ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Performed between testing start date and end date
By SSL247 Limited

SSL247 Limited, 63 Lisson Street, Marylebone, London NW1 5DA
+44 (0)207 060 3775
www.ssl247.co.uk
Contents

1 Management Summary 3
2 Summary of Vulnerabilities 5
3 Key Findings 6
4 Commercial Statements 8
5 Document Version Information 8
6 Presentation of Issues and Findings 9
7 Tool List 10
8 Scope of Work 11
9 Summary of Vulnerabilities 12
10 Vulnerability Findings and Full Technical Details 14
1 Management Summary

The following report outlines the findings of an information systems security review by SSL247 Limited between the dates testing took place. The purpose of this review was to determine the existence of any vulnerability within the web application and the supporting infrastructure.

Testing was performed following a black box approach, requiring the tester to discover information via open source intelligence gathering. This was completed using domain name enumeration, querying the RIPE NCC (Reseaux IP Europeens - Network Coordination Centre) databases, Google search techniques and automated data mining tools.

The following URL was given by ABC LTD, and the IP range identified during the discovery exercise was confirmed by the Client:

http://www.abc.com
99.999.99.160-99.999.99.175

The first stage of the review involved scanning the server for open ports and services, then conducting a full vulnerability scan using automated scanners. This yielded very few results, demonstrating a well secured server configuration. Minor issues relating to the encryption methods accepted for secure HTTPS connections and to debugging functions were discovered.

The website was subjected to multiple automated and manual techniques to evaluate the overall security of the ABC website and external infrastructure. The website was tested against the OWASP Top 10 vulnerabilities, including SQL injection and Cross Site Scripting, to ensure full security measures have been enforced.

Several critical issues were discovered within the ABC application. Default login credentials were in use for phpMyAdmin. phpMyAdmin is an open source tool written in PHP intended to handle the administration of MySQL over the World Wide Web. It can perform various tasks such as creating, modifying or deleting databases, tables, fields or rows, executing SQL statements and managing users and permissions.
From this the tester was able to view the database tables giving user account information such as: REMOVED FOR SECURITY PURPOSES. Escalation of privileges could be carried out, which would allow an attacker to take full control of the server. However, this was not exploited in order to maintain the integrity of the server.

Another major issue discovered was that the server appeared to have already been compromised. Several local exploit files were found to be present in the remote website server directories. Also discovered was a PHP shell in the SQL database, which an attacker could use for command line access to execute commands on the server. This could mean that personal information held in the database has already been compromised by malicious users.
The tester found it possible to view all files, including configuration and system files, on the remote server by exploiting a vulnerability known as directory traversal in the webgrind application found on the server. This would allow an attacker to view the server configuration files and retrieve passwords and system files.

Several directory listings were accessible which display the entire directory contents. This can be used by an attacker to retrieve sensitive files and discover more information about the system.

Upon further investigation against the website it was found that several other scripts are running, such as WordPress and Mailman. Both of these scripts are outdated and should be updated, as vulnerabilities currently exist which could be used to compromise the server and the website.

The tester discovered that the default manual installation documentation is present for Apache. This contains information which could be used by an attacker to discover further information about the website hosting technologies, as well as default directories and files present on the server.

Due to the severity of the vulnerabilities found we must declare the ABC Application: Not Fit For Purpose
2 Summary of Vulnerabilities

In total 10 vulnerability groups have been identified and documented.

Vulnerability Category    Total    Critical    High    Medium    Low
All Categories            10       3           -       4         3
Application Software      10       3           -       4         3
Database Configuration    -        -           -       -         -
Host Configuration        -        -           -       -         -
Infrastructure Design     -        -           -       -         -
Password Policy           -        -           -       -         -
Security Documentation    -        -           -       -         -
Patch Management          -        -           -       -         -

All security issues are presented with recommendations for mitigating the risks posed. Each recommendation or fix has been assigned an effort rating which estimates how much remedial work will be required to address the item. This is summarised in the following table:

Low: up to 1 day of effort
Medium: up to 10 days of effort
High: over 10 days of effort

Remediation Effort    Total    Critical    High    Medium    Low
Total                 10       3           -       4         3
High Effort           -        -           -       -         -
Medium Effort         2        2           -       -         -
Low Effort            8        1           -       4         3
3 Key Findings

The system was found to be already compromised. Investigation into the attack should take place to discover the level of severity and whether any data loss occurred.

No authentication is needed to access the phpMyAdmin panel, allowing complete access to the ABC, MySQL and information schema tables. Another instance of phpMyAdmin was found, allowing root access without authentication; this can lead to complete compromise of the host.

An existing PHP shell script was found in the database, indicating that this could be the entry point for the compromise of the host.

A directory traversal vulnerability was found at http://defg.abc.com/webgrind

Internal IPs are disclosed in the user cookies. This internal IP disclosure should be fixed, as internal IPs should not be given in cookies.

Customer numbers and profile pictures were disclosed in a directory present on the web server.

Default files and server errors are in use. Custom server error pages should be implemented across the website to prevent information disclosure, and the default install manuals should be removed.

The tester found it possible to upload a PHP file as their profile picture. Image extension filtering should be present in the file upload fields to prevent potentially malicious files being uploaded.

Outdated versions of WordPress, Mailman and SquirrelMail are in use. All of these scripts should be updated to prevent exploitation of publicly disclosed vulnerabilities.
Debugging functions are enabled on the remote web server. It is recommended that the TRACE method is disabled if it is not needed for the functionality of the application.

The remote service supports the use of weak and medium strength SSL ciphers. We recommend the use of high strength SSL ciphers and SSLv3. The application should be reconfigured to disallow the use of medium and low strength SSL ciphers.
4 Commercial Statements

Confidentiality and Copyright

The information contained in this report is confidential and is submitted by SSL247 Limited on the understanding that it will be used only by the commissioning client. In particular, the contents of this document must not be disclosed in whole or in part to any other party without the prior written consent of SSL247 Limited.

Validity of Information

SSL247 Limited has made every effort to ensure that all statements and information contained herein are accurate.

5 Document Version Information

Date          Author    Version    Change Reference
06/02/213     ANO1      0.1        Management Summary, Key Findings
07/02/2013    ANO1      0.2        Vulnerability Details
07/02/2013    ANO2      0.3        Technical QA
07/02/2013    ANO3      1.0        Final QA and Release

Reference: ABC-FEB-15
Version: 1.0
Creation Date: 6th February 2015
Last Update: 7th February 2015
Authors: ANO1
Test Team: ANO1
Authorisation: CUS01
6 Presentation of Issues and Findings

Issues are presented in a common format to aid readability and assist the client in prioritising issues and, importantly, prioritising remedial action where necessary. The common presentation format contains a number of fields describing the nature of the issue, risk and recommendation as follows:

TITLE: Short form title summarising the security issue.

IMPACT RATING: A rating of the likely impact resulting from a successful attack or exploitation of the issue. Ratings run Low, Moderate and High.

LIKELIHOOD RATING: A rating of the likelihood of a successful attack; this incorporates parameters such as availability of exploit code, complexity of attack and compensating controls/mitigating factors. Ratings run Low, Moderate and High.

RISK: An overall rating of the technical risk posed by the issue. This is generally decided by both the impact and the likelihood, although it is subject to modification based on other factors considered by the security assessor. Ratings run Low, Moderate, High and Critical.

FIX EFFORT: A rating of the anticipated effort required to successfully perform remediation work, generally based on the recommendations made for a specific issue. This rating is highly subjective, but is based on the security assessor's experience of similar issues and organisations. Ratings run Low, Moderate and High. This can loosely be translated to days as follows: Low: up to 1 day of effort; Moderate: up to 10 days of effort; High: over 10 days of effort.

ISSUE: A description of the security issue.

AFFECTED COMPONENTS

RECOMMENDATION: A recommendation or set of recommendations for remediation or otherwise mitigating the risks posed by the issue.

NOTES: Any observations, references or other notes relating to the issue.
7 Tool List

SSL247 Limited utilise a wide ranging tool set that often includes bespoke tools and code created for specific purposes during testing. It is important to emphasise that tools represent one aspect of the penetration testing methodology and approach. The effective use of the tools and their output is a very important aspect of the penetration testing methodology. The primary function of the tools is to provide information to the testing consultants so that the information gathering phase is reduced in time.

During the testing the primary tool set used by the testers included:

NMAP - Network reconnaissance tool/port scanner
Dig - A DNS enumeration tool
Nessus - Vulnerability analysis tool
Tcpjunk - A TCP data fuzzer
Cain - General purpose penetration testing tool
Nikto - General purpose web application and server enumeration tool
w3af - General purpose web application vulnerability detection tool
WebEncript - SSL247 Limited purpose built web vulnerability scanning tool
NetCat - TCP/IP communications tool
Dirbuster - Web application directory brute force tool
HashCat - Password cracking tool
Arachni - Web application scanner
ZAP - Proxy HTTP testing tool
8 Scope of Work

EXTERNAL ITHC

IN DEPTH PENETRATION TESTING
In depth penetration testing of \sensitive{\weburl}. Testing will be performed over the internet from SSL247's offices. The method will be Black Box and testing should not cause any interruption to services. Testing will begin with fingerprinting of the website followed by manual exploitation, with a full review of the results by a senior SSL247 CHECK penetration tester.

Incident Response - By SSL247 running through a scenario based incident when testing.
Intrusion Detection - SSL247 inform the organisation when we will be testing to allow them to assess incident identification.
Configuration - Test that web servers etc. are security hardened.
Patch Management - Test that OS software is patched and up to date.
Web Enabled Applications - A full test on the following web site with attempted exploitation: \sensitive{\weburl}

ANALYSIS AND REPORTING
All results will be analysed by a senior SSL247 Limited consultant and a comprehensive three part report produced.
9 Summary of Vulnerabilities

9.1 - phpMyAdmin
Impact: Critical   Risk: Critical   Likelihood: Critical   Fix Effort: Medium

9.2 - Previous Server Compromise
Impact: Critical   Risk: Critical   Likelihood: Critical   Fix Effort: Medium

9.3 - Directory Traversal
Impact: Critical   Risk: Critical   Likelihood: Critical

9.4 - Information Disclosure
Impact: Low   Risk: Medium   Likelihood: Low

9.5 - Debugging Functions
Impact: Medium   Risk: Medium   Likelihood: Low

9.6 - Directory Listings
Impact: Medium   Risk: Medium   Likelihood: Medium

9.7 - Profile Picture User ID Enumeration
Impact: Medium   Risk: Medium   Likelihood: Medium

9.8 - File Upload
Impact: Medium   Risk: Low   Likelihood: Low

9.9 - Weak and Medium SSL Ciphers
Impact: Low   Risk: Low   Likelihood: Low

9.10 - Resuming SSL Sessions
Impact: Low   Risk: Low   Likelihood: Low
10 Vulnerability Findings and Full Technical Details

The following section details the vulnerabilities listed in section 8 above, and also includes the following information: Impact, Likelihood, Risk, Fix Effort, Issue Description, Affected Components, Risk Description, Recommendation, Effort and Notes.

Results are presented as detailed in section 6 of this report and may also refer to appendices for logs and/or screen shots where appropriate. Where possible the method of discovery of the issue is detailed along with any tools and/or logs to support the findings.
9.1 - phpMyAdmin
Impact: Critical   Risk: Critical   Likelihood: Critical   Fix Effort: Medium

Description
The tester found it possible to gain access to the MySQL database via phpMyAdmin with no authentication. From this the entire database was available to the tester, including over 700,000 user entries detailing REMOVED FOR SECURITY PURPOSES. Another instance of phpMyAdmin was found in the development domain, which allowed the tester access as the root user. This system appeared to be already compromised, as a PHP shell was found in the database.

Risk Description
The tester was able to log in to the Server 2 database present at the phpMyAdmin manager using no username or password to authenticate. After gaining access to the Server 2 database and viewing the "ABC" database via phpMyAdmin, the tester was able to view all the users and Administrator login details. It was found that several clear text passwords were present in the database which were not encrypted. With over 700,000 table entries in the users table, the amount of personal data which may have been compromised is very large. Below you can see screen shots of the database:

REMOVED FOR SECURITY PURPOSES
We must stress the severity of having unencrypted user passwords present in the database, as this removes an extra line of defence against an attacker. The tester reviewed the password policy in place for the Administrator user group and attempted to crack the passwords. This attack was successful; below you can see the output from the Administrator group passwords:

Another instance of phpMyAdmin was found at www.ardev.abc.com. It was discovered that this instance of phpMyAdmin allowed default access as the root user. It was found that the database had already been compromised, as a PHP shell was found in the "test" database, in the "abc" table.

REMOVED FOR SECURITY PURPOSES
There is a high possibility that this was the entry point for the compromise of the host.

The default set-up scripts were found. These can be used to alter the phpMyAdmin setup and add servers. This script should be removed once phpMyAdmin has been set up for the first time; see below for a screen shot of this:

REMOVED FOR SECURITY PURPOSES

Recommendation
Do not allow remote root logins; instead use "Cookie Auth" to limit which users can access the system. If you need some root privileges, create a custom account that can add/drop/create but does not have "grant" or "file_priv". file_priv can be used maliciously because it can be used to read files or upload backdoors. Put an IP address restriction in your .htaccess for the phpMyAdmin folder. Do not use a predictable file location like /phpmyadmin/; vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

Notes
None.
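As an added illustration of the recommendation above (not the report's or ABC's own configuration), the following phpMyAdmin config.inc.php contrasts the setup the tester found with a hardened one using cookie authentication, a root block and an allow list; the host, account name and network are placeholder assumptions. The .htaccess IP restriction and the renaming of the /phpmyadmin/ path are web server changes made alongside this file.

```php
<?php
// Added example, not the report's or ABC's own configuration: a phpMyAdmin
// config.inc.php applying the 9.1 recommendations. Host name, account name
// and network below are placeholder assumptions.

$i = 1;

// What the tester found, for contrast: fixed "config" auth as root with no
// password, so anyone reaching the URL is already logged in.
// $cfg['Servers'][$i]['auth_type']       = 'config';
// $cfg['Servers'][$i]['user']            = 'root';
// $cfg['Servers'][$i]['password']        = '';
// $cfg['Servers'][$i]['AllowNoPassword'] = true;

// Hardened equivalent.
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES';   // needed for cookie auth
$cfg['Servers'][$i]['host']            = 'localhost';
$cfg['Servers'][$i]['auth_type']       = 'cookie';  // every user logs in with MySQL credentials
$cfg['Servers'][$i]['AllowRoot']       = false;     // root is refused at the phpMyAdmin layer
$cfg['Servers'][$i]['AllowNoPassword'] = false;     // accounts with empty passwords are refused

// Only the named MySQL account, and only from the admin network (192.0.2.0/24
// is a documentation range standing in for it); 'allow,deny' denies by default.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = ['allow pma_admin from 192.0.2.0/24'];

// Alongside this file: delete the setup/ directory once configuration is done,
// and create pma_admin in MySQL without GRANT OPTION or FILE (file_priv), e.g.
//   CREATE USER 'pma_admin'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
//     ON `abc`.* TO 'pma_admin'@'localhost';
```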
9.2 - Previous Server Compromise
Impact: Critical   Risk: Critical   Likelihood: Critical   Fix Effort: Medium

Description
It was found by the tester that the web server had already been compromised by a malicious attacker.

Risk Description
Several local root exploits were found on the remote host, indicating that the server has been previously compromised by an attacker. This could mean that the database has been extracted, allowing the attacker to retrieve all 700,000+ client details that were present in the Server 2 database. From the date of last modification detailed in the file statistics, it is possible that the host has been compromised multiple times, as the dates on which the files were modified vary from 2009 until November 2011.

The following URLs are where the exploits were found:

REMOVED FOR SECURITY PURPOSES

Below you can see a print screen of a directory containing the exploits:

REMOVED FOR SECURITY PURPOSES
Recommendation
A forensic investigation of the attack should take place to verify the extent of the attack and identify whether personal information has been taken from the databases.

Notes
None.
9.3 - Directory Traversal
Impact: Critical   Risk: Critical   Likelihood: Critical

Description
A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with dot-dot-slash (../) sequences and their variations, it was possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files. The attacker uses ../ sequences to move up to the root directory, thus permitting navigation through the file system.

Risk Description
It was found that the host was running an Xdebug profiling web front end written in PHP called webgrind. This application is vulnerable to directory traversal. After identifying that the ardev domain was running on a WAMP server, the tester could start manipulating the application to view files present on the file system. The script was found at the following URL:

REMOVED FOR SECURITY PURPOSES

An example of the manipulation to view the index file source code is below:

REMOVED FOR SECURITY PURPOSES

Some screen shots of the vulnerability, showing that an attacker could retrieve files from the QRST server and the server itself:

REMOVED FOR SECURITY PURPOSES

Recommendation
The webgrind application should be removed from the web host.

Notes
None.
9.4 - Information Disclosure
Impact: Low   Risk: Medium   Likelihood: Low

Description
Default install help files and multiple instances of information disclosure were discovered across the application due to improperly handled exceptions. The information revealed by these error pages was found to contain sensitive server side information.

Risk Description
The Apache default help manual was found during the testing. Whilst not a vulnerability in itself, the information can be used to identify the running services on the web host to aid in an attack. The manual can be found at the following URL: http://www.abc.com/manual/

Default server errors were also found to be in use; these disclose information which can aid in an attack. Below you can see a screen shot of this:

REMOVED FOR SECURITY PURPOSES

The default PHP information page was found on the web server, located at: http://www.abc.com/info.php

Recommendation
Replace all standard error pages with custom pages to prevent information disclosure. Unnecessary help files should be removed from the server as they can be utilised by an attacker.

Notes
None.
9.5 - Debugging Functions
Impact: Medium   Risk: Medium   Likelihood: Low

Description
The test team discovered that several of the applications allow the TRACE HTTP method, which can be used to perform actions on the web server. This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing (XST).

Risk Description
The TRACE method, while thought to be harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique can be used to bypass the HttpOnly flag that was introduced to protect cookies from being accessed by JavaScript. Tagging a cookie as HttpOnly forbids JavaScript from accessing it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

Recommendation
It is recommended that the TRACE method is disabled if it is not needed for the functionality of the application.

Notes
None.
9.6 - Directory Listings
Impact: Medium   Risk: Medium   Likelihood: Medium

Description
All directories found during the testing were found to disclose all other files and subdirectories present; this can assist an attacker in finding more information and sensitive files.

Risk Description
It was found that multiple directories allowed users to view all the files and directories they contain. This would allow an attacker to discover more about the web server and find other directories which may contain sensitive information. Below you can see a screen shot of this:

REMOVED FOR SECURITY PURPOSES

Recommendation
Reconfigure the server settings or use a URL rewrite script to disallow users from viewing remote directories and their contents.

Notes
None.
9.7 - Profile Picture User ID Enumeration
Impact: Medium   Risk: Medium   Likelihood: Medium

Description
Personal profile pictures were found in a directory present on the web server. The pictures were named with the user ID, allowing user ID numbers to be enumerated.

Risk Description
By navigating to the following URL the tester found it possible to view all profile pictures uploaded by users of the ABC application. The profile photos are named with the user ID, allowing enumeration of the user IDs present in the system.

http://www.abc.com/rf2/img/profile-photos/

This could be exploited by an attacker conducting a social engineering attack against ABC, as the attacker would have multiple user IDs.

Recommendation
Session authentication should be implemented to prevent access to other registered members' photos, and a URL rewrite script should be applied to the profile-photos directory.

Notes
None.
9.8 - File Upload
Impact: Medium   Risk: Low   Likelihood: Low

Description
The tester found it possible to upload files which were not images, such as .php and .jsp files.

Risk Description
Whilst testing, we identified an upload feature in the application which was intended to allow users to upload a profile picture to the website. We were able to successfully upload files which are not images, such as PHP and ASP files. We could not view the uploaded files as the web server would not parse them, and instead presented us with errors rather than the intended code.

Recommendation
We recommend that extension filtering is put in place to prevent files of unintended types being uploaded to the website via the upload feature.

Notes
None.
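The following PHP is an added example, not code from the report or from the ABC application, that serves both the recommendation for 9.8 and the session authentication recommended for 9.7: an upload handler that whitelists image extensions, checks that the bytes really are that image type and stores the file under a server-chosen name outside the web root, plus a download function that releases a photo only to its logged-in owner. The storage directory, the secret and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
// Added example, not code from the report or the ABC application: profile picture
// upload validation (finding 9.8) and a session-gated download path (finding 9.7).
// Assumed placeholders: PHP 7.4+, $_SESSION['user_id'] set at login, a storage
// directory outside the web root, and a long random secret.
declare(strict_types=1);

const PHOTO_DIR    = '/var/app-data/profile-photos';        // assumed: not web-served
const PHOTO_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';   // placeholder
const MAX_BYTES    = 2 * 1024 * 1024;

// Allowed extensions and the MIME type the file's own bytes must report.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Stored path prefix derived from the user ID and the secret: the client never
// chooses the name, and a listing no longer reveals user IDs (cf. 9.7).
function photo_base(int $userId): string
{
    return PHOTO_DIR . '/' . hash('sha256', $userId . ':' . PHOTO_SECRET);
}

/** Validate one $_FILES entry and store it; throws on any rejection. */
function store_profile_photo(array $file, int $userId): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected: transfer error or too large');
    }

    // 1. Extension whitelist. The name is client-supplied, so this alone is
    //    not enough: "shell.php" is rejected, but "shell.jpg" gets to step 2.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content check: the bytes must decode as an image of the type the
    //    extension claims. A PHP script renamed to .jpg fails here. This is a
    //    type check only, so the file is also kept outside the web root and is
    //    streamed by serve_profile_photo() rather than executed.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        throw new RuntimeException('content is not the declared image type');
    }

    // 3. Replace any earlier photo and move the upload to the server-chosen name.
    foreach (glob(photo_base($userId) . '.*') ?: [] as $old) {
        unlink($old);
    }
    $dest = photo_base($userId) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

/** Stream a photo only to the logged-in user who owns it (cf. 9.7). */
function serve_profile_photo(int $requestedUserId): void
{
    session_start();
    if (!isset($_SESSION['user_id']) || (int) $_SESSION['user_id'] !== $requestedUserId) {
        http_response_code(403);
        return;
    }
    $matches = glob(photo_base($requestedUserId) . '.*') ?: [];
    if ($matches === []) {
        http_response_code(404);
        return;
    }
    $info = getimagesize($matches[0]);
    header('Content-Type: ' . ($info !== false ? $info['mime'] : 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff');
    readfile($matches[0]);
}
```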
9.9 - Weak and Medium SSL Ciphers
Impact: Low   Risk: Low   Likelihood: Low

Description
The remote host supports the use of SSL ciphers that offer weak and medium strength encryption, currently regarded as those with key lengths of at least 56 bits and less than 112 bits. This is considerably easier to exploit if the attacker is on the same physical network.

Risk Description
The use of low and medium strength SSL ciphers could allow an attacker on the same network as the client to exploit this vulnerability and conduct Man In The Middle (MitM) attacks or decrypt communications between the affected service and clients. This would allow an attacker to retrieve login and user data communicated between the client side software and server side application.

Recommendation
We recommend the use of high strength SSL ciphers and SSLv3; the application should be reconfigured to disallow the use of medium and low strength SSL ciphers.

Notes
None.
9.10 - Resuming SSL Sessions
Impact: Low   Risk: Low   Likelihood: Low

Description
The remote host allows resuming SSL sessions.

Risk Description
The version of OpenSSL on the remote host has been shown to allow resuming sessions with a weaker cipher than was used when the session was initiated. This means that an attacker who sees the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumes of that session to use a weaker cipher chosen by the attacker.

Recommendation
Upgrade to OpenSSL 0.9.8q / 1.0.0c or later, or contact your vendor for a patch.

Notes
None.

Raw NMAP Output
REMOVED FOR SECURITY PURPOSES