Summary

This document reports on the results of an automatic security scan. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.

Vendor security updates are not trusted.

Overrides are off. Even when a result has an override, this report uses the actual threat of the result.

Information on overrides is included in the report.

Notes are included in the report.

This report might not show details of all issues that were found. Issues with the threat level "High" are not shown. Issues with the threat level "Medium" are not shown. Issues with the threat level "Low" are not shown. Issues with the threat level "Log" are not shown. Issues with the threat level "Debug" are not shown. Issues with the threat level "False Positive" are not shown. Only results with a minimum QoD of 70 are shown.

This report contains all 18 results selected by the filtering described above. Before filtering there were 105 results.

All dates are displayed using the timezone "Coordinated Universal Time", which is abbreviated "UTC".

Scan started: Tue Apr 9 17:56:14 2019 UTC
Scan ended: Tue Apr 9 18:05:40 2019 UTC
Task: scan

Host Summary

Host Start End High Medium Low Log False Positive
0.0.0.0 (www.hackazon.org) Apr 9, 17:56:24 Apr 9, 18:05:40 0 3 2 13 0
Total: 1 0 3 2 13 0

Results per Host

Host 0.0.0.0

Scanning of this host started at: Tue Apr 9 17:56:24 2019 UTC
Number of results: 18

Port Summary for Host 0.0.0.0

Service (Port) Threat Level
80/tcp Medium
general/icmp Log
general/CPE-T Log
general/tcp Medium

Security Issues for Host 0.0.0.0

general/tcp
Medium
NVT: 1.3.6.1.4.1.25623.1.0.142220 (OID: 1.3.6.1.4.1.25623.1.0.142220)
Product detection result: cpe:/a:apache:http_server:2.4.7 by Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)
Vulnerability Detection Result
Installed version: 2.4.7
Fixed version:     2.4.39
Log Method

Details: 1.3.6.1.4.1.25623.1.0.142220 (OID: 1.3.6.1.4.1.25623.1.0.142220)

Version used: 2019-04-08T15:50:06+0000

Product Detection Result

Product: cpe:/a:apache:http_server:2.4.7
Method: Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)

general/tcp
Low
NVT: 1.3.6.1.4.1.25623.1.0.142228 (OID: 1.3.6.1.4.1.25623.1.0.142228)
Product detection result: cpe:/a:apache:http_server:2.4.7 by Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)
Vulnerability Detection Result
Installed version: 2.4.7
Fixed version:     2.4.39
Log Method

Details: 1.3.6.1.4.1.25623.1.0.142228 (OID: 1.3.6.1.4.1.25623.1.0.142228)

Version used: 2019-04-08T15:50:06+0000

Product Detection Result

Product: cpe:/a:apache:http_server:2.4.7
Method: Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)

80/tcp
Log (CVSS: 0.0)
NVT: Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)
Summary

Detects the installed version of Apache Web Server

The script detects the version of Apache HTTP Server on remote host and sets the KB.

Vulnerability Detection Result
Detected Apache

Version:  2.4.7
Location: 80/tcp
CPE:      cpe:/a:apache:http_server:2.4.7

Concluded from version/product identification result:
Server: Apache/2.4.7
Log Method

Details: Apache Web Server Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)

Version used: $Revision: 10290 $

80/tcp
Log (CVSS: 0.0)
NVT: CGI Scanning Consolidation (OID: 1.3.6.1.4.1.25623.1.0.111038)
Summary

The script consolidates various information for CGI scanning.

This information is based on the following scripts / settings:

- HTTP-Version Detection (OID: 1.3.6.1.4.1.25623.1.0.100034)

- No 404 check (OID: 1.3.6.1.4.1.25623.1.0.10386)

- Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)

- Directory Scanner / DDI_Directory_Scanner.nasl (OID: 1.3.6.1.4.1.25623.1.0.11032)

- The configured 'cgi_path' within the 'Scanner Preferences' of the scan config in use

- The configured 'Enable CGI scanning', 'Enable generic web application scanning' and 'Add historic /scripts and /cgi-bin to directories for CGI scanning' within the 'Global variable settings' of the scan config in use

If you think any of this information is wrong please report it to the referenced community portal.

Vulnerability Detection Result
The Hostname/IP "www.hackazon.org" was used to access the remote host.

Generic web application scanning is disabled for this host via the "Enable generic web application scanning" option within the "Global variable settings" of the scan config in use.

Requests to this service are done via HTTP/1.1.

This service seems to be able to host PHP scripts.

This service seems to be NOT able to host ASP scripts.

