List of hosts
demo.testfire.net - High Severity problem(s) found

demo.testfire.net
Scan Time
Start time : Mon Jan 11 14:22:32 2010
End time : Mon Jan 11 15:31:26 2010

Number of vulnerabilities
Open ports : 2
Low : 10
Medium : 4
High : 1

Remote host information
Operating System :
NetBIOS name :
DNS name :

Port unknown (0/tcp)
Nessus Scan Information
Information about this scan :

Nessus version : 4.2.0
Plugin feed version : 201001080934
Type of plugin feed : ProfessionalFeed (Direct)
Scanner IP : 192.168.7.110
Port scanner(s) : nessus_tcp_scanner nessus_syn_scanner
Port range : 80,443
Thorough tests : no
Experimental tests : yes
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Send POST requests : no
Web app tests - Maximum run time : 120 minutes.
Web app tests - Stop at first flaw : port
Max hosts : 40
Max checks : 16
Recv timeout : 5
Backports : None
Scan duration : unknown (ping_host.nasl not launched?)


Plugin ID: 19506

Port www (80/tcp)
CGI Generic Header Injection Vulnerability

Synopsis:
The remote web server is prone to HTTP header injection attacks.

Description:
The remote web server hosts CGIs that are vulnerable to 'header
injection'. By leveraging this issue, an attacker may be able to poison
a proxy cache, or trigger a cross-site scripting flaw and cause
arbitrary HTML and script code to be executed in a user's browser
within the security context of the affected site.
Privilege escalation may be possible too, depending on the application.

Risk factor:
Medium

CVSS Base Score: 4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/HTTP_header_injection
http://projects.webappsec.org/HTTP-Response-Splitting
http://cwe.mitre.org/data/definitions/113.html

Solution:
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Plugin output:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to header injection :

/bank/customize.aspx?lang=%0D%0AX-foo:%20bar

-------- output --------
Set-Cookie: amSessionId=13285989122; path=/
Set-Cookie: lang=
X-foo: bar; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

/bank/customize.aspx?lang=international&lang=%0D%0AX-foo:%20bar

-------- output --------
X-AspNet-Version: 2.0.50727
Set-Cookie: lang=international,
X-foo: bar; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

/bank/customize.aspx?lang=%0D%0AX-foo:%20bar&lang=international

-------- output --------
X-AspNet-Version: 2.0.50727
Set-Cookie: lang=
X-foo: bar,international; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

/bank/customize.aspx?lang=%0D%0AX-foo:%20bar&__VIEWSTATE=/wEPDwUJMjA2OTMxMDA4ZGQ=&_ctl0:_ctl0:Content:Main:TextBox1=Enter%20title%20(e.g.%20Watchfire)&_ctl0:_ctl0:Content:Main:Button1=Query

-------- output --------
Set-Cookie: amSessionId=13294989221; path=/
Set-Cookie: lang=
X-foo: bar; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

/bank/customize.aspx?lang=international&lang=%0D%0AX-foo:%20bar&__VIEWSTATE=/wEPDwUJMjA2OTMxMDA4ZGQ=&_ctl0:_ctl0:Content:Main:TextBox1=Enter%20title%20(e.g.%20Watchfire)&_ctl0:_ctl0:Content:Main:Button1=Query

-------- output --------
X-AspNet-Version: 2.0.50727
Set-Cookie: lang=international,
X-foo: bar; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

/bank/customize.aspx?lang=%0D%0AX-foo:%20bar&lang=international&__VIEWSTATE=/wEPDwUJMjA2OTMxMDA4ZGQ=&_ctl0:_ctl0:Content:Main:TextBox1=Enter%20title%20(e.g.%20Watchfire)&_ctl0:_ctl0:Content:Main:Button1=Query

-------- output --------
X-AspNet-Version: 2.0.50727
Set-Cookie: lang=
X-foo: bar,international; path=/
Cache-Control: no-cache
Pragma: no-cache
------------------------

Clicking directly on these URLs might expose the vulnerabilities :
(you will probably need to check the HTML source)

http://demo.testfire.net/bank/customize.aspx?lang=%0D%0AX-foo:%20bar

Plugin ID: 39468
CGI Generic SQL Injection Vulnerability

Synopsis:
A web application is potentially vulnerable to SQL injection.

Description:
By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.

Risk factor:
High

CVSS Base Score: 7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

See also:
http://en.wikipedia.org/wiki/SQL_injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.securitydocs.com/library/2651

Solution:
Modify the relevant CGIs so that they properly escape arguments.

