVE-2010-1849 OVAL7328 http://bugs.mysql.com/bug.php?id=50974 http://bugs.mysql.com/bug.php?id=53371 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
Page 36
Audit Report
3.2.22. PHP PHP hangs on numeric value 2.2250738585072011e-308 (php-cve-2010-4645)
Description:
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows contextdependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.
Affected Nodes:
References:
Source BID CVE REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA XF Reference 45668 CVE-2010-4645 RHSA-2011:0195 RHSA-2011:0196 42812 42843 43051 43189 php-zendstrtod-dos(64470)
Upgrade to PHP v5.2.17 Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.17.tar.gz Upgrade to PHP v5.2.17. Upgrade to PHP v5.3.5 Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.5.tar.gz Upgrade to PHP v5.3.5.
3.2.23. PHP Fixed possible flaw in open_basedir (php-fixed-possible-flaw-in-open-basedir)
Description:
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.
Page 37
Audit Report
Affected Nodes:
References:
Source APPLE BID CVE SECUNIA SECUNIA Reference APPLE-SA-2011-03-21 44723 CVE-2010-3436 42729 42812
3.2.24. PHP possible double free in imap extension (php-possible-double-free-in-imap-extension)
Description:
Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.
Affected Nodes:
References:
Source APPLE Reference APPLE-SA-2011-03-21
Page 38
Audit Report Source BID CVE OVAL SECUNIA XF Reference 44980 CVE-2010-4150 OVAL12489 42729 php-phpimapc-dos(63390)
3.2.25. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)
Description:
The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak: So called "null" ciphers, because they do not encrypt data. Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the cipher suite. Obsolete encryption algorithms with secret key lengths considered short by today's standards, eg. DES or RC4 with 56-bit keys.
Affected Nodes:
Affected Nodes: 174.143.96.250:443 Additional Information: grupocanton.com/174.143.96.250:443 negotiated the SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite
References:
None
Configure the server to disable support for weak ciphers. For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers. For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read: SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For other servers, refer to the respective vendor documentation to disable the weak ciphers
Page 39
Audit Report
3.2.26. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)
Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server, including the following weaknesses: No protection from against man-in-the-middle attacks during the handshake. Weak MAC construction and MAC relying solely on the MD5 hash function. Exportable cipher suites unnecessarily weaken the MACs Same cryptographic keys used for message authentication and encryption. Vulnerable to truncation attacks by forged TCP FIN packets SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meet the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard. Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also supported.
Affected Nodes:
Affected Nodes: 174.143.96.250:443 Additional Information: SSLv2 is supported
References:
Source URL URL Reference http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf
Configure the server to require clients to use at least SSLv3 or TLS. For Microsoft IIS web servers, see Microsoft Knowledgebase article Q187498 for instructions on disabling SSL 2.0. For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2 The ! (exclamation point) before SSLv2 is what disables this protocol.
3.2.27. X.509 Server Certificate Is Invalid/Expired (tls-server-cert-expired)
Page 40
Audit Report
Description:
The TLS/SSL server's X.509 certificate either contains a start date in the future or is expired. Please refer to the proof in the section below for more details.
Affected Nodes:
Affected Nodes: 174.143.96.250:25 174.143.96.250:443 174.143.96.250:587 Additional Information: The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT The certificate is not valid after Tue, 01 Jun 2010 11:41:37 COT
References:
None
Obtain a new certificate and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Please ensure that the start date and the end date on the new certificate are valid. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority. After you have received a new certificate file from the Certificate Authority, you will have to install it on the TLS/SSL server. The exact instructions for installing a certificate differ for each product. Follow their documentation.
3.2.28. Apache httpd mod_imagemap XSS (CVE-2007-5000) (apache-httpd-2_2_x-mod_imagemap-xss-cve-20075000)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_imagemap. Review your Web server configuration for validation. The affected asset is vulnerable to this Apache vulnerability ONLY if an imagemap file is publicly available. Review your Web server configuration for validation. A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
Affected Nodes:
Page 41
Audit Report
References:
Source APPLE APPLE BID CERT CVE OSVDB OVAL REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA Reference APPLE-SA-2008-03-18 APPLE-SA-2008-05-28 26838 TA08-150A CVE-2007-5000 39134 OVAL9539 RHSA-2008:0004 RHSA-2008:0005 RHSA-2008:0006 RHSA-2008:0007 RHSA-2008:0008 RHSA-2008:0009 RHSA-2008:0261 28046 28073 28081 28196 28375 28467 28471 28525 28526 28607 28749 28750 28922 28977 29420 29640 29806
Page 42
