Scribd
Upload
124 views

Scan Report PDF

The light vulnerability scan of a website found several medium and low level issues but no high risk vulnerabilities. The full scan available with a PRO account would scan for additional vulnerability types including SQL injection, cross-site scripting, file inclusion, and discovery of sensitive files that may pose higher risks. Several vulnerabilities were found related to outdated server-side software including PHP and an Apache HTTP server.

Uploaded by

Julian Martinez
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
124 views

Scan Report PDF

The light vulnerability scan of a website found several medium and low level issues but no high risk vulnerabilities. The full scan available with a PRO account would scan for additional vulnerability types including SQL injection, cross-site scripting, file inclusion, and discovery of sensitive files that may pose higher risks. Several vulnerabilities were found related to outdated server-side software including PHP and an Apache HTTP server.

Uploaded by

Julian Martinez
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Website Vulnerability Scanner Report (Light)

Get a PRO Account to unlock the FULL capabilities of this scanner

See wh at th e FULL scan n er can d o

Perform in-depth website scanning and discover high risk vulnerabilities.

Testi n g areas Li gh t scan Fu l l scan

Website fingerprinting  

Version-based vulnerability detection  


Common configuration issues  

SQL injection  

Cross-Site Scripting  

Local/Remote File Inclusion  

Remote command execution  

Discovery of sensitive files  

 https://www.siesa.com/siesa-cloud-services/

Summary

Ov erall risk lev el: Risk rat ings: Scan informat ion:
H igh High: 1 Start time: 2020-05-23 05:49:38 UTC+03
Medium: 3 Finish time: 2020-05-23 05:50:24 UTC+03

Low: 3 Scan duration: 46 sec

Info: 3 Tests performed: 10/10

Scan status: Finished

Findings

 Vulnerabilities found for server-side software


Ris k A ffe c te d
C VS S C VE S umma ry E xploit
Le ve l s oftwa re

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in


PHP and other products, launches an rsh command (by means of the imap_rimap
function in c-client/imap4r1.c and the tcp_aopen function in
osdep/unix/tcp_unix.c) without preventing argument injection, which might allow
 8.5 CVE-2018-19518 remote attackers to execute arbitrary OS commands if the IMAP server name is N/A PHP 5.6.28
untrusted input (e.g., entered by a user of a web application) and if rsh has been
replaced by a program with different argument semantics. For example, if rsh is
a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an
IMAP server name containing a "-oProxyCommand" argument.

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and
2.2.x through 2.2.19 allows remote attackers to cause a denial of service
(memory and CPU consumption) via a Range header that expresses multiple http_server
 7.8 CVE-2011-3192 N/A
overlapping ranges, as exploited in the wild in August 2011, a different 2.2.15
vulnerability than CVE-2007-0086.

1/6
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can
 7.5 CVE-2019-9020 N/A PHP 5.6.28
lead to an invalid memory access (heap out of bounds read or read after free).
This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading
functions in the PHAR extension may allow an attacker to read allocated or
 7.5 CVE-2019-9021 N/A PHP 5.6.28
unallocated memory past the actual data when trying to parse the file name, a
different vulnerability than CVE-2018-20783. This is related to
phar_detect_phar_fname_ext in ext/phar/phar.c.

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read
instances are present in mbstring regular expression functions when supplied
with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c,
 7.5 CVE-2019-9023 N/A PHP 5.6.28
ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c,
ext/mbstring/oniguruma/enc/unicode.c, and
ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression
pattern contains invalid multibyte sequences.

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before
 7.5 CVE-2019-9641 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in N/A PHP 5.6.28
exif_process_IFD_in_TIFF.

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server


before 2.4.5 proceeds with save operations for a session without considering the http_server
 7.5 CVE-2013-2249 N/A
dirty flag and the requirement for a new session ID, which has unspecified impact 2.2.15
and remote attack vectors.

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the
http_server
 7.5 CVE-2017-3167 ap_get_basic_auth_pw() by third-party modules outside of the authentication N/A
2.2.15
phase may lead to authentication requirements being bypassed.

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may
http_server
 7.5 CVE-2017-3169 dereference a NULL pointer when third-party modules call N/A
2.2.15
ap_hook_process_connection() during an HTTP request to an HTTPS port.

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24
introduced a bug in token list parsing, which allows ap_find_token() to search past
http_server
 7.5 CVE-2017-7668 the end of its input string. By maliciously crafting a sequence of request headers, N/A
2.2.15
an attacker may be able to cause a segmentation fault, or to force
ap_find_token() to return an incorrect value.

 Details

Ris k de s c ription:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service
attacks. An attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to attack the
system.

Re c omme nda tion:


We recommend you to upgrade the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

 Insecure HTTP cookies


C ookie Na me Fla g s mis s ing

S1ES4__qLfXkhmjl Secure, HttpOnly

S1ES4_BHlZgoixYQaTzI_ Secure, HttpOnly

 Details

Ris k de s c ription:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made.
Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie
of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (ex. JavaScript, VBScript, etc). This can be exploited
by an attacker in conjuction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker
could gain unauthorized access to the victim's web session.

2/6
Re c omme nda tion:
We recommend reconfiguring the web server in order to set the flag(s) Secure , HttpOnly to all sensitive cookies.

More information about this issue:


https://blog.dareboost.com/en/2016/12/secure-cookies-secure-httponly-flags/.

