
OWASP Top 10 Sample Report

This document provides a summary of the OWASP Top 10 security flaws, details on each flaw, requirements for PCI DSS Section 6.5 on coding best practices, and statistics on web and SQL events. It identifies the top 10 security flaws as injection, broken authentication, XSS, insecure object reference, security misconfiguration, sensitive data exposure, missing access control, CSRF, use of vulnerable components, and unvalidated redirects/forwards. For each flaw, it provides details on the risk and recommendations for remediation. It also covers coding practices required by PCI DSS for injection, buffer overflow, insecure communication, error handling, vulnerabilities, XSS, access control, and CSRF. The document concludes with statistics on

Uploaded by

duvierddr

OWASP Top Ten

June 5, 2014 at 12:52pm EDT

[codydumont]
SC RESEARCH
Confidential: The following report contains confidential information. Do not distribute,
email, fax, or transfer via any electronic mechanism unless it has been approved by the
recipient company's security policy. All copies and backups of this document should be
saved on protected storage at all times. Do not share any of the information contained
within this report with anyone unless they are authorized to view the information. Violating
any of the previous instructions is grounds for termination.
Table of Contents
About This Report

Executive Summary

OWASP Top 10 Security Flaws Details

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object Reference
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

PCI DSS Requirement 6.5 Common Coding Flaws

PCI DSS 6.5.1 Injection Flaws
PCI DSS 6.5.2 Buffer Overflow
PCI DSS 6.5.4 Insecure Communications
PCI DSS 6.5.5 Improper Error Handling
PCI DSS 6.5.6 All High Risk Vulnerabilities
PCI DSS 6.5.7 Cross-Site Scripting (XSS)
PCI DSS 6.5.8 Improper Access Control
PCI DSS 6.5.9 Cross-site Request Forgery (CSRF)

OWASP Web Events

Web Intrusion
Web Threatlist
Web Stats
Long Term Web Error Activity
PVS Detected Web Error
PVS Detected Web Access
Apache Web Error
Apache Web Access
IIS Web Error
IIS Web Access

OWASP SQL Events

Suspicious SQL User Database Dump
Suspicious SQL Command Execution
Suspicious SQL Injection Attack Detected
Suspicious SQL Query Detected
SQL Intrusion
Database Stats
SQL Error
SQL Login Failure



About This Report
Web application security is a key concern for SecurityCenter users. The software security community
created the Open Web Application Security Project (OWASP) to help educate developers and security
professionals. This dashboard provides SecurityCenter users the ability to monitor web application security
by identifying the top 10 most critical web application security flaws as described in OWASP’s Top Ten
awareness document.
SecurityCenter Continuous View (SCCV) customers have the ability to monitor web application security
through several methods, all of which are described in this report. The chapters in this report are focused on
web application vulnerabilities and logs collected from web servers. Additionally, event logs from SQL servers
are provided.
The Executive Summary chapter is comprised of seven components, starting with two 90-day trend graphs,
depicting critical and high severity vulnerabilities discovered over the past six months. There are two indicator
components that monitor web server, SQL Server, and IDS logs for web application events. The third indicator
component provides a view into several web application security issues starting with injection vulnerabilities
and ending with cross-site scripting (XSS) vulnerabilities. There is a table with all informational vulnerabilities
related to web application security. The final component is a detailed matrix showing vulnerabilities mapped
to the ten most critical web application security risks identified in OWASP’s Top Ten document.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 Security Flaws Details – This chapter covers in detail the 10 most common security flaws
identified in the OWASP Top 10. The chapter is broken down into a section for each security flaw, and
contains a pie chart and vulnerability summary table.
PCI DSS Requirement 6.5 Common Coding Flaws – This chapter reviews the requirements in PCI DSS
requirement 6.5. The requirement addresses many of the security flaws found in the OWASP Top 10. The
chapter is broken down into a section for each security flaw, and contains a pie chart and vulnerability
summary table.
OWASP Web Events – This chapter contains events collected by PVS and web applications, and can be used
to analyze the security of web applications. The chapter is broken into several sections and contains a network
summary pie chart, a list of normalized events, followed by a top 100 IP address summary.
OWASP SQL Events – This chapter contains events collected by Database and SQL applications, and can
be used to analyze the security of web applications. The chapter is broken into several sections and contains a
network summary pie chart, a list of normalized events, followed by a top 100 IP address summary.



Executive Summary
The OWASP Top 10 Indicators is a matrix comprised of three columns, with the first displaying a count of
affected hosts, followed by the number of vulnerabilities. The vulnerability count includes low, medium, high
and critical severities. The third column provides an analysis of known exploitable vulnerabilities. The data
collected by the matrix reports on vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers
plugin families for both active and passive vulnerabilities. The CGI Abuses family checks for web-based CGI
programs with publicly documented vulnerabilities. These checks include SQL injection, Local File Inclusion
(LFI), Remote File Inclusion (RFI), Directory Traversal, and more.
For web-based CGI programs with publicly documented cross-site scripting (XSS) vulnerabilities, the CGI
Abuses : XSS plugin family is used. For web server vulnerabilities, the Web Server plugin family can detect
vulnerabilities in web servers such as Apache HTTP Server, IBM Lotus Domino, Microsoft IIS, and many more.

OWASP Top 10 Indicators

System Vulnerabilities Exploitable

A1 – Injection 2 10 60%
A2 – Broken Authentication and Session Management 5 34 21%
A3 – Cross-Site Scripting (XSS) 2 6 60%
A4 – Insecure Direct Object Reference 5 49 45%
A5 – Security Misconfiguration 7 54 44%
A6 – Sensitive Data Exposure 5 30 6%
A7 – Missing Function Level Access Control 4 13 92%
A8 – Cross-Site Request Forgery (CSRF) 0 0 %
A9 – Using Known Vulnerable Components 4 22 68%
A10 – Unvalidated Redirects and Forwards 1 5 40%

The Web Application Result Indicator matrix provides a summary of the common web application security
flaws recommended for tracking in PCI DSS v3 Section 6.5.

Web Application Result Indicator

Injection Overflow
SSL Error Handling
CGI Generic XSS
High Web Vulns Critical Web Vulns



The 90 Day Trend Analysis for Critical Severity Web Vulnerabilities graph collects the vulnerabilities from the
CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities.
The CGI Abuses family checks for web-based CGI programs with publicly documented vulnerabilities. These
checks include SQL injection, Local File Inclusion (LFI), Remote File Inclusion (RFI), Directory Traversal, and
more. For web-based CGI programs with publicly documented cross-site scripting (XSS) vulnerabilities, the
CGI Abuses : XSS plugin family is used. For web server vulnerabilities, the Web Server plugin family can
detect vulnerabilities in web servers such as Apache HTTP Server, IBM Lotus Domino, Microsoft IIS, and
many more. The trend graph provides a trend analysis of all critical severity vulnerabilities over the past three
months.

90 Day Trend Analysis for Critical Severity Web Vulnerabilities

The Web Events matrix provides indicators for logs collected by LCE that reflect potential vulnerabilities to
web applications. The indicators focus on the intrusion, threatlist, stats, web-access, and web-error event
types. The indicators for threatlist and intrusion turn red when a match is found. The red indicator means
immediate attention is required to determine if a system has been compromised. The other indicators will turn
yellow when a match is found; these indicators suggest a warning, and should be reviewed to determine the
severity.

OWASP Web Events

Web Intrusion Web Threatlist


Web Stats Long Term Web Error Activity
PVS Detected Web Error PVS Detected Web Access
Apache Web Error Apache Web Access
IIS Web Error IIS Web Access



The 90 Day Trend Analysis for High Severity Web Vulnerabilities graph collects the vulnerabilities from the
CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities.
The CGI Abuses family checks for web-based CGI programs with publicly documented vulnerabilities. These
checks include SQL injection, Local File Inclusion (LFI), Remote File Inclusion (RFI), Directory Traversal, and
more. For web-based CGI programs with publicly documented cross-site scripting (XSS) vulnerabilities, the
CGI Abuses : XSS plugin family is used. For web server vulnerabilities, the Web Server plugin family can
detect vulnerabilities in web servers such as Apache HTTP Server, IBM Lotus Domino, Microsoft IIS, and many
more. The trend graph provides a trend analysis of all high severity vulnerabilities over the past three months.

90 Day Trend Analysis for High Severity Web Vulnerabilities

The SQL Events matrix provides indicators for logs collected by LCE that reflect potential vulnerabilities to
databases used in web applications. The first four indicators monitor specific normalized events, which are
commonly seen if a web application is compromised. These indicators will turn red when a match is found
and immediate attention is warranted. The fifth indicator is for all SQL intrusion events and will turn red when
a match is found and immediate attention is warranted. The remaining three indicators are for various SQL
related issues, which could indicate an attack is underway and will turn yellow when a match is found.

OWASP SQL Events

Suspicious SQL User Database Dump Suspicious SQL Command Execution


Suspicious SQL Injection Attack Detected Suspicious SQL Query Detected
SQL Intrusion Database Stats
SQL Error SQL Login Failure



The Web Informational Vulnerabilities table provides detailed information about web application services. The
information provided includes application versions, external URLs, harvested email addresses, file inventories
and more. This information may not represent a vulnerability; however, the information should be reviewed to
properly assess risk.

Web Informational Vulnerabilities

Plugin Plugin Name Family Severity Total

24260 HyperText Transfer Protocol (HTTP) Information Web Servers Info 25
10107 HTTP Server Type and Version Web Servers Info 25
43111 HTTP Methods Allowed (per directory) Web Servers Info 23
49704 External URLs Web Servers Info 13
47830 CGI Generic Injectable Parameter CGI abuses Info 13
33817 CGI Generic Tests Load Estimation (all tests) CGI abuses Info 13
10662 Web mirroring Web Servers Info 13
39470 CGI Generic Tests Timeout CGI abuses Info 11
11032 Web Server Directory Enumeration Web Servers Info 10
48243 PHP Version Web Servers Info 9
40773 Web Application Potentially Sensitive CGI Parameter Detection CGI abuses Info 9
40984 Browsable Web Directories CGI abuses Info 6
15588 Web Server SSL Port HTTP Traffic Detection Web Servers Info 6
49705 Web Server Harvested Email Addresses Web Servers Info 4
18261 Apache Banner Linux Distribution Disclosure Web Servers Info 4
10757 Webmin Detection CGI abuses Info 4
40406 CGI Generic Tests HTTP Errors CGI abuses Info 3
1442 Web Server Detection Web Servers Info 3
57323 OpenSSL Version Detection Web Servers Info 2
20108 Web Server / Application favicon.ico Vendor Fingerprinting Web Servers Info 2
18297 WordPress Detection CGI abuses Info 2
17219 phpMyAdmin Detection CGI abuses Info 2
15779 phpBB Detection CGI abuses Info 2
11422 Web Server Unconfigured - Default Install Page Present Web Servers Info 2
11419 Web Server Office File Inventory CGI abuses Info 2
10302 Web Server robots.txt Information Disclosure Web Servers Info 2
6479 HTTP Server Insecure Authentication (Basic) Web Servers Info 2
4667 Persistent Cookie Utilization Web Servers Info 2
4666 Internal IP Address Disclosure Web Servers Info 2
43401 phpLDAPadmin Detection CGI abuses Info 1
39446 Apache Tomcat Default Error Page Version Detection Web Servers Info 1
10386 Web Server No 404 Error Code Check Web Servers Info 1


OWASP Top 10 Security Flaws Details
A1 – Injection
A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an
interpreter as part of a command or query.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11767 phpBB viewtopic.php topic_id Parameter SQL Injection CGI abuses High 1
Description: There is a flaw in the version of phpBB hosted on the remote web server
that may allow anyone to inject arbitrary SQL commands, which could in
turn be used to gain administrative access on the remote host or to
obtain the MD5 hash of the password of any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11938 phpBB < 2.0.7 Multiple Script SQL Injection CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.7.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands, which may in turn be used to gain administrative
access on the remote host or to obtain the MD5 hash of the password of
any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


15780 phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses High 1
Description: The remote host is running phpBB.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands in the login form.

An attacker could exploit this flaw to bypass the authentication of the
remote host or execute arbitrary SQL statements against the remote
database.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


49067 CGI Generic HTML Injections (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed in a

OWASP Top 10 Security Flaws Details

OWASP Top Ten 8


user's browser within the security context of the affected site.

The remote web server may be vulnerable to IFRAME injections or


cross-site scripting attacks :

- IFRAME injections allow 'virtual defacement' that


might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks.

- XSS are extensively tested by four other scripts.

- Some applications (e.g. web forums) authorize a subset


of HTML without any ill effect. In this case, ignore
this warning.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


44135 Web Server Generic Cookie Injection CGI abuses Medium 1
Description: The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to inject arbitrary cookies. Depending
on the structure of the web application, it may be possible to launch
a 'session fixation' attack using this mechanism.

Please note that :

- Nessus did not check if the session fixation attack is
  feasible.

- This is not the only vector of session fixation.

Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache



A2 – Broken Authentication and Session Management
A2 – Broken Authentication and Session Management: Application functions related to authentication and
session management are often not implemented correctly, allowing attackers to compromise passwords,
keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


6017 PHP 5.3.7 crypt() MD5 Incorrect Return Value Web Servers High 1
Description: PHP version 5.3.7 contains a bug in the crypt() function when generating salted MD5 hashes. The function only returns the salt rather than
the salt and hash. Any authentication mechanism that uses crypt() could authorize all authentication attempts due to this bug.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6332 Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities Web Servers High 1
Description: Versions of Apache Tomcat 6.0.35 are potentially affected by multiple vulnerabilities :

- Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to
authentication bypass and disclosure of sensitive information. Note this vulnerability only occurs when the following are true (CVE-2011-3190):

  - the org.apache.jk.server.JkCoyoteHandler AJP connector is not used.
  - POST requests are accepted.

- Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11767 phpBB viewtopic.php topic_id Parameter SQL Injection CGI abuses High 1
Description: There is a flaw in the version of phpBB hosted on the remote web server
that may allow anyone to inject arbitrary SQL commands, which could in
turn be used to gain administrative access on the remote host or to
obtain the MD5 hash of the password of any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11938 phpBB < 2.0.7 Multiple Script SQL Injection CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.7.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands, which may in turn be used to gain administrative
access on the remote host or to obtain the MD5 hash of the password of
any user.

Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


13655 phpBB < 2.0.9 Multiple Vulnerabilities CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.9.

There is a flaw in the remote software that may allow anyone
to inject arbitrary SQL commands, which may in turn be used to
gain administrative access on the remote host or to obtain
the MD5 hash of the password of any user.

One vulnerability is reported to exist in 'admin_board.php'.
The other pertains to improper characters in the session id variable.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


15780 phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses High 1
Description: The remote host is running phpBB.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands in the login form.

An attacker could exploit this flaw to bypass the authentication of the
remote host or execute arbitrary SQL statements against the remote
database.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


56306 Web Server Allows Password Auto-Completion (PCI-DSS variant) Web Servers Medium 5
Description: The remote web server contains at least one HTML form field containing an
input of type 'password' where 'autocomplete' is not set to 'off'.

While this does not represent a risk to this web server per se, it
does mean that users who use the affected forms may have their
credentials saved in their browsers, which could in turn lead to a
loss of confidentiality if any of them use a shared host or their
machine is compromised at some point.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


2810 Autocomplete Not Disabled for 'Password' Field Web Servers Medium 1



Description: The remote web server is hosting a form that calls for a user password. However, the 'Autocomplete' functionality has not been disabled
for the password. When Autocomplete is enabled, the client machine will store the form data for future use. This can be very dangerous as attackers can
target confidential data that has been stored on the client computer.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6018 Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities Web Servers Medium 1
Description: Versions of Tomcat 6.x earlier than 6.0.33 are potentially affected by multiple vulnerabilities :

- An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204)

- An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO
connectors are enabled. (CVE-2011-2526)

- A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to
sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when the following are true: jsvc is compiled
with libpcap and the '-user' parameter is used. (CVE-2011-2729)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6657 Apache Tomcat 6.0.x < 6.0.36 Multiple Vulnerabilities Web Servers Medium 1
Description: Apache Tomcat versions earlier than 6.0.36 are potentially affected by multiple vulnerabilities :

- A flaw exists within the parseHeaders() function that could allow for a crafted header to cause a remote denial of service. (CVE-2012-2733)

- An error exists related to FORM authentication that can allow security bypass if 'j_security_check' is appended to the request. (CVE-2012-3546)

- An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow
access to protected resources without a session identifier. (CVE-2012-4431)

- An error exists related to the 'NIO' connector when HTTPS and 'sendfile' are enabled that can force the application into an infinite loop.
(CVE-2012-4534)

- Replay-countermeasure functionality in HTTP Digest Access Authentication tracks cnonce values instead of nonce values, which makes it easier for
attackers to bypass access restrictions by sniffing the network for valid requests. (CVE-2012-5885)

- HTTP Digest Access Authentication implementation caches information about the authenticated user, which could potentially allow an attacker to
bypass authentication via session ID. (CVE-2012-5886)

- HTTP Digest Access Authentication implementation does not properly check for stale nonce values with enforcement of proper credentials, which
allows an attacker to bypass restrictions by sniffing requests. (CVE-2012-5887)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6832 Apache Tomcat 6.0.x < 6.0.37 Multiple Vulnerabilities Web Servers Medium 1
Description: Versions of Apache Tomcat earlier than 6.0.37 are potentially affected by multiple vulnerabilities :

- An error exists related to chunked transfer encoding and extensions that could allow limited denial of service attacks. (CVE-2012-3544)

- An error exists related to HTML form authentication and session fixation that could allow an attacker to carry out requests using a victim's credentials.
(CVE-2013-2067)
Hosts in Repository 'net_10_31_112':



10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


47831 CGI Generic Cross-Site Scripting (comprehensive test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site. These XSS are likely to be 'non-persistent' or
'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


57640 Web Application Information Disclosure CGI abuses Medium 1
Description: At least one web application hosted on the remote web server
discloses the physical path to its directories when a malformed
request is sent to it.

Leaking this kind of information may help an attacker fine-tune
attacks against the application and its backend.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


26194 Web Server Uses Plain Text Authentication Forms Web Servers Low 2
Description: The remote web server contains several HTML form fields containing
an input of type 'password' which transmit their information to
a remote web server in cleartext.

An attacker eavesdropping the traffic between web browser and
server may obtain logins and passwords of valid users.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab

Plugin Plugin Name Family Severity Total


34850 Web Server Uses Basic Authentication Without HTTPS Web Servers Low 1
Description: The remote web server contains web pages that are protected by 'Basic'
authentication over plain text.

An attacker eavesdropping the traffic might obtain logins and passwords
of valid users.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu



A3 – Cross-Site Scripting (XSS)
A3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to
a web browser without proper validation or escaping.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


13840 phpBB < 2.0.10 Multiple XSS CGI abuses : XSS Medium 1
Description: The remote host is running a version of phpBB older than 2.0.10.

phpBB contains a flaw that allows a remote cross-site scripting attack.
This flaw exists because the application does not validate user-supplied
input in the 'search_author' parameter.

This version is also vulnerable to an HTTP response splitting attack
that permits the injection of CRLF characters in the HTTP headers.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


10815 Web Server Generic XSS CGI abuses : XSS Medium 1
Description: The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache

Plugin Plugin Name Family Severity Total


18626 phpBB < 2.0.17 Nested BBCode URL Tags XSS CGI abuses Low 1
Description: According to its banner, the remote host is running a version of phpBB
that fails to sanitize BBCode containing nested URL tags, which
enables attackers to cause arbitrary HTML and script code to be
executed in a user's browser within the context of the affected site.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu



A4 – Insecure Direct Object Reference
A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, or database key.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


5824 PHP 5.3 < 5.3.6 String To Double Conversion DoS Web Servers High 1
Description: Versions of PHP 5.3 earlier than 5.3.6 are potentially affected by multiple vulnerabilities :

- An error exists in the function '_zip_name_locate()' in the file 'ext/zip/lib/zip_name_locate.c' which allows a NULL pointer to be dereferenced when
processing an empty archive. (CVE-2011-0421)

- A variable casting error exists in the Exif extension's C function 'exif_process_IFD_TAG()' in the file 'ext/exif/exif.c' that could allow arbitrary code execution.
(CVE-2011-0708)

- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read' in the file 'ext/shmop/shmop.c'. (CVE-2011-1092)

- An error exists in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter which could lead to
information disclosure or memory corruption when handling PHP archives. (CVE-2011-1153)

- A buffer overflow error exists in the C function 'xbuf_format_converter' in the file 'main/snprintf.c' when the PHP configuration setting for 'precision' is
set to a large value. (Bug 54055)

- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


17694 Apache on Windows mod_alias URL Validation Canonicalization CGI Source Information Disclosure CGI abuses Medium 4
Description: The version of Apache installed on the remote Windows host can be
tricked into disclosing the source of its CGI scripts because of a
configuration issue. Specifically, if the CGI directory is located
within the document root, then requests that alter the case of the
directory name will bypass the mod_cgi cgi-script handler and be
treated as requests for ordinary files.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


17695 Apache Mixed Platform AddType Directive Information Disclosure Web Servers Medium 4
Description: The remote host appears to be running Apache. When Apache runs on a
Unix host with a document root on a Windows SMB share, remote,
unauthenticated attackers could obtain the unprocessed contents of the
directory. For example, requesting a PHP file with a trailing
backslash could display the file's source instead of executing it.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab



Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


46803 PHP expose_php Information Disclosure Web Servers Medium 4
Description: The PHP install on the remote server is configured in a way that
allows disclosure of potentially sensitive information to an attacker
through a special URL. Such a URL triggers an Easter egg built into
PHP itself.

Other such Easter eggs likely exist, but Nessus has not checked for
them.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


57640 Web Application Information Disclosure CGI abuses Medium 2
Description: At least one web application hosted on the remote web server
discloses the physical path to its directories when a malformed
request is sent to it.

Leaking this kind of information may help an attacker fine-tune
attacks against the application and its backend.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


5782 OpenSSL < 0.9.8r / 1.0.0d OCSP Stapling Denial of Service Web Servers Medium 1
Description: Versions of OpenSSL earlier than 0.9.8r and 1.0.0d are potentially affected by a vulnerability wherein an incorrectly formatted ClientHello
handshake message could cause OpenSSL to parse past the end of the message which could cause the web server to crash. There is also the potential
for information disclosure if OCSP nonce extensions are used.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6576 Apache 2.2 < 2.2.23 Multiple Vulnerabilities Web Servers Medium 1
Description: Apache versions earlier than 2.2.23 are affected by the following vulnerabilities.

- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility
could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)



- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks.
(CVE-2012-2687)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6928 PHP 5.3.x < 5.3.27 Information Disclosure Web Servers Medium 1
Description: PHP versions 5.3.x earlier than 5.3.23 are affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external
entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
The buffer overflow error that exists in the function '_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


10678 Apache mod_info /server-info Information Disclosure Web Servers Medium 1
Description: It is possible to obtain an overview of the remote Apache web server's
configuration by requesting the URL '/server-info'. This overview
includes information such as installed modules, their configuration,
and assorted run-time settings.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11229 Web Server info.php / phpinfo.php Detection CGI abuses Medium 1
Description: Many PHP installation tutorials instruct the user to create a PHP file
that calls the PHP function 'phpinfo()' for debugging purposes.
Various PHP applications may also include such a file. By accessing
such a file, a remote attacker can discover a large amount of
information about the remote web server, including :

- The username of the user who installed PHP and if they
  are a SUDO user.

- The IP address of the host.

- The version of the operating system.

- The web server version.

- The root directory of the web server.

- Configuration information about the remote PHP
  installation.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


39466 CGI Generic Cross-Site Scripting (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.



These XSS are likely to be 'non persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


57792 Apache HTTP Server httpOnly Cookie Information Disclosure Web Servers Medium 1
Description: The version of Apache HTTP Server running on the remote host has an
information disclosure vulnerability. Sending a request with HTTP
headers long enough to exceed the server limit causes the web server
to respond with an HTTP 400. By default, the offending HTTP header
and value are displayed on the 400 error page. When used in
conjunction with other attacks (e.g., cross-site scripting), this
could result in the compromise of httpOnly cookies.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


66585 PHP 5.4.x < 5.4.13 Information Disclosure CGI abuses Medium 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.13. It is, therefore, potentially affected
by an information disclosure vulnerability.

The fix for CVE-2013-1643 was incomplete and an error still exists in
the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to
handling external entities. This error could cause PHP to parse remote
XML documents defined by an attacker and could allow access to arbitrary
files.

Note that this plugin does not attempt to exploit the vulnerability, but
instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


71927 PHP 5.4.x < 5.4.24 Multiple Vulnerabilities CGI abuses Medium 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is a version prior to 5.4.24. It is, therefore, potentially
affected by the following vulnerabilities :

- A heap-based buffer overflow error exists in the file
  'ext/date/lib/parse_iso_intervals.c' related to
  handling DateInterval objects that could allow denial
  of service attacks. (CVE-2013-6712)

- An integer overflow error exists in the function
  'exif_process_IFD_TAG' in the file 'ext/exif/exif.c'
  that could allow denial of service attacks or arbitrary
  memory reads. (Bug #65873)

Note that this plugin does not attempt to exploit the vulnerabilities,
but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap



A5 – Security Misconfiguration
A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed
for the application, frameworks, application server, web server, database server, and platform.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


5824 PHP 5.3 < 5.3.6 String To Double Conversion DoS Web Servers High 1
Description: Versions of PHP 5.3 earlier than 5.3.6 are potentially affected by multiple vulnerabilities :

- An error exists in the function '_zip_name_locate()' in the file 'ext/zip/lib/zip_name_locate.c' which allows a NULL pointer to be dereferenced when
processing an empty archive. (CVE-2011-0421)

- A variable casting error exists in the Exif extension's C function 'exif_process_IFD_TAG()' in the file 'ext/exif/exif.c' that could allow arbitrary code execution.
(CVE-2011-0708)

- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read' in the file 'ext/shmop/shmop.c'. (CVE-2011-1092)

- An error exists in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter which could lead to
information disclosure or memory corruption when handling PHP archives. (CVE-2011-1153)

- A buffer overflow error exists in the C function 'xbuf_format_converter' in the file 'main/snprintf.c' when the PHP configuration setting for 'precision' is
set to a large value. (Bug 54055)

- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6304 PHP 5.3.9 php_register_variable_ex() Code Execution Web Servers High 1
Description: PHP version 5.3.9 is reportedly affected by a code execution vulnerability. Specifically, the fix for the hash collision denial of service
vulnerability (CVE-2011-4885) itself has introduced a remote code execution vulnerability in the php_register_variable_ex() in the file php_variables.c.
A new configuration variable, max_input_vars, was added as part of the fix. If the number of input variables exceeds this value and the variable being
processed is an array, code execution can occur.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6494 PHP 5.3.x < 5.3.13 CGI Query String Code Execution Web Servers High 1
Description: PHP versions earlier than 5.3.13 are affected by a code execution vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query
parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used by CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6495 PHP 5.4.x < 5.4.3 Multiple Vulnerabilities Web Servers High 1
Description: PHP versions earlier than 5.4.3 are affected by the following vulnerabilities.

- The fix for CVE-2012-1823 does not completely correct the CGI query parameter vulnerability. Disclosure of PHP source code and code execution via
query parameters are still possible. Note that this vulnerability is exploitable only when PHP is used by CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration. (CVE-2012-2311, CVE-2012-2335, CVE-2012-2336)

- An unspecified buffer overflow exists related to the function 'apache_request_headers'. (CVE-2012-2329)


Hosts in Repository 'net_10_31_112':



10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6993 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution Web Servers High 1
Description: PHP versions earlier than 5.3.12 / 5.4.2 are affected by the following vulnerabilities.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary
code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


17693 Apache mod_suexec Multiple Privilege Escalation Vulnerabilities Web Servers Medium 4
Description: The remote host appears to be running Apache and is potentially
affected by the following vulnerabilities:

- Multiple race conditions exist in suexec between the
  validation and usage of directories and files. Under
  certain conditions local users are able to escalate
  privileges and execute arbitrary code through the
  renaming of directories or symlink attacks.
  (CVE-2007-1741)

- Apache's suexec module only performs partial
  comparisons on paths, which could result in privilege
  escalation. (CVE-2007-1742)

- Apache's suexec module does not properly verify user
  and group IDs on the command line. When the '/proc'
  filesystem is mounted, a local user can utilize suexec
  to escalate privileges. (CVE-2007-1743)

Note that this plugin only checks for the presence of Apache, and does
not actually check the configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


17694 Apache on Windows mod_alias URL Validation Canonicalization CGI Source Information Disclosure CGI abuses Medium 4
Description: The version of Apache installed on the remote Windows host can be
tricked into disclosing the source of its CGI scripts because of a
configuration issue. Specifically, if the CGI directory is located
within the document root, then requests that alter the case of the
directory name will bypass the mod_cgi cgi-script handler and be
treated as requests for ordinary files.



Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


46803 PHP expose_php Information Disclosure Web Servers Medium 4
Description: The PHP install on the remote server is configured in a way that
allows disclosure of potentially sensitive information to an attacker
through a special URL. Such a URL triggers an Easter egg built into
PHP itself.

Other such Easter eggs likely exist, but Nessus has not checked for
them.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


58601 Microsoft ASP.NET ValidateRequest Filters Bypass Web Servers Medium 2
Description: According to the HTTP headers received from the remote host, the web
server is configured to use the ASP.NET framework.

This framework includes the ValidateRequest feature, which is used by
ASP.NET web applications to filter user input in an attempt to prevent
cross-site scripting attacks. However, this set of filters can be
bypassed if it is the sole mechanism used for protection by a web
application.

Since Nessus is unable to remotely gather enough information to
determine if the ValidateRequest feature is used in an unsafe manner,
this plugin will report all web servers using ASP.NET when the 'Report
Paranoia' configuration setting is set to 'Paranoid (more false
alarms)'. Determining if an actual security risk exists requires
manual verification.
Hosts in Repository 'net_10_31_113':

10.31.113.11 - MAC Address: 82:97:5f:32:26:04 DNS Name: exch1.acme.lab NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':

10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 DNS Name: exch2.corp.lab NetBIOS Name: CORP\EXCH2

Plugin Plugin Name Family Severity Total


6707 PHP 5.3.x < 5.3.22 Multiple Vulnerabilities Web Servers Medium 1
Description: PHP versions 5.3.x earlier than 5.3.22 are affected by the following vulnerabilities :



- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote
'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)

- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML
documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


8141 Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities Web Servers Medium 1
Description: Versions of Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:

- The version of Java used to build the application could generate Javadoc containing a frame injection error. (CVE-2013-1571)

- The fix for CVE-2005-2090 was not complete and the application does not reject requests with multiple Content-Length HTTP headers or with
Content-Length HTTP headers when using chunked encoding. (CVE-2013-4286)

- The fix for CVE-2012-3544 was not complete and limits are not properly applied to chunk extensions and whitespaces in certain trailing headers. This
error could allow denial of service attacks. (CVE-2013-4322)

- The application allows XML External Entity (XXE) processing that could disclose sensitive information. (CVE-2013-4590)

- An error exists related to the 'disableURLRewriting' configuration option and session IDs. (CVE-2014-0033)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


10678 Apache mod_info /server-info Information Disclosure Web Servers Medium 1
Description: It is possible to obtain an overview of the remote Apache web server's
configuration by requesting the URL '/server-info'. This overview
includes information such as installed modules, their configuration,
and assorted run-time settings.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11229 Web Server info.php / phpinfo.php Detection CGI abuses Medium 1
Description: Many PHP installation tutorials instruct the user to create a PHP file
that calls the PHP function 'phpinfo()' for debugging purposes.
Various PHP applications may also include such a file. By accessing
such a file, a remote attacker can discover a large amount of
information about the remote web server, including :

- The username of the user who installed PHP and if they
are a SUDO user.

- The IP address of the host.

- The version of the operating system.

- The web server version.

- The root directory of the web server.

- Configuration information about the remote PHP
installation.



Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


57640 Web Application Information Disclosure CGI abuses Medium 1
Description: At least one web application hosted on the remote web server
discloses the physical path to its directories when a malformed
request is sent to it.

Leaking this kind of information may help an attacker fine-tune
attacks against the application and its backend.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


64993 PHP 5.4.x < 5.4.12 Multiple Vulnerabilities CGI abuses Medium 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.12. It is, therefore, potentially affected
by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c'
related to the 'soap.wsdl_cache_dir' configuration
directive and writing cache files that could allow
remote 'wsdl' files to be written to arbitrary
locations. (CVE-2013-1635)

- An error exists in the file 'ext/soap/php_xml.c'
related to parsing SOAP 'wsdl' files and external
entities that could cause PHP to parse remote XML
documents defined by an attacker. This could allow
access to arbitrary files. (CVE-2013-1643)

Note that this plugin does not attempt to exploit the vulnerabilities
but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap



A6 – Sensitive Data Exposure
A6 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit
cards, tax IDs, and authentication credentials.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


6332 Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities Web Servers High 1
Description: Versions of Apache Tomcat 6.0.35 are potentially affected by multiple vulnerabilities :

- Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to
authentication bypass and disclosure of sensitive information. Note this vulnerability only occurs when the following are true (CVE-2011-3190):

  - the org.apache.jk.server.JkCoyoteHandler AJP connector is not used.
  - POST requests are accepted.

- Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


56818 CGI Generic Cross-Site Request Forgery Detection (potential) CGI abuses Medium 5
Description: The spider found HTML forms on the remote web server. Some CGI
scripts do not appear to be protected by random tokens, a common
anti-cross-site request forgery (CSRF) protection. The web
application might be vulnerable to CSRF attacks.

Note that :

- Nessus did not exploit the flaw,


- Nessus cannot identify sensitive actions -- for example, on an
online bank, consulting an account is less sensitive than
transferring money.

You will have to audit the source of the CGI scripts and check if they
are actually affected.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


46803 PHP expose_php Information Disclosure Web Servers Medium 4
Description: The PHP install on the remote server is configured in a way that
allows disclosure of potentially sensitive information to an attacker
through a special URL. Such a URL triggers an Easter egg built into
PHP itself.

Other such Easter eggs likely exist, but Nessus has not checked for
them.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab



10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


6018 Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities Web Servers Medium 1
Description: Versions of Tomcat 6.x earlier than 6.0.33 are potentially affected by multiple vulnerabilities :

- An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204)

- An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO
connectors are enabled. (CVE-2011-2526)

- A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to
sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when the following are true: jsvc is compiled
with libpcap and the '-user' parameter is used. (CVE-2011-2729)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


8141 Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities Web Servers Medium 1
Description: Versions of Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:

- The version of Java used to build the application could generate Javadoc containing a frame injection error. (CVE-2013-1571)

- The fix for CVE-2005-2090 was not complete and the application does not reject requests with multiple Content-Length HTTP headers or with
Content-Length HTTP headers when using chunked encoding. (CVE-2013-4286)

- The fix for CVE-2012-3544 was not complete and limits are not properly applied to chunk extensions and whitespaces in certain trailing headers. This
error could allow denial of service attacks. (CVE-2013-4322)

- The application allows XML External Entity (XXE) processing that could disclose sensitive information. (CVE-2013-4590)

- An error exists related to the 'disableURLRewriting' configuration option and session IDs. (CVE-2014-0033)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11411 Backup Files Disclosure CGI abuses Medium 1
Description: By appending various suffixes (e.g. .old, .bak, ~, etc.) to the names
of various files on the remote host, it seems possible to retrieve
their contents, which may result in disclosure of sensitive
information.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


17205 phpBB <= 2.0.11 Multiple Vulnerabilities CGI abuses Medium 1
Description: The remote host is running phpBB version 2.0.11 or older. Such
versions suffer from multiple vulnerabilities:

- full path display on critical messages.
- full path disclosure in username handling caused by a PHP 4.3.10 bug.
- arbitrary file disclosure vulnerability in avatar handling functions.
- arbitrary file unlink vulnerability in avatar handling functions.



- path disclosure bug in search.php caused by a PHP 4.3.10 bug.
- path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug.

The path disclosure vulnerabilities can be exploited by remote
attackers to reveal sensitive information about the installation that
can be used in further attacks against the target.

To exploit the avatar handling vulnerabilities, 'Enable gallery
avatars' must be enabled on the target (by default, it is disabled)
and an attacker must have a phpBB account on the target.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


55640 SQL Dump Files Disclosed via Web Server CGI abuses Medium 1
Description: The remote web server hosts publicly available files that contain SQL
instructions. These files are most likely database dumps and may
contain sensitive information.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


26194 Web Server Uses Plain Text Authentication Forms Web Servers Low 2
Description: The remote web server contains several HTML form fields containing
an input of type 'password' which transmit their information to
a remote web server in cleartext.

An attacker eavesdropping the traffic between web browser and
server may obtain logins and passwords of valid users.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab



A7 – Missing Function Level Access Control
A7 – Missing Function Level Access Control: Most web applications verify function level access rights before
making that functionality visible in the UI.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


17693 Apache mod_suexec Multiple Privilege Escalation Vulnerabilities Web Servers Medium 4
Description: The remote host appears to be running Apache and is potentially
affected by the following vulnerabilities:

- Multiple race conditions exist in suexec between the
validation and usage of directories and files. Under
certain conditions local users are able to escalate
privileges and execute arbitrary code through the
renaming of directories or symlink attacks.
(CVE-2007-1741)

- Apache's suexec module only performs partial
comparisons on paths, which could result in privilege
escalation. (CVE-2007-1742)

- Apache's suexec module does not properly verify user
and group IDs on the command line. When the '/proc'
filesystem is mounted, a local user can utilize suexec
to escalate privileges. (CVE-2007-1743)

Note that this plugin only checks for the presence of Apache, and does
not actually check the configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


17301 phpBB <= 2.0.13 Multiple Vulnerabilities CGI abuses Medium 1
Description: According to its banner, the remote host is running a version of phpBB
that suffers from multiple flaws:

- A Path Disclosure Vulnerability
A remote attacker can cause phpBB to reveal its installation
path via a direct request to the script 'db/oracle.php'.

- A Cross-Site Scripting Vulnerability
The application does not properly sanitize user input before
using it in 'privmsg.php' and 'viewtopic.php'.



- A Privilege Escalation Vulnerability
In 'session.php' phpBB resets the 'user_id' value when an
autologin fails; it does not, however, reset the 'user_level'
value, which remains as the account that failed the autologin.
Since the software uses the 'user_level' parameter in some
cases to control access to privileged functionality, this flaw
allows an attacker to view information, and possibly even
perform tasks, normally limited to administrators.

- SQL Injection Vulnerabilities
The DLMan Pro and LinksLinks Pro mods, if installed, reportedly
fail to properly sanitize user input to the 'file_id' parameter
of the 'dlman.php' script and the 'id' parameter of the
'links.php' script respectively before using it in a SQL
query. This may allow an attacker to pass malicious input
to database queries.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu



A8 – Cross-Site Request Forgery (CSRF)
A8 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged
HTTP request, including the victim’s session cookie and any other automatically included authentication
information, to a vulnerable web application.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Family Severity Total


Info
Description:
Hosts in Repository 'Individual Scan':



A9 – Using Known Vulnerable Components
A9 – Using Known Vulnerable Components: Components, such as libraries, frameworks, and other software
modules, almost always run with full privileges.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


3038 phpBB < 2.0.16 viewtopic.php Arbitrary Code Execution CGI High 1
Description: The remote host is running phpBB, a web-based forum application written in PHP. There is a flaw in this version of phpBB that will allow
remote attackers to inject arbitrary code into the 'viewtopic.php' script. An attacker exploiting this flaw would only need to be able to send an HTTP
request to the vulnerable script. Successful execution would result in the attacker executing code with the permissions of the webserver.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6495 PHP 5.4.x < 5.4.3 Multiple Vulnerabilities Web Servers High 1
Description: PHP versions earlier than 5.4.3 are affected by the following vulnerabilities.

- The fix for CVE-2012-1823 does not completely correct the CGI query parameter vulnerability. Disclosure of PHP source code and code execution via
query parameters are still possible. Note that this vulnerability is exploitable only when PHP is used by CGI-based configurations. Apache with 'mod-php'
is not an exploitable configuration. (CVE-2012-2311, CVE-2012-2335, CVE-2012-2336)

- An unspecified buffer overflow exists related to the function 'apache_request_headers'. (CVE-2012-2329)


Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6993 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution Web Servers High 1
Description: PHP versions earlier than 5.3.12 / 5.4.2 are affected by the following vulnerabilities.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary
code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


15780 phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses High 1
Description: The remote host is running phpBB.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands in the login form.

An attacker could exploit this flaw to bypass the authentication of the
remote host or execute arbitrary SQL statements against the remote
database.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


55976 Apache HTTP Server Byte Range DoS Web Servers High 1
Description: The version of Apache HTTP Server running on the remote host is
affected by a denial of service vulnerability. Making a series of
HTTP requests with overlapping ranges in the Range or Request-Range
request headers can result in memory and CPU exhaustion. A remote,
unauthenticated attacker could exploit this to make the system
unresponsive.

Exploit code is publicly available and attacks have reportedly been
observed in the wild.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


58601 Microsoft ASP.NET ValidateRequest Filters Bypass Web Servers Medium 2
Description: According to the HTTP headers received from the remote host, the web
server is configured to use the ASP.NET framework.

This framework includes the ValidateRequest feature, which is used by
ASP.NET web applications to filter user input in an attempt to prevent
cross-site scripting attacks. However, this set of filters can be
bypassed if it is the sole mechanism used for protection by a web
application.

Since Nessus is unable to remotely gather enough information to
determine if the ValidateRequest feature is used in an unsafe manner,
this plugin will report all web servers using ASP.NET when the 'Report
Paranoia' configuration setting is set to 'Paranoid (more false
alarms)'. Determining if an actual security risk exists requires
manual verification.
Hosts in Repository 'net_10_31_113':

10.31.113.11 - MAC Address: 82:97:5f:32:26:04 DNS Name: exch1.acme.lab NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':

10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 DNS Name: exch2.corp.lab NetBIOS Name: CORP\EXCH2

Plugin Plugin Name Family Severity Total


64589 Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check) Web Servers Medium 2
Description: The web server running on the remote host appears to be using Microsoft
ASP.NET, and may be affected by a denial of service vulnerability.
Requesting a URL containing an MS-DOS device name can cause the web
server to become temporarily unresponsive. An attacker could repeatedly
request these URLs, resulting in a denial of service.

Additionally, there is speculation that this vulnerability could result
in code execution if an attacker with physical access to the machine
connects to a serial port.

This plugin does not attempt to exploit the vulnerability and only runs
when 'Check for PCI-DSS compliance' is enabled in the scan policy. This
plugin reports all web servers using ASP.NET 1.1. If it cannot
determine the version, it will report all web servers using ASP.NET.
Manual verification is required to determine if a vulnerability is
present.
Hosts in Repository 'net_10_31_113':

10.31.113.11 - MAC Address: 82:97:5f:32:26:04 DNS Name: exch1.acme.lab NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':

10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 DNS Name: exch2.corp.lab NetBIOS Name: CORP\EXCH2



Plugin Plugin Name Family Severity Total
3223 Twiki rev Parameter Arbitrary Shell Command Execution CGI Medium 1
Description: The remote host is running Twiki, an open-source wiki software written in Perl. This version of Twiki is vulnerable to a command insertion
flaw. Specifically, an attacker sending a command (within backticks) to the 'rev' parameter would be able to execute arbitrary code on the web server.
Example:

GET /cgi-bin/TwikiUsers?rev=1%20%7ccat%20/etc/passwd
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


26057 lighttpd mod_fastcgi HTTP Request Header Remote Overflow Web Servers Medium 1
Description: The remote web server appears to be lighttpd running with the FastCGI
module (mod_fastcgi).

The version of that module on the remote host appears to be
affected by a buffer overflow vulnerability. By sending a specially
crafted request with a long header, a remote attacker may be able to
exploit this issue to add or replace headers passed to PHP, such as
SCRIPT_FILENAME, which in turn could result in arbitrary code
execution.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap



A10 – Unvalidated Redirects and Forwards
A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other
pages and websites, and use untrusted data to determine the destination pages.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


23968 phpBB < 2.0.22 Multiple Vulnerabilities CGI abuses Critical 1
Description: The version of phpBB installed on the remote host fails to properly
block 'bad' redirection targets. In addition, it reportedly contains
a non-persistent cross-site scripting flaw involving its private
messaging functionality and several other issues. At a minimum, a
remote attacker can leverage these flaws to launch cross-site
scripting attacks against the affected application.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


47831 CGI Generic Cross-Site Scripting (comprehensive test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site. These XSS are likely to be 'non-persistent' or
'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


57640 Web Application Information Disclosure CGI abuses Medium 1
Description: At least one web application hosted on the remote web server
discloses the physical path to its directories when a malformed
request is sent to it.

Leaking this kind of information may help an attacker fine-tune
attacks against the application and its backend.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu



PCI DSS Requirement 6.5 Common Coding Flaws
PCI DSS 6.5.1 Injection Flaws
PCI 6.5.1 Injection Flaws: Injection flaws, particularly SQL injection. Also consider OS Command Injection,
LDAP and XPath injection flaws as well as other injection flaws.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary



Vulnerability Summary

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11767 phpBB viewtopic.php topic_id Parameter SQL Injection CGI abuses High 1
Description: There is a flaw in the version of phpBB hosted on the remote web server
that may allow anyone to inject arbitrary SQL commands, which could in
turn be used to gain administrative access on the remote host or to
obtain the MD5 hash of the password of any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11938 phpBB < 2.0.7 Multiple Script SQL Injection CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.7.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands, which may in turn be used to gain administrative
access on the remote host or to obtain the MD5 hash of the password of
any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


15780 phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses High 1
Description: The remote host is running phpBB.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands in the login form.

An attacker could exploit this flaw to bypass the authentication of the
remote host or execute arbitrary SQL statements against the remote
database.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


49067 CGI Generic HTML Injections (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed in a
user's browser within the security context of the affected site.

The remote web server may be vulnerable to IFRAME injections or
cross-site scripting attacks :

- IFRAME injections allow 'virtual defacement' that
  might scare or anger gullible users. Such injections
  are sometimes implemented for 'phishing' attacks.

- XSS are extensively tested by four other scripts.

- Some applications (e.g. web forums) authorize a subset
  of HTML without any ill effect. In this case, ignore
  this warning.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


44135 Web Server Generic Cookie Injection CGI abuses Medium 1
Description: The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to inject arbitrary cookies. Depending
on the structure of the web application, it may be possible to launch
a 'session fixation' attack using this mechanism.

Please note that :

- Nessus did not check if the session fixation attack is
  feasible.

- This is not the only vector of session fixation.

Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


PCI DSS 6.5.2 Buffer Overflow
PCI 6.5.2 Buffer Overflows: Buffer overflows occur when an application does not have appropriate bounds
checking on its buffer space.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary


Vulnerability Summary

Plugin Plugin Name Family Severity Total


60086 PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow CGI abuses Critical 1
Description: According to its banner, the version of PHP installed on the remote
host is 5.4.x earlier than 5.4.5, and is, therefore, potentially
affected by an unspecified overflow vulnerability in the function
'_php_stream_scandir' in the file 'main/streams/streams.c'.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


6530 PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow Web Servers High 1
Description: PHP versions earlier than 5.4.5 are affected by the following vulnerabilities.

- An unspecified overflow vulnerability in the function '_php_stream_scandir' in the file 'main/streams/streams.c'


Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


67260 PHP 5.4.x < 5.4.17 Buffer Overflow CGI abuses High 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is a version prior to 5.4.17. It is, therefore, potentially
affected by a buffer overflow error that exists in the function
'_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'.

Note that this plugin does not attempt to exploit this vulnerability,
but instead, relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


6866 PHP < 5.4.16 / 5.3.26 Heap Based Buffer Overflow Vulnerability Web Servers Medium 1
Description: PHP versions earlier than 5.4.16 and 5.3.26 are affected by a heap based buffer overflow vulnerability due to lack of user input sanitation
when parsing strings. (An additional security vulnerability exists while parsing 'mimetype' for MP3 files, which can be exploited to cause a crash in version
5.4.15.)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


26057 lighttpd mod_fastcgi HTTP Request Header Remote Overflow Web Servers Medium 1
Description: The remote web server appears to be lighttpd running with the FastCGI
module (mod_fastcgi).

The version of that module on the remote host appears to be
affected by a buffer overflow vulnerability. By sending a specially
crafted request with a long header, a remote attacker may be able to
exploit this issue to add or replace headers passed to PHP, such as
SCRIPT_FILENAME, which in turn could result in arbitrary code
execution.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap


PCI DSS 6.5.4 Insecure Communications
6.5.4 Insecure Communications: applications that fail to adequately encrypt network traffic using strong
cryptography are at increased risk of being compromised and exposing cardholder data.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Severity Total


6129 OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple Vulnerabilities High 2
5720 OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities Medium 2
5782 OpenSSL < 0.9.8r / 1.0.0d OCSP Stapling Denial of Service Medium 2
6400 OpenSSL 0.9.8 < 0.9.8u / 1.0.0 < 1.0.0h Multiple Vulnerabilities Medium 2
6868 OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities Medium 2
8064 OpenSSL < 0.9.8x / < 1.0.0j / < 1.0.1c Remote Denial of Service Vulnerability Medium 2
71427 PHP 5.4.x < 5.4.23 OpenSSL openssl_x509_parse() Memory Corruption Medium 1


PCI DSS 6.5.5 Improper Error Handling
PCI 6.5.5 Improper Error Handling: Applications can unintentionally leak information about their configuration
or internal workings, or expose privileged information through improper error handling methods.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Family Severity Total


Info
Description:
Hosts in Repository 'Individual Scan':


PCI DSS 6.5.6 All High Risk Vulnerabilities
PCI 6.5.6 All High Risk Vulnerabilities: All vulnerabilities identified by an organization’s vulnerability risk-ranking
process (defined in Requirement 6.1) to be “high risk” and that could affect the application should be
identified and addressed during application development.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary


Vulnerability Summary

Plugin Plugin Name Family Severity Total


23968 phpBB < 2.0.22 Multiple Vulnerabilities CGI abuses Critical 1
Description: The version of phpBB installed on the remote host fails to properly
block 'bad' redirection targets. In addition, it reportedly contains
a non-persistent cross-site scripting flaw involving its private
messaging functionality and several other issues. At a minimum, a
remote attacker can leverage these flaws to launch cross-site
scripting attacks against the affected application.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


60086 PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow CGI abuses Critical 1
Description: According to its banner, the version of PHP installed on the remote
host is 5.4.x earlier than 5.4.5, and is, therefore, potentially
affected by an unspecified overflow vulnerability in the function
'_php_stream_scandir' in the file 'main/streams/streams.c'.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


3038 phpBB < 2.0.16 viewtopic.php Arbitrary Code Execution CGI High 1
Description: The remote host is running phpBB, a web-based forum application written in PHP. There is a flaw in this version of phpBB that will allow
remote attackers to inject arbitrary code into the 'viewtopic.php' script. An attacker exploiting this flaw would only need to be able to send an HTTP
request to the vulnerable script. Successful execution would result in the attacker executing code with the permissions of the webserver.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


5824 PHP 5.3 < 5.3.6 String To Double Conversion DoS Web Servers High 1
Description: Versions of PHP 5.3 earlier than 5.3.6 are potentially affected by multiple vulnerabilities :

- An error exists in the function '_zip_name_locate()' in the file 'ext/zip/lib/zip_name_locate.c' which allows a NULL pointer to be dereferenced when
processing an empty archive. (CVE-2011-0421)

- A variable casting error exists in the Exif extension's C function 'exif_process_IFD_TAG()' in the file 'ext/exif/exif.c' that could allow arbitrary code execution.
(CVE-2011-0708)

- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read' in the file 'ext/shmop/shmop.c'. (CVE-2011-1092)

- An error exists in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter which could lead to
information disclosure or memory corruption when handling PHP archives. (CVE-2011-1153)

- A buffer overflow error exists in the C function 'xbuf_format_converter' in the file 'main/snprintf.c' when the PHP configuration setting for 'precision' is
set to a large value. (Bug 54055)

- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Plugin Plugin Name Family Severity Total
6015 PHP 5.3 < 5.3.7 Multiple Vulnerabilities Web Servers High 1
Description: Versions of PHP 5.3 earlier than 5.3.7 are potentially affected by multiple vulnerabilities :

- A stack buffer overflow exists in socket_connect(). (CVE-2011-1938)

- A use-after-free vulnerability exists in substr_replace(). (CVE-2011-1148)

- A code execution vulnerability exists in ZipArchive::addGlob(). (CVE-2011-1657)

- crypt_blowfish was updated to 1.2. (CVE-2011-2483)

- Multiple null pointer dereferences exist.

- An unspecified crash exists in error_log().

- A buffer overflow vulnerability exists in crypt().


Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6017 PHP 5.3.7 crypt() MD5 Incorrect Return Value Web Servers High 1
Description: PHP version 5.3.7 contains a bug in the crypt() function when generating salted MD5 hashes. The function only returns the salt rather than
the salt and hash. Any authentication mechanism that uses crypt() could authorize all authentication attempts due to this bug.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6021 Apache 2.2 < 2.2.20 Multiple Vulnerabilities Web Servers High 1
Description: Versions of Apache 2.2 earlier than 2.2.20 are potentially affected by a denial of service vulnerability. Making a series of HTTP requests
with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker
could exploit this flaw to make the system unresponsive.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6062 Apache 2.2 < 2.2.21 mod_proxy_ajp DoS Web Servers High 1
Description: Versions of Apache 2.2 earlier than 2.2.21 are potentially affected by a denial of service vulnerability. An error exists in the mod_proxy_ajp
module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when
mod_proxy_ajp is used along with mod_proxy_balancer.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6129 OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple Vulnerabilities Web Servers High 1
Description: Versions of OpenSSL 0.9.8 earlier than 0.9.8s, and 1.0.0 earlier than 1.0.0f are potentially affected by the following vulnerabilities :

- An extension of the Vaudenay padding oracle attack exists against CBC mode encryption which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. (CVE-2011-4108)

- If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. (CVE-2011-4109)


- OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records. As a result, in each record, up to 15 bytes of uninitialized memory may
be sent, encrypted, to the SSL peer. (CVE-2011-4576)

- RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack.
(CVE-2011-4577)

- Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. (CVE-2011-4619)

- A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to a lack of error checking.
(CVE-2012-0027)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6263 PHP < 5.3.9 Multiple Vulnerabilities Web Servers High 1
Description: Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities :

- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash
collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)

- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a
denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution.
(CVE-2012-0057)

- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the
application to crash. (CVE-2012-0781)

- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)

- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption.
(CVE-2012-0789)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6302 Apache 2.2 < 2.2.22 Multiple Vulnerabilities Web Servers High 1
Description: Versions of Apache 2.2 earlier than 2.2.22 are potentially affected by the following vulnerabilities :

- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to
arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)

- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted
HTTP request header are used. (CVE-2011-3607)

- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)

- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)

- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP
headers. (CVE-2012-0053)

- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary
denial of service. (CVE-2012-4557)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Plugin Plugin Name Family Severity Total
6304 PHP 5.3.9 php_register_variable_ex() Code Execution Web Servers High 1
Description: PHP version 5.3.9 is reportedly affected by a code execution vulnerability. Specifically, the fix for the hash collision denial of service
vulnerability (CVE-2011-4885) itself has introduced a remote code execution vulnerability in the php_register_variable_ex() in the file php_variables.c.
A new configuration variable, max_input_vars, was added as part of the fix. If the number of input variables exceeds this value and the variable being
processed is an array, code execution can occur.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6332 Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities Web Servers High 1
Description: Versions of Apache Tomcat 6.0.x earlier than 6.0.35 are potentially affected by multiple vulnerabilities :

- Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to
authentication bypass and disclosure of sensitive information. Note this vulnerability only occurs when the following are true (CVE-2011-3190):

  - the org.apache.jk.server.JkCoyoteHandler AJP connector is not used.
  - POST requests are accepted.

- Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6494 PHP 5.3.x < 5.3.13 CGI Query String Code Execution Web Servers High 1
Description: PHP versions earlier than 5.3.13 are affected by a code execution vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query
parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used by CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6495 PHP 5.4.x < 5.4.3 Multiple Vulnerabilities Web Servers High 1
Description: PHP versions earlier than 5.4.3 are affected by the following vulnerabilities.

- The fix for CVE-2012-1823 does not completely correct the CGI query parameter vulnerability. Disclosure of PHP source code and code execution via
query parameters are still possible. Note that this vulnerability is exploitable only when PHP is used by CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration. (CVE-2012-2311, CVE-2012-2335, CVE-2012-2336)

- An unspecified buffer overflow exists related to the function 'apache_request_headers'. (CVE-2012-2329)


Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6530 PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow Web Servers High 1
Description: PHP versions earlier than 5.4.5 are affected by the following vulnerabilities.

- An unspecified overflow vulnerability in the function '_php_stream_scandir' in the file 'main/streams/streams.c'


Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6556 PHP 5.3.x < 5.3.15 Multiple Vulnerabilities Web Servers High 1
Description: PHP versions 5.3.x earlier than 5.3.15 are affected by the following vulnerabilities.

- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)

- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


6993 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution Web Servers High 1
Description: PHP versions earlier than 5.3.12 / 5.4.2 are affected by the following vulnerabilities.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary
code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11767 phpBB viewtopic.php topic_id Parameter SQL Injection CGI abuses High 1
Description: There is a flaw in the version of phpBB hosted on the remote web server
that may allow anyone to inject arbitrary SQL commands, which could in
turn be used to gain administrative access on the remote host or to
obtain the MD5 hash of the password of any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


11938 phpBB < 2.0.7 Multiple Script SQL Injection CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.7.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands, which may in turn be used to gain administrative
access on the remote host or to obtain the MD5 hash of the password of
any user.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


13655 phpBB < 2.0.9 Multiple Vulnerabilities CGI abuses High 1
Description: The remote host is running a version of phpBB older than 2.0.9.

There is a flaw in the remote software that may allow anyone
to inject arbitrary SQL commands, which may in turn be used to
gain administrative access on the remote host or to obtain
the MD5 hash of the password of any user.

One vulnerability is reported to exist in 'admin_board.php'.
The other pertains to improper characters in the session id variable.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


15780 phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses High 1
Description: The remote host is running phpBB.

There is a flaw in the remote software that could allow anyone to inject
arbitrary SQL commands in the login form.

An attacker could exploit this flaw to bypass the authentication of the
remote host or execute arbitrary SQL statements against the remote
database.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


55976 Apache HTTP Server Byte Range DoS Web Servers High 1
Description: The version of Apache HTTP Server running on the remote host is
affected by a denial of service vulnerability. Making a series of
HTTP requests with overlapping ranges in the Range or Request-Range
request headers can result in memory and CPU exhaustion. A remote,
unauthenticated attacker could exploit this to make the system
unresponsive.

Exploit code is publicly available and attacks have reportedly been
observed in the wild.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


66843 PHP 5.4.x < 5.4.16 Multiple Vulnerabilities CGI abuses High 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.16. It is, therefore, potentially
affected by the following vulnerabilities:

- An error exists in the mimetype detection of 'mp3' files
  that could lead to a denial of service. (Bug #64830)

- An error exists in the function 'php_quot_print_encode'
  in the file 'ext/standard/quot_print.c' that could allow
  a heap-based buffer overflow when attempting to parse
  certain strings. (Bug #64879)

- An integer overflow error exists related to the value
  of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c'
  that could allow denial of service attacks. (Bug #64895)

Note that this plugin does not attempt to exploit these
vulnerabilities, but instead relies only on PHP's self-reported
version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


67260 PHP 5.4.x < 5.4.17 Buffer Overflow CGI abuses High 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is a version prior to 5.4.17. It is, therefore, potentially
affected by a buffer overflow error that exists in the function
'_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'.

Note that this plugin does not attempt to exploit this vulnerability,
but instead, relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


69401 PHP 5.4.x < 5.4.18 Multiple Vulnerabilities CGI abuses High 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is a version prior to 5.4.18. It is, therefore,
potentially affected by the following vulnerabilities :

- A heap corruption error exists in numerous functions
  in the file 'ext/xml/xml.c'. (CVE-2013-4113 /
  Bug #65236)

- An error exists related to certificate validation, the
  'subjectAltName' field and certificates containing NULL
  bytes. This error can allow spoofing attacks.
  (CVE-2013-4248)

Note that this plugin does not attempt to exploit these
vulnerabilities, but instead relies only on PHP's self-reported
version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin Plugin Name Family Severity Total


72881 PHP 5.4.x < 5.4.26 Multiple Vulnerabilities CGI abuses High 1
Description: According to its banner, the version of PHP 5.4.x installed on the
remote host is a version prior to 5.4.26. It is, therefore, potentially
affected by the following vulnerabilities :

- An error exists related to the Fileinfo extension and
the bundled libmagic library that could allow denial of
service attacks. (CVE-2014-1943)

- An error exists related to the Fileinfo extension and
the process of analyzing Portable Executable (PE)
format files that could allow denial of service attacks
or possibly arbitrary code execution. (CVE-2014-2270)

Note that this plugin does not attempt to exploit the vulnerabilities,
but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

PCI DSS 6.5.7 Cross-Site Scripting (XSS)
PCI 6.5.7 Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and
sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute
script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Family Severity Total


56818 CGI Generic Cross-Site Request Forgery Detection (potential) CGI abuses Medium 5
Description: The spider found HTML forms on the remote web server. Some CGI
scripts do not appear to be protected by random tokens, a common
anti-cross-site request forgery (CSRF) protection. The web
application might be vulnerable to CSRF attacks.

Note that :

- Nessus did not exploit the flaw,


- Nessus cannot identify sensitive actions -- for example, on an
online bank, consulting an account is less sensitive than
transferring money.

You will have to audit the source of the CGI scripts and check if they
are actually affected.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


47831 CGI Generic Cross-Site Scripting (comprehensive test) CGI abuses : XSS Medium 3
Description: The remote web server hosts CGI scripts that fail to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site. These XSS are likely to be 'non-persistent' or
'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap


Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


6701 Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities Web Servers Medium 1
Description: The remote host is running an Apache HTTP server.

Versions earlier than 2.4.4 are vulnerable to the following vulnerabilities :

- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that
could allow cross-site scripting attacks. (CVE-2012-3499)

- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


39466 CGI Generic Cross-Site Scripting (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS are likely to be 'non persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


55903 CGI Generic Cross-Site Scripting (extended patterns) CGI abuses : XSS Medium 1
Description: The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings with malicious JavaScript. By
leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security
context of the affected site. These XSS vulnerabilities are likely to
be 'non-persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

PCI DSS 6.5.8 Improper Access Control
PCI 6.5.8 Improper Access Control: Such as insecure direct object references, failure to restrict URL access,
directory traversal, and failure to restrict user access to functions.
These flaws are often listed as CGI Generic vulnerabilities. This section contains two components: a Plugin
Family Summary pie chart and Vulnerability Summary table. The pie chart provides a summary view of
the plugin families used to identify web application security flaws. The pie chart is sorted based on the
vulnerability weight scores. The plugin family with highest weight poses the most risk. The vulnerability
summary table includes the vulnerability details and a list of hosts to which the vulnerability applies. The
list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The table is sorted by the
vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Family Severity Total


11139 CGI Generic SQL Injection CGI abuses High 1
Description: By providing specially crafted parameters to CGIs, Nessus was able to
get an error from the underlying database. This error suggests that
the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read
confidential data, modify the remote database, or even take control of
the remote operating system.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


56818 CGI Generic Cross-Site Request Forgery Detection (potential) CGI abuses Medium 5
Description: The spider found HTML forms on the remote web server. Some CGI
scripts do not appear to be protected by random tokens, a common
anti-cross-site request forgery (CSRF) protection. The web
application might be vulnerable to CSRF attacks.

Note that :

- Nessus did not exploit the flaw,


- Nessus cannot identify sensitive actions -- for example, on an
online bank, consulting an account is less sensitive than
transferring money.

You will have to audit the source of the CGI scripts and check if they
are actually affected.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


47831 CGI Generic Cross-Site Scripting (comprehensive test) CGI abuses : XSS Medium 3
Description: The remote web server hosts CGI scripts that fail to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site. These XSS are likely to be 'non-persistent' or
'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap


Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


39466 CGI Generic Cross-Site Scripting (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS are likely to be 'non persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


42056 CGI Generic Local File Inclusion CGI abuses Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings. By leveraging this issue, an attacker may be able
to include a local file and disclose its content.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


49067 CGI Generic HTML Injections (quick test) CGI abuses : XSS Medium 1
Description: The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed in a
user's browser within the security context of the affected site.

The remote web server may be vulnerable to IFRAME injections or
cross-site scripting attacks :

- IFRAME injections allow 'virtual defacement' that
might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks.

- XSS are extensively tested by four other scripts.

- Some applications (e.g. web forums) authorize a subset
of HTML without any ill effect. In this case, ignore
this warning.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total


55903 CGI Generic Cross-Site Scripting (extended patterns) CGI abuses : XSS Medium 1
Description: The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings with malicious JavaScript. By
leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security
context of the affected site. These XSS vulnerabilities are likely to
be 'non-persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin Plugin Name Family Severity Total
33817 CGI Generic Tests Load Estimation (all tests) CGI abuses Info 5
Description: This script computes the maximum number of requests that would be done
by the generic web tests, depending on miscellaneous options.
It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or
the complexity of additional manual tests.

Note that the script does not try to compute this duration based
on external factors such as the network and web servers loads.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


39470 CGI Generic Tests Timeout CGI abuses Info 5
Description: Some generic CGI tests ran out of time during the scan.
The results may be incomplete.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache


10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


47830 CGI Generic Injectable Parameter CGI abuses Info 5
Description: Nessus was able to inject innocuous strings into CGI parameters
and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests
like cross-site scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed
up other scripts. The results may be useful for a human pen-tester.
Hosts in Repository 'net_10_31_112':

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu


Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap
Hosts in Repository 'net_10_31_114':

10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc DNS Name: asp-net-apache

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

Plugin Plugin Name Family Severity Total


40406 CGI Generic Tests HTTP Errors CGI abuses Info 2
Description: Nessus ran into trouble while running its generic CGI tests against
the remote web server (for example, connection refused, timeout, etc).
When this happens, Nessus aborts the current test and switches to the
next CGI script on the same port or to another web server. Thus, test
results may be incomplete.
Hosts in Repository 'net_10_31_113':

10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 DNS Name: turnkey-worpress.acme.lab


Hosts in Repository 'net_10_31_114':

10.31.114.32 - MAC Address: da:80:69:ea:1f:80 DNS Name: drupal7

PCI DSS 6.5.9 Cross-site Request Forgery (CSRF)
6.5.9 Cross-site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-
authenticated request to a vulnerable web application, which then enables the attacker to perform any state-
changing operations the victim is authorized to perform.
This section contains two components: a Plugin Family Summary pie chart and Vulnerability Summary table.
The pie chart provides a summary view of the plugin families used to identify web application security flaws.
The pie chart is sorted based on the vulnerability weight scores. The plugin family with highest weight poses
the most risk. The vulnerability summary table includes the vulnerability details and a list of hosts to which the
vulnerability applies. The list of hosts includes the IP address, MAC address, FQDN, and NetBIOS name. The
table is sorted by the vulnerability severity.

Plugin Family Summary

Vulnerability Summary

Plugin Plugin Name Family Severity Total


Info
Description:
Hosts in Repository 'Individual Scan':

OWASP Web Events
Web Intrusion
The Web Intrusion section includes normalized intrusion events with the keyword "Web" in the name. These are
intrusion events related to web servers or web attacks. The intrusion event type denotes logs from network
IDS, firewalls, applications and operating systems that indicate some sort of network attack. Port scans, denial
of service and logs that indicate virus probes are normalized to their own LCE event types.
The Subnet Summary pie chart provides a summary view of the subnets where the Web Intrusion is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Web Intrusion query is represented with its normalized event name and a trend
graph depicting the number of events over the past 7 days. The order of the events is based on the total
count of events.

Normalized Event Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Web Intrusion query is represented with its normalized event name and a trend
graph depicting the number of events over the past 7 days. The order of the events is based on the total
count of events.

IP Summary

Web Threatlist
The Web Threatlist section includes normalized threatlist events with the keyword "Web" in the name. Threatlist
events are defined by a list of hostile IPv4 addresses, maintained by LCE, that are known to be participating
in botnets. The LCE considers connections and network events to detect when a hostile IP address connects
inbound to your network, as well as when a host on your network connects outbound. These events are
normalized to the threatlist event type.
The Subnet Summary pie chart provides a summary view of the subnets where the Web Threatlist is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Web Threatlist query is represented with its normalized event name and a trend
graph depicting the number of events over the past 7 days. The order of the events is based on the total
count of events.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where the Web Threatlist has been
observed over the past 7 days.

IP Summary

Web Stats
The Web Stats section includes normalized stats events with the keyword "Web" in the name. For every unique
type of event, the LCE will profile the frequency of events and alert when there is a statistical deviation for
any event. These events are normalized to the stats LCE event type. For example, for a given host, if the LCE
detected a sudden increase in the frequency of web-access events over the past hour compared to the same
window in previous days, LCE would issue a Statistics-Web_Access_Minor_Anomaly.
The Subnet Summary pie chart provides a summary view of the subnets where the Web Stats is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Web Stats query is represented with its normalized event name and a trend graph
depicting the number of events over the past 7 days. The order of the events is based on the total count of
events.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where the Web Stats has been observed
over the past 7 days.

IP Summary

Long Term Web Error Activity
The Long Term Web Error Activity section focuses specifically on the Long_Term_Web_Error_Activity
normalized event. The Long_Term_Web_Error_Activity normalized event occurs when the LCE has detected
multiple web logs which referred to 40x or 50x web server errors over a long period of time. This could
indicate a problem with your web server or perhaps a concerted attack against a web application.
The Subnet Summary pie chart provides a summary view of the subnets where the Long Term Web Error
Activity is most commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on
the 24-bit CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are
displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Long Term Web Error Activity query is represented with its normalized event
name and a trend graph depicting the number of events over the past 7 days. The order of the events is based
on the total count of events.

Normalized Event Summary

Event Count May 29, 2014 12:52:38 to Jun 5, 2014 12:52:38

Long_Term_Web_Error_Activity 16

The IP Summary table provides a summary of the top 100 systems where the Long Term Web Error Activity
has been observed over the past 7 days.

IP Summary

IP Address LCE Count


10.31.100.74 lce01.melcara.int 16
10.31.112.10 lce01.melcara.int 16

PVS Detected Web Error
The PVS Detected Web Error section includes web-error events with the prefix "PVS" in the name. The
web-error events denote any type of web access event that is denied because the file does not exist, the
server responded with an error, or a firewall or web application firewall blocked the access. These logs are
generated every day by users who reference incorrect URLs, but are also generated during web application
probes. These events specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the PVS Detected Web Error
is most commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit
CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed
based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the PVS Detected Web Error query is represented with its normalized event name
and a trend graph depicting the number of events over the past 7 days. The order of the events is based on the
total count of events.

Normalized Event Summary

Event Count May 29, 2014 12:52:38 to Jun 5, 2014 12:52:38

PVS-Web_4xx_Error 6776

PVS-Web_4xx 1606

PVS-Web_5xx_Error 109

PVS-Web_5xx 2

The IP Summary table provides a summary of the top 100 systems where the PVS Detected Web Error has
been observed over the past 7 days.

IP Summary

IP Address LCE Count


10.31.100.74 lce01.melcara.int 8493
10.31.112.10 lce01.melcara.int 8493

PVS Detected Web Access
The PVS Detected Web Access section includes web-access events with the prefix "PVS" in the name. Any
type of log that indicates a successful connection to a web resource is normalized as
a web-access LCE event type. Logs gathered by web servers, web proxies, firewalls and load balancers that
indicate connections to web services are logged here. Note that web-access events can refer to a host on
the Internet connecting to a public web server, or internal users accessing the Internet through a web proxy.
These events specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the PVS Detected Web
Access is most commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on
the 24-bit CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are
displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the PVS Detected Web Access query is represented with its normalized event name
and a trend graph depicting the number of events over the past 7 days. The order of the events is based on the
total count of events.

Normalized Event Summary

Event Count May 29, 2014 12:52:38 to Jun 5, 2014 12:52:38

PVS-Web_Query_Request 14048

PVS-Web_Request 8086

PVS-Web_Content_PHP_Request 7875

PVS-Web_Content_HTML_Request 1755

PVS-Web_Content_CGI_Request 318

PVS-Web_Content_HTM_Request 94

PVS-Web_Office_TXT_Request 72

PVS-Web_Executable_EXE_Request 48

PVS-Web_File_GZ_Request 46

PVS-Web_File_XML_Request 38

PVS-DLL_File_Downloaded 26

PVS-HTTP_Plaintext_Authentication 23

PVS-Web_Content_ASP_Request 20

PVS-Web_Executable_JS_Request 19

PVS-Web_File_RAR_Request 13

PVS-Web_Office_PDF_Request 13

PVS-Web_File_ZIP_Request 9

PVS-Web_Disk_ISO_Request 6

PVS-Web_Image_GIF_Request 4

The IP Summary table provides a summary of the top 100 systems where the PVS Detected Web Access has
been observed over the past 7 days.

IP Summary

IP Address LCE Count


10.31.100.74 lce01.melcara.int 32513
10.31.112.10 lce01.melcara.int 32513

Apache Web Error
The Apache Web Error section includes web-error events with the keyword "Apache" in the name. The
web-error events denote any type of web access event that is denied because the file does not exist, the
server responded with an error, or a firewall or web application firewall blocked the access. These logs are
generated every day by users who reference incorrect URLs, but are also generated during web application
probes. These events specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the Apache Web Error is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Apache Web Error query is represented with its normalized event name and a
trend graph depicting the number of events over the past 7 days. The order of the events is based on the
total count of events.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where the Apache Web Error has been
observed over the past 7 days.

IP Summary

Apache Web Access
The Apache Web Access section includes web-access events with the keyword "Apache" in the name. Any
type of log that indicates a successful connection to a web resource is normalized as
a web-access LCE event type. Logs gathered by web servers, web proxies, firewalls and load balancers that
indicate connections to web services are logged here. Note that web-access events can refer to a host on
the Internet connecting to a public web server, or internal users accessing the Internet through a web proxy.
These events specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the Apache Web Access is
most commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit
CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed
based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the Apache Web Access query is represented with its normalized event name and a
trend graph depicting the number of events over the past 7 days. The order of the events is based on the
total count of events.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where the Apache Web Access has been
observed over the past 7 days.

IP Summary

IIS Web Error
The IIS Web Error section includes web-error events with the keyword "IIS" in the name. The web-error events
denote any type of web access event that is denied because the file does not exist, the server responded
with an error, or a firewall or web application firewall blocked the access. These logs are generated every day
by users who reference incorrect URLs, but are also generated during web application probes. These events
specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the IIS Web Error is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event with the IIS Web Error query is represented with its normalized event name and a trend
graph depicting the number of events over the past 7 days. The order of the events is based on the total
count of events.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where the IIS Web Error has been
observed over the past 7 days.

IP Summary

IIS Web Access
The IIS Web Access section includes web-access events with the keyword "IIS" in the name. Any type of
log that indicates a successful connection to a web resource is normalized as a
web-access LCE event type. Logs gathered by web servers, web proxies, firewalls and load balancers that indicate
connections to web services are logged here. Note that web-access events can refer to a host on the Internet
connecting to a public web server, or internal users accessing the Internet through a web proxy. These events
specify all web access events collected by PVS and sent to LCE.
The Subnet Summary pie chart provides a summary view of the subnets where the IIS Web Access is most
commonly seen. The chart uses the Class C Summary tool to provide a list of subnets on the 24-bit CIDR
boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed based
on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the IIS Web Access query is represented by its normalized event name and a
trend graph depicting the number of events over the past 7 days. The events are ordered by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where IIS Web Access events have been
observed over the past 7 days.

IP Summary


OWASP SQL Events
Suspicious SQL User Database Dump
The Suspicious SQL User Database Dump section focuses specifically on the
Suspicious_SQL-User_Database_Dump normalized event. This event is triggered when a suspicious SQL query
that attempted to dump a list of system users is detected.
The Subnet Summary pie chart provides a summary view of the subnets where Suspicious SQL User Database
Dump events are most commonly seen. The chart uses the Class C Summary tool to list subnets on the 24-bit
CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are displayed
based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the Suspicious SQL User Database Dump query is represented by its
normalized event name and a trend graph depicting the number of events over the past 7 days. The events
are ordered by total event count.

Normalized Event Summary


The IP Summary table provides a summary of the top 100 systems where Suspicious SQL User Database Dump
events have been observed over the past 7 days.

IP Summary


Suspicious SQL Command Execution
The Suspicious SQL Command Execution section focuses specifically on the
Suspicious_SQL-Command_Execution normalized event. This event is triggered when a suspicious SQL query
with a potential SQL injection event is detected.
The Subnet Summary pie chart provides a summary view of the subnets where Suspicious SQL Command
Execution events are most commonly seen. The chart uses the Class C Summary tool to list subnets on the
24-bit CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are
displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the Suspicious SQL Command Execution query is represented by its
normalized event name and a trend graph depicting the number of events over the past 7 days. The events
are ordered by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where Suspicious SQL Command Execution
events have been observed over the past 7 days.

IP Summary


Suspicious SQL Injection Attack Detected
The Suspicious SQL Injection Attack Detected section focuses specifically on the Suspicious_SQL-
Injection_Attack_Detected normalized event. The Suspicious_SQL-Injection_Attack_Detected normalized
event is triggered when LCE has detected a SQL query containing patterns commonly found with large-scale
automated SQL injection attacks. These queries commonly contain long strings of characters, repetitive string
concatenation, and other uncommon SQL usage. Examining the query in question, especially against other
queries commonly executed against the same database, should show that it stands out and requires review to
see if any malicious commands have been executed.
The Subnet Summary pie chart provides a summary view of the subnets where Suspicious SQL Injection
Attack Detected events are most commonly seen. The chart uses the Class C Summary tool to list subnets
on the 24-bit CIDR boundary. The event counts are calculated over the past 7 days, and the top 10
subnets are displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7
days. Each normalized event matching the Suspicious SQL Injection Attack Detected query is represented
by its normalized event name and a trend graph depicting the number of events over the past 7 days. The
events are ordered by total event count.

Normalized Event Summary


The IP Summary table provides a summary of the top 100 systems where Suspicious SQL Injection Attack
Detected events have been observed over the past 7 days.

IP Summary


Suspicious SQL Query Detected
The Suspicious SQL Query Detected section focuses specifically on the Suspicious_SQL_Query_Detected
normalized event. This event is triggered when LCE has detected a suspicious SQL query.
The Subnet Summary pie chart provides a summary view of the subnets where Suspicious SQL Query
Detected events are most commonly seen. The chart uses the Class C Summary tool to list subnets on the
24-bit CIDR boundary. The event counts are calculated over the past 7 days, and the top 10 subnets are
displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the Suspicious SQL Query Detected query is represented by its normalized
event name and a trend graph depicting the number of events over the past 7 days. The events are ordered
by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where Suspicious SQL Query Detected
events have been observed over the past 7 days.

IP Summary


SQL Intrusion
The SQL Intrusion section includes normalized intrusion events with the keyword "SQL" in the name. There are
intrusion events related to web servers or web attacks. The intrusion event type denotes logs from network
IDS, firewalls, applications and operating systems that indicate some sort of network attack. Port scans, denial
of service and logs that indicate virus probes are normalized to their own LCE event types.
The Subnet Summary pie chart provides a summary view of the subnets where SQL Intrusion events are most
commonly seen. The chart uses the Class C Summary tool to list subnets on the 24-bit CIDR boundary. The
event counts are calculated over the past 7 days, and the top 10 subnets are displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the SQL Intrusion query is represented by its normalized event name and a
trend graph depicting the number of events over the past 7 days. The events are ordered by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where SQL Intrusion events have been
observed over the past 7 days.

IP Summary


Database Stats
The Database Stats section includes normalized stats events with the keyword "Database" in the name. For every
unique type of event, the LCE will profile the frequency of events and alert when there is a statistical deviation
for any event. These events are normalized to the stats LCE event type. For example, for a given host, if the
LCE detected a sudden increase in the frequency of database events over the past hour compared to the same
window in previous days, LCE would issue a Statistics-Database_Minor_Anomaly event.
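The comparison described above, sketched as an added example (this is not LCE's or Tenable's own code). The z-score method, the 3.0 threshold, and all function names are assumptions made for illustration; the event timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

def deviation(timestamps, now, days=7):
    """Compare the last full clock hour before `now` with the same hour on prior days."""
    counts = Counter((t.date(), t.hour) for t in timestamps)
    window = now - timedelta(hours=1)
    current = counts[(window.date(), window.hour)]
    baseline = [counts[((window - timedelta(days=d)).date(), window.hour)]
                for d in range(1, days + 1)]
    mu, sigma = mean(baseline), pstdev(baseline)
    # Floor sigma at 1.0 so a flat baseline neither divides by zero
    # nor turns a one-event difference into an alert.
    return current, mu, (current - mu) / max(sigma, 1.0)

def classify(z, minor=3.0):
    """Return the event name from the report when the assumed threshold is crossed."""
    return "Statistics-Database_Minor_Anomaly" if z >= minor else None

def constructed_events(now, per_day, today):
    """Constructed sample: per_day[i] events in the window i+1 days ago, `today` events now."""
    start = (now - timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    events = []
    for d, n in enumerate(per_day, start=1):
        events += [start - timedelta(days=d) + timedelta(minutes=i) for i in range(n)]
    events += [start + timedelta(minutes=i) for i in range(today)]
    return events

if __name__ == "__main__":
    now = datetime(2024, 5, 8, 15, 0)  # constructed reference time
    for label, today in (("busy host", 40), ("quiet host", 5)):
        events = constructed_events(now, [4, 5, 6, 5, 4, 6, 5], today)
        current, mu, z = deviation(events, now)
        print(label, current, mu, round(z, 1), classify(z))
```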
The Subnet Summary pie chart provides a summary view of the subnets where Database Stats events are most
commonly seen. The chart uses the Class C Summary tool to list subnets on the 24-bit CIDR boundary. The
event counts are calculated over the past 7 days, and the top 10 subnets are displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the Database Stats query is represented by its normalized event name and a
trend graph depicting the number of events over the past 7 days. The events are ordered by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where Database Stats events have been
observed over the past 7 days.

IP Summary


SQL Error
The SQL Error section includes normalized error events with the keyword "SQL" in the name. The error event
type denotes any type of system, application, router, or switch log that indicates some sort of error. Logs that
indicate crashes and hung processes are sent to the process event type.
The Subnet Summary pie chart provides a summary view of the subnets where SQL Error events are most
commonly seen. The chart uses the Class C Summary tool to list subnets on the 24-bit CIDR boundary. The
event counts are calculated over the past 7 days, and the top 10 subnets are displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the SQL Error query is represented by its normalized event name and a trend
graph depicting the number of events over the past 7 days. The events are ordered by total event count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where SQL Error events have been observed
over the past 7 days.

IP Summary


SQL Login Failure
The SQL Login Failure section includes normalized login-failure events with the keyword "SQL" in the name. The
login-failure event type denotes any type of authentication log that indicates credentials were presented and
were incorrect. This is distinct from application logs that show an IP address being blocked or access to
resources being denied; these are logged as the firewall or access-denied event types, respectively.
The Subnet Summary pie chart provides a summary view of the subnets where SQL Login Failure events are most
commonly seen. The chart uses the Class C Summary tool to list subnets on the 24-bit CIDR boundary. The
event counts are calculated over the past 7 days, and the top 10 subnets are displayed based on event count.

Subnet Summary

The Normalized Event Summary table provides a summary view of the normalized events over the past 7 days.
Each normalized event matching the SQL Login Failure query is represented by its normalized event name and
a trend graph depicting the number of events over the past 7 days. The events are ordered by total event
count.

Normalized Event Summary

The IP Summary table provides a summary of the top 100 systems where SQL Login Failure events have been
observed over the past 7 days.

IP Summary
