The remote host is running an obsolete operating system.
According to its version, the remote Unix operating system is obsolete and no longer maintained by its vendor or provider.
Lack of support implies that no new security patches will be released for it.
Upgrade to a newer version.
Critical
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Publication date: 2008/08/08, Modification date: 2012/06/13
Ubuntu 6.06 support ended on 2011-06-01.
Upgrade to Ubuntu 12.04.
For more information, see : https://wiki.ubuntu.com/Releases
The remote SSH server is affected by multiple vulnerabilities.
According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities :
- A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled.
- A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled.
- When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service.
- On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.
http://www.openssh.com/txt/release-4.4
Upgrade to OpenSSH 4.4 or later.
High
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
BID | 20216
BID | 20241
BID | 20245
CVE | CVE-2006-4924
CVE | CVE-2006-4925
CVE | CVE-2006-5051
CVE | CVE-2006-5052
CVE | CVE-2006-5229
CVE | CVE-2007-3102
CVE | CVE-2008-4109
XREF | OSVDB:29152
XREF | OSVDB:29264
XREF | OSVDB:29266
XREF | OSVDB:29494
XREF | OSVDB:32721
XREF | OSVDB:39214
XREF | CWE:362
Publication date: 2006/09/28, Modification date: 2011/11/16
The remote SSH service is affected by multiple vulnerabilities.
According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities :
- A client-side null pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925)
- A privilege separation vulnerability that could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. (CVE-2006-5794)
- An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any processes that rely on a trust relationship with the server. This issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)
Note that the authentication bypass vulnerability is only exploitable when other vulnerabilities are present.
http://www.openssh.org/txt/release-4.5
http://support.apple.com/kb/TA24626
http://openssh.com/security.html
Upgrade to OpenSSH 4.5 or later.
For Mac OS X 10.3, apply Security Update 2007-003.
For Mac OS X 10.4, upgrade to 10.4.9.
High
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
BID | 20956
CVE | CVE-2006-4925
CVE | CVE-2006-5794
CVE | CVE-2007-0726
XREF | OSVDB:29494
XREF | OSVDB:30232
XREF | OSVDB:34850
Publication date: 2011/10/04, Modification date: 2011/11/16
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.5
Remote attackers may be able to bypass authentication.
According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.
http://www.openssh.com/txt/release-4.7
Upgrade to OpenSSH 4.7 or later.
High
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
BID | 25628
CVE | CVE-2007-4752
CVE | CVE-2007-2243
XREF | OSVDB:34600
XREF | OSVDB:43371
XREF | CWE:20
Publication date: 2011/10/04, Modification date: 2011/11/16
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.7
The SSL certificate for this service is for a different host.
The commonName (CN) of the SSL certificate presented on this port is for a different machine.
Purchase or generate a proper certificate for this service.
Medium
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Publication date: 2010/04/03, Modification date: 2012/04/02
The following hostnames were checked :
lvps83-169-53-201.dedicated.hosteurope.de
The SSL certificate for this service cannot be trusted.
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or was not possible to verify. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that hackervaccine either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Purchase or generate a proper certificate for this service.
Medium
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Publication date: 2010/12/15, Modification date: 2012/01/28
The following certificates were at the top of the certificate
chain sent by the remote host, but are signed by an unknown
certificate authority :
|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, Inc./OU=Herndon/E=info@parallels.com/L=Herndon/C=US/ST=VA
|-Issuer : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, Inc./OU=Herndon/E=info@parallels.com/L=Herndon/C=US/ST=VA
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Purchase or generate a proper certificate for this service.
Medium
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Publication date: 2012/01/17, Modification date: 2012/01/17
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : CN=lvps83-169-53-201.dedicated.hosteurope.de/O=Parallels, Inc./OU=Herndon/E=info@parallels.com/L=Herndon/C=US/ST=VA
It may be possible to send spoofed RST packets to the remote system.
The remote host might be vulnerable to a sequence number approximation bug, which may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc...).
See http://www.securityfocus.com/bid/10183/solution/
Medium
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
BID | 10183
CVE | CVE-2004-0230
XREF | OSVDB:4030
Publication date: 2004/04/25, Modification date: 2012/06/14
The SSH server on the remote host has multiple denial of service vulnerabilities.