Plugin output:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to SQL injection :

/bank/login.aspx?passw=%27

-------- output --------
<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbExce [...]
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling( [...]
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResul [...]
------------------------

Clicking directly on these URLs might expose the vulnerabilities :
(you will probably need to check the HTML source)

http://demo.testfire.net/bank/login.aspx?passw=%27

Plugin ID: 11139
HTTP methods per directory

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI
directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough
tests' are enabled or 'Enable web applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD TRACE OPTIONS are allowed on :

/
/Admin
/admin
/bank
/bank/20060308_bak
/images


Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE
VERSION-CONTROL X-MS-ENUMATTS are allowed on :

/bank/members

- HTTP methods GET HEAD OPTIONS POST are allowed on :

/
/Admin
/admin
/bank
/bank/20060308_bak
/images

- Invalid/unknown HTTP methods are allowed on :

/bank/members


Plugin ID: 43111
CGI Generic Cross-Site Scripting Vulnerability

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings containing malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS flaws are likely to be 'non-persistent' or 'reflected'.

Risk factor:
Medium

CVSS Base Score: 4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html

Solution:
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Plugin output:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (XSS) :

/bank/login.aspx?uid=<script>alert(42);</script>

-------- output --------
</td>
<td>
<input type="text" id="uid" name="uid" value="<script>alert(42);</ [...]
</td>
<td>
------------------------

Clicking directly on these URLs might expose the vulnerabilities :
(you will probably need to check the HTML source)

http://demo.testfire.net/bank/login.aspx?uid=<script>alert(42);</script>

Plugin ID: 39466
CGI Generic Persistent Cross-Site Scripting Vulnerability

Synopsis:
A CGI application hosted on the remote web server is potentially
prone to cross-site scripting attacks.

Description:
The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings containing malicious JavaScript.
By leveraging this issue, an attacker may be able to cause arbitrary
HTML and script code to be executed in a user's browser within the
security context of the affected site.

These issues are likely to be 'persistent' or 'stored', but this
aspect should be checked manually. Please note that persistent XSS
can be triggered by any channel that provides information to the
application. Nessus cannot test them all.

Risk factor:
Medium

CVSS Base Score: 4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross_site_scripting#Persistent

Solution:
Restrict access to the vulnerable application, or contact the vendor
for a patch or upgrade.

Plugin output:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross site scripting :

/search.aspx?txtSearch=<BODY ONLOAD=alert($URL$)>
Seen on :
/search.aspx?txtSearch=<BODY%20ONLOAD=alert(G2f7365617263682e617370783f7478745365617263683d3c424f4459204f4e4c4f41443d616c657274282455524c24293e)>
-------- output --------

<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch"><BODY ONLOAD=alert(G [...]

</div>
------------------------


Clicking directly on these URLs might expose the vulnerabilities :
(you will probably need to check the HTML source)

http://demo.testfire.net/search.aspx?txtSearch=<BODY ONLOAD=alert($URL$)>

Plugin ID: 42425
HMAP Web Server Fingerprinting

Synopsis:
HMAP fingerprints the remote HTTP server.

Description:
By sending several valid and invalid HTTP requests, it
may be possible to identify the remote web server type.
In some cases, its version can also be approximated, as
well as some options.

An attacker may use this tool to identify the kind of remote
web server and gain further knowledge about this host.

Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html

Risk factor:
None

See also:
http://ujeni.murkyroc.com/hmap/
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf

Solution:
n/a

Plugin output:

This web server was fingerprinted as : Microsoft-IIS/6.0
which is consistent with the displayed banner : Microsoft-IIS/6.0

Plugin ID: 11919
HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

Microsoft-IIS/6.0


Plugin ID: 10107
Web mirroring

Synopsis:
Nessus crawled the remote web site.

Description:
This script makes a mirror of the remote web site(s) and extracts the
list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the
'Options' section of the client.

Risk factor:
None

Solution:
n/a

Plugin output:

The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/comment.aspx (cfile [comments.txt] name [ ] email_addr [] subject [] comments [] sub...)
/servererror.aspx (aspxerrorpath [/bank/account.aspx.cs] )
/bank/ws.asmx (op [GetUserAccounts] disco [] WSDL [] )
/survey_questions.aspx (step [a] )
/bank/customize.aspx (lang [international] __VIEWSTATE [/wEPDwUJMjA2OTMxMDA4ZGQ=] )
/bank/queryxpath.aspx (__VIEWSTATE [/wEPDwUKMTEzMDczNTAxOWRk] __EVENTVALIDATION [/wEWAwLNx+2Y...)
/bank/login.aspx (uid [] passw [] btnSubmit [Login] )
/search.aspx (txtSearch [] )
/default.aspx (content [inside_contact.htm] )


Plugin ID: 10662
Web Application Tests : load estimation

Synopsis:
Load estimation for web application tests.

Description:
This script computes the maximum number of requests that would be done
by the generic web tests, depending on miscellaneous options.
It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or
the complexity of additional manual tests.

Note that the script does not try to compute this duration, as it would
depend upon external factors such as the network and web server loads.

