PentestTools WebsiteScanner Report

Uploaded by abobedro90

Website Vulnerability Scanner Report

Target: https://173.212.236.192/royahsoft/
Target added due to a redirect from https://173.212.236.192

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with 40+ tests and detect more vulnerabilities.

Summary

Overall risk level: High

Risk ratings:
High: 1
Medium: 1
Low: 5
Info: 12

Scan information:
Start time: Jul 02, 2024 / 06:12:38
Finish time: Jul 02, 2024 / 06:13:52
Scan duration: 1 min, 14 sec
Tests performed: 19/19
Scan status: Finished

Findings

Vulnerabilities found for server-side software (UNCONFIRMED)

Risk level: High. Each entry below lists CVSS | CVE | Affected software, followed by the summary.

CVSS 9.8 | CVE-2024-4577 | Affected software: php 8.2.12
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS 8.8 | CVE-2024-5585 | Affected software: php 8.2.12
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVSS 7.5 | CVE-2023-5363 | Affected software: openssl 3.1.3
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.

Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

CVSS 6.5 | CVE-2023-6129 | Affected software: openssl 3.1.3
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.
CVSS 5.9 | CVE-2024-2408 | Affected software: php 8.2.12
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

CVSS 5.5 | CVE-2024-0727 | Affected software: openssl 3.1.3
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

CVSS 5.3 | CVE-2023-5678 | Affected software: openssl 3.1.3
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVSS 5.3 | CVE-2024-5458 | Affected software: php 8.2.12
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

Details

Risk description:
The risk is that an attacker could search for an existing exploit (or write one) for any of these vulnerabilities and use it to attack the system.

Recommendation:
We recommend upgrading the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Classification:
CWE : CWE-1026
OWASP Top 10 - 2013 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2021 : A6 - Vulnerable and Outdated Components

Directory listing is enabled (CONFIRMED)

URL: https://173.212.236.192/royahsoft/wp-includes/

Details

Risk description:
The risk is that sensitive files are often "hidden" among public files in such a location, and attackers can use this misconfiguration to find and access them.

Recommendation:
We recommend reconfiguring the web server to deny directory listing. Furthermore, you should verify that there are no sensitive files at the mentioned URLs.

References:
http://projects.webappsec.org/w/page/13246922/Directory%20Indexing

Classification:
CWE : CWE-548
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A1 - Broken Access Control

Screenshot:

Figure 1. Directory Listing

Missing security header: X-Content-Type-Options (CONFIRMED)

URL: https://173.212.236.192/royahsoft/
Evidence: Response headers do not include the X-Content-Type-Options HTTP security header

Details

Risk description:
The risk is that the absence of this header could make attacks such as Cross-Site Scripting or phishing possible in Internet Explorer browsers.

Recommendation:
We recommend setting the X-Content-Type-Options header, e.g. X-Content-Type-Options: nosniff .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Missing security header: Strict-Transport-Security (CONFIRMED)

URL: https://173.212.236.192/royahsoft/
Evidence: Response headers do not include the HTTP Strict-Transport-Security header

Details

Risk description:
The risk is that the absence of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the period, in seconds, for which the browser must require HTTPS for this host; it should be chosen quite high, e.g. several months. A value below 7776000 is considered too low by this scanner check.
The flag includeSubDomains specifies that the policy also applies to subdomains of the host sending the response.

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Missing security header: Referrer-Policy (CONFIRMED)

URL: https://173.212.236.192/royahsoft/
Evidence: Response headers do not include the Referrer-Policy HTTP security header, and the <meta> tag with name 'referrer' is not present in the response.

Details

Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to another site, e.g. "https://www.google.com", the browser will send the full originating URL to that site in the Referer header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value no-referrer of this header instructs the browser to omit the Referer header entirely.

References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Missing security header: Content-Security-Policy (CONFIRMED)

URL: https://173.212.236.192/royahsoft/
Evidence: Response does not include the HTTP Content-Security-Policy security header or meta tag

Details

Risk description:
The risk is that if the target application is vulnerable to XSS, the absence of this header makes it easily exploitable by attackers.

Recommendation:
Configure the Content-Security-Policy header to be sent with each HTTP response in order to apply the specific policies needed by the application.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Server software and technology found (UNCONFIRMED)

Software / Version | Category
Ionicons | Font scripts
jQuery UI | JavaScript libraries
Windows Server | Operating systems
MySQL | Databases
OpenSSL 3.1.3 | Web server extensions
PHP 8.2.12 | Programming languages
Contact Form 7 5.9 | WordPress plugins
Elementor 3.19.4 | Page builders, WordPress plugins
Font Awesome | Font scripts
Bootstrap | UI frameworks
jQuery Migrate 3.4.1 | JavaScript libraries
Apache HTTP Server 2.4.58 | Web servers
jQuery | JavaScript libraries
OWL Carousel | JavaScript libraries
Sectigo | SSL/TLS certificate authorities
Webpack | Miscellaneous
Module Federation | Miscellaneous
WordPress 6.5.5 | CMS, Blogs
Slider Revolution | Widgets, Photo galleries

Details

Risk description:
The risk is that an attacker could use this information to mount attacks specific to the identified software type and version.

Recommendation:
We recommend removing the information that permits identification of the software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Security.txt file is missing (CONFIRMED)

URL: Missing: https://173.212.236.192/.well-known/security.txt

Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend implementing the security.txt file according to the standard, in order to allow researchers or users to report any security issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Website is accessible.

Nothing was found for client access policies.

Nothing was found for robots.txt file.

Nothing was found for use of untrusted certificates.

Nothing was found for enabled HTTP debug methods.

Nothing was found for enabled HTTP OPTIONS method.

Nothing was found for secure communication.

Nothing was found for domain too loose set for cookies.

Nothing was found for HttpOnly flag of cookie.

Nothing was found for Secure flag of cookie.

Nothing was found for unsafe HTTP header Content Security Policy.

Scan coverage information

List of tests performed (19/19)

Starting the scan...
Checking for missing HTTP header - X-Content-Type-Options...
Checking for missing HTTP header - Strict-Transport-Security...
Checking for missing HTTP header - Referrer...
Checking for missing HTTP header - Content Security Policy...
Checking for directory listing...
Checking for website technologies...
Checking for vulnerabilities of server-side software...
Checking for client access policies...
Checking for robots.txt file...
Checking for absence of the security.txt file...
Checking for use of untrusted certificates...
Checking for enabled HTTP debug methods...
Checking for enabled HTTP OPTIONS method...
Checking for secure communication...
Checking for domain too loose set for cookies...
Checking for HttpOnly flag of cookie...
Checking for Secure flag of cookie...
Checking for unsafe HTTP header Content Security Policy...

Scan parameters
Target: https://173.212.236.192/royahsoft/
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points Detected: 338
URLs spidered: 3
Total number of HTTP requests: 13
Average time until a response was received: 1604ms