According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities :
- A denial of service vulnerability exists in the gss-serv.c 'ssh_gssapi_parse_ename' function. A remote attacker may be able to trigger this vulnerability if gssapi-with-mic is enabled to create a denial of service condition via a large value in a certain length field. (CVE-2011-5000)
- On FreeBSD, NetBSD, OpenBSD, and other products, a remote, authenticated attacker could exploit the remote_glob() and process_put() functions to cause a denial of service (CPU and memory consumption). (CVE-2010-4755)
http://cxsecurity.com/research/89
http://site.pi3.com.pl/adv/ssh_1.txt
Upgrade to OpenSSH 5.9 or later.
Medium
4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
BID | 54114
CVE | CVE-2010-4755
CVE | CVE-2011-5000
XREF | OSVDB:75248
XREF | OSVDB:75249
XREF | OSVDB:81500
Publication date: 2011/11/18, Modification date: 2012/06/26
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.9
The remote host is susceptible to an information disclosure attack.
When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEY authentication exists.
Note that hackervaccine has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.
http://www.hackervaccine.org/u?87921f08
A patch currently does not exist for this issue. As a workaround, either set 'ChallengeResponseAuthentication' in the OpenSSH config to 'no' or use a version of OpenSSH without S/KEY support compiled in.
Medium
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.8 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
BID | 23601
CVE | CVE-2007-2243
XREF | OSVDB:34600
XREF | CWE:287
Publication date: 2011/11/18, Modification date: 2011/11/18
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
The remote host is susceptible to an information disclosure attack.
When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain user accounts.
Note that hackervaccine has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it does not detect if the remote host actually has OPIE for PAM installed.
http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html
A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed.
Medium
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE | CVE-2007-2768
XREF | OSVDB:34601
Publication date: 2011/11/18, Modification date: 2011/11/18
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
The remote SSH server may permit anonymous port bouncing.
According to its banner, the remote host is running OpenSSH, version 2.3.0 or later. Such versions of OpenSSH allow forwarding TCP connections. If the OpenSSH server is configured to allow anonymous connections (e.g. AnonCVS), remote, unauthenticated users could use the host as a proxy.
http://marc.info/?l=bugtraq&m=109413637313484&w=2
http://www.hackervaccine.org/u?2c86d008
Disallow anonymous users, set AllowTcpForwarding to 'no', or use the Match directive to restrict anonymous users.
Medium
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVE | CVE-2004-1653
XREF | OSVDB:9562
Publication date: 2011/12/01, Modification date: 2011/12/01
Version source : ssh-2.0-openssh_4.2p1 debian-7ubuntu3.2
Installed version : 4.2p1
The remote service encrypts traffic using a protocol with known weaknesses.
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Medium
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE | CVE-2005-2969
Publication date: 2005/10/12, Modification date: 2012/04/02
The remote service supports the use of weak SSL ciphers.
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
http://www.openssl.org/docs/apps/ciphers.html
Reconfigure the affected application if possible to avoid use of weak ciphers.
Medium
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
XREF | CWE:327
XREF | CWE:326
XREF | CWE:753
XREF | CWE:803
XREF | CWE:720
Publication date: 2007/10/08, Modification date: 2012/04/02
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
The remote SSH service is prone to an X11 session hijacking vulnerability.
According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0
Upgrade to OpenSSH version 5.0 or later.
Medium
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
BID | 28444
CVE | CVE-2008-1483
CVE | CVE-2008-3234
XREF | OSVDB:43745
XREF | OSVDB:48791
XREF | Secunia:29522
XREF | CWE:264
Publication date: 2008/04/03, Modification date: 2011/11/16
The remote OpenSSH server returned the following banner :
SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
The remote service supports the use of medium strength SSL ciphers.
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Medium
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Publication date: 2009/11/23, Modification date: 2012/04/02
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
The SSH service running on the remote host has an information disclosure vulnerability.
The version of OpenSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.
http://www.hackervaccine.org/u?4984aeb9
http://www.openssh.com/txt/cbc.adv
http://www.openssh.com/txt/release-5.2
Upgrade to OpenSSH 5.2 or later.
Medium
4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)
BID | 32319
CVE | CVE-2008-5161
XREF | OSVDB:50036
XREF | CERT:958563
XREF | CWE:200
Publication date: 2011/09/27, Modification date: 2011/09/28
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.2
The version of SSH running on the remote host has a command injection vulnerability.
According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.
https://bugzilla.mindrot.org/show_bug.cgi?id=1094
http://www.openssh.com/txt/release-4.3
Upgrade to OpenSSH 4.3 or later.
Medium
4.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.8 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)
BID | 16369
CVE | CVE-2006-0225
XREF | OSVDB:22692
Publication date: 2011/10/04, Modification date: 2012/04/10
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.3
The remote SSH service is affected by a security bypass vulnerability.
