Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test : 1
Number of security holes found : 3
Number of security warnings found : 4


Host List
Host(s) Possible Issue
localhost Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
localhost ftp (21/tcp) Security hole found
localhost smtp (25/tcp) Security notes found
localhost http (80/tcp) Security warning(s) found
localhost nessus (1241/tcp) Security warning(s) found
localhost mysql (3306/tcp) Security notes found
localhost unknown (10024/tcp) Security warning(s) found
localhost unknown (10025/tcp) Security warning(s) found
localhost unknown (12525/tcp) No Information
localhost ntp (123/udp) Security notes found
localhost general/tcp Security hole found


Security Issues and Fixes: localhost
Type Port Issue and Fix
Vulnerability ftp (21/tcp)
The remote Wu-FTPd server seems to be vulnerable to a remote flaw.

This version fails to properly check bounds on a pathname when Wu-Ftpd is
compiled with MAIL_ADMIN enabled, resulting in a buffer overflow. With a
specially crafted request, an attacker can possibly execute arbitrary code
as the user Wu-Ftpd runs as (usually root), resulting in a loss of integrity
and/or availability.

It should be noted that this vulnerability is not present within the default
installation of Wu-Ftpd.

The server must be configured using the 'MAIL_ADMIN' option to notify an
administrator when a file has been uploaded.

*** Nessus solely relied on the banner of the remote server
*** to issue this warning, so it may be a false positive.

Solution : Upgrade to Wu-FTPd 2.6.3 when available
Risk factor : High
BID : 8668
Other references : OSVDB:2594
Nessus ID : 14371
Vulnerability ftp (21/tcp)
The remote Wu-FTPd server seems to be vulnerable to a remote overflow.

This version contains a remote overflow if S/Key support is enabled.
The skey_challenge function fails to perform bounds checking on the
name variable, resulting in a buffer overflow.
With a specially crafted request, an attacker can execute arbitrary
code, resulting in a loss of integrity and/or availability.

It appears that this vulnerability may be exploited prior to authentication.
It is reported that S/Key support is not enabled by default,
though some operating system distributions which ship Wu-Ftpd may have it
enabled.

*** Nessus solely relied on the banner of the remote server
*** to issue this warning, so it may be a false positive.


Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the
patches available at http://www.wu-ftpd.org

Risk factor : High
CVE : CVE-2004-0185
BID : 8893
Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1
Nessus ID : 14372
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 mail.mlpub.co.uk FTP server (Version wu-2.6.2(1) Mon Dec 11 13:26:04 UTC 2006) ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 mail.mlpub.co.uk FTP server (Version wu-2.6.2(1) Mon Dec 11 13:26:04 UTC 2006) ready.
Nessus ID : 10092
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 mail.mlpub.co.uk ESMTP Postfix (Helloooo)
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 mail.mlpub.co.uk ESMTP Postfix (Helloooo)

This is probably: Postfix
Nessus ID : 10263
Warning http (80/tcp)
Some web servers use a file called /robot(s).txt to make search engines and
any other indexing tools visit their web pages more frequently and
more efficiently.

By connecting to the server and requesting the /robot(s).txt file, an
attacker may gain additional information about the system they are
attacking, such as restricted directories, hidden directories and CGI script
directories.

Take special care not to tell the robots not to index sensitive directories,
since this tells attackers exactly which of your directories are sensitive.

The file 'robots.txt' contains the following:
User-agent: *
Disallow: /cgi-bin/
Disallow: /search.php
Disallow: /cart.php
Disallow: /giftcert.php
Disallow: /orders.php
Disallow: /register.php
Disallow: /icon.php
Disallow: /image.php
Disallow: /error_message.php
Disallow: /offers.php
Disallow: /product_image.php
Disallow: /shop_closed.html

Risk factor : Medium
Nessus ID : 10302
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

Apache

and the 'ServerTokens' directive is set to ProductOnly.
Apache does not permit hiding the server type entirely.

Nessus ID : 10107
Informational http (80/tcp) The following directories were discovered:
/logs, /css, /files, /images, /js, /mail

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Informational http (80/tcp) Here is the Nikto report:
---------------------------------------------------------------------------
- Nikto 1.35/1.35 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Mon Dec 8 22:37:39 2008
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache
+ The root file (/) redirects to: /home.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt - contains 12 'disallow' entries which should be manually viewed (added to mutation file lists) (GET).
+ / - Redirects to /home.php , Default EMC Cellera manager server is running.
+ / - Redirects to /home.php , Appears to be a default Apache Tomcat install.
+ / - Redirects to /home.php , Appears to be a default Apache Tomcat install.
+ / - Redirects to /home.php , Default EMC ControlCenter manager server is running.
+ / - Redirects to /home.php , Appears to be a default Apache install.
+ / - Redirects to /home.php , Appears to be a default Apache install.
+ / - Redirects to /home.php , Default Jrun 2 server running.
+ / - Redirects to /home.php , Cisco VoIP Phone deafult web server found.
+ / - Redirects to /home.php , Default Sybase Jaguar CTS server running.
+ / - Redirects to /home.php , Default Jrun 3 server running.
+ / - Redirects to /home.php , Default Lantronix printer found.
+ / - Redirects to /home.php , Default IBM Tivoli Server Administration server is running.
+ / - Redirects to /home.php , Default Jrun 4 server running.
+ / - Redirects to /home.php , Default Xerox WorkCentre server is running.
+ /?D=A - Redirects to /home.php , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?M=A - Redirects to /home.php , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?N=D - Redirects to /home.php , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?S=A - Redirects to /home.php , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ // - Redirects to /home.php , Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ // - Redirects to /home.php , By sending an OPTIONS request for /, the physical path to PHP can be revealed.
+ /index.php?name=forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects to /home.php , phpBB is vulnerable to a highlight command execution or SQL inection vulnerability, used by the Santy.A worm. CERT VU497400. OSVDB-11719.