 Server SSL certificate is not trusted


Httpsconnectionpool(host='www.siesa.com', port=443): max retries exceeded with url: /siesa-cloud-services/ (caused by sslerror(sslerror(1, u'
[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:661)'),))
URL: https://www.siesa.com/siesa-cloud-services/

 Details

Ris k de s c ription:
The SSL certificate presented by the web server is not trusted by web browsers. This makes it really difficult for humans to distinguish between
the real certificate presented by the server and a fake SSL certificate. An attacker could easily mount a man-in-the-middle attack in order to
sniff the SSL communication by presenting the user a fake SSL certificate.

Re c omme nda tion:


We recommend you to configure a trusted SSL certificate for the web server.

Here are some examples of how to configure SSL for various servers:
Apache: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Nginx: http://nginx.org/en/docs/http/configuring_https_servers.html

 Directory listing is enabled


https://www.siesa.com/new/wp-includes/

https://www.siesa.com/new/wp-content/uploads/2020/01/

https://www.siesa.com/new/wp-content/plugins/caldera-forms/assets/js/i18n/

https://www.siesa.com/new/wp-content/themes/porto/js/libs/

https://www.siesa.com/new/wp-content/plugins/pixelyoursite/dist/scripts/

https://www.siesa.com/new/wp-includes/js/jquery/

https://www.siesa.com/new/wp-content/plugins/caldera-forms/assets/build/js/

https://www.siesa.com/new/wp-content/plugins/page-scroll-to-id/js/

https://www.siesa.com/new/wp-includes/js/

https://www.siesa.com/new/wp-content/plugins/webservice-millenium-contactenos/

https://www.siesa.com/new/wp-content/plugins/js_composer/assets/js/dist/

https://www.siesa.com/new/wp-content/plugins/vc-extensions-bundle/css/

https://www.siesa.com/new/wp-content/themes/siesa/

 Details

Ris k de s c ription:
An attacker can see the entire structure of files and subdirectories from the affected URL. It is often the case that sensitive files are 'hidden'
among public files in that location and attackers can use this vulnerability to access them.

Re c omme nda tion:


We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive files
at the mentioned URLs.

More information about this issue:


http://projects.webappsec.org/w/page/13246922/Directory%20Indexing.

3/6
 Server software and technology found
S oftwa re / Ve rs ion C a te g ory

CentOS Operating Systems

Apache 2.2.15 Web Servers

PHP 5.6.28 Programming Languages

Twitter Bootstrap Web Frameworks

WordPress 5.3.3 CMS, Blogs

Google Font API Font Scripts

Modernizr JavaScript Frameworks

OWL Carousel Widgets

jQuery JavaScript Frameworks

 Details

Ris k de s c ription:
An attacker could use this information to mount specific attacks against the identified software type and version.

Re c omme nda tion:


We recommend you to eliminate the information which permit the identification of software platform, technology, server and operating system:
HTTP server headers, HTML meta information, etc.

More information about this issue:


https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002).

 Missing HTTP security headers


H T T P S e c urity H e a de r H e a de r Role S ta tus

X-Frame-Options Protects against Clickjacking attacks Not set

X-XSS-Protection Mitigates Cross-Site Scripting (XSS) attacks Not set

Strict-Transport-Security Protects against man-in-the-middle attacks Not set

X-Content-Type-Options Prevents possible phishing or XSS attacks Not set

 Details

Ris k de s c ription:
Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By
manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus
performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described
in detail here:
https://www.owasp.org/index.php/Clickjacking

The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS)
attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

The HTTP Strict-Transport-Security header instructs the browser not to load the website via plain HTTP connection but always use HTTPS. Lack of
this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-
middle attack and intercepts the communication between the user and the server.

The HTTP X-Content-Type-Options header is addressed to Internet Explorer browser and prevents it from reinterpreting the content of a web
page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as Cross-Site
Scripting or phishing.

Re c omme nda tion:


We recommend you to add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking
attacks.
More information about this issue:

4/6
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block".


More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

We recommend setting the Strict-Transport-Security header.


More information about this issue:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

We recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".


More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

 Robots.txt file found


https://www.siesa.com/robots.txt

 Details

Ris k de s c ription:
There is no particular security risk in having a robots.txt file. However, this file is often misused to try to hide some web pages from the users.
This should not be done as a security measure because these URLs can easily be read from the robots.txt file.

Re c omme nda tion:


We recommend you to remove the entries from robots.txt which lead to sensitive locations in the website (ex. administration panels,
configuration files, etc).

More information about this issue:


https://www.theregister.co.uk/2015/05/19/robotstxt/

 No security issue found regarding client access policies

 No password input found (auto-complete test)

 No password input found (clear-text submission test)

5/6
Scan coverage information

List of tests performed (10/ 10)


 Fingerprinting the server software and technology...
 Checking for vulnerabilities of server-side software...
 Analyzing the security of HTTP cookies...
 Analyzing HTTP security headers...
 Checking for secure communication...
 Checking robots.txt file...
 Checking client access policies...
 Checking for directory listing (quick scan)...
 Checking for password auto-complete (quick scan)...
 Checking for clear-text submission of passwords (quick scan)...

Scan parameters
Website URL: https://www.siesa.com/siesa-cloud-services/
Scan type: Light
Authentication: False

6/6

You might also like