The User-Agent "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)" was used to access the remote host.

Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the "Add historic /scripts and /cgi-bin to directories for CGI scanning" option within the "Global variable settings" of the scan config in use.

A possible recursion was detected during CGI scanning:

The service is using a relative URL in one or more HTML references where e.g. /file1.html contains <a href="subdir/file2.html"> and a subsequent request for subdir/file2.html is linking to subdir/file2.html. This would resolves to subdir/subdir/file2.html causing a recursion. To work around this counter-measures have been enabled but the service should be fixed as well to not use such problematic links. Below an excerpt of URLs is shown to help identify those issues.

Syntax : URL (HTML link)

http://www.hackazon.org/wishlist/?D=A (data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAeCAIAAAHDVQljAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAA7NJREFUeNpiXHHi/o/ffxnAgAnI+vvvv5mSMJDBBBT4/fcfRIZFgItNTYIXyLJTFwMIIMYFh+8wwABID1CDGB8HVA8Q3H/9BUgyXn/2/v9/EP/7778AAQTSAzHdUVMcKHTu4bsvP/6A9EO0cLExQxi6MgJQgyHU119Qx1189B7CYLz5/APQHAYMABBAKO6CAxaI95w0xf/8+8/CxLjv+kuE6X/BDvwDM40JTS/E+VDRe6++AklmJkZGRpgoUF5WmBPIABoAMQSL44B2MmG6F6gcIICgYQIXAioCBqOsMNev3/8uP/kAtAnFGGQOGwuTpYoIxHkMHAzAMH3x8cetF58Q0YJi19//UEfjACiqf//79/vPP0SoMjK8+vQDp2pmRsYjt17D3fr47bf3336huxvoM252Fn1ZQS52ZiAbHhoyQlxA7wKNuPv6y91XX0Bhe+v5hz/YIhcrAAgg7DGOFXCwMrMgBzbYZ4wqYjy8nKwP33wFehFfeIvwsuvICPwDO0xbmh+YSPddf8GEFKZMyGlGXYLvH5IfgOb+/487vP8zoHv3P87YYWT4hRQ1EKWMuFT///+fnZUZWQ7oKGDKwa4a6JvbLz4jJxNg7v+NahuK1mcfvrMgBdm1px+ZUEMQPZ28/vITymZifPf1J840+AeUWpgFudjg2cJGTQwoiByILP/BEspiPMqiPMBcjCLHxOiqLfHt598Lj99/+wkqZBjP3n/Dy8GCP2EBvQ4Mg+vPPrFwsjETTINAC4HWaknxMTEQDYBGAgRotcpyGoaBaLxlaVrSQgCpSCyH4Lochj8ugJBAiB9AVC2kVbpkdZ8TBFVSW61UK/KP7fF43jIhd/fPDQjbm0AeqSqmcqqJ1OBmewBWTvUaR6mGA+869Ds2J9Udsqo4ZhjHZ7T8nqe6KxCWG5K9vTkJOmJT1Ypo1Xzac4Z992WktM014beXDwXwBINblFIaEOCU7upqm89BP1qkBbFMNV2k+d6hkaxv867DpT7rQlpXIcyQ6rbos05z1WL1TABJkqyAanU8oAYYYeJv4zlnW44Cusf36OF1YiCYCQfGyCROslyS1puiZTaaJYLtD+NvxUsZeAJZyxYSfU9cDLy8MGmNN84of2Qk7DrngXfUEYLSrT8auTKe3mXozxbZ13Q5jpO0kLSyj//QNXOPffsscMOuC92VpfVHZwOvsQSzHPg2PkQExdNcjuPVaLqCSrFKnj5+0LuKndvkLgPkAWvpwePW5oOwnCmxltahB8KuAf+pyQJVxN7hAAAAAElFTkSuQmCC)

The following directories require authentication and are tested by the script "HTTP Brute Force Logins with default Credentials (OID: 1.3.6.1.4.1.25623.1.0.108041)":

http://www.hackazon.org/api

The following directories were used for CGI scanning:

http://www.hackazon.org/
http://www.hackazon.org/cart
http://www.hackazon.org/category
http://www.hackazon.org/faq
http://www.hackazon.org/helpdesk
http://www.hackazon.org/home
http://www.hackazon.org/product
http://www.hackazon.org/products_pictures
http://www.hackazon.org/search
http://www.hackazon.org/search/page
http://www.hackazon.org/user
http://www.hackazon.org/wishlist
http://www.hackazon.org/wishlist/view

