Scribd
Upload
65 views

Website Vulnerability Scanner Report (Light)

The light vulnerability scan of a website found the following issues: - Several vulnerabilities were found in Apache HTTP Server 2.4.29 that could allow remote code execution or replay of HTTP requests. - An insecure HTTP cookie was found missing the "Secure" and "HttpOnly" flags. - Directory listing was enabled on an images directory, exposing file structures. - The server was running Ubuntu with Apache 2.4.29 and other software like MODX, FlexSlider, Google Analytics, and jQuery 1.8.3.

Uploaded by

User Name
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
65 views

Website Vulnerability Scanner Report (Light)

The light vulnerability scan of a website found the following issues: - Several vulnerabilities were found in Apache HTTP Server 2.4.29 that could allow remote code execution or replay of HTTP requests. - An insecure HTTP cookie was found missing the "Secure" and "HttpOnly" flags. - Directory listing was enabled on an images directory, exposing file structures. - The server was running Ubuntu with Apache 2.4.29 and other software like MODX, FlexSlider, Google Analytics, and jQuery 1.8.3.

Uploaded by

User Name
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Website Vulnerability Scanner Report (Light)

Get a PRO Account to unlock the FULL capabilities of this scanner

See wh at th e FULL scan n er can d o

Perform in-depth website scanning and discover high risk vulnerabilities.

Testi n g areas Li gh t scan Fu l l scan

Website fingerprinting  

Version-based vulnerability detection  

Common configuration issues  

SQL injection  

Cross-Site Scripting  

Local/Remote File Inclusion  

Remote command execution  


Discovery of sensitive files  

 https://www.e-angajare.md/

Summary

Ov erall risk lev el: Risk rat ings: Scan informat ion:
H igh High: 1 Start time: 2020-10-27 08:02:32 UTC+02
Medium: 2 Finish time: 2020-10-27 08:02:37 UTC+02

Low: 3 Scan duration: 5 sec

Info: 4 Tests performed: 10/10

Scan status: Finished

Findings

 Vulnerabilities found for server-side software


Ris k A ffe c te d
C VS S C VE S umma ry E xploit
Le ve l s oftwa re

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or
prefork, code executing in less-privileged child processes or threads (including
http_server
 7.2 CVE-2019-0211 scripts executed by an in-process scripting interpreter) could execute arbitrary N/A
2.4.29
code with the privileges of the parent process (usually root) by manipulating the
scoreboard. Non-Unix systems are not affected.

In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a
newline character in a malicious filename, rather than matching only the end of
http_server
 6.8 CVE-2017-15715 the filename. This could be exploited in environments where uploads of some N/A
2.4.29
files are are externally blocked, but only by matching the trailing portion of the
filename.

1/4
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication
challenge, the nonce sent to prevent reply attacks was not correctly generated
using a pseudo-random seed. In a cluster of servers using a common Digest http_server
 6.8 CVE-2018-1312 N/A
authentication configuration, HTTP requests could be replayed across servers by 2.4.29
an attacker without detection.

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2
http_server
 6.4 CVE-2019-10082 session handling could be made to read memory after being freed, during N/A
2.4.29
connection shutdown.

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in
mod_auth_digest when running in a threaded server could allow a user with valid http_server
 6 CVE-2019-0217 N/A
credentials to authenticate using another username, bypassing configured 2.4.29
access control restrictions.

 Details

Ris k de s c ription:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service
attacks. An attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to attack the
system.

Re c omme nda tion:


We recommend you to upgrade the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

 Insecure HTTP cookies


C ookie Na me Fla g s mis s ing

SN51ed349f1b694 Secure, HttpOnly

 Details

Ris k de s c ription:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made.
Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie
of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (ex. JavaScript, VBScript, etc). This can be exploited
by an attacker in conjuction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker
could gain unauthorized access to the victim's web session.

Re c omme nda tion:


We recommend reconfiguring the web server in order to set the flag(s) Secure , HttpOnly to all sensitive cookies.

More information about this issue:


https://blog.dareboost.com/en/2016/12/secure-cookies-secure-httponly-flags/.

 Directory listing is enabled


https://www.e-angajare.md/images/

 Details

Ris k de s c ription:
An attacker can see the entire structure of files and subdirectories from the affected URL. It is often the case that sensitive files are 'hidden'
among public files in that location and attackers can use this vulnerability to access them.

Re c omme nda tion:


We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive files
at the mentioned URLs.

More information about this issue:


http://projects.webappsec.org/w/page/13246922/Directory%20Indexing.

 Server software and technology found

2/4
S oftwa re / Ve rs ion C a te g ory

Ubuntu Operating Systems

Apache 2.4.29 Web Servers

MODX CMS

FlexSlider Widgets

Google Analytics Analytics

jQuery 1.8.3 JavaScript Frameworks

 Details

Ris k de s c ription:
An attacker could use this information to mount specific attacks against the identified software type and version.

Re c omme nda tion:


We recommend you to eliminate the information which permit the identification of software platform, technology, server and operating system:
HTTP server headers, HTML meta information, etc.

More information about this issue:


https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html.

 Missing HTTP security headers


H T T P S e c urity H e a de r H e a de r Role S ta tus

X-Frame-Options Protects against Clickjacking attacks Not set

X-XSS-Protection Mitigates Cross-Site Scripting (XSS) attacks Not set

Strict-Transport-Security Protects against man-in-the-middle attacks Not set

X-Content-Type-Options Prevents possible phishing or XSS attacks Not set

 Details

Ris k de s c ription:
Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By
manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus
performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described
in detail here:
https://owasp.org/www-community/attacks/Clickjacking

The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS)
attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

The HTTP Strict-Transport-Security header instructs the browser not to load the website via plain HTTP connection but always use HTTPS. Lack of
this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-
middle attack and intercepts the communication between the user and the server.

The HTTP X-Content-Type-Options header is addressed to Internet Explorer browser and prevents it from reinterpreting the content of a web
page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as Cross-Site
Scripting or phishing.

Re c omme nda tion:


We recommend you to add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking
attacks.
More information about this issue:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block".


More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

We recommend setting the Strict-Transport-Security header.

3/4
More information about this issue:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

We recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".


More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

 Robots.txt file found


https://www.e-angajare.md/robots.txt

 Details

Ris k de s c ription:
There is no particular security risk in having a robots.txt file. However, this file is often misused to try to hide some web pages from the users.
This should not be done as a security measure because these URLs can easily be read from the robots.txt file.

Re c omme nda tion:


We recommend you to remove the entries from robots.txt which lead to sensitive locations in the website (ex. administration panels,
configuration files, etc).

More information about this issue:


https://www.theregister.co.uk/2015/05/19/robotstxt/

 Communication is secure

 No security issue found regarding client access policies

 No password input found (auto-complete test)

 No password input found (clear-text submission test)

Scan coverage information

List of tests performed (10/ 10)


 Fingerprinting the server software and technology...
 Checking for vulnerabilities of server-side software...
 Analyzing the security of HTTP cookies...
 Analyzing HTTP security headers...
 Checking for secure communication...
 Checking robots.txt file...
 Checking client access policies...
 Checking for directory listing (quick scan)...
 Checking for password auto-complete (quick scan)...
 Checking for clear-text submission of passwords (quick scan)...

Scan parameters
Website URL: https://www.e-angajare.md/
Scan type: Light
Authentication: False

4/4

You might also like