The remote host is running a version of Apache2 which is older than 2.0.51.
It is reported that versions prior to 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, this may completely crash the Apache process.
In addition, versions prior to 2.0.51 are prone to a remote buffer overflow when parsing a URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.
The remote web server appears to be running a version of Apache that is older than 2.0.49 or 1.3.31.
These versions are vulnerable to a denial of service attack where a remote attacker can block new connections to the server by connecting to a listening socket on a rarely accessed port.
You are running a version of OpenSSH which is older than 3.7.1.
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.
An exploit for this issue is rumored to exist.
Note that several distributions patched this hole without changing the version number of OpenSSH. Since Analyze relied solely on the banner of the remote SSH server to perform this check, this might be a false positive.
If you are running a RedHat host, make sure that the command : rpm -q openssh-server
Determines if the remote name server allows recursive queries
Domain and directory services
Detail:
The remote name server allows recursive queries to be performed by the host running Analyze.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone to use it to resolve third-party names (such as www.confianze.com). This allows attackers to perform cache poisoning attacks against this nameserver.
If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.
Solution:
Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it).
If you are using BIND 8, you can do this by using the 'allow-recursion' directive in the 'options' section of your named.conf.
If you are using BIND 9, you can define a group of internal addresses using the 'acl' statement.
Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl; };'
For more info on Bind 9 administration (to include recursion), see: http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
It is possible to write to the root directory of this remote anonymous FTP server. This allows an attacker to upload '.rhosts' or '.forward' files, or to turn your FTP server into a warez server.
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users into giving up their credentials.
Solution:
Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
See:
http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593
Determines if the remote name server allows zone transfers
Domain and directory services
Detail:
The remote name server allows DNS zone transfers to be performed. A zone transfer will allow a remote attacker to instantly populate a list of potential targets. In addition, companies often use a naming convention which can give hints as to a server's primary application (for instance, proxy.company.com, payroll.company.com, b2b.company.com, etc.).
As such, this information is of great use to an attacker who may use it to gain information about the topology of your network and spot new targets.
Solution:
Restrict DNS zone transfers to only the servers that absolutely need it.
Checks if the remote ftp server accepts anonymous logins
File sharing and transfer
Detail:
This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause trouble.
Response:
This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it may only cause trouble.
The remote host appears to be running a version of Apache 2.x which is older than 2.0.48.
This version is vulnerable to a bug which may allow a rogue CGI to disable the httpd service by issuing over 4K of data to stderr.
To exploit this flaw, an attacker would need the ability to upload a rogue CGI script to this server and to have it executed by the Apache daemon (httpd).
Checks for Apache Error Log Escape Sequence Injection Vulnerability
Web services
Detail:
The target is running an Apache web server which allows for the injection of arbitrary escape sequences into its error logs. An attacker might use this vulnerability in an attempt to exploit similar vulnerabilities in terminal emulators.
Note: Analyze has determined that the vulnerability exists only by looking at the Server header returned by the web server running on the target.
Solution:
Upgrade to Apache version 1.3.31 or 2.0.49 or newer.
The remote DNS server answers to queries for third party domains which do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see: http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf
Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability
Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail
Unknown
Detail:
The remote host is running at least one instance of Open WebMail which fails to sufficiently validate user input supplied to the logindomain parameter. This failure enables an attacker to run arbitrary script code in the context of a user's web browser. For further information, see :
This plugin attempts to determine the presence of various common dirs on the remote web server
Response:
The following directories were discovered: /cgi-bin, /data, /error, /html, /icons, /manual
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
This script detects whether the remote host is running SquirrelMail and extracts version numbers and locations of any instances found.
SquirrelMail is a PHP-based webmail package that provides access to mail accounts via POP3 or IMAP. See http://www.squirrelmail.org/ for more information.
Response:
SquirrelMail 1.4.0-1 was detected on the remote host under the path /webmail.
SquirrelMail is a PHP-based webmail package that provides access to mail accounts via POP3 or IMAP. See http://www.squirrelmail.org/ for more information.
This script detects whether the target is running Open WebMail and extracts version numbers and locations of any instances found.
Open WebMail is a webmail package written in Perl that provides access to mail accounts via POP3 or IMAP. See <http://www.openwebmail.org/> for more information.
Response:
Open WebMail 2.41 was detected on the remote host under the path /cgi-bin/openwebmail.
Open WebMail is a webmail package written in Perl that provides access to mail accounts via POP3 or IMAP. See <http://www.openwebmail.org/> for more information.
The remote web server appears to be running a version of Apache that is older than version 1.3.33.
This version is vulnerable to a local buffer overflow in the get_tag() function of the module 'mod_include' when a specially crafted document with malformed server-side includes is requested through an HTTP session.
Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) are enabled.
Solution:
Disable SSI or upgrade to a newer version when available.
Checks for Apache mod_access Rule Bypass Vulnerability
Unknown
Detail:
The target is running an Apache web server that may not properly handle access controls. In effect, on big-endian 64-bit platforms, Apache fails to match allow or deny rules containing an IP address but not a netmask.
Note: Analyze has determined that the vulnerability exists only by looking at the Server header returned by the web server running on the target. If the target is not a big-endian 64-bit platform, consider this a false positive.
Additional information on the vulnerability can be found at :
An unknown service runs on this port. It is sometimes opened by Trojan horses. Unless you know for sure what is behind it, you'd better check your system.
Response:
An unknown service runs on this port. It is sometimes opened by this/these Trojan horse(s): Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, FreddyK, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, RTB 666, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash.
Unless you know for sure what is behind it, you'd better check your system.
Note: don't panic, Analyze only found an open port. It may have been dynamically allocated to some service (RPC...).
Solution:
If a Trojan horse is running, run a good antivirus scanner.
This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead.
Analyze enabled some countermeasures for that; however, they might be insufficient. If a great number of security holes are reported for this port, they might not all be accurate.
Response:
This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead.
CGI scanning will be disabled for this host.
To work around this issue, please contact the Analyze team.