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards

The following directories were excluded from CGI scanning because the "Regex pattern to exclude directories from CGI scanning" setting of the NVT "Global variable settings" (OID: 1.3.6.1.4.1.25623.1.0.12288) for this scan was: "/(index\.php|image|img|css|js$|js/|javascript|style|theme|icon|jquery|graphic|grafik|picture|bilder|thumbnail|media/|skins?/)"

http://www.hackazon.org/+pageHost+www.adobe.com/images/shared/download_buttons
http://www.hackazon.org/css
http://www.hackazon.org/css/nivo-themes/bar
http://www.hackazon.org/css/nivo-themes/light
http://www.hackazon.org/css/plugins
http://www.hackazon.org/css/plugins/metisMenu
http://www.hackazon.org/font-awesome/css
http://www.hackazon.org/icons
http://www.hackazon.org/images
http://www.hackazon.org/js
http://www.hackazon.org/js/amf
http://www.hackazon.org/js/plugins/dataTables
http://www.hackazon.org/js/plugins/metisMenu

PHP script discloses physical path at:

http://www.hackazon.org/twitter (/var/www/hackazon/classes/PHPixie/Auth/Login/Twitter.php)

The following CGIs were discovered:

Syntax : cginame (arguments [default value])

http://www.hackazon.org/admin/user/login (return_url [%2Fadmin%2F] password [] username [] )
http://www.hackazon.org/bestprice (userEmail [] _csrf_bestprice [BWGKya2QwKHInsqBKgse2saHfGY4RtZk] )
http://www.hackazon.org/category/view (id [49] )
http://www.hackazon.org/faq (userEmail [] _csrf_faq [kNnb7aZbzOkH8LR8C2U8hzHQTWzE9EnS] )
http://www.hackazon.org/install (force [1] )
http://www.hackazon.org/install/login (password [] )
http://www.hackazon.org/product/view (id [16] )
http://www.hackazon.org/products_pictures/ (products_pictures [] )
http://www.hackazon.org/search (quality-filter [11] id [] searchString [] price-filter [5] brand-filter[] [8] )
http://www.hackazon.org/search/page/ (page [1] id [] searchString [] brands [] price [] quality [] )
http://www.hackazon.org/user/login (return_url [%2Faccount%2F] )
http://www.hackazon.org/user/password (email [] )
http://www.hackazon.org/user/register (first_name [] last_name [] username [] )
Log Method

Details: CGI Scanning Consolidation (OID: 1.3.6.1.4.1.25623.1.0.111038)

Version used: $Revision: 13679 $

References

Other: https://community.greenbone.net/c/vulnerability-tests

80/tcp
Medium (CVSS: 4.8)
NVT: Cleartext Transmission of Sensitive Information via HTTP (OID: 1.3.6.1.4.1.25623.1.0.108440)
Summary

The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

Vulnerability Detection Result
The following URLs requires Basic Authentication (URL:realm name):

http://www.hackazon.org/api:"Please provide your credentials using url /api/auth"
Impact

An attacker could use this situation to compromise or eavesdrop on the HTTP communication between the client and the server using a man-in-the-middle attack to get access to sensitive data like usernames or passwords.

Solution

Solution type: Workaround

Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before allowing to input sensitive data into the mentioned functions.

Affected Software/OS

Hosts / applications which doesn't enforce the transmission of sensitive data via an encrypted SSL/TLS connection.

Vulnerability Detection Method

Evaluate previous collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection.

The script is currently checking the following:

- HTTP Basic Authentication (Basic Auth)

- HTTP Forms (e.g. Login) with input field of type 'password'

Details: Cleartext Transmission of Sensitive Information via HTTP (OID: 1.3.6.1.4.1.25623.1.0.108440)

Version used: $Revision: 10726 $

References

Other: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
https://cwe.mitre.org/data/definitions/319.html

general/CPE-T
Log (CVSS: 0.0)
NVT: CPE Inventory (OID: 1.3.6.1.4.1.25623.1.0.810002)
Summary

This routine uses information collected by other routines about CPE identities of operating systems, services and applications detected during the scan.

Vulnerability Detection Result
0.0.0.0|cpe:/a:apache:http_server:2.4.7
0.0.0.0|cpe:/a:jquery:jquery
0.0.0.0|cpe:/a:php:php:5.5.9
0.0.0.0|cpe:/o:canonical:ubuntu_linux
Log Method

Details: CPE Inventory (OID: 1.3.6.1.4.1.25623.1.0.810002)

Version used: $Revision: 14324 $

References

Other: http://cpe.mitre.org/

80/tcp
Log (CVSS: 0.0)
NVT: HTTP Security Headers Detection (OID: 1.3.6.1.4.1.25623.1.0.112081)
Summary

All known security headers are being checked on the host. On completion a report will hand back whether a specific security header has been implemented (including its value) or is missing on the target.