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL Reference 29988 30356 30430 30732 31142 SUSE-SA:2008:021 http://httpd.apache.org/security/vulnerabilities_22.html
3.2.29. Apache httpd mod_proxy_ftp globbing XSS (CVE-2008-2939) (apache-httpd-2_2_x-mod_proxy_ftpglobbing-xss-cve-2008-2939)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A flaw was found in the handling of wildcards in the path of a FTP URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing globbing characters could lead to cross-site scripting (XSS) attacks.
Affected Nodes:
References:
Source APPLE BID CERT CERT-VN Reference APPLE-SA-2009-05-12 30560 TA09-133A 663763
Page 43
Audit Report Source CVE OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL XF Reference CVE-2008-2939 OVAL11316 OVAL7716 RHSA-2008:0966 RHSA-2008:0967 31384 31673 32685 32838 33156 33797 34219 35074 http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxyftp-xss(44223)
3.2.30. Apache httpd mod_proxy_ftp UTF-7 XSS (CVE-2008-0005) (apache-httpd-2_2_x-mod_proxy_ftp-utf-7-xsscve-2008-0005)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.
Affected Nodes:
Page 44
References:
Source APPLE BID CVE OVAL REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL XF Reference APPLE-SA-2008-03-18 27234 CVE-2008-0005 OVAL10812 RHSA-2008:0004 RHSA-2008:0005 RHSA-2008:0006 RHSA-2008:0007 RHSA-2008:0008 RHSA-2008:0009 28467 28471 28526 28607 28749 28977 29348 29420 29640 30732 35650 SUSE-SA:2008:021 http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxyftp-utf7-xss(39615)
Page 45
Audit Report
3.2.31. Apache httpd mod_status XSS (CVE-2007-6388) (apache-httpd-2_2_x-mod_status-xss-cve-2007-6388)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status. Review your Web server configuration for validation. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
Affected Nodes:
References:
Source APPLE APPLE BID CERT CVE OVAL REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA Reference APPLE-SA-2008-03-18 APPLE-SA-2008-05-28 27237 TA08-150A CVE-2007-6388 OVAL10272 RHSA-2008:0004 RHSA-2008:0005 RHSA-2008:0006 RHSA-2008:0007 RHSA-2008:0008 RHSA-2008:0009 RHSA-2008:0261 28467 28471 28526 28607
Page 46
Audit Report Source SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL XF Reference 28749 28922 28965 28977 29420 29504 29640 29806 29988 30356 30430 30732 31142 33200 SUSE-SA:2008:021 http://httpd.apache.org/security/vulnerabilities_22.html apache-status-page-xss(39472)
3.2.32. Apache httpd apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419) (apache-httpd-cve2011-0419)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_autoindex. Review your Web server configuration for validation. A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack.Acknowledgements: This issue was reported by Maksymilian Arciemowicz
Page 47
Audit Report
Affected Nodes:
References:
Source APPLE CVE DEBIAN REDHAT REDHAT REDHAT SECUNIA SECUNIA SECUNIA URL URL Reference APPLE-SA-2011-10-12 CVE-2011-0419 DSA-2237 RHSA-2011:0507 RHSA-2011:0896 RHSA-2011:0897 44490 44564 44574 http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html
Apache >= 2.0 and < 2.1 Upgrade to Apache version 2.0.65 Download and apply the upgrade from: http://httpd.apache.org/download.cgi Apache HTTP server version 2.0.65 is currently not available for download. Please check the Apache HTTP server download page for more information.Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system. Apache >= 2.2 and < 2.3 Upgrade to Apache version 2.2.19 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.19.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.33. Apache httpd APR-util heap underwrite (CVE-2009-0023) (http-apache-apr-util-heap-underwrite)
Description:
Page 48
Audit Report
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can provide a specially crafted search keyword to a function that handles compiled forms of search patterns. Review your Web server configuration for validation. A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL Reference APPLE-SA-2009-11-09 35221 CVE-2009-0023 DSA-1812 OVAL10968 OVAL12321 RHSA-2009:1107 RHSA-2009:1108 34724 35284 35360 35395 35444 35487 35565 35710 35797 35843 37221 http://httpd.apache.org/security/vulnerabilities_22.html
Page 49
Audit Report Source XF Reference apache-aprstrmatchprecompile-dos(50964)
3.2.34. Apache ETag Inode Information Leakage (http-apache-etag-inode-leak)
Description:
Certain versions of Apache use the requested file's inode number to construct the 'ETag' response header. While not a vulnerability in and of itself, this information makes certain NFS attacks much simpler to execute.
Affected Nodes:
Affected Nodes: 174.143.96.250:80 Additional Information: Running vulnerable HTTP service: Apache 2.2.3. http://174.143.96.250/index.html 1: "1f20e9d-14c-48dd25a7358c0"
174.143.96.250:443
Running vulnerable HTTPS service: Apache 2.2.3. https://174.143.96.250/ 1: "1e38016-ee7-46b9dad472100"
References:
Source BID BID CVE XF Reference 6939 6943 CVE-2003-1418 apache-mime-information-disclosure(11438)
Disable inode-based ETag generation in the Apache config You can remove inode information from the ETag header by adding the following directive to your Apache config: FileETag MTime Size
Page 50
Audit Report OpenBSD Apply OpenBSD 3.2 errata #8 for Apache inode and pid leak Download and apply the patch from: http://www.openbsd.org/errata32.html#httpd The OpenBSD team has released a patch for the Apache inode and pid leak problem. This patch can be applied cleanly to 3.2 stable and rebuilt. Restart httpd for the changes to take effect. OpenBSD 3.3 will ship with the patched httpd by default. The patch can be applied to earlier 3.x versions of OpenBSD, but it may require editing of the source code.