+ Over 20 "Moved" messages, this may be a by-product of the
+ server answering all requests with a "302" or "301" Moved message. You should
+ manually verify your results.
+ /search.php?searchfor=\"><script>alert('Vulnerable');</script> - Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /mail/ - This might be interesting... (GET)
+ /admin/auth.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ 2037 items checked - 4 item(s) found on remote host(s)
+ End Time: Mon Dec 8 22:37:49 2008 (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nessus ID : 14260
Warning nessus (1241/tcp) A Nessus Daemon is listening on this port.
Nessus ID : 10147
Informational nessus (1241/tcp) A TLSv1 server answered on this port

Nessus ID : 10330
Informational nessus (1241/tcp) Here is the TLSv1 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=Some-State, O=Nessus Users United, OU=Certification Authority for mail.mlpub.co.uk, CN=mail.mlpub.co.uk/emailAddress=ca@mail.mlpub.co.uk
Validity
Not Before: Dec 8 22:27:39 2008 GMT
Not After : Dec 8 22:27:39 2009 GMT
Subject: C=FR, ST=Some-State, O=Nessus Users United, OU=Server certificate for mail.mlpub.co.uk, CN=mail.mlpub.co.uk/emailAddress=nessusd@mail.mlpub.co.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:01:61:25:9F:8A:6F:FA:30:A1:AE:59:12:BB:4E:27:6C:28:D8:17
X509v3 Authority Key Identifier:
keyid:3B:EB:92:11:01:78:A0:AF:D8:0A:C3:B9:F5:73:F1:AF:2A:9C:4A:82
DirName:/C=FR/ST=Some-State/O=Nessus Users United/OU=Certification Authority for mail.mlpub.co.uk/CN=mail.mlpub.co.uk/emailAddress=ca@mail.mlpub.co.uk
serial:DA:7B:9E:A4:21:80:F7:42

X509v3 Subject Alternative Name:
email:nessusd@mail.mlpub.co.uk
X509v3 Issuer Alternative Name:
<EMPTY>

Signature Algorithm: md5WithRSAEncryption
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server does not accept SSLv3 connections.

Nessus ID : 10863
Informational mysql (3306/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
0x00: 46 00 00 00 0A 35 2E 30 2E 33 32 2D 44 65 62 69 F....5.0.32-Debi
0x10: 61 6E 5F 37 65 74 63 68 36 2D 6C 6F 67 00 37 06 an_7etch6-log.7.
0x20: 00 00 42 5E 32 7D 41 6C 7D 4E 00 2C A2 08 02 00 ..B^2}Al}N.,....
0x30: 00 00 00 00 00 00 00 00 00 00 00 00 00 4F 7E 50 .............O~P
0x40: 54 33 42 32 72 67 32 60 6D 00 T3B2rg2`m.

Nessus ID : 11154
Warning unknown (10024/tcp) This SMTP server is running on a non-standard port.
This might be a backdoor set up by crackers to send spam
or even to control your machine.

Solution: Check and clean your configuration
Risk factor : Medium
Nessus ID : 18391
Informational unknown (10024/tcp) An SMTP server is running on this port
Here is its banner :
220 [127.0.0.1] ESMTP amavisd-new service ready
Nessus ID : 10330
Informational unknown (10024/tcp) Remote SMTP server banner :
220 [127.0.0.1] ESMTP amavisd-new service ready

Nessus ID : 10263
Warning unknown (10025/tcp) This SMTP server is running on a non-standard port.
This might be a backdoor set up by crackers to send spam
or even to control your machine.

Solution: Check and clean your configuration
Risk factor : Medium
Nessus ID : 18391
Informational unknown (10025/tcp) An SMTP server is running on this port
Here is its banner :
220 mail.mlpub.co.uk ESMTP Postfix (Helloooo)
Nessus ID : 10330
Informational unknown (10025/tcp) Remote SMTP server banner :
220 mail.mlpub.co.uk ESMTP Postfix (Helloooo)

This is probably: Postfix
Nessus ID : 10263
Informational ntp (123/udp) It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables; these include the
OS descriptor and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.2.2p4@1.1585-o Sun Mar 4 13:21:35 UTC 2007 (1)',
processor='i686', system='Linux/2.6.18-6-686', leap=1, stratum=3,
precision=-20, rootdelay=24.834, rootdispersion=39.548, peer=36039,
refid=145.24.129.6, reftime=0xcce81cba.1a427bb9, poll=10,
clock=0xcce82023.ffab2a49, state=4, offset=2.023, frequency=19.977,
jitter=1.581, noise=0.589, stability=0.002, tai=0

Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
Nessus ID : 10884
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.8
Plugin feed version : 200605221015
Type of plugin feed : GPL only
Scanner IP : 127.0.0.1
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506

This file was generated by Nessus, the open-sourced security scanner.