Nessus Report. Report 21/Mar/2012:16:43:56 GMT



Similar documents
Payment Card Industry (PCI) Executive Report 10/27/2015

Payment Card Industry (PCI) Executive Report 08/04/2014

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Payment Card Industry (PCI) Executive Report. Pukka Software

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

CONTENTS. PCI DSS Compliance Guide

Setting Up Scan to SMB on TaskALFA series MFP s.

Vulnerability Scans Remote Support 15.1

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Payment Card Industry (PCI) Data Security Standard

PCI Compliance Updates

MANAGED SECURITY TESTING

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Where every interaction matters.

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Payment Card Industry (PCI) Data Security Standard

Lab 9: Pen Testing (NESSUS)

What is Web Security? Motivation

April 11, (Revision 2)

Cyber Essentials PLUS. Common Test Specification

How to complete the Secure Internet Site Declaration (SISD) form

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Cyber Security Scan Report

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

CS5008: Internet Computing

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

SecurityMetrics Vision whitepaper

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Overview of the Penetration Test Implementation and Service. Peter Kanters

OWASP Top Ten Tools and Tactics

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Directory and File Transfer Services. Chapter 7

!!!!!!!!!!!!!!!!!!!!!!

Catapult PCI Compliance

Document TMIC-003-PD Version 1.1, 23 August

Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)

Ethical Hacking as a Professional Penetration Testing Technique

Basics of Internet Security

SAST, DAST and Vulnerability Assessments, = 4

GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008

File Transfer Examples. Running commands on other computers and transferring files between computers

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

A Decision Maker s Guide to Securing an IT Infrastructure

PCI Compliance Considerations

Web Application Vulnerability Testing with Nessus

Client logo placeholder XXX REPORT. Page 1 of 37

Performing PCI DSS and OWASP Web Application Audits with Nessus

F-SECURE MESSAGING SECURITY GATEWAY

Web Application Report

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

How To Manage Web Content Management System (Wcm)

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Essential IT Security Testing

Attack Vector Detail Report Atlassian

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Passing PCI Compliance How to Address the Application Security Mandates

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Payment Card Industry (PCI) Approved Scanning Vendors. Program Guide Reference 1.0 PCI DSS Version 1.2

Web Application Security Assessment and Vulnerability Mitigation Tests

TRIPWIRE PURECLOUD. TRIPWIRE PureCloud USER GUIDE

PCI Compliance Report

74% 96 Action Items. Compliance

SSA : Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal)

The McAfee SECURE TM Standard

How To Pass An Asv Scan

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Linux Network Security

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Cyber Essentials. Test Specification

Penetration Testing Report Client: Business Solutions June 15 th 2015

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Thick Client Application Security

Common Criteria Web Application Security Scoring CCWAPSS

Achieving PCI-Compliance through Cyberoam

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Cloud Security:Threats & Mitgations

Running a Default Vulnerability Scan SAINTcorporation.com

Sitefinity Security and Best Practices

Web App Security Audit Services

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Chapter 17. Transport-Level Security

Cyber Exercises, Small and Large

Managed File Transfer and the PCI Data Security Standards

SERENA SOFTWARE Serena Service Manager Security

ASV Scan Report Attestation of Scan Compliance

Transcription:

Nessus Report Report 21/Mar/2012:16:43:56 GMT

Table Of Contents Vulnerabilities By Plugin...3 33929 (4) - PCI DSS compliance... 4 56208 (5) - PCI DSS compliance : Insecure Communication Has Been Detected... 5 33931 (1) - PCI DSS Compliance: Tests Requirements... 7 56306 (1) - Web Server Allows Password Auto-Completion (PCI-DSS variant)... 8 56209 (2) - PCI DSS compliance : Remote Access Software Has Been Detected...10

Vulnerabilities By Plugin

33929 (4) - PCI DSS compliance Synopsis Nessus has determined that this host is NOT COMPLIANT with the PCI DSS requirements. Description The remote web server is vulnerable to cross-site scripting (XSS) attacks, implements old SSL2.0 cryptography, runs obsolete software, or is affected by dangerous vulnerabilities (CVSS base score >= 4). See Also http://www.pcisecuritystandards.org/ http://en.wikipedia.org/wiki/pci_dss Risk Factor None Hosts 192.168.150.100 (tcp/0) + The remote operating system is not maintained any more. See : http://www.nessus.org/plugins/index.php?view=single&id=47709 + Unsupported software was found. See : http://www.nessus.org/plugins/index.php?view=single&id=34460 + A web server is vulnerable to cross-site scripting (XSS) + 21 high risk flaws were found. See : http://www.nessus.org/plugins/index.php?view=single&id=34477 http://www.nessus.org/plugins/index.php?view=single&id=21193 http://www.nessus.org/plugins/index.php?view=single&id=12209 http://www.nessus.org/plugins/index.php?view=single&id=22194 http://www.nessus.org/plugins/index.php?view=single&id=35362 http://www.nessus.org/plugins/index.php?view=single&id=21334 http://www.nessus.org/plugins/index.php?view=single&id=19407 http://www.nessus.org/plugins/index.php?view=single&id=11835 http://www.nessus.org/plugins/index.php?view=single&id=19408 http://www.nessus.org/plugins/index.php?view=single&id=20008 http://www.nessus.org/plugins/index.php?view=single& [...] 192.168.150.100 (tcp/80) The remote web server is vulnerable to cross-site scripting (XSS) 192.168.150.131 (tcp/0) + Directory browsing is enabled on some web servers http://192.168.150.131/phpmyadmin/themes/darkblue_orange/img/ http://192.168.150.131/phpmyadmin/themes/darkblue_orange/css/ http://192.168.150.131/dvwa/dvwa/includes/dbms/ http://192.168.150.131/phpmyadmin/themes/darkblue_orange/ http://192.168.150.131/awstatsicons/os/ http://192.168.150.131/dvwa/dvwa/css/ http://192.168.150.131/phpmyadmin/themes/original/css/ http://192.168.150.131/phpmyadmin/themes/ http://192.168.150.131/awstatsicons/ http://192.168.150.131/dvwa/dvwa/ http://192.168.150.131/phpmyadmin/themes/original/ http://192.168.150.131/board/images/ http://192.168.150.131/phpmyadmin/themes/original/img/ http://192.168.150.131/dvwa/dvwa/images/ http://192.168.150.131/awstatsicons/other/ http://192.168.150.131/awstatsicons/clock/ http://192.168.150.131/dvwa/dvwa/includes/ http://192.168.150.131/dvwa/dvwa/js/ http://192.168.150.131/awstatsicons/browser/ http://192.168.150.131/awstatsicons/cpu/ http://192.168.150. [...] 192.168.150.131 (tcp/80) The remote web server is vulnerable to cross-site scripting (XSS) 4