3.2.35. Apache httpd mod_proxy_balancer CSRF (CVE-2007-6420) (http-apache-mod_proxy_balancer-csrf)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. The mod_proxy_balancer provided an administrative interface that could be vulnerable to cross-site request forgery (CSRF) attacks.
Affected Nodes:
References:
Source APPLE BID BID CVE OVAL REDHAT SECUNIA SECUNIA SECUNIA SECUNIA URL Reference APPLE-SA-2008-10-09 27236 31681 CVE-2007-6420 OVAL8371 RHSA-2008:0966 31026 32222 33797 34219 http://httpd.apache.org/security/vulnerabilities_22.html
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.9.tar.gz
Page 51
Audit Report Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.36. Apache httpd mod_proxy_balancer DoS (CVE-2007-6422) (http-apache-mod_proxy_balancer-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
Affected Nodes:
References:
Source BID CVE OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL XF Reference 27236 CVE-2007-6422 OVAL10181 OVAL8690 RHSA-2008:0008 RHSA-2008:0009 28526 28749 28977 29348 29640 SUSE-SA:2008:021 http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxybalancer-dos(39476)
Page 52
Audit Report
3.2.37. Apache httpd mod_proxy_balancer XSS (CVE-2007-6421) (http-apache-mod_proxy_balancer-xss)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_balancer. Review your Web server configuration for validation. A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.
Affected Nodes:
References:
Source APPLE BID CVE OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE Reference APPLE-SA-2008-03-18 27236 CVE-2007-6421 OVAL10664 OVAL8651 RHSA-2008:0008 RHSA-2008:0009 28526 28749 28977 29420 29640 SUSE-SA:2008:021
Page 53
Audit Report Source URL XF Reference http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxybalancer-xss(39474)
3.2.38. Apache httpd mod_status cross-site scripting (CVE-2006-5752) (http-apache-mod_status-xss)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_status. Review your Web server configuration for validation. The affected asset is vulnerable to this Apache vulnerability ONLY if the server-status page is publicly accessible and ExtendedStatus is enabled. Review your Web server configuration for validation. A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
Affected Nodes:
References:
Source BID CVE OVAL REDHAT REDHAT REDHAT REDHAT Reference 24645 CVE-2006-5752 OVAL10154 RHSA-2007:0532 RHSA-2007:0533 RHSA-2007:0534 RHSA-2007:0556
Page 54
Audit Report Source REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SUSE URL XF Reference RHSA-2007:0557 RHSA-2008:0261 25827 25830 25873 25920 26273 26443 26458 26508 26822 26842 26993 27037 27563 27732 28212 28224 28606 SUSE-SA:2007:061 http://httpd.apache.org/security/vulnerabilities_22.html apache-modstatus-xss(35097)
3.2.39. Apache httpd Subrequest handling of request headers (mod_headers) (CVE-2010-0434) (http-apacherequest-header-info-disclosure)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_headers. Review your Web server configuration for validation.
Page 55
Audit Report
A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data from another request on threaded servers, such as the worker or winnt MPMs.Acknowledgements: We would like to thank Philip Pickett of VMware for reporting and proposing a fix for this issue.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OVAL OVAL REDHAT REDHAT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL XF Reference APPLE-SA-2010-11-10 38494 CVE-2010-0434 DSA-2035 OVAL10358 OVAL8695 RHSA-2010:0168 RHSA-2010:0175 39100 39115 39501 39628 39632 39656 40096 http://httpd.apache.org/security/vulnerabilities_22.html apache-http-rh-info-disclosure(56625)
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.gz
Page 56
Audit Report Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.2.40. MySQL Bug #44798: Stored Procedures Server Crash (mysql-bug-44798-stored-procedures-server-crash)
Description:
Versions of MySQL server 5.0 before 5.0.84 and 5.1 before 5.1.36 suffer from a privilege interpretation flaw that causes a server crash. A user created with the privileges to create stored procedures but not execute them will trigger this issue.
Affected Nodes:
References:
Source URL Reference http://bugs.mysql.com/bug.php?id=44798
MySQL >= 5.0.0 and < 5.0.84 Upgrade to MySQL v5.0.84 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.0.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch. MySQL (?:^5.1.) Upgrade to MySQL v5.1.36 Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.2.41. PHP Fixed NULL pointer dereference in ZipArchive::getArchiveComment (php-fixed-null-pointerdereference-in-ziparchivegetarchivecomment)
Description:
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
Page 57
Audit Report
Affected Nodes:
References:
Source APPLE BID CVE REDHAT SECUNIA SECUNIA Reference APPLE-SA-2011-03-21 44718 CVE-2010-3709 RHSA-2011:0195 42729 42812
3.2.42. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)
Description:
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL manin-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.
Affected Nodes:
Affected Nodes: 174.143.96.250:25 174.143.96.250:443 174.143.96.250:587 Additional Information: TLS/SSL certificate is self-signed. TLS/SSL certificate is self-signed. TLS/SSL certificate is self-signed.
References:
None
Page 58
Audit Report
Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.
3.3. Moderate Vulnerabilities

