Host: 140.211.167.9, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: domain (53/udp)
Security Warning
Synopsis : Remote DNS server is vulnerable to cache snooping attacks.
Description : The remote DNS server answers to queries for third-party domains which do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
See also : For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see: http://www.nessus.org/u?0f22a4a4
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
--------------------------------------------------------------------------------
Host: 140.211.167.20, Service: https (443/tcp)
Security Warning
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: domain (53/udp)
Security Warning
Synopsis : The remote name server allows recursive queries to be performed by the host running nessusd.
Description : It is possible to query the remote name server for third party names. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third parties names (such as www.nessus.org). This allows hackers to do cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.
See also :
http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf
If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command
Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see: http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE : CVE-1999-0024
BID : 136, 678
--------------------------------------------------------------------------------
Host: 140.211.167.1, Service: telnet (23/tcp)
Security Warning
Synopsis : A telnet server is listening on the remote port
Description : The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users.
Solution : Disable this service and use SSH instead
Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)
Plugin output : Remote telnet banner: NERO CORE Router (corv-car1-gw) User Access Verification Username:
--------------------------------------------------------------------------------
Host: 140.211.167.20, Service: https (443/tcp)
Security Warning
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: rsync (873/tcp)
Security Warning
An rsync server is running on this port
--------------------------------------------------------------------------------
Host: 140.211.167.6, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.6
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: https (443/tcp)
Security Warning
The SSL certificate of the remote service expired Jul 7 19:11:34 2006 GMT!
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: https (443/tcp)
Security Warning
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: https (443/tcp)
Security Warning
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
--------------------------------------------------------------------------------
Host: 140.211.167.2, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.5
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.25, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: https (443/tcp)
Security Warning
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
--------------------------------------------------------------------------------
Host: 140.211.167.20, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.18, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.13, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.6, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.20, Service: https (443/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: https (443/tcp)
Security Warning
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.28, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.15, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-1.99-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.16, Service: https (443/tcp)
Security Warning
The SSL certificate of the remote service expired Feb 1 00:00:00 2008 GMT!
--------------------------------------------------------------------------------
Host: 140.211.167.24, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.2, Service: http (80/tcp)
Security Warning
Synopsis : The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description : When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution : In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
--------------------------------------------------------------------------------
Host: 140.211.167.2, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.20, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner : SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: http (80/tcp)
Security Warning
Synopsis : The remote web server might transmit credentials over clear text
Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users.
Solution : Make sure that every form transmits its results over HTTPS
Risk factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Page : /phpmyadmin/
Destination page : index.php
Input name : pma_password
Page : /phpmyadmin/?D=A
Destination page : index.php
Input name : pma_password
Page : /phpmyadmin/index.php
Destination page : index.php
Input name : pma_password
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
Synopsis : The remote web server might transmit credentials over clear text
Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users.
Solution : Make sure that every form transmits its results over HTTPS
Risk factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Page : /phpmyadmin/?D=A
Destination page : index.php
Input name : pma_password
Page : /cs362/afbp/
Destination page : /cs362/afbp/?q=node&destination=node
Input name : pass
Page : /cs362/afbp/?D=A
Destination page : /cs362/afbp/?q=node&destination=node%3FD%3DA
Input name : pass
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
BEA WebLogic may be tricked into revealing the source code of JSP scripts by using simple URL encoding of characters in the filename extension. e.g.: default.js%70 (=default.jsp) won't be considered as a script but rather as a simple document.
Vulnerable systems: WebLogic version 5.1.0 SP 6
Immune systems: WebLogic version 5.1.0 SP 8
Solution: Use the official patch available at http://www.bea.com
Risk factor : Medium
BID : 2527
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
The following files are calling the function phpinfo() which disclose potentially sensitive information to the remote attacker :
/phpinfo.php
Solution : Delete them or restrict access to them
Risk factor : Low
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a problem handling malformed URLs. This allows a remote user to browse the file system under the web root (normally \inetpub\wwwroot). Upon sending a specially formed request to the web server, containing a '.jsp' extension makes the JRun handle the request.
Example: http://www.victim.com/%3f.jsp
The following directories were found to be browsable:
/?q=admin
/?q=aggregator
/?q=comment/reply
/?q=contact
/?q=logout
/?q=node/add
/?q=search
/?q=user/password
/?q=user/register
/?q=user/login
CVE : CVE-2001-1510
BID : 3592
--------------------------------------------------------------------------------
Host: 140.211.167.30, Service: http (80/tcp)
Security Warning
Synopsis : It is possible to download the source code of several scripts on the remote web server
Description : By appending various suffixes (ie: .old, .bak, ~, etc...) to the names of several pages on the remote host, it seems possible to download the source code of these scripts. You should ensure these files do no contain any sensitive information, such as credentials to connect to a database.
Solution : Delete these files.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : It is possible to read the following files :
/themes/backstage/page.tpl.php~
/themes/goscon07/node-content_speaker.tpl.php~
/themes/goscon07/node.tpl.php~
/themes/goscon07/page-printschedule.tpl.php~
/themes/goscon07/page.tpl.php~
/themes/goscon07/template.php.old
/themes/goscon07/template.php~
/themes/goscon07/views-list-Schedule.tpl.php~
/themes/goscon08/node-content_speaker.tpl.php~
/themes/goscon08/node.tpl.php~
/themes/goscon08/page.tpl.php~
/themes/ohip/page.tpl.php~
/themes/soc/page.tpl.php.old
/themes/wireframe/page.tpl.php~
--------------------------------------------------------------------------------
Host: 140.211.167.22, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner :
SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.19, Service: https (443/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.26, Service: ssh (22/tcp)
Security Warning
Synopsis : The remote SSH service is prone to an X11 session hijacking vulnerability.
Description : According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
See also :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Solution : Upgrade to OpenSSH version 5.0 or later.
Risk factor : Medium / CVSS Base Score : 6.2 (CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
Plugin output : The remote OpenSSH server returned the following banner :
SSH-2.0-OpenSSH_4.7
CVE : CVE-2008-1483
BID : 28444
Other references : Secunia:29522
--------------------------------------------------------------------------------
Host: 140.211.167.26, Service: http (80/tcp)
Security Warning
Synopsis : The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description : When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution : In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
--------------------------------------------------------------------------------
Host: 140.211.167.26, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: https (443/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------
Host: 140.211.167.7, Service: http (80/tcp)
Security Warning
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE
--------------------------------------------------------------------------------