| Security Issues and Fixes: www.abc-inc.ca |
| Type | Port | Issue and Fix |
| Vulnerability | ssh (22/tcp) |
You are running a version of OpenSSH which is older than 3.7.1.
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.
An exploit for this issue is rumored to exist.
Note that several distributions patched this hole without changing
the version number of OpenSSH. Since CertainKey solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.
If you are running a Red Hat host, make sure that the command :
rpm -q openssh-server
returns at least the following release for your distribution :
openssh-server-3.1p1-13 (Red Hat 7.x)
openssh-server-3.4p1-7 (Red Hat 8.0)
openssh-server-3.5p1-11 (Red Hat 9)
The banner reported below (OpenSSH_3.5p1) matches the Red Hat 9 package, so
the 3.5p1-11 release is the one to confirm on this host.
Solution : Upgrade to OpenSSH 3.7.1, or apply the vendor's backported fix and
verify the package release as above
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
|
| Warning | ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1p1 or older.
If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.
An attacker may use this flaw to set up a brute force attack against
the remote host.
*** CertainKey did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive
Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk Factor : Low
|
| Warning | ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of
hosts a given user can log in from by specifying a pattern
in the user's authorized_keys file (i.e. a from="*.mynetwork.com" option
would let a user connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism, since the reverse-resolved name is matched against the
pattern as well as the real address.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low
|
| Warning | ssh (22/tcp) |
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically
safe so they should not be used. (The SSH-1.99 banner reported below is how
a server advertises that it accepts both protocol 1 and protocol 2 clients.)
Solution :
If you use OpenSSH, set the option 'Protocol' to '2' in sshd_config and
restart sshd
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
|
| Informational | ssh (22/tcp) |
An ssh server is running on this port
|
| Informational | ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.5p1
|
| Informational | ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 9a:41:14:2a:93:18:c9:65:1c:42:4a:b2:6a:61:e0:5e
SSHv2 host key fingerprint : 30:62:0c:0b:09:f1:6c:70:fc:12:14:40:1d:ba:11:85
|
| Warning | www (80/tcp) |
The target is running version of the Mailman mailing list software that
allows a list subscriber to retrieve the mailman password of any other
subscriber by means of a specially crafted mail message to the server.
That is, a message sent to $listname-request@target containing the
lines:
password address=$victim
password address=$subscriber
will return the password of both $victim and $subscriber for the list
$listname.
Note: CertainKey has determined the vulnerability exists only by looking at
the version number of Mailman installed on the target.
Additional information on the vulnerability can be found at:
- http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html
Solution : Upgrade to Mailman version 2.1.5 or newer.
Risk factor : Medium
|
| Warning | www (80/tcp) |
It is possible to obtain the listing of the content of the
remote web server root by sending the request :
GET // HTTP/1.0
This vulnerability usually affects the default Apache
configuration which is shipped with Red Hat Linux, although
it might affect other Linux distributions or other web servers.
An attacker may exploit this flaw to browse the content
of the remote web root and possibly find hidden links in it.
Solution : Use index files instead of default welcome pages, and turn off
automatic directory listings for the document root (in Apache, Options -Indexes
in the relevant <Directory> block).
Risk Factor : Medium
|
| Warning | www (80/tcp) |
The remote web server appears to be running a version of
Apache that is older than 2.0.49 or 1.3.31.
These versions are vulnerable to a denial of service attack where a remote
attacker can block new connections to the server by connecting to a listening
socket on a rarely accessed port.
Solution: Upgrade to Apache 2.0.49 or 1.3.31.
|
| Warning | www (80/tcp) |
The remote web server seems to have its default welcome page set.
This usually means that the default site is not used at all. Note that the
directories found on this host (/mailman, /webmail, /bugzilla, /download) show
that the server itself is in use, so only the unused default site applies here.
Solution : Disable this service if you do not use it; otherwise replace the
default welcome page with your own index file.
Risk factor : Low
|
| Warning | www (80/tcp) |
The remote host appears to be running a version of Apache 2.x which is older
than 2.0.48.
This version is vulnerable to a bug which may allow a rogue CGI to disable
the httpd service by issuing over 4K of data to stderr.
To exploit this flaw, an attacker would need the ability to upload a rogue
CGI script to this server and to have it executed by the Apache daemon (httpd).
Solution : Upgrade to version 2.0.48 when it is available
See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
Risk factor : Low
|
| Warning | www (80/tcp) |
The remote host appears to be running a version of
Apache 2.x which is older than 2.0.43
This version allows an attacker to view the source code
of CGI scripts via a POST request made to a directory
with both WebDAV and CGI enabled.
*** Note that CertainKey solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
Solution : Upgrade to version 2.0.43
See also : http://www.apache.org/dist/httpd/CHANGES_2.0
Risk factor : Medium
|
| Warning | www (80/tcp) |
The target host is running an Apache web server which allows for the
injection of arbitrary escape sequences into its error logs. An
attacker might use this vulnerability in an attempt to exploit similar
vulnerabilities in terminal emulators.
Note: CertainKey has determined the vulnerability exists only by looking at
the Server header returned by the web server running on the target.
Solution : Upgrade to Apache version 1.3.31 or 2.0.49 or newer.
Risk factor : Low
|
| Warning | www (80/tcp) |
Your web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting these methods are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers: TRACE echoes the full request back to the
client, so a TRACE issued from a victim's browser reflects that victim's
cookies and authentication headers to the attacker's script.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
(Apache 1.3.34, 2.0.55 and later also provide the TraceEnable off
directive; the Apache 2.0.40 reported on this host predates it, so the
rewrite rule is the applicable fix here.)
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
|
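The TRACE finding above, and the "GET //" listing finding earlier on this port, are both things a practitioner would rather confirm with a request than take from the scanner's verdict. The following is an added example, not code from the report or from any scanner: it builds the two requests, parses the raw response, and classifies it. The sample responses are constructed to look like what an Apache 2.0.x would return with TRACE enabled, with the rewrite rule above applied, with directory listings on, and with the Red Hat welcome page; none of them was captured from the target. The host name is the one in the report and the X-Probe header name is arbitrary.

```python
import socket

# Any private header works as the echo marker; the name is arbitrary.
PROBE_HEADER = b"X-Probe: xst-check"


def build_request(method, path, host):
    """Build a raw HTTP/1.0 request like the 'GET // HTTP/1.0' in the finding."""
    return (method.encode() + b" " + path.encode() + b" HTTP/1.0\r\n"
            b"Host: " + host.encode() + b"\r\n"
            + PROBE_HEADER + b"\r\n\r\n")


def parse_response(raw):
    """Split a raw response into (status code, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1].decode("ascii"))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def trace_enabled(raw):
    """TRACE is on when the server answers 200 with message/http and echoes our
    request, marker header included. That echo is the XST problem: a TRACE
    issued from a victim's browser reflects the Cookie and Authorization
    headers the browser attached, so an attacker's script can read them."""
    status, headers, body = parse_response(raw)
    return (status == 200
            and headers.get("content-type", "").startswith("message/http")
            and PROBE_HEADER in body)


def root_listing_exposed(raw):
    """'GET //' leaks the root when the answer is an autoindex page instead of
    the configured index file or welcome page."""
    status, headers, body = parse_response(raw)
    return (status == 200
            and headers.get("content-type", "").startswith("text/html")
            and b"<title>Index of /" in body)


def probe(host, port, method, path, classify, timeout=5):
    """Live form of either check: probe(host, 80, "TRACE", "/", trace_enabled).
    Not exercised offline; the samples below stand in for the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed sample responses (not captured from the target).
TRACE_ON = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.40 (Red Hat Linux)\r\n"
            b"Content-Type: message/http\r\n\r\n"
            + build_request("TRACE", "/", "www.abc-inc.ca"))
TRACE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.0.40 (Red Hat Linux)\r\n"
                 b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                 b"<html><head><title>403 Forbidden</title></head></html>")
LISTING = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.40 (Red Hat Linux)\r\n"
           b"Content-Type: text/html;charset=ISO-8859-1\r\n\r\n"
           b"<html><head><title>Index of /</title></head><body><h1>Index of /</h1>"
           b"<a href=\"mailman/\">mailman/</a> <a href=\"usage/\">usage/</a></body></html>")
WELCOME = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.40 (Red Hat Linux)\r\n"
           b"Content-Type: text/html;charset=ISO-8859-1\r\n\r\n"
           b"<html><head><title>Test Page for the Apache Web Server on Red Hat Linux"
           b"</title></head><body>This page is used to test the proper operation of "
           b"the Apache Web server after it has been installed.</body></html>")

if __name__ == "__main__":
    print("TRACE enabled :", trace_enabled(TRACE_ON), "/", trace_enabled(TRACE_BLOCKED))
    print("Root listing  :", root_listing_exposed(LISTING), "/", root_listing_exposed(WELCOME))
```

The marker header matters: a 200 with an unrelated HTML body is not a TRACE echo, and checking that the server reflected a header only we sent is exactly the property XST abuses with the victim's cookies. After applying the mod_rewrite lines above, the live probe should report False for TRACE and the server should answer 403 as in the blocked sample.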
| Warning | www (80/tcp) |
The remote host appears to be running a version of
Apache 2.x which is older than 2.0.47
This version is vulnerable to various flaws which may allow
an attacker to disable this service remotely and/or locally.
Solution : Upgrade to version 2.0.47
See also : http://www.apache.org/dist/httpd/CHANGES_2.0
Risk factor : Medium
|
| Warning | www (80/tcp) |
The remote host appears to be running a version of
Apache 2.x which is older than 2.0.46
This version is vulnerable to various flaws :
- There is a denial of service vulnerability which may allow
an attacker to disable basic authentication on this host
- There is a denial of service vulnerability in the mod_dav module
which may allow an attacker to crash this service remotely
Solution : Upgrade to version 2.0.46
See also : http://www.apache.org/dist/httpd/CHANGES_2.0
Risk factor : Medium
|
| Informational | www (80/tcp) |
A web server is running on this port
|
| Informational | www (80/tcp) |
The following directories were discovered:
/cgi-bin, /error, /icons, /mailman, /manual, /usage
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they comply with company
security standards.
The following directories require authentication:
/bugzilla, /download
|
| Informational | www (80/tcp) |
The remote web server type is :
Apache/2.0.40 (Red Hat Linux)
Note that Red Hat ships security fixes as backported patches without changing
the version reported in this header, so the Apache version warnings above may
be false positives; confirm the installed package with rpm -q httpd and compare
its release against the Red Hat errata before acting on them.
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
|
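The three OpenSSH warnings and the Apache version warnings on this page rest on nothing but the version string in a banner, which is why each carries a false-positive caveat. The following is an added example, not code from the report or from any scanner, that makes that comparison explicit: it parses the two banners quoted in the informational findings (SSH-1.99-OpenSSH_3.5p1 and Apache/2.0.40 (Red Hat Linux)), orders versions so that a portable patch level such as 3.6.1p2 sorts above 3.6.1p1, and records that the verdict is banner-only. The threshold lists are copied from the findings on this page and are not a complete list of flaws for either product; the regular expressions assume the standard SSH-protoversion-softwareversion banner and the usual Apache/version (comment) Server header.

```python
import re

# Fixed-in versions quoted by the findings on this page (constructed from the
# report; not a complete list of flaws for either product).
SSH_THRESHOLDS = [
    ("buffer management flaw", "3.7.1"),
    ("PAM login-name timing leak", "3.6.1p2"),
    ("reverse-DNS pattern bypass", "3.6.2"),
]
APACHE_THRESHOLDS = [
    ("log escape sequences / listening-socket DoS", "2.0.49"),
    ("CGI stderr deadlock", "2.0.48"),
    ("local and remote DoS", "2.0.47"),
    ("basic-auth and mod_dav DoS", "2.0.46"),
    ("CGI source disclosure via WebDAV POST", "2.0.43"),
]

# Assumed banner shapes: RFC 4253 "SSH-protoversion-softwareversion" and the
# usual "Apache/version (comment)" Server header.
_SSH_BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*(?:p\d+)?)")
_APACHE_HDR = re.compile(r"^Apache/(?P<ver>\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.6.1p2' -> (3, 6, 1, 2); '3.5p1' -> (3, 5, 0, 1); '2.0.40' -> (2, 0, 40, 0).
    The portable patch level becomes the fourth component, so 3.6.1p1 < 3.6.1p2
    and 3.5p1 < 3.7.1 compare the way the findings intend."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + (int(m.group(2) or 0),)


def is_older(version, fixed_in):
    return parse_version(version) < parse_version(fixed_in)


def check_ssh_banner(banner):
    """What a banner-only check can say about an OpenSSH server, or None if the
    banner is not OpenSSH's."""
    m = _SSH_BANNER.match(banner.strip())
    if not m:
        return None
    ver = m.group("ver")
    return {
        "product": "OpenSSH",
        "version": ver,
        # 1.99 is how a server advertises that it accepts both protocol 1 and 2.
        "accepts_protocol_1": m.group("proto") in ("1.33", "1.5", "1.99"),
        "affected": [name for name, fixed in SSH_THRESHOLDS if is_older(ver, fixed)],
        "banner_only": True,  # backported vendor fixes are invisible here
    }


def check_server_header(header):
    """Same for an Apache Server header; a bare 'Apache' (ServerTokens Prod) -> None."""
    m = _APACHE_HDR.match(header.strip())
    if not m:
        return None
    ver = m.group("ver")
    return {
        "product": "Apache",
        "version": ver,
        "affected": [name for name, fixed in APACHE_THRESHOLDS if is_older(ver, fixed)],
        "banner_only": True,
    }


if __name__ == "__main__":
    # Inputs copied from the informational findings on this page.
    for result in (check_ssh_banner("SSH-1.99-OpenSSH_3.5p1"),
                   check_server_header("Apache/2.0.40 (Red Hat Linux)")):
        print(result)
```

A server whose Server header reads just Apache (ServerTokens Prod) yields None rather than a verdict, which is the point of that directive: the version comparison has nothing to work on. Either way the banner_only flag is the reminder that a backported fix leaves the banner unchanged, so the remaining way to confirm any of the warnings is the package check (rpm -q openssh-server, rpm -q httpd) or an active probe.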
| Informational | www (80/tcp) |
The remote host is running SquirrelMail 1.2.11 under /webmail.
SquirrelMail is a PHP-based webmail package that provides access to mail
accounts via POP3 or IMAP; see <http://www.squirrelmail.org/> for more
information.
Risk factor : None
|
| Warning | general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
|
| Warning | general/tcp |
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
|
| Informational | general/tcp |
66.11.174.128 resolves as www.abc-inc.ca.
|
| Informational | general/udp |
For your information, here is the traceroute to 66.11.174.128 :
134.117.69.104
134.117.69.1
134.117.7.3
134.117.219.248
134.117.6.5
66.97.23.141
66.97.16.74
66.97.16.90
66.97.16.125
198.32.245.25
66.11.167.162
66.11.174.128
|