Security Issues and Fixes: domeyko.dii.uchile.cl
Type | Port | Issue and Fix
Vulnerability |
ssh (22/tcp) |
You are running a version of OpenSSH which is older than 3.4
There is a flaw in this version that can be exploited remotely to
give an attacker a shell on this host.
Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-6
Solution : Upgrade to OpenSSH 3.4 or contact your vendor for a patch
Risk factor : High
CVE : CVE-2002-0639, CVE-2002-0640
BID : 5093
Nessus ID : 11031 |
Vulnerability |
ssh (22/tcp) |
You are running a version of OpenSSH older than OpenSSH 3.2.1
A buffer overflow exists in the daemon if AFS is enabled on
your system, or if the options KerberosTgtPassing or
AFSTokenPassing are enabled. Even in this scenario, the
vulnerability may be avoided by enabling UsePrivilegeSeparation.
Versions prior to 2.9.9 are vulnerable to a remote root
exploit. Versions prior to 3.2.1 are vulnerable to a local
root exploit.
Solution :
Upgrade to the latest version of OpenSSH
Risk factor : High
CVE : CVE-2002-0575
BID : 4560
Nessus ID : 10954 |
Warning |
ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1p1 or older.
If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for an
existent login.
An attacker may use this flaw to set up a brute force attack against
the remote host.
*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive
Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk Factor : Low
CVE : CAN-2003-0190
BID : 7482
Nessus ID : 11574 |
Warning |
ssh (22/tcp) |
The remote SSH daemon supports connections made
using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically
safe so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
Nessus ID : 10882 |
Warning |
ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of
hosts a given user can log in from by specifying a pattern
in the user key file (i.e. *.mynetwork.com would let a user
connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712 |
Informational |
ssh (22/tcp) |
An ssh server is running on this port
Nessus ID : 10330 |
Informational |
ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.1p1
Nessus ID : 10267 |
Informational |
ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
Nessus ID : 10881 |
Vulnerability |
smtp (25/tcp) |
The remote sendmail server, according to its version number,
may be vulnerable to a buffer overflow in its DNS handling code.
The owner of a malicious name server could use this flaw
to execute arbitrary code on this host.
Solution : Upgrade to Sendmail 8.12.5
Risk factor : High
CVE : CVE-2002-0906
BID : 5122
Nessus ID : 11232 |
Vulnerability |
smtp (25/tcp) |
The remote sendmail server, according to its version number,
may be vulnerable to a remote buffer overflow allowing remote
users to gain root privileges.
Sendmail versions from 5.79 to 8.12.7 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.8 or greater or
if you cannot upgrade, apply patches for 8.10-12 here:
http://www.sendmail.org/patchcr.html
NOTE: manual patches do not change the version numbers.
Vendors who have released patched versions of sendmail
may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
see http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
Risk factor : High
CVE : CAN-2002-1337
BID : 6991
Nessus ID : 11316 |
Vulnerability |
smtp (25/tcp) |
The remote sendmail server, according to its version number,
may be vulnerable to a remote buffer overflow allowing remote
users to gain root privileges.
Sendmail versions from 5.79 to 8.12.8 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.9 or greater or
if you cannot upgrade, apply patches for 8.10-12 here:
http://www.sendmail.org/patchps.html
NOTE: manual patches do not change the version numbers.
Vendors who have released patched versions of sendmail
may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
Risk factor : High
CVE : CAN-2003-0161
BID : 7230
Nessus ID : 11499 |
Vulnerability |
smtp (25/tcp) |
smrsh (supplied by Sendmail) is designed to prevent the execution of
commands outside of the restricted environment. However, when commands
are entered using either double pipes (||) or a mixture of dot
and slash characters, a user may be able to bypass the checks
performed by smrsh. This can lead to the execution of commands
outside of the restricted environment.
Solution : upgrade to the latest version of Sendmail (or at least 8.12.8).
Risk factor : Medium
CVE : CAN-2002-1165
BID : 5845
Nessus ID : 11321 |
Warning |
smtp (25/tcp) |
According to the version number of the remote mail server,
a local user may be able to obtain the complete mail configuration
and other interesting information about the mail queue even if
he is not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.
If users are not allowed to process the queue (which is the default)
then you are not vulnerable.
Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088 |
Informational |
smtp (25/tcp) |
An SMTP server is running on this port
Here is its banner :
220 dii.uchile.cl ESMTP Sendmail 8.11.6/8.11.6; Mon, 15 Dec 2003 22:59:43 -0300
Nessus ID : 10330 |
Informational |
smtp (25/tcp) |
Remote SMTP server banner :
220 dii.uchile.cl ESMTP Sendmail 8.11.6/8.11.6; Mon, 15 Dec 2003 23:00:27 -0300
This is probably: Sendmail version 8.11.6
Nessus ID : 10263 |
Informational |
smtp (25/tcp) |
This server could be fingerprinted as being Sendmail 8.12.2-8.12.5
Nessus ID : 11421 |
Informational |
smtp (25/tcp) |
For some reason, we could not send the EICAR test string to this MTA
Nessus ID : 11034 |
Vulnerability |
domain (53/tcp) |
The remote BIND 9 server, according to its
version number, is vulnerable to a buffer
overflow which may allow an attacker to
gain a shell on this host or to disable
this server.
Solution : upgrade to bind 9.2.2 or downgrade to the 8.x series
See also : http://www.isc.org/products/BIND/bind9.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00075.html
http://www.cert.org/advisories/CA-2002-19.html
Risk factor : High
Nessus ID : 11318 |
Warning |
domain (53/tcp) |
The remote name server allows DNS zone transfers to be performed.
This information is of great use to an attacker who may use it
to gain information about the topology of your network and spot new
targets.
Solution: Restrict DNS zone transfers to only the servers that absolutely
need it.
Risk factor : Medium
CVE : CAN-1999-0532
Nessus ID : 10595 |
Warning |
domain (53/tcp) |
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties' names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf
If you are using another name server, consult its documentation.
Risk factor : Serious
CVE : CVE-1999-0024
BID : 678
Nessus ID : 10539 |
Informational |
domain (53/tcp) |
The remote bind version is : 9.2.1
Nessus ID : 10028 |
Informational |
domain (53/tcp) |
A DNS server is running on this port. If you
do not use it, disable it.
Risk factor : Low
Nessus ID : 11002 |
Vulnerability |
www (80/tcp) |
'cgiwrap' is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
*** Note that not all versions of cgiwrap are affected
*** by this problem! Consult your vendor.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-1530, CVE-2000-0431
BID : 777, 1238
Nessus ID : 10041 |
Warning |
www (80/tcp) |
ht://Dig's configuration file is located at: /etc/
CVE : CAN-2000-1191
Nessus ID : 10385 |
Warning |
www (80/tcp) |
The remote host is using a version of OpenSSL which is
older than 0.9.6j or 0.9.7b
This version is vulnerable to a timing based attack which may
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.
An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate your server and perform man in the middle attacks.
*** Nessus solely relied on the banner of the remote host
*** to issue this warning
See also : http://www.openssl.org/news/secadv_20030219.txt
http://lasecwww.epfl.ch/memo_ssl.shtml
http://eprint.iacr.org/2003/052/
Solution : Upgrade to version 0.9.6j (0.9.7b) or newer
Risk factor : Medium
CVE : CAN-2003-0078, CAN-2003-0131
BID : 6884, 7148
Nessus ID : 11267 |
Warning |
www (80/tcp) |
Your webserver supports the TRACE and/or TRACK methods. It has been
shown that servers supporting these methods are subject
to cross-site-scripting attacks, dubbed XST for
'Cross-Site-Tracing', when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Risk factor : Medium
Nessus ID : 11213 |
Warning |
www (80/tcp) |
The 'printenv' CGI is installed.
printenv normally returns all environment variables.
This gives an attacker valuable information about the
configuration of your web server.
Solution : Remove it from /cgi-bin.
Risk factor : Medium
Nessus ID : 10188 |
Warning |
www (80/tcp) |
The remote host is running a version of PHP earlier than 4.2.2.
The mail() function does not properly sanitize user input.
This allows users to forge email to make it look like it is
coming from a source other than the server.
Users can exploit this even if SAFE_MODE is enabled.
Solution : Contact your vendor for the latest PHP release.
Risk factor : Medium
CVE : CAN-2002-0985
BID : 5562
Nessus ID : 11444 |
Warning |
www (80/tcp) |
The remote host is running a version of PHP which is
older than 4.3.2
There is a flaw in this version which may allow an attacker who has the
ability to inject an arbitrary argument to the function socket_iovec_alloc()
to crash the remote service and possibly to execute arbitrary code.