Vulnerability Detection Result
Missing Headers
---------------
Content-Security-Policy
Referrer-Policy
X-Content-Type-Options
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-XSS-Protection
Log Method

Details: HTTP Security Headers Detection (OID: 1.3.6.1.4.1.25623.1.0.112081)

Version used: $Revision: 10899 $

References

Other: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
https://securityheaders.io/

80/tcp
Log (CVSS: 0.0)
NVT: HTTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10107)
Summary

This detects the HTTP Server's type and version.

Vulnerability Detection Result
The remote web server type is :

Apache/2.4.7 (Ubuntu)


Solution : You can set the directive "ServerTokens Prod" to limit
the information emanating from the server in its response headers.
Solution

- Configure your server to use an alternate name like 'Wintendo httpD w/Dotmatrix display'

- Be sure to remove common logos like apache_pb.gif.

- With Apache, you can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

Log Method

Details: HTTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10107)

Version used: $Revision: 11585 $

general/icmp
Log (CVSS: 0.0)
NVT: ICMP Timestamp Detection (OID: 1.3.6.1.4.1.25623.1.0.103190)
Summary

The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.

Vulnerability Detection Result

Vulnerability was detected according to the Vulnerability Detection Method.

Log Method

Details: ICMP Timestamp Detection (OID: 1.3.6.1.4.1.25623.1.0.103190)

Version used: $Revision: 10411 $

References

CVE: CVE-1999-0524
CERT: CB-K15/1514, CB-K14/0632, DFN-CERT-2014-0658
Other: http://www.ietf.org/rfc/rfc0792.txt

80/tcp
Log (CVSS: 0.0)
NVT: jQuery Detection (OID: 1.3.6.1.4.1.25623.1.0.141622)
Summary

Detection of jQuery.

The script sends a connection request to the server and attempts to detect jQuery and to extract its version.

Vulnerability Detection Result
Detected jQuery

Version:  unknown
Location: /js/ladda.
CPE:      cpe:/a:jquery:jquery
Log Method

Details: jQuery Detection (OID: 1.3.6.1.4.1.25623.1.0.141622)

Version used: $Revision: 14001 $

References

Other: https://jquery.com/

80/tcp
Medium (CVSS: 5.0)
NVT: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)
Summary

The application is missing the 'httpOnly' cookie attribute

Vulnerability Detection Result
The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "httpOnly" attribute.
Solution

Solution type: Mitigation

Set the 'httpOnly' attribute for any session cookie.

Affected Software/OS

Application with session handling in cookies.

Vulnerability Insight

The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Vulnerability Detection Method

Check all cookies sent by the application for a missing 'httpOnly' attribute

Details: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

Version used: $Revision: 5270 $

References

Other: https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

80/tcp
Log (CVSS: 0.0)
NVT: Nikto (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14260)
Summary

This plugin uses nikto to find weak CGI scripts and other known issues regarding web server security. See the preferences section for configuration options.

Note: The plugin needs the 'nikto' or 'nikto.pl' binary found within the PATH of the user running the scanner and needs to be executable for this user. The existence of this binary is checked and reported separately within 'Availability of scanner helper tools' (OID: 1.3.6.1.4.1.25623.1.0.810000).

Vulnerability Detection Result
Here is the Nikto report:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          0.0.0.0
+ Target Hostname:    0.0.0.0
+ Target Port:        80
+ Virtual Host:       www.hackazon.org
+ Start Time:         2019-04-09 17:59:23 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.11
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /crossdomain.xml, fields: 0x253 0x51add1c831300
+ /crossdomain.xml contains a full wildcard entry. See http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Uncommon header 'union all select filetoclob('/etc/passwd','server')' found, with contents: :html,0 FROM sysusers WHERE username=USER --/.html HTTP/1.1 404 Not Found
+ Uncommon header 'src=javascript' found, with contents: alert('Vulnerable')><Img Src=\" HTTP/1.1 404 Not Found
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /log.txt: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header '-al&absolute_path_studip=http' found, with contents: //cirt.net/rfiinc.txt?? HTTP/1.1 404 Not Found
+ Uncommon header '-al&_phplib[libdir]=http' found, with contents: //cirt.net/rfiinc.txt?? HTTP/1.1 404 Not Found
+ OSVDB-3092: /helpdesk/: This might be interesting...
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 7751 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2019-04-09 18:01:27 (GMT0) (124 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Log Method

Details: Nikto (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14260)

Version used: $Revision: 13985 $

general/tcp
Log (CVSS: 0.0)
NVT: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Summary

This script consolidates the OS information detected by several NVTs and tries to find the best matching OS.