According to its banner, the version of OpenSSH installed on the remote host is earlier than 4.9. It may allow a remote, authenticated user to bypass the 'sshd_config' 'ForceCommand' directive by modifying the '.ssh/rc' session file.
http://www.openssh.org/txt/release-4.9
Upgrade to OpenSSH version 4.9 or later.
Medium
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.4 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
BID | 28531
CVE | CVE-2008-1657
XREF | OSVDB:43911
XREF | CWE:264
Publication date: 2011/10/04, Modification date: 2011/10/05
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 4.9
The remote SSH service may be affected by multiple vulnerabilities.
According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7 may be affected by the following vulnerabilities :
- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that hackervaccine has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)
- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys command options, which allows remote, authenticated users to obtain potentially sensitive information by reading these messages. (CVE-2012-0814)
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://www.hackervaccine.org/u?3f1722f0
Upgrade to OpenSSH 5.7 or later.
Medium
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
BID | 45304
BID | 51702
CVE | CVE-2010-4478
CVE | CVE-2012-0814
XREF | OSVDB:69658
Publication date: 2011/10/04, Modification date: 2012/05/04
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.7
Auto-complete is not disabled on password fields.
The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.
Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.
Medium
4.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N)
Publication date: 2011/09/27, Modification date: 2011/09/28
Page : /vz/cp
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?doReturn=Return&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ja&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=es&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=ログインボタン&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ru&doLogin
=Iniciar sesión&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=de&doLogin
=Log in&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=en&doLogin
=Вход&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=zh_TW&doLo
gin=Anmelden&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
Page : /vz/cp/login-wrapper?LoginUser=&LoginPass=&active_lang=ja&doLogin
=Login_button&js_mode=0&java_mode='notdef'
Destination Page : https://testphp.vulnweb.com:4643/vz/cp/login-wrapper
Input name : LoginPass
The remote SSH service may be affected by an X11 forwarding port hijacking vulnerability.
According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to hijack the X11 forwarding port. The application improperly sets the 'SO_REUSEADDR' socket option when the 'X11UseLocalhost' configuration option is disabled.
Note that most operating systems, when attempting to bind to a port that has previously been bound with the 'SO_REUSEADDR' option, will check that either the effective user-id matches the previous bind (common BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). This is not the case with other operating systems such as HP/UX.
http://www.openssh.org/txt/release-5.1
Upgrade to OpenSSH version 5.1 or later.
Low
1.2 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)
1.0 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)
BID | 30339
CVE | CVE-2008-3259
XREF | OSVDB:47227
XREF | CWE:200
Publication date: 2011/10/04, Modification date: 2011/10/05
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.1
Some CGIs are candidate for extended injection tests.
hackervaccine was able to inject innocuous strings into CGI parameters and read them back in the HTTP response.
The affected parameters are candidates for extended injection tests like cross-site scripting attacks.
This is not a weakness per se, the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.
n/a
Low
XREF | CWE:86
Publication date: 2010/07/26, Modification date: 2011/09/21
Using the GET HTTP method, hackervaccine found that :
+ The following resources may be vulnerable to injectable parameter :
+ The 'LoginUser' parameter of the /vz/cp/login-wrapper CGI :
/vz/cp/login-wrapper?LoginUser=acnetf
-------- output --------
<td><img src="/vz/skins/winxp.new/images/1x1.gif" width="10" heigh [...]
<td width="40%"><font style="color:#111111">Username</font></td>
<td align="left" width="60%"><input type="text" name="LoginUser" class="
FlatInput" title="Username" value="acnetf"></td>
</tr>
<tr>
------------------------
/vz/cp/login-wrapper?doReturn=Return&LoginUser=acnetf&LoginPass=&js_mode
=0&doLogin=Login_button&java_mode='notdef'&active_lang=zh_TW
-------- output --------
<td><img src="/vz/skins/winxp.new/images/1x1.gif" width="10" heigh [...]
<td width="40%"><font style="color:#111111">使用者名稱</font></td>
<td align="left" width="60%"><input type="text" name="LoginUser" class="
FlatInput" title="使用者名稱" value="acnetf"></td>
</tr>
<tr>
------------------------
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
https://testphp.vulnweb.com:4643/vz/cp/login-wrapper?LoginUser=acnetf
Local attackers may be able to access sensitive information.
According to its banner, the version of OpenSSH running on the remote host is earlier than 5.8p2. Such versions may be affected by a local information disclosure vulnerability that could allow the contents of the host's private key to be accessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow the impersonation of the host.
Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the case for *BSD, OS X, Cygwin and Linux.
http://www.openssh.com/txt/portable-keysign-rand-helper.adv
http://www.openssh.com/txt/release-5.8p2
Upgrade to Portable OpenSSH 5.8p2 or later.
Low
2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
BID | 47691
XREF | OSVDB:72183
XREF | Secunia:44347
Publication date: 2011/05/09, Modification date: 2011/11/15
Version source : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
Installed version : 4.2p1
Fixed version : 5.8p2
The remote service could be identified.
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
n/a
None
Publication date: 2007/08/19, Modification date: 2012/06/25
An SSH server is running on this port.
A TLSv1 server answered on this port.
A web server is running on this port through TLSv1.
It is possible to determine which TCP ports are open.
This plugin is a SYN 'half-open' port scanner.
It shall be reasonably quick even against a firewalled target.
Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.
Protect your target with an IP filter.
None
Port 22/tcp was found to be open
Port 80/tcp was found to be open
Port 4643/tcp was found to be open
Port 8443/tcp was found to be open
A web server is running on the remote host.
This plugin attempts to determine the type and the version of the remote web server.
n/a
None
Publication date: 2000/01/04, Modification date: 2012/06/04
The remote web server type is :
Apache
and the 'ServerTokens' directive is ProductOnly
Apache does not offer a way to hide the server type.
This plugin displays the SSL certificate.
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
n/a
None
Publication date: 2008/05/19, Modification date: 2012/04/02
Subject Name:
Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: info@parallels.com
Locality: Herndon
Country: US
State/Province: VA
Issuer Name:
Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: info@parallels.com
Locality: Herndon
Country: US
State/Province: VA
Serial Number: 00 F4 00 89 ED 2C 35 1C 8D
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Jun 25 10:30:23 2012 GMT
Not Valid After: Jun 25 10:30:23 2013 GMT
Public Key Info:
Algorithm: RSA Encryption
Exponent: 01 00 01
Subject Name:
Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: info@parallels.com
Locality: Herndon
Country: US
State/Province: VA
Issuer Name:
Common Name: lvps83-169-53-201.dedicated.hosteurope.de
Organization: Parallels, Inc.
Organization Unit: Herndon
Email Address: info@parallels.com
Locality: Herndon
Country: US
State/Province: VA
Serial Number: 00 F4 00 89 ED 2C 35 1C 8D
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Jun 25 10:30:23 2012 GMT
Not Valid After: Jun 25 10:30:23 2013 GMT
Public Key Info:
Algorithm: RSA Encryption
Exponent: 01 00 01
The remote service encrypts communications using SSL.
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
http://www.openssl.org/docs/apps/ciphers.html
n/a
None
Publication date: 2006/06/05, Modification date: 2012/05/03
Here is the list of SSL ciphers supported by the remote server :
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Here is the list of SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
The SSL certificate commonName does not match the host name.
This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
None
Publication date: 2010/04/03, Modification date: 2012/04/02
The host name known by hackervaccine is : testphp.vulnweb.com
The CommonName of the certificate is : lvps83-169-53-201.dedicated.hosteurope.de.
The host name known by hackervaccine is : testphp.vulnweb.com
The CommonName of the certificate is : lvps83-169-53-201.dedicated.hosteurope.de.
The remote host allows resuming SSL sessions.
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
n/a
None
Publication date: 2011/02/07, Modification date: 2012/04/19
This port supports resuming SSLv3 sessions.
This port supports resuming SSLv3 sessions.
The remote service encrypts communications.
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
n/a
None
Publication date: 2011/12/01, Modification date: 2012/06/23
This port supports SSLv3/TLSv1.0.
This port supports SSLv2/SSLv3/TLSv1.0.
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
n/a
None
Publication date: 2011/12/07, Modification date: 2012/04/02
Here is the list of SSL PFS ciphers supported by the remote server :
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Here is the list of SSL PFS ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
An SSH server is listening on this port.
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
n/a
None
Publication date: 1999/10/12, Modification date: 2011/10/24
SSH version : SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.2
It was possible to obtain traceroute information.
Makes a traceroute to the remote host.
n/a
None
Publication date: 1999/11/27, Modification date: 2012/02/23
For your information, here is the traceroute from 10.0.0.4 to 87.230.87.158 :
10.0.0.4
10.0.0.1
192.168.1.254
99.37.251.254
99.171.168.129
151.164.188.145
12.123.16.77
192.205.32.190
206.165.75.2
80.237.129.117
176.28.4.50
?