For this attack to work, PHP has to be compiled with the option
--enable-sockets (which is disabled by default), and an attacker needs to
be able to pass arbitrary values to socket_iovec_alloc().
Other functions are vulnerable to such flaws : openlog(), socket_recv(),
socket_recvfrom() and emalloc()
Solution : Upgrade to PHP 4.3.2
Risk factor : Low
CVE : CAN-2003-0172
BID : 7187, 7197, 7198, 7199, 7210, 7256, 7259
Nessus ID : 11468 |
Informational |
www (80/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
www (80/tcp) |
The following directories were discovered:
/cgi-bin, /css, /icons, /images, /noticias, /prueba, /~admin
Nessus ID : 11032 |
Informational |
www (80/tcp) |
The remote web server type is :
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107 |
Informational |
www (80/tcp) |
An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
Nessus ID : 10766 |
Informational |
pop3 (110/tcp) |
A pop3 server is running on this port
Nessus ID : 10330 |
Informational |
pop3 (110/tcp) |
The remote POP3 server leaks information about the software it is running,
through the login banner. This may assist an attacker in choosing an attack
strategy.
Versions and types should be omitted where possible.
The version of the remote POP3 server is :
+OK domeyko.dii.uchile.cl v2001.78rh server ready
Solution : Change the login banner to something generic.
Risk factor : Low
Nessus ID : 10185 |
Informational |
imap2 (143/tcp) |
An IMAP server is running on this port
Nessus ID : 10330 |
Informational |
imap2 (143/tcp) |
The remote imap server banner is :
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] domeyko.dii.uchile.cl IMAP4rev1 2001.315rh at Mon, 15 Dec 2003 22:59:38 -0300 (CLST)
Versions and types should be omitted where possible.
Change the imap banner to something generic.
Nessus ID : 11414 |
Vulnerability |
https (443/tcp) |
'cgiwrap' is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
*** Note that not all versions of cgiwrap are affected
*** by this problem! Consult your vendor.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-1530, CVE-2000-0431
BID : 777, 1238
Nessus ID : 10041 |
Warning |
https (443/tcp) |
The SSLv2 server offers 5 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack.
Solution: disable those ciphers and upgrade your client
software if necessary.
Nessus ID : 10863 |
Warning |
https (443/tcp) |
ht://Dig's configuration file is located at: /etc/
CVE : CAN-2000-1191
Nessus ID : 10385 |
Warning |
https (443/tcp) |
The remote host is using a version of OpenSSL which is
older than 0.9.6j or 0.9.7b
This version is vulnerable to a timing based attack which may
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.
An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate your server and perform man in the middle attacks.
*** Nessus solely relied on the banner of the remote host
*** to issue this warning
See also : http://www.openssl.org/news/secadv_20030219.txt
http://lasecwww.epfl.ch/memo_ssl.shtml
http://eprint.iacr.org/2003/052/
Solution : Upgrade to version 0.9.6j (0.9.7b) or newer
Risk factor : Medium
CVE : CAN-2003-0078, CAN-2003-0131
BID : 6884, 7148
Nessus ID : 11267 |
Warning |
https (443/tcp) |
Your webserver supports the TRACE and/or TRACK methods. It has been
shown that servers supporting these methods are subject
to cross-site-scripting attacks, dubbed XST for
'Cross-Site-Tracing', when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Risk factor : Medium
Nessus ID : 11213 |
Warning |
https (443/tcp) |
The 'printenv' CGI is installed.
printenv normally returns all environment variables.
This gives an attacker valuable information about the
configuration of your web server.
Solution : Remove it from /cgi-bin.
Risk factor : Medium
Nessus ID : 10188 |
Warning |
https (443/tcp) |
The remote host is running a version of PHP earlier than 4.2.2.
The mail() function does not properly sanitize user input.
This allows users to forge email to make it look like it is
coming from a source other than the server.
Users can exploit this even if SAFE_MODE is enabled.
Solution : Contact your vendor for the latest PHP release.
Risk factor : Medium
CVE : CAN-2002-0985
BID : 5562
Nessus ID : 11444 |
Warning |
https (443/tcp) |
The remote host is running a version of PHP which is
older than 4.3.2
There is a flaw in this version which may allow an attacker who has the
ability to inject an arbitrary argument to the function socket_iovec_alloc()
to crash the remote service and possibly to execute arbitrary code.
For this attack to work, PHP has to be compiled with the option
--enable-sockets (which is disabled by default), and an attacker needs to
be able to pass arbitrary values to socket_iovec_alloc().