Risk factor:
None

Solution:
n/a

Plugin output:
Here are the estimated number of requests in miscellaneous modes
for the GET method only :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

directory traversal : S=483 SP=588 AP=588 SC=588 AC=588
arbitrary command execution : S=322 SP=392 AP=392 SC=392 AC=392
format string : S=23 SP=28 AP=28 SC=28 AC=28
header injection : S=23 SP=28 AP=28 SC=28 AC=28
blind SQL injection : S=690 SP=840 AP=840 SC=840 AC=840
SQL injection : S=575 SP=700 AP=700 SC=700 AC=700
web code injection : S=23 SP=28 AP=28 SC=28 AC=28
persistent XSS : S=92 SP=112 AP=112 SC=112 AC=112
cross-site scripting (XSS) : S=161 SP=196 AP=196 SC=196 AC=196

Here are the estimated number of requests in miscellaneous modes
for both methods (GET & POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

directory traversal : S=24528 SP=26124 AP=26124 SC=26124 AC=26124
arbitrary command execution : S=16352 SP=17416 AP=17416 SC=17416 AC=17416
format string : S=1168 SP=1244 AP=1244 SC=1244 AC=1244
header injection : S=1168 SP=1244 AP=1244 SC=1244 AC=1244
blind SQL injection : S=35040 SP=37320 AP=37320 SC=37320 AC=37320
SQL injection : S=29200 SP=31100 AP=31100 SC=31100 AC=31100
web code injection : S=1168 SP=1244 AP=1244 SC=1244 AC=1244
persistent XSS : S=4672 SP=4976 AP=4976 SC=4976 AC=4976
cross-site scripting (XSS) : S=8176 SP=8708 AP=8708 SC=8708 AC=8708


Plugin ID: 33817
Web Server Uses Plain Text Authentication Forms

Synopsis:
The remote web server might transmit credentials in cleartext.

Description:
The remote web server contains several HTML form fields containing
an input of type 'password' which transmit their information to
a remote web server in cleartext.

An attacker eavesdropping on the traffic between the web browser and
the server may obtain logins and passwords of valid users.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Make sure that every sensitive form transmits content over HTTPS.

Plugin output:
Page : /bank/login.aspx
Destination page : login.aspx
Input name : passw

Plugin ID: 26194
Web Server Uses Basic Authentication

Synopsis:
The remote web server seems to transmit credentials in clear text.

Description:
The remote web server contains web pages that are protected by 'Basic'
authentication over plain text.

An attacker eavesdropping on the traffic might obtain logins and
passwords of valid users.

Risk factor:
Low

CVSS Base Score: 2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Make sure that HTTP authentication is transmitted over HTTPS.

Plugin output:

The following pages are protected.
/bank/members/:/ realm="demo.testfire.net"
/bank/members:/ realm="demo.testfire.net"


Plugin ID:
34850
Web Server Allows Password Auto-Completion

Synopsis:
Auto-complete is not disabled on password fields.

Description:
The remote web server contains at least one HTML form field with an
input of type 'password' where 'autocomplete' is not set to 'off'.

While this does not represent a risk to this web server per se, it
does mean that users who use the affected forms may have their
credentials saved in their browsers, which could in turn lead to a
loss of confidentiality if any of them use a shared host or their
machine is compromised at some point.

Risk factor:
None

Solution:
Add the attribute 'autocomplete=off' to these fields to prevent
browsers from caching credentials.

Plugin output:
Page : /bank/login.aspx
Destination Page : login.aspx
Input name : passw

Plugin ID: 34850
HTTP Server Cookies Set

Synopsis:
Some cookies have been set by the web server.

Description:
HTTP cookies are pieces of information that are presented by web
servers and are sent back by the browser.
As HTTP is a stateless protocol, cookies are a possible mechanism to
keep track of sessions.

This plugin displays the list of the HTTP cookies that were set by the
web server when it was crawled.

Risk factor:
None

Solution:
n/a

Plugin output:

path = /
name = amSessionId
value = 13245988432
version = 1
secure = 0
httponly = 0

path = /
name = ASP.NET_SessionId
value = pfywra55tkvq5n3nq0xstc34
version = 1
secure = 0
httponly = 1

path = /
name = amCreditOffer
value =
version = 1
expires = Sun, 10-Jan-2010 19:25:04 GMT
secure = 0
httponly = 0

path = /
name = lang
value =
version = 1
secure = 0
httponly = 0

path = /
name = amUserId
value =
version = 1
expires = Sun, 10-Jan-2010 19:25:04 GMT
secure = 0
httponly = 0


Plugin ID: 42057
Web Server Directory Enumeration

Synopsis:
It is possible to enumerate directories on the web server.

Description:
This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.

Risk factor:
None

Solution:
n/a

Plugin output:

The following directories were discovered:
/Admin, /admin, /bank, /images

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.


Plugin ID: 11032

Other references:
OWASP:OWASP-CM-006