87.230.87.158
hackervaccine crawled the remote web site.
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host.
It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
n/a
None
Publication date: 2001/05/04, Modification date: 2012/06/07
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/vz/cp/login-wrapper (LoginPass [] doLogin [Log in] js_mode [0] doReturn [Return] LoginUser ...)
A DNS server is listening on the remote host.
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.
http://en.wikipedia.org/wiki/Domain_Name_System
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
None
Publication date: 2003/02/13, Modification date: 2011/03/11
It is possible to enumerate directories on the web server.
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
http://projects.webappsec.org/Predictable-Resource-Location
n/a
None
XREF: OWASP:OWASP-CM-006
Publication date: 2002/06/26, Modification date: 2012/04/14
The following directories were discovered:
/cgi-bin, /error, /icons
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
It is possible to guess the remote operating system.
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.
n/a
None
Publication date: 2003/12/09, Modification date: 2012/04/06
Remote operating system : Linux Kernel 2.6 on Ubuntu 6.06 (dapper)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 6.06 (dapper)
It was possible to resolve the name of the remote host.
hackervaccine was able to resolve the FQDN of the remote host.
n/a
None
Publication date: 2004/02/11, Modification date: 2011/07/14
87.230.87.158 resolves as testphp.vulnweb.com.
Information about the hackervaccine scan.
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the hackervaccine Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
n/a
None
Publication date: 2005/08/26, Modification date: 2012/04/18
Information about this scan :
hackervaccine version : 5.0.1
Plugin feed version : 201206261238
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.0.0.4
Port scanner(s) : hackervaccine_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2012/6/26 16:45
Scan duration : 12093 sec
Some information about the remote HTTP configuration can be extracted.
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
n/a
None
Publication date: 2007/01/30, Modification date: 2011/05/31
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Wed, 27 Jun 2012 00:12:38 GMT
Server: Apache
Location: https://testphp.vulnweb.com:4643/vz/cp/
Content-Length: 294
Connection: close
Content-Type: text/html; charset=iso-8859-1
The remote service implements TCP timestamps.
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
http://www.ietf.org/rfc/rfc1323.txt
n/a
None
Publication date: 2007/05/16, Modification date: 2011/03/20
The remote host is behind a firewall.
Based on the responses obtained by the SYN or TCP port scanner, it was possible to determine that the remote host seems to be protected by a firewall.
n/a
None
Publication date: 2007/10/26, Modification date: 2012/02/22
Load estimation for web application tests.
This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.
The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.
Note that the script does not try to compute this duration based on external factors such as the network and web servers loads.
n/a
None
Publication date: 2009/10/26, Modification date: 2012/02/14
Here are the estimated number of requests in miscellaneous modes
for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
blind SQL injection : S=84 SP=516 AP=1164 SC=2016 AC=11088
directory traversal (extended test) : S=357 SP=2193 AP=4947 SC=8568 AC=47124
arbitrary command execution (time based) : S=42 SP=258 AP=582 SC=1008 AC=5544
local file inclusion : S=7 SP=43 AP=97 SC=168 AC=924
header injection : S=2 SP=2 AP=2 SC=2 AC=2
XML injection : S=7 SP=43 AP=97 SC=168 AC=924
script injection : S=1 SP=1 AP=1 SC=1 AC=1
blind SQL injection (4 requests) : S=28 SP=172 AP=388 SC=672 AC=3696
on site request forgery : S=1 SP=1 AP=1 SC=1 AC=1
cross-site scripting (comprehensive test): S=56 SP=344 AP=776 SC=1344 AC=7392
HTTP response splitting : S=9 SP=9 AP=9 SC=9 AC=9
SQL injection : S=175 SP=1075 AP=2425 SC=4200 AC=23100
arbitrary command execution : S=112 SP=688 AP=1552 SC=2688 AC=14784
cross-site scripting (extended patterns) : S=7 SP=7 AP=7 SC=7 AC=7
directory traversal : S=175 SP=1075 AP=2425 SC=4200 AC=23100
web code injection : S=7 SP=43 AP=97 SC=168 AC=924