3.3.1. Apache httpd mod_proxy_ftp DoS (CVE-2009-3094) (http-apache-mod_proxy_ftp-dos)
Description:
The affected asset is vulnerable to this Apache vulnerability ONLY if it is running module mod_proxy_ftp. Review your Web server configuration for validation. A NULL pointer dereference flaw was found in the mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service.
Affected Nodes:
References:
Source CVE DEBIAN OVAL OVAL SECUNIA SECUNIA SUSE URL Reference CVE-2009-3094 DSA-1934 OVAL10981 OVAL8087 36549 37152 SUSE-SA:2009:050 http://httpd.apache.org/security/vulnerabilities_22.html
Apache >= 2.2 and < 2.3 Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.gz Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
Page 59
Audit Report operating system.
3.3.2. MySQL HTML Output Script Insertion Vulnerability (mysql-html-output-script-insertion)
Description:
A cross-site scripting (XSS) vulnerability exists in the command-line client when the "--html" option is enabled. This could allow attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by the client when composing an HTML document.
Affected Nodes:
References:
Source APPLE BID CVE DEBIAN OVAL REDHAT SECUNIA SECUNIA SECUNIA URL URL XF Reference APPLE-SA-2010-03-29 31486 CVE-2008-4456 DSA-1783 OVAL11456 RHSA-2010:0110 32072 34907 38517 http://bugs.mysql.com/bug.php?id=27884 http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability mysql-commandline-xss(45590)
MySQL (?:^5.1.) Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql/5.1.html Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
3.3.3. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)
Page 60
Audit Report
Description:
Certain versions of OpenSSH ship with a flawed implementation of the block cipher algorithm in the Cipher Block Chaining (CBC) mode. This could allow a remote attacker to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Affected Nodes:
References:
Source APPLE BID CERT-VN CVE OSVDB OSVDB OSVDB OVAL SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA URL URL XF Reference APPLE-SA-2009-11-09 32319 958563 CVE-2008-5161 49872 50035 50036 OVAL11279 32740 32760 32833 33121 33308 34857 http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt http://www.openssh.com/txt/cbc.adv openssh-sshtectia-cbc-info-disclosure(46620)
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz Version 5.2 of OpenSSH was released on February 22nd, 2009. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
Page 61
Audit Report
3.3.4. Database Open Access (database-open-access)
Description:
The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.
Affected Nodes:
Affected Nodes: 174.143.96.250:3306 Additional Information: Running vulnerable MySQL service.
References:
Source URL Reference https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ
3.3.5. TCP timestamp response (generic-tcp-timestamp)
Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
Affected Nodes:
Affected Nodes: 174.143.96.250 Additional Information: Apparent system boot time: Fri Nov 18 18:17:26 COT 2011
References:
Source URL URL URL Reference http://www.forensicswiki.org/wiki/TCP_timestamps http://www.ietf.org/rfc/rfc1323.txt http://uptime.netcraft.com
Page 62
Audit Report
Cisco Disable TCP timestamp responses on Cisco Run the following command to disable TCP timestamps:
no ip tcp timestamp
FreeBSD Disable TCP timestamp responses on FreeBSD Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
sysctl -w net.inet.tcp.rfc1323=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.inet.tcp.rfc1323=0
Linux Disable TCP timestamp responses on Linux Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
net.ipv4.tcp_timestamps=0
OpenBSD Disable TCP timestamp responses on OpenBSD Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
sysctl -w net.inet.tcp.rfc1323=0
net.inet.tcp.rfc1323=0
Page 63
Audit Report Microsoft Windows Disable TCP timestamp responses on Windows Set the Tcp1323Opts value in the following key to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
3.3.6. WebDAV Extensions are Enabled (http-generic-webdav-enabled)
Description:
WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. Many web servers enable WebDAV extensions by default, even when they are not needed. Because of its added complexity, it is considered good practice to disable WebDAV if it is not currently in use.
Affected Nodes:
References:
None
IIS, PWS, Microsoft-IIS, Internet Information Services, Internet Information Services, Microsoft-PWS Disable WebDAV for IIS For Microsoft IIS, follow Microsoft's instructions to disable WebDAV for the entire server. Apache Disable WebDAV for Apache Make sure the mod_dav module is disabled, or ensure that authentication is required on directories where DAV is required.
Apache Tomcat, Tomcat, Tomcat Web Server Disable WebDAV for Apache Tomcat Disable the WebDAV Servlet for all web applications found on the web server. This can be done by removing the servlet definition for WebDAV (the org.apache.catalina.servlets.WebdavServlet class) and remove all servlet mappings referring to the WebDAV servlet.
Java System Web Server, iPlanet, SunONE WebServer, Sun-ONE-Web-Server Disable WebDAV for iPlanet/Sun ONE Disable WebDAV on the web server. This can be done by disabling WebDAV for the server instance and for all virtual servers.
Page 64
Audit Report To disable WebDAV for the server instance, enter the Server Manager and uncheck the "Enable WebDAV Globally" checkbox then click the "OK" button. To disable WebDAV for each virtual server, enter the Class Manager and uncheck the "Enable WebDAV Globally" checkbox next to each server instance then click the "OK" button.
Page 65
Audit Report
4. Discovered Services
4.1. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files commonly used with HTTP include text, sound, images and video.
4.1.1. General Security Issues
Simple authentication scheme

Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL) connections to transmit the authentication data.
4.1.2. Discovered Instances of this Service

Device 174.143.96.250 Protocol tcp Port 80 Vulnerabilities 8 Additional Information Apache 2.2.3 PHP: 5.2.14 WebDAV: http.banner: Apache/2.2.3 (Red Hat) http.banner.server: Apache/2.2.3 (Red Hat) http.banner.x-powered-by: PHP/5.2.14
4.2. HTTPS
HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia files commonly used with HTTP include text, sound, images and video.

Device 174.143.96.250 Protocol tcp Port 443 Vulnerabilities 8 Additional Information Apache 2.2.3 WebDAV: http.banner: Apache/2.2.3 (Red Hat) http.banner.server: Apache/2.2.3 (Red Hat) ssl: true ssl.cert.issuer.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.key.alg.name: RSA ssl.cert.key.rsa.modulusBits: 2048
Page 66
Audit Report Device Protocol Port Vulnerabilities Additional Information ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT ssl.cert.selfsigned: true ssl.cert.serial.number: 1243874497 ssl.cert.sig.alg.name: SHA1withRSA ssl.cert.subject.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.validsignature: true ssl.version.ssl20: true verbs-1: GET verbs-2: HEAD verbs-3: OPTIONS verbs-4: POST verbs-count: 4
4.3. MySQL
Device 174.143.96.250 Protocol tcp Port 3306 Vulnerabilities 8 Additional Information MySQL 5.0.77 logging: disabled protocolVersion: 10
4.4. SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final destination.
4.4.1. General Security Issues
Installed by default
By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g. the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running, by telnetting to port 25/tcp. If sendmail is running, you will see something like this: $ telnet mybox 25 Trying 192.168.0.1... Connected to mybox. Escape character is '^]'. 220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT) If sendmail is running and you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.
Promiscuous relay
Page 67
Audit Report Perhaps the most common security issue with SMTP servers is servers which act as a "promiscuous relay", or "open relay". This describes servers which accept and relay mail from anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers) to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.