Other functions are vulnerable to such flaws : openlog(), socket_recv(),
socket_recvfrom() and emalloc()
Solution : Upgrade to PHP 4.3.2
Risk factor : Low
CVE : CAN-2003-0172
BID : 7187, 7197, 7198, 7199, 7210, 7256, 7259
Nessus ID : 11468 |
Informational |
https (443/tcp) |
A TLSv1 server answered on this port
Nessus ID : 10330 |
Informational |
https (443/tcp) |
A web server is running on this port through SSL
Nessus ID : 10330 |
Informational |
https (443/tcp) |
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Jul 23 14:53:19 2002 GMT
Not After : Jul 23 14:53:19 2003 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AD:D5:5D:0E:BB:74:50:A0:DF:B7:3B:76:CD:3B:CD:30:69:CC:D7:91
X509v3 Authority Key Identifier:
keyid:AD:D5:5D:0E:BB:74:50:A0:DF:B7:3B:76:CD:3B:CD:30:69:CC:D7:91
DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
Nessus ID : 10863 |
Informational |
https (443/tcp) |
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
Nessus ID : 10863 |
Informational |
https (443/tcp) |
This TLSv1 server also accepts SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
Nessus ID : 10863 |
Informational |
https (443/tcp) |
The following directories were discovered:
/cgi-bin, /css, /icons, /images, /noticias, /prueba, /~admin
Nessus ID : 11032 |
Informational |
https (443/tcp) |
The remote web server type is :
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107 |
Informational |
https (443/tcp) |
An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
Nessus ID : 10766 |
Warning |
imaps (993/tcp) |
The SSLv2 server offers 3 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack.
Solution: disable those ciphers and upgrade your client
software if necessary.
Nessus ID : 10863 |
Informational |
imaps (993/tcp) |
A TLSv1 server answered on this port
Nessus ID : 10330 |
Informational |
imaps (993/tcp) |
An IMAP server is running on this port through SSL
Nessus ID : 10330 |
Informational |
imaps (993/tcp) |
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Jul 23 15:02:45 2002 GMT
Not After : Jul 23 15:02:45 2003 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
16:9F:CF:B8:63:6F:4C:92:39:15:DE:59:1E:4A:07:A5:07:89:12:8E
X509v3 Authority Key Identifier:
keyid:16:9F:CF:B8:63:6F:4C:92:39:15:DE:59:1E:4A:07:A5:07:89:12:8E
DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
Nessus ID : 10863 |
Informational |
imaps (993/tcp) |
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC3-MD5
Nessus ID : 10863 |
Informational |
imaps (993/tcp) |
This TLSv1 server also accepts SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
Nessus ID : 10863 |
Informational |
imaps (993/tcp) |
The remote imap server banner is :
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] domeyko.dii.uchile.cl IMAP4rev1 2001.315rh at Mon, 15 Dec 2003 22:59:32 -0300 (CLST)
Versions and types should be omitted where possible.
Change the imap banner to something generic.
Nessus ID : 11414 |
Informational |
mysql (3306/tcp) |
An unknown service is running on this port.
It is usually reserved for MySQL
Nessus ID : 10330 |
Informational |
mysql (3306/tcp) |
Remote MySQL version : 3.23.58
Nessus ID : 10719 |
Informational |
dec-notes (3333/tcp) |
An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 73 68 2d 32 2e 30 35 61 24 20 sh-2.05a$
Nessus ID : 11154 |
Warning |
http-alt (8000/tcp) |
Your webserver supports the TRACE and/or TRACK methods. It has been
shown that servers supporting these methods are subject
to cross-site-scripting attacks, dubbed XST for
'Cross-Site-Tracing', when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Risk factor : Medium
Nessus ID : 11213 |
Informational |
http-alt (8000/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
http-alt (8000/tcp) |
The remote web server type is :
Squid/2.4.STABLE6
Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.
Nessus ID : 10107 |
Informational |
general/udp |
For your information, here is the traceroute to 146.83.5.11 :
Nessus ID : 10287 |
Informational |
domain (53/udp) |
A DNS server is running on this port. If you
do not use it, disable it.
Risk factor : Low
Nessus ID : 11002 |
Informational |
general/tcp |
Remote OS guess : Panasonic IP Technology Broadband Networking Gateway, KX-HGW200
CVE : CAN-1999-0454
Nessus ID : 11268 |