injectable parameter : S=14 SP=86 AP=194 SC=336 AC=1848
format string : S=14 SP=86 AP=194 SC=336 AC=1848
SSI injection : S=21 SP=129 AP=291 SC=504 AC=2772
HTML injection : S=5 SP=5 AP=5 SC=5 AC=5
unseen parameters : S=245 SP=1505 AP=3395 SC=5880 AC=32340
SQL injection (2nd order) : S=7 SP=43 AP=97 SC=168 AC=924
directory traversal (write access) : S=14 SP=86 AP=194 SC=336 AC=1848
persistent XSS : S=28 SP=172 AP=388 SC=672 AC=3696
All tests : S=1418 SP=8582 AP=19328 SC=33457 AC=183901
Here are the estimated number of requests in miscellaneous modes
for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
blind SQL injection : S=168 SP=1032 AP=2328 SC=4032 AC=22176
directory traversal (extended test) : S=714 SP=4386 AP=9894 SC=17136 AC=94248
arbitrary command execution (time based) : S=84 SP=516 AP=1164 SC=2016 AC=11088
local file inclusion : S=14 SP=86 AP=194 SC=336 AC=1848
header injection : S=4 SP=4 AP=4 SC=4 AC=4
XML injection : S=14 SP=86 AP=194 SC=336 AC=1848
script injection : S=2 SP=2 AP=2 SC=2 AC=2
blind SQL injection (4 requests) : S=56 SP=344 AP=776 SC=1344 AC=7392
on site request forgery : S=2 SP=2 AP=2 SC=2 AC=2
cross-site scripting (comprehensive test): S=112 SP=688 AP=1552 SC=2688 AC=14784
HTTP response splitting : S=18 SP=18 AP=18 SC=18 AC=18
SQL injection : S=350 SP=2150 AP=4850 SC=8400 AC=46200
arbitrary command execution : S=224 SP=1376 AP=3104 SC=5376 AC=29568
cross-site scripting (extended patterns) : S=14 SP=14 AP=14 SC=14 AC=14
directory traversal : S=350 SP=2150 AP=4850 SC=8400 AC=46200
web code injection : S=14 SP=86 AP=194 SC=336 AC=1848
injectable parameter : S=28 SP=172 AP=388 SC=672 AC=3696
format string : S=28 SP=172 AP=388 SC=672 AC=3696
SSI injection : S=42 SP=258 AP=582 SC=1008 AC=5544
HTML injection : S=10 SP=10 AP=10 SC=10 AC=10
unseen parameters : S=490 SP=3010 AP=6790 SC=11760 AC=64680
SQL injection (2nd order) : S=14 SP=86 AP=194 SC=336 AC=1848
directory traversal (write access) : S=28 SP=172 AP=388 SC=672 AC=3696
persistent XSS : S=56 SP=344 AP=776 SC=1344 AC=7392
All tests : S=2836 SP=17164 AP=38656 SC=66914 AC=367802
Your mode : single, GET and POST, Paranoid.
Maximum number of requests : 2836
Some cookies have been set by the web server.
HTTP cookies are pieces of information that are presented by web servers and are sent back by the browser.
As HTTP is a stateless protocol, cookies are a possible mechanism to keep track of sessions.
This plugin displays the list of the HTTP cookies that were set by the web server when it was crawled.
n/a
None
Publication date: 2009/06/19, Modification date: 2011/03/15
path = /
name = vzcpLang
value = ja
version = 1
secure = 1
httponly = 0
This plugin determines which HTTP methods are allowed on various CGI directories.
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
n/a
None
Publication date: 2009/12/10, Modification date: 2011/07/08
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST are allowed on :
/error
/icons
/vz/cp
/vz/js
/vz/skins/winxp.new/images
Based on tests of each method :
- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX
LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS
ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :
/cgi-bin
/vz/cp
- HTTP methods GET HEAD OPTIONS POST are allowed on :
/
/error
/icons
/vz/js
/vz/skins/winxp.new/images
- Invalid/unknown HTTP methods are allowed on :
/cgi-bin
/vz/cp
It is possible to enumerate CPE names that matched on the remote system.
By using information obtained from a hackervaccine scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
http://cpe.mitre.org/
n/a
None
Publication date: 2010/04/21, Modification date: 2012/05/21
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:6.06 -> Canonical Ubuntu Linux 6.06
Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:4.2 -> OpenBSD OpenSSH 4.2
It is possible to guess the remote device type.
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
n/a
None
Publication date: 2011/05/23, Modification date: 2011/05/23
Remote device type : general-purpose
Confidence level : 95
A remote access software has been detected.
Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C in the ASV Program Guide, or disabled / removed. Please consult your ASV if you have questions about this Special Note.
n/a
None
Publication date: 2011/09/15, Modification date: 2012/01/24
An SSH server (remote terminal) is running on the remote host.