Furthermore it reports all previously collected information leading to this best matching OS. It also reports possible additional information which might help to improve the OS detection.

If any of this information is wrong or could be improved please consider to report these to the referenced community portal.

Vulnerability Detection Result
Best matching OS:

OS: Ubuntu
CPE: cpe:/o:canonical:ubuntu_linux
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from PHP Server banner on port 80/tcp: X-Powered-By: PHP/5.5.9-1ubuntu4.11
Setting key "Host/runs_unixoide" based on this information

Other OS detections (in order of reliability):

OS: Ubuntu
CPE: cpe:/o:canonical:ubuntu_linux
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from HTTP Server banner on port 80/tcp: Server: Apache/2.4.7 (Ubuntu)
Log Method

Details: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)

Version used: $Revision: 14244 $

References

Other: https://community.greenbone.net/c/vulnerability-tests

80/tcp
Log (CVSS: 0.0)
NVT: PHP Version Detection (Remote) (OID: 1.3.6.1.4.1.25623.1.0.800109)
Summary

Detects the installed version of PHP. This script sends HTTP GET request and try to get the version from the response, and sets the result in KB.

Vulnerability Detection Result
Detected PHP

Version:  5.5.9
Location: 80/tcp
CPE:      cpe:/a:php:php:5.5.9

Concluded from version/product identification result:
X-Powered-By: PHP/5.5.9-1ubuntu4.11 
Log Method

Details: PHP Version Detection (Remote) (OID: 1.3.6.1.4.1.25623.1.0.800109)

Version used: $Revision: 13811 $

80/tcp
Log (CVSS: 0.0)
NVT: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
Summary

This routine attempts to guess which service is running on the remote ports. For instance, it searches for a web server which could listen on another port than 80 or 443 and makes this information available for other check routines.

Vulnerability Detection Result
A web server is running on this port
Log Method

Details: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)

Version used: $Revision: 13541 $

general/tcp
Low (CVSS: 2.6)
NVT: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)
Summary

The remote host implements TCP timestamps and therefore allows to compute the uptime.

Vulnerability Detection Result
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 4286223955
Packet 2: 4286224990
Impact

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution

Solution type: Mitigation

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.

Affected Software/OS

TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight

The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported.

Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

Version used: $Revision: 14310 $

References

Other: http://www.ietf.org/rfc/rfc1323.txt
http://www.microsoft.com/en-us/download/details.aspx?id=9152

general/tcp
Log (CVSS: 0.0)
NVT: Traceroute (OID: 1.3.6.1.4.1.25623.1.0.51662)
Summary

A traceroute from the scanning server to the target system was conducted. This traceroute is provided primarily for informational value only. In the vast majority of cases, it does not represent a vulnerability. However, if the displayed traceroute contains any private addresses that should not have been publicly visible, then you have an issue you need to correct.

Vulnerability Detection Result
Here is the route from 0.0.0.1 to 0.0.0.0:

0.0.0.1
0.0.0.0
Solution

Block unwanted packets from escaping your network.

Log Method

Details: Traceroute (OID: 1.3.6.1.4.1.25623.1.0.51662)

Version used: $Revision: 10411 $

80/tcp
Log (CVSS: 0.0)
NVT: wapiti (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.80110)
Summary

This plugin uses wapiti to find web security issues.

Make sure to have wapiti 2.x as wapiti 1.x is not supported.

See the preferences section for wapiti options.

Note that the scanner is using limited set of wapiti options. Therefore, for more complete web assessment, you should use standalone wapiti tool for deeper/customized checks.

Note: The plugin needs the 'wapiti' binary found within the PATH of the user running the scanner and needs to be executable for this user. The existence of this binary is checked and reported separately within 'Availability of scanner helper tools' (OID: 1.3.6.1.4.1.25623.1.0.810000).

Vulnerability Detection Result
The wapiti report filename is empty. That could mean that a wrong version of wapiti is used or tmp dir is not accessible. Make sure to have wapiti 2.x as wapiti 1.x is not supported.
In short: Check the installation of wapiti and the scanner.
Log Method

Details: wapiti (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.80110)

Version used: $Revision: 13985 $