Device 174.143.96.250 Protocol tcp Port 25 Vulnerabilities 2 Additional Information Unknown advertise-esmtp: 1 advertised-esmtp-extension-count: 5 advertises-esmtp: TRUE smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP ssl.cert.issuer.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.key.alg.name: RSA ssl.cert.key.rsa.modulusBits: 2048 ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT ssl.cert.selfsigned: true ssl.cert.serial.number: 1243874497 ssl.cert.sig.alg.name: SHA1withRSA ssl.cert.subject.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.validsignature: true supported-auth-method-count: 3 supported-auth-method:1: LOGIN supported-auth-method:2: CRAM-MD5 supported-auth-method:3: PLAIN supports-8bitmime: TRUE supports-auth: TRUE supports-auth=login: TRUE supports-debug: FALSE supports-expand: FALSE supports-pipelining: TRUE supports-starttls: TRUE supports-turn: FALSE supports-verify: FALSE
Page 68
Audit Report Device 174.143.96.250 Protocol tcp Port 587 Vulnerabilities 2 Additional Information Unknown advertise-esmtp: 1 advertised-esmtp-extension-count: 5 advertises-esmtp: TRUE smtp.banner: 220 228605-web1.www.tabascohoy.com ESMTP ssl.cert.issuer.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.key.alg.name: RSA ssl.cert.key.rsa.modulusBits: 2048 ssl.cert.not.valid.after: Tue, 01 Jun 2010 11:41:37 COT ssl.cert.not.valid.before: Mon, 01 Jun 2009 11:41:37 COT ssl.cert.selfsigned: true ssl.cert.serial.number: 1243874497 ssl.cert.sig.alg.name: SHA1withRSA ssl.cert.subject.dn: EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US ssl.cert.validsignature: true supported-auth-method-count: 3 supported-auth-method:1: LOGIN supported-auth-method:2: CRAM-MD5 supported-auth-method:3: PLAIN supports-8bitmime: TRUE supports-auth: TRUE supports-auth=login: TRUE supports-debug: FALSE supports-expand: FALSE supports-pipelining: TRUE supports-starttls: TRUE supports-turn: FALSE supports-verify: FALSE
4.5. SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It primarily adds encryption and data integrity to Telnet, but can also provide superior authentication mechanisms such as public key authentication.