56208 (5) - PCI DSS compliance : Insecure Communication Has Been Detected Synopsis An insecure port, protocol or service has been detected. Description Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, he/she may be able to gain control of an application or even gain clear-text access to encrypted data. Solution Properly encrypt all authenticated and sensitive communications. Risk Factor Medium Hosts 192.168.150.100 (tcp/21) This FTP server does not support 'AUTH TLS'. 192.168.150.131 (tcp/21) This FTP server does not support 'AUTH TLS'. 192.168.150.131 (tcp/23) Nessus collected the following banner from the remote Telnet server : ------------------------------ snip ------------------------------ Ubuntu 9.10 SECURITYFAIL login: ------------------------------ snip ------------------------------ 192.168.150.131 (tcp/80) Page : /board/ Destination page : /board/index.php Page : /board/?d=a Destination page : /board/index.php Page : /phpmyadmin/ Destination page : index.php Input name : pma_password Page : /phpmyadmin/?d=a Destination page : index.php Input name : pma_password Page : /board/register.php Destination page : register_script.php 2 Page : /board/index.php?username=&password=&cookie=yes&submit=submit&page=&forumid= Destination page : /board/index.php Page : /board/message.php?reply=0 Destination page : /board/message.php 5

Page : /dvwa/login.php Destination page : login.php Page : /phpmyadmin/index.php? phpmyadmin=ec1a515150b712760566bab7a00e0a4bf149235b&db=&table=&lang=enutf-8&convcharset=utf-8&collation_connection=utf8_general_ci&token=5464357048baf63cc6907e2b30f403e7&phpmyadmin utf-8&phpmyadmin=ec1a [...] 6

33931 (1) - PCI DSS Compliance: Tests Requirements Synopsis Nessus is not properly configured for PCI DSS validation. Description The scan settings did not fulfill the PCI DSS scan validation requirements. Even if the technical tests passed, this report may be insufficient to certify this server. See Also http://en.wikipedia.org/wiki/pci_dss http://www.nessus.org/u?870f3331 Risk Factor None Hosts 192.168.150.131 (tcp/0) + A database is reachable on a private network. Start the scan again from a public IP address to check that it is not reachable from the Internet. 7

56306 (1) - Web Server Allows Password Auto-Completion (PCI-DSS variant) Synopsis Auto-complete is not disabled on password fields. Description The remote web server contains at least HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point. Solution Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials. Risk Factor Medium CVSS Base Score 4.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N) Hosts 192.168.150.131 (tcp/80) Page : /board/ Destination Page : /board/index.php Page : /board/?d=a Destination Page : /board/index.php Page : /phpmyadmin/ Destination Page : index.php Input name : pma_password Page : /phpmyadmin/?d=a Destination Page : index.php Input name : pma_password Page : /board/register.php Destination Page : register_script.php 2 Page : /board/index.php?username=&password=&cookie=yes&submit=submit&pag e=&forumid= Destination Page : /board/index.php Page : /board/message.php?reply=0 Destination Page : /board/message.php 8

Page : /phpmyadmin/index.php?phpmyadmin=ec1a515150b712760566bab7a00e0a4b f149235b&db=&table=&lang=en-utf-8&convcharset=utf-8&collation_connection =utf8_general_ci&token=5464357048baf63cc6907e2b30f403e7&phpmyadmin=ec1a5 15150b712760566bab7a00e0a4bf149235b&lang=srlat-utf-8&phpMyAdmin=ec1a5151 50b712760566bab7a00e0a4bf149235b Destination Page : i [...] 9

56209 (2) - PCI DSS compliance : Remote Access Software Has Been Detected Synopsis A remote access software has been detected. Description Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C in the ASV Program Guide, or disabled / removed. Please consult your ASV if you have questions about this Special Note. Solution n/a Risk Factor None Hosts 192.168.150.100 (tcp/0) An SMB server is running on the remote host. A CIFS server is running on the remote host. 192.168.150.131 (tcp/0) An SSH server (remote terminal) is running on the remote host. A Telnet server (remote terminal) is running on the remote host. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information