Network Vulnerability Assessment Report
09.10.2003
Sorted by host names

Session name: x-micro XWL-11bRRG
Start Time: 09.10.2003 19:09:46
Finish Time: 09.10.2003 19:14:14
Elapsed: 0 day(s) 00:04:27
Total records generated: 32
high severity: 1
low severity: 29
informational: 2


Summary of scanned hosts

Host          Holes   Warnings   Open ports   State
10.10.10.1    1       29         2            Finished


10.10.10.1

Service    Severity    Description
http (80/tcp)
Info
Port is open
domain (53/tcp)
Info
Port is open
general/tcp
High

The remote host seems to generate Initial Sequence Numbers
(ISN) in a weak manner which seems to solely depend
on the source and dest port of the TCP packets.

The Raptor Firewall and certain versions of Novell Netware are known
to be vulnerable to this flaw, and other products may be as well.

An attacker may use this flaw to establish spoofed connections
to the remote host.


Solution : If you are using a Raptor Firewall, see
http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html

If you are running Novell Netware 6, see:
http://support.novell.com/servlet/tidfinder/2964249

or else contact your vendor for a patch

Reference: http://online.securityfocus.com/archive/1/285729

Risk factor : High
CVE : CAN-2002-1463
general/tcp
Low
Remote OS guess : Linux Kernel 2.4.0 - 2.5.20

CVE : CAN-1999-0454
http (80/tcp)
Low

The remote web server is [mis]configured in that it
does not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map or search page instead.

Nessus enabled some counter measures for that; however,
they might be insufficient. If a great number of security
holes are reported for this port, they might not all be accurate.
http (80/tcp)
Low
The remote web server type is :

GoAhead-Webs


Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header so that it does not leak information.

http (80/tcp)
Low

The remote host is hosting the Pod.Board CGI suite,
a set of PHP scripts designed to manage online forums.

There is a cross site scripting issue in this suite which
may allow an attacker to steal the cookies of your legitimate
users, by luring them into clicking on a rogue URL.

Solution : None at this time
Risk factor : Low/Medium
BID : 7933
http (80/tcp)
Low
A web server is running on this port
http (80/tcp)
Low
The following directories were discovered:
/cgi-bin, /cgi-bin2
http (80/tcp)
Low

The remote host seems to be vulnerable to a security problem in
SquirrelMail. Its read_body.php does not filter user input for
'filter_dir' and 'mailbox', making an XSS attack possible.

Solution:
Upgrade to a newer version.

Risk factor : Medium
CVE : CAN-2002-1276, CAN-2002-1341
BID : 7019, 6302
http (80/tcp)
Low

The remote pafiledb.php is vulnerable to a cross site scripting
attack.

An attacker may use this flaw to steal the cookies of your users


Solution : Upgrade to paFileDB 3.0
Risk factor : Medium
BID : 6021
general/tcp
Low

The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
http (80/tcp)
Low

Basit CMS 1.0 has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.

In addition to this, it is vulnerable to a SQL injection
attack which may allow an attacker to gain control
of your database.

Solution : Upgrade to a newer version.
Risk factor : Medium
BID : 7139
http (80/tcp)
Low

Siteframe 2.2.4 has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.

In addition to this, another flaw in this package may allow an attacker to
obtain the physical path to the remote web root.

Solution : Upgrade to a newer version.
Risk factor : Medium
BID : 7140, 7143
http (80/tcp)
Low

The remote host is using XMB Forum.

This set of CGI is vulnerable to a cross-site-scripting issue
that may allow attackers to steal the cookies of your
users.

Solution: Upgrade to a newer version.
Risk factor : Medium
CVE : CAN-2002-0316, CAN-2003-0375
BID : 4944, 8013
http (80/tcp)
Low

ezPublish 2.2.7 has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.

In addition to this, another flaw may allow an attacker to store hostile
HTML code on the server side, which will be executed by the browser of the
administrative user when he views the server logs.

Solution : Upgrade to a newer version.
Risk factor : Medium
CVE : CAN-2003-0310
BID : 7137, 7138
http (80/tcp)
Low

The remote host is using ezPublish, a content management system.

There is a flaw in the remote ezPublish which lets an attacker
perform a cross site scripting attack. An attacker may use this
flaw to steal the cookies of your legitimate users.


Solution : Upgrade to ezPublish 3
Risk factor : Low/Medium
BID : 7616
http (80/tcp)
Low

osCommerce is a widely installed open source e-commerce solution.
An attacker may use a cross site scripting bug in it to perform a
cross site scripting attack on this host.