Device Protocol Port Vulnerabilities Additional Information
Page 69
Audit Report Device 174.143.96.250 Protocol tcp Port 22 Vulnerabilities 3 Additional Information OpenSSH 4.3 ssh.banner: SSH-2.0-OpenSSH_4.3 ssh.protocol.version: 2.0 ssh.rsa.pubkey.fingerprint: 68155186A79E9D58FA0BA9D1B132D88F
Page 70
Audit Report
5. Discovered Users and Groups

No user or group information was discovered during the scan.
Page 71
Audit Report
6. Discovered Databases
No database information was discovered during the scan.
Page 72
Audit Report
7. Discovered Files and Directories

No file or directory information was discovered during the scan.
Page 73
Audit Report
8. Policy Evaluations
No policy evaluations were performed.
Page 74
Audit Report
9. Spidered Web Sites

No web sites were spidered during the scan.
Page 75

Audit Report: Audited On December 02 2011

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Audit Report: Audited On December 02 2011

Загружено:

Авторское право:

Доступные форматы

Audit Report

Audited on December 02 2011

Reported on December 02 2011

There is not enough historical data to display overall asset trend.

3. Discovered and Potential Vulnerabilities

Audit Report Source URL Reference http://httpd.apache.org/security/vulnerabilities_22.html

3.1.2. MySQL dispatch_command() Multiple Format String Vulnerabilities (mysql-dispatch_command-multipleformat-string)

3.1.3. Apache httpd mod_proxy_ftp FTP command injection (CVE-2009-3095) (apache-httpd-2_2_xmod_proxy_ftp-ftp-command-injection-cve-2009-3095)

3.1.4. Apache httpd Range header remote DoS (CVE-2011-3192) (apache-httpd-cve-2011-3192)

3.1.5. Apache httpd APR-util XML DoS (CVE-2009-1955) (http-apache-apr-util-xml-dos)

3.1.6. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)

3.1.7. MySQL yaSSL CertDecoder::GetName Multiple Buffer Overflows (mysql-yassl-certdecodergetnamemultiple-bofs)

3.1.8. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)

3.2. Severe Vulnerabilities

Audit Report Source URL Reference http://httpd.apache.org/security/vulnerabilities_22.html

3.2.2. Apache httpd mod_proxy reverse proxy DoS (CVE-2009-1890) (http-apache-mod_proxy-reverse-proxy-dos)

Audit Report Source URL URL Reference http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

3.2.4. MySQL vio_verify_callback() Zero-Depth X.509 Certificate Vulnerability (mysql-vio_verify_callback-zerodepth-x-509-certificate)

3.2.5. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-fowarding-infodisclosure)

3.2.6. Apache httpd APR-util off-by-one overflow (CVE-2009-1956) (http-apache-apr-util-off-by-one-overflow)

3.2.7. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)

3.2.8. MySQL COM_FIELD_LIST Command Buffer Overflow Vulnerability (mysql-com_field_list-command-bof)

3.2.9. Apache httpd expat DoS (CVE-2009-3560) (apache-httpd-2_2_x-cve-2009-3560)

3.2.10. Apache httpd expat DoS (CVE-2009-3720) (apache-httpd-2_2_x-cve-2009-3720)

3.2.11. Apache httpd apr_bridage_split_line DoS (CVE-2010-1623) (apache-httpd-2_2_x-cve-2010-1623)

3.2.12. Apache httpd mod_cache and mod_dav DoS (CVE-2010-1452) (apache-httpd-2_2_x-mod_cache-andmod_dav-dos-cve-2010-1452)