Solution : Upgrade to a newer version.
Risk factor : Medium
BID : 7156, 7151, 7153, 7158, 7155
http (80/tcp)
Low

The remote host is running Tmax Soft JEUS, a web application
written in Java.

There is a cross site scripting issue in this software which
may allow an attacker to steal the cookies of your legitimate
users, by luring them into clicking on a rogue URL through
the misuse of the file /url.jsp.


Solution : None at this time
Risk factor : Low/Medium
BID : 7969
general/udp
Low
For your information, here is the traceroute to 10.10.10.1 :
10.10.10.1

general/icmp
Low

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
http (80/tcp)
Low

The remote host has a CGI called 'testcgi.exe' installed
under /cgi-bin which is vulnerable to a cross site scripting
issue.


Solution: Upgrade to a newer version.
Risk factor : Low
BID : 7214
http (80/tcp)
Low

The remote web server is running P-Synch, a password management
system running over HTTP.

There is a flaw in the CGIs nph-psa.exe and nph-psf.exe which
may allow an attacker to make this host include remote
files, disclose the path to the p-synch installation or
produce arbitrary HTML code (cross-site scripting).

Solution : Upgrade to the latest version of P-Synch
Risk factor : Low
BID : 7740, 7745, 7747
http (80/tcp)
Low

Mambo Site Server is an open source Web Content Management System. An attacker
may use a cross site scripting bug in it to perform a cross site scripting
attack on this host.


Solution: Upgrade to a newer version.
Risk factor : Medium
BID : 7135
http (80/tcp)
Low
The remote web server seems to be vulnerable to Cross Site Scripting (XSS).
The vulnerability is caused by the result returned to the user when a
non-existing file is requested (e.g. the result contains the JavaScript
provided in the request).

The vulnerability would allow an attacker to make the server present the
user with the attacker's JavaScript/HTML code. Since the content is presented
by the server, the user will give it the trust level of the server (for
example, the trust level of banks, shopping centers, etc. would usually be high).

Risk factor : Medium

Solutions:

. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
- http://httpd.apache.org/info/css-security/
. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html
BID : 5305, 7353, 7344, 8037
http (80/tcp)
Low

Nuked-klan 1.3b has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.

In addition to this, another flaw may allow an attacker to obtain the physical
path of the remote CGI directory.

Solution : Upgrade to a newer version.
Risk factor : Medium
BID : 6916, 6917
http (80/tcp)
Low

The remote Auction Deluxe server is vulnerable to
a cross site scripting attack.

As a result, an attacker could easily steal the cookies
of your legitimate users and impersonate them.

Solution : Upgrade to Auction Deluxe 3.30 or newer
Risk factor : Medium
CVE : CAN-2002-0257
BID : 4069
http (80/tcp)
Low

DCP-Portal v5.3.1 has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.

Solution : Upgrade to a newer version.
Risk factor : Medium
BID : 7144, 7141
http (80/tcp)
Low

The remote host is running the Neoteris IVE.

There is a cross site scripting issue in this
server (in the CGI swsrv.cgi) which may allow
an attacker to perform a session hijacking.


Solution : Upgrade to version 3.1 of Neoteris IVE
Risk factor : Medium
CVE : CAN-2003-0217
http (80/tcp)
Low

The remote host is running the Xoops CGI suite.

There is a cross site scripting issue in this suite
which may allow an attacker to steal your users' cookies.

The flaw lies in the CGI glossaire-aff.php.

You are advised to remove this CGI.

Solution : None at this time
Risk factor : Medium
BID : 7356
http (80/tcp)
Low

The remote host is running the Bandmin CGI suite.

There is a cross site scripting issue in this suite
which may allow an attacker to steal your users' cookies.

The flaw lies in the CGI bandwitdh/index.php.

You are advised to remove this CGI.

Solution : None at this time
Risk factor : Medium
CVE : CAN-2003-0416
BID : 7729
http (80/tcp)
Low

The remote host is running a version of pMachine which is vulnerable
to two flaws :
- It is vulnerable to a path disclosure problem which may allow
an attacker to gain more knowledge about this host

- It is vulnerable to a cross-site-scripting attack which may allow
an attacker to steal the cookies of the legitimate users of
this service

Solution : None at this time. Disable this CGI suite.
Risk factor : Low/Medium
BID : 7980, 7981