3.2.13. Apache httpd mod_proxy crash (CVE-2007-3847) (apache-httpd-2_2_x-mod_proxy-crash-cve-2007-3847)

3.2.14. Apache httpd mod_proxy_http DoS (CVE-2008-2364) (apache-httpd-2_2_x-mod_proxy_http-dos-cve-20082364)

3.2.15. Apache httpd Signals to arbitrary processes (CVE-2007-3304) (apache-httpd-2_2_x-signals-to-arbitraryprocesses-cve-2007-3304)

3.2.16. Apache httpd mod_proxy reverse proxy exposure (CVE-2011-3368) (apache-httpd-cve-2011-3368)

Audit Report Source URL URL XF Reference http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxy-information-disclosure(70336)

3.2.18. Apache httpd AllowOverride Options handling bypass (CVE-2009-1195) (http-apache-allowoverideoptions-handling-bypass)

3.2.19. Apache httpd mod_cache proxy DoS (CVE-2007-1863) (http-apache-mod_cache-proxy-dos)

3.2.20. Apache httpd mod_proxy_ajp DoS (CVE-2010-0408) (http-apache-mod_proxy_ajp-dos)

3.2.21. MySQL my_net_skip_rest Packet Length Denial of Service Vulnerability (mysql-my_net_skip_rest-packetlength-dos)

3.2.22. PHP PHP hangs on numeric value 2.2250738585072011e-308 (php-cve-2010-4645)

3.2.23. PHP Fixed possible flaw in open_basedir (php-fixed-possible-flaw-in-open-basedir)

3.2.24. PHP possible double free in imap extension (php-possible-double-free-in-imap-extension)

3.2.25. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)

3.2.26. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)

3.2.27. X.509 Server Certificate Is Invalid/Expired (tls-server-cert-expired)

3.2.28. Apache httpd mod_imagemap XSS (CVE-2007-5000) (apache-httpd-2_2_x-mod_imagemap-xss-cve-20075000)

3.2.29. Apache httpd mod_proxy_ftp globbing XSS (CVE-2008-2939) (apache-httpd-2_2_x-mod_proxy_ftpglobbing-xss-cve-2008-2939)

3.2.30. Apache httpd mod_proxy_ftp UTF-7 XSS (CVE-2008-0005) (apache-httpd-2_2_x-mod_proxy_ftp-utf-7-xsscve-2008-0005)

3.2.31. Apache httpd mod_status XSS (CVE-2007-6388) (apache-httpd-2_2_x-mod_status-xss-cve-2007-6388)

3.2.33. Apache httpd APR-util heap underwrite (CVE-2009-0023) (http-apache-apr-util-heap-underwrite)

Audit Report Source XF Reference apache-aprstrmatchprecompile-dos(50964)

3.2.34. Apache ETag Inode Information Leakage (http-apache-etag-inode-leak)

Running vulnerable HTTPS service: Apache 2.2.3. https://174.143.96.250/ 1: "1e38016-ee7-46b9dad472100"

3.2.35. Apache httpd mod_proxy_balancer CSRF (CVE-2007-6420) (http-apache-mod_proxy_balancer-csrf)

3.2.36. Apache httpd mod_proxy_balancer DoS (CVE-2007-6422) (http-apache-mod_proxy_balancer-dos)

3.2.37. Apache httpd mod_proxy_balancer XSS (CVE-2007-6421) (http-apache-mod_proxy_balancer-xss)

Audit Report Source URL XF Reference http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxybalancer-xss(39474)

3.2.38. Apache httpd mod_status cross-site scripting (CVE-2006-5752) (http-apache-mod_status-xss)

3.2.40. MySQL Bug #44798: Stored Procedures Server Crash (mysql-bug-44798-stored-procedures-server-crash)

3.2.41. PHP Fixed NULL pointer dereference in ZipArchive::getArchiveComment (php-fixed-null-pointerdereference-in-ziparchivegetarchivecomment)

3.2.42. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)

3.3. Moderate Vulnerabilities

Audit Report operating system.

3.3.2. MySQL HTML Output Script Insertion Vulnerability (mysql-html-output-script-insertion)

3.3.3. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)

3.3.4. Database Open Access (database-open-access)