Vulnerability Scans Remote Support 15.1





2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC: 4/23/2015

Table of Contents
About Vulnerability Scanning 3
IBM Security AppScan Report 4
Nexpose Scan Report 15
QualysGuard PCI Scan Results 29

CONTACT BOMGAR
info@bomgar.com
866.205.3650 (US)
+44 (0) 1628 480 210 (UK/EMEA)
BOMGAR.COM

About Vulnerability Scanning

To ensure the security and value of our product, Bomgar incorporates vulnerability scanning in our software testing process. We commit to addressing, with the utmost urgency, security vulnerabilities as they are detected by industry security professionals. We track the results of vulnerability scans performed prior to a software release and prioritize resolution based on the severity and criticality of any issues uncovered. Should a critical or high-risk vulnerability surface after a software release, a subsequent maintenance version release addresses the vulnerability. Updated maintenance versions are distributed to our customers via the update manager interface within the Bomgar administrative interface. Where necessary, Bomgar Technical Support will contact customers directly, describing special procedures to follow to obtain an updated maintenance version. Our customers can rely on our commitment to address security issues at our earliest opportunity.

Note: The contents of this document comprise the latest scan results from IBM Security AppScan, Nexpose, and QualysGuard. All scans were performed against an installation of Bomgar 15.1.

Web Application Report
This report includes important security information about your web application.

The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.0.1, Rules: 1718
Scan started: 4/2/2015 9:00:24 AM

Regulations
The Payment Card Industry Data Security Standard (PCI) Version 3.0

Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. System components include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
Any other component or device located within or connected to the CDE.

4/2/2015 Page 1

Covered Entities
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.

Compliance Required By
PCI DSS version 3.0 has replaced PCI DSS v2.0 and is effective as of January 1st 2014. The PCI DSS v2.0 may be used for PCI DSS compliance until December 31, 2014.

Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

For more information on the PCI Data Security Standard, please visit: https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit: http://www-01.ibm.com/software/rational/offerings/websecurity/

Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI Security Standards Council, LLC license agreement that can be found at: https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Violated Section
Issues detected across 32 sections of the regulation:

Sections / Number of Issues

Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to all default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Requirement 2.2.4 - Configure system security parameters to prevent misuse.
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems.
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes. Hosting providers must protect each entity's hosted environment and data.
Requirement 4 - Encrypt transmission of cardholder data across open, public networks.
Requirement 4.1 - Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet; Wireless technologies, including 802.11 and Bluetooth; Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); General Packet Radio Service (GPRS); Satellite communications.
Requirement 6 - Develop and maintain secure systems and applications.
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high", "medium", or "low") to newly discovered security vulnerabilities.
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: In accordance with PCI DSS (for example, secure authentication and logging); Based on industry standards and/or best practices; Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
Requirement 6.4.4 - Removal of test data and accounts before production systems become active.
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. Develop applications based on secure coding guidelines. Note: the vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
Requirement 6.5.2 - Buffer overflow
Requirement 6.5.3 - Insecure cryptographic storage
Requirement 6.5.4 - Insecure communications
Requirement 6.5.5 - Improper error handling
Requirement 6.5.7 - Cross-site scripting (XSS)
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
Requirement 6.5.9 - Cross-site request forgery (CSRF)
Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: this assessment is not the same as the vulnerability scans performed for Requirement 11.2. Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Requirement 7 - Restrict access to data by business need-to-know
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: Something you know, such as a password or passphrase; Something you have, such as a token device or smart card; Something you are, such as a biometric.
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: All user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Section Violation By Issue
Unique issues detected across 32 sections of the regulation:
URL / Entity / Issue Type / Sections

Detailed Security Issues by Sections
This part of the report lists the same 32 requirements as above; no issues are recorded under any of them.


15.1.1 Scan Report Executive Summary
15.1.1 ERS Scan Report - Executive Summary for Bomgar QA
Audited on April 20, 2015
Page 1

Part 1. Scan Information
Scan Customer Company:
ASV Company:
Date scan was completed: April 20, 2015
Scan expiration date: July 19, 2015

Part 2a. Asset and Vulnerabilities Compliance Overview
* An exploit is regarded as "published" if it is available from Metasploit or listed in the Exploit Database. Actual remediation times may differ based on organizational workflows.

Part 2b. Component Compliance Summary

Part 3a. Vulnerabilities Noted for each IP Address
Columns: IP Address | Vulnerabilities Noted per IP address | Severity Level | CVSS Score | Compliance Status | Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability

Undefined CVE, Failure to Restrict URL Access | high | 10.0 | False Positive noted by Jonathan:

instance: /login/session_policy/:id/import
instance: /login/login
instance: /login/group_policy/:id/import
instance: /app/js/util/loginautofocus.js
instance: /app/js/util/language_selector.js
instance: /app/js/util/ie_tags.js
instance: /app/js/util/es5_support.js
instance: /app/js/lib/split.js
instance: /app/js/lib/require.js
instance: /app/js/lib/es5-shim.js
instance: /app/js/admin/main.js
Undefined CVE, Failure to Restrict URL Access | high | 10.0 | False Positive noted by Jonathan: (listed 10 times)

instance: /app/img/loading-spinner.svg
instance: /app/img/globe.svg
instance: /app/img/bomgar_logo.svg
instance: /login/status
instance: /login/customer_notice/send/:id
instance: /login/status
instance: /portal/instructions/customer
instance: /portal/instructions/clickonce
instance: /portal/instructions/applet
instance: /portal/instructions/
Undefined CVE, Failure to Restrict URL Access | high | 10.0 | False Positive noted by Jonathan: (listed 3 times)
Undefined CVE, Missing HttpOnly Flag From Cookie | medium | 5.0 | False Positive noted by Jonathan:
Undefined CVE, Missing Secure Flag From SSL Cookie | medium | 5.0 | False Positive noted by Jonathan: (listed 2 times)

instance: /portal/check-rep/
instance: /portal/access-keyconfirmation/web.config
instance: /portal/access-keyconfirmation/web-inf/
instance: /portal/access-keyconfirmation/servlet/
instance: /portal/access-keyconfirmation/readme.txt
instance: /portal/access-keyconfirmation/index.swf
instance: /portal/access-keyconfirmation/index.shtml
instance: /portal/access-keyconfirmation/index.php3
instance: /portal/access-keyconfirmation/index.old
instance: /portal/access-keyconfirmation/index.jsp
instance: /portal/access-keyconfirmation/index.html
instance: /portal/access-keyconfirmation/index.htm
instance: /portal/access-keyconfirmation/index.chtml
instance: /portal/access-keyconfirmation/index.cgi
instance: /portal/access-keyconfirmation/index.cfm
instance: /portal/access-keyconfirmation/index.bak
instance: /portal/access-keyconfirmation/index.aspx
instance: /portal/access-keyconfirmation/index.asp
instance: /portal/access-keyconfirmation/default.wml
instance: /portal/access-keyconfirmation/default.shtml
instance: /portal/access-keyconfirmation/default.jsp
instance: /portal/access-keyconfirmation/default.html
instance: /portal/access-keyconfirmation/default.htm
instance: /portal/access-keyconfirmation/default.aspx
instance: /portal/access-keyconfirmation/default.asp
instance: /portal/access-keyconfirmation/adovbs.inc
instance: /portal/access-keyconfirmation/adojavas.inc
instance: /portal/access-keyconfirmation/_vti_txt/
instance: /portal/access-keyconfirmation/_vti_shm/
instance: /portal/access-keyconfirmation/_vti_script/
instance: /portal/access-keyconfirmation/_vti_pvt/
instance: /portal/access-keyconfirmation/_vti_log/
instance: /portal/access-keyconfirmation/_vti_cnf/
instance: /portal/access-keyconfirmation/_vti_bot/
instance: /portal/access-keyconfirmation/_vti_bin/
instance: /portal/access-keyconfirmation/web.sitemap
instance: /portal/access-keyconfirmation/ws_ftp.log
instance: /portal/access-keyconfirmation/web-inf/
instance: /portal/access-keyconfirmation/trace.axd
instance: /portal/access-keyconfirmation/readme.txt
instance: /portal/access-keyconfirmation/readme
instance: /portal/access-keyconfirmation/deadjoe
instance: /portal/access-keyconfirmation/%3f.jsp
instance: /portal/access-keyconfirmation/
instance: /help
instance: /download_client_connector/
instance: /download_client_connector
instance: /content/public.css
instance: /content/portal.js
instance: /content/mobile.css
instance: /content/lib/jquery.js
instance: /content/issue_form.js
instance: /content/ie9_public.js
instance: /content/common.css
instance: /content/access_key_input.js
instance: /check_access_key.ns
instance: /check_access_key
instance: /app/js/util/loginautofocus.js
instance: /app/js/util/language_selector.js
instance: /app/js/util/ie_tags.js
instance: /app/js/util/es5_support.js
instance: /app/js/lib/split.js
instance: /app/js/lib/require.js
instance: /app/js/lib/es5-shim.js
instance: /app/js/lib/angular/angularcsp.css
instance: /app/js/admin/misc/certificate_directive.css
instance: /app/js/admin/main.js
instance: /app/img/loading-spinner.svg
instance: /app/img/globe.svg
instance: /app/img/bomgar_logo.svg
instance: /app/css/private.css
instance: /app/css/login.css
instance: /app/css/ie8.css

instance: /app/css/common.css
instance: /api/start_session.js
instance: /api/start_session
instance: /api/content/core.js
instance: /
port: 80
instance: HTTP
instance: HTTPS

Undefined CVE, SHA-1-based Signature in TLS/SSL Server X.509 Certificate. Severity: low. CVSS: 2.6. False Positive noted by Jonathan.
Undefined CVE, A running service was discovered. Severity: low.
Undefined CVE, A running service was discovered. Severity: low.

Part 3b. Special Notes by IP Address

NOTE 1 - Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.

NOTE 2 - Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and confirm it is either implemented securely per Appendix D or disabled/removed. Please consult your ASV if you have questions about this Special Note.

NOTE 3 - Note to scan customer: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, please 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Please consult your ASV if you have questions about this Special Note.

NOTE 4 - Note to customer: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS.
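The instance list above is the set of paths the ASV probed for browsable directories and stale server artifacts (FrontPage _vti_* directories, trace.axd, ws_ftp.log, web-inf/), and Special Note 1 asks the customer either to justify directory browsing or to confirm that it is disabled. Before answering, it is worth replaying the probe and classifying each response yourself, because a 200 for a path such as /portal/access-keyconfirmation/trace.axd may be the application's own catch-all page rather than a real file. The script below is an added example, not part of the ASV report or of the Bomgar product: it probes a list of paths through a pluggable fetch function, first fetches a baseline for a path that cannot exist so that soft 404s are recognised, and distinguishes a real directory listing from a served file, a soft 404, a 403 and a 404. The base URL, the sample responses and fake_fetch are constructed for offline use and are not captured traffic.

```python
"""Forced-browse check for stale paths and directory listings (added example)."""
import re
import secrets
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, lower-cased headers, body)
Fetcher = Callable[[str], Response]

# Paths taken from the ASV's instance list above.
PROBE_PATHS = [
    "/portal/access-keyconfirmation/_vti_bin/",
    "/portal/access-keyconfirmation/_vti_pvt/",
    "/portal/access-keyconfirmation/trace.axd",
    "/portal/access-keyconfirmation/ws_ftp.log",
    "/portal/access-keyconfirmation/web-inf/",
    "/app/js/",
]

# Markers emitted by the autoindex pages of Apache, nginx, IIS and Python's http.server.
LISTING_MARKERS = re.compile(
    r"<title>\s*Index of\s|Parent Directory|<title>\s*Directory listing for|\[To Parent Directory\]",
    re.IGNORECASE,
)


def classify(status: int, headers: Dict[str, str], body: str, baseline: str = "") -> str:
    """Turn one response into the verdict the ASV dialogue needs.

    listing  - 200 with an autoindex page: directory browsing really is enabled
    soft404  - 200 whose body is what the application returns for any unknown path
    exposed  - any other 200: the path is served and should be reviewed
    blocked  - 401/403: the path exists or is guarded, but is not readable
    absent   - 404/410
    other    - 3xx/5xx and anything else, worth a manual look
    """
    ctype = headers.get("content-type", "").lower()
    if status == 200:
        if "text/html" in ctype and LISTING_MARKERS.search(body):
            return "listing"
        if baseline and body.strip() == baseline.strip():
            return "soft404"
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status in (404, 410):
        return "absent"
    return "other"


def audit(fetch: Fetcher, base_url: str, paths=PROBE_PATHS) -> Dict[str, str]:
    """Probe each path and return {path: verdict}, using a random path as the soft-404 baseline."""
    status, _, body = fetch(base_url + "/" + secrets.token_hex(12))
    baseline = body if status == 200 else ""
    return {p: classify(*fetch(base_url + p), baseline=baseline) for p in paths}


# --- constructed stand-in for a live server; not responses captured from the scanned host ---
_APP_PAGE = "<html><head><title>Remote Support</title></head><body>Session key not found.</body></html>"
_LISTING = ("<html><head><title>Index of /app/js</title></head><body><h1>Index of /app/js</h1>"
            '<a href="/app/">Parent Directory</a> lib/ util/</body></html>')
_FAKE_SERVER = {
    "/app/js/": (200, {"content-type": "text/html"}, _LISTING),
    "/portal/access-keyconfirmation/_vti_bin/": (403, {"content-type": "text/html"}, "Forbidden"),
    "/portal/access-keyconfirmation/ws_ftp.log": (404, {"content-type": "text/html"}, "Not Found"),
    "/portal/access-keyconfirmation/web-inf/": (404, {"content-type": "text/html"}, "Not Found"),
}


def fake_fetch(url: str) -> Response:
    """Offline GET: any path not listed above gets the application's own 200 page, i.e. a soft 404."""
    path = "/" + url.split("/", 3)[3]
    return _FAKE_SERVER.get(path, (200, {"content-type": "text/html"}, _APP_PAGE))


if __name__ == "__main__":
    for path, verdict in audit(fake_fetch, "https://example.invalid").items():
        print(f"{verdict:8} {path}")
```

Against a live target, replace fake_fetch with a function that performs the GET (urllib.request is enough) and returns the same (status, headers, body) tuple. Only the listing and exposed verdicts need a business justification for the ASV; for listing, the fix is the server's directory-index option (Options -Indexes in Apache, autoindex off in nginx), after which the probe should come back as blocked or absent.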

Web Application Scan Results (4/20/2015)

Target Site: security2.bomgar.com
Port: 443
Starting URI: /login
Authentication: Not Attempted

Report Summary
Application Title: Bomgar
Site: security2.bomgar.com
Port: 443
Starting URI: /login
Authentication Title: Login
Company: Bomgar Corporation
User: Jonathan Conerly
Scan Type: On Demand
Scan Status: Finished
Scan Title: 15.1.1ERS
Scan Date: 4/20/2015 at 19:35:08
Reference: scan/1429558515.53761
Scanner Appliance: 64.39.15.9 (Scanner 7.13.41-1, Vulnerability Signatures 2.2.989-2)
Duration: 00:24:46

Detailed Results
74.112.243.11 (bci243-11.bcims.net, -), Ubuntu / Linux 3.x

Potential Vulnerabilities (2)

X-Frame-Options header is not set (port 443/tcp)
VULNERABILITY DETAILS
CVSS Base Score: -
CVSS Temporal Score: -
Severity: 1
QID: 1581
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 4/12/2014
THREAT: The X-Frame-Options header is not set, so the page can be framed by another site. An attacker can trick the user into clicking by framing the original page and showing a layer on top of it with dummy buttons.
IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SOLUTION: Set the X-Frame-Options header. It is honoured by modern browsers and prevents framing of the page. Note that it must be sent as an HTTP header; the setting is ignored if it is created as an "http-equiv" meta element within the page.
RESULT:
url: https://security2.bomgar.com/help?show_help=help_session_keys
variants: 2
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key?access_key_pretty=1&
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/download_client_connector
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

X-Frame-Options header is not set (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
CVSS Base Score: -
CVSS Temporal Score: -
Severity: 1
QID: 1581
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 4/12/2014
THREAT: The X-Frame-Options header is not set, so the page can be framed by another site. An attacker can trick the user into clicking by framing the original page and showing a layer on top of it with dummy buttons.
IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SOLUTION: Set the X-Frame-Options header. It is honoured by modern browsers and prevents framing of the page. Note that it must be sent as an HTTP header; the setting is ignored if it is created as an "http-equiv" meta element within the page.
RESULT:
url: https://security2.bomgar.com/help?show_help=help_session_keys
variants: 2
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key?access_key_pretty=1&
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/

matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/download_client_connector
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

Information Gathered (17)

Oper­ating System Detected
VULNERABILITY DETAILS
Severity: 2
QID: 4517
Category: Information gathering
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 2/9/2005
THREAT: Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.
1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below. Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that of the firewall instead of the host being scanned.
2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS is the transport historically used by the Server Message Block (SMB) protocol, and the NetBIOS name service reveals the host's operating system.
3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.
4) SNMP: The Simple Network Management Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains a Management Information Base (MIB), a set of variables (database) that can be fetched by managers. These include "MIB_II.system.sysDescr" for the operating system.
IMPACT: Not applicable
SOLUTION: Not applicable
RESULT:
Operating System      Technique            ID
Ubuntu / Linux 3.x    TCP/IP Fingerprint   U5933:8

Connection Error Occurred During Web Application Scan (port 443/tcp)

VULNERABILITY DETAILS
Severity: 2
QID: 1518
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 5/15/2009
THREAT: Some requests timed out, or unexpected connection errors were detected, while crawling or scanning the Web application.
IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect.
SOLUTION: Investigate the root cause of the failure to access the listed links.
RESULT:
Links that led to unexpected errors:
https://security2.bomgar.com/download_client_connector?issue_menu=1&customer_name=john&customer_company=john&customer_desc=john&=&custom_attributes=&download=1

Connection Error Occurred During Web Application Scan (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 2
QID: 1518
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 5/15/2009
THREAT: Some requests timed out, or unexpected connection errors were detected, while crawling or scanning the Web application.
IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect.
SOLUTION: Investigate the root cause of the failure to access the listed links.
RESULT:
Links that led to unexpected errors:
https://security2.bomgar.com/download_client_connector?issue_menu=1&customer_name=john&customer_company=john&customer_desc=john&=&custom_attributes=&download=1

DNS Host Name
VULNERABILITY DETAILS
Severity: 1
QID: 6
Category: Information gathering

CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/1/2
THREAT: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
RESULT:
IP address       Host name
74.112.243.11    bci243-11.bcims.net

Host Scan Time
VULNERABILITY DETAILS
Severity: 1
QID: 4538
Category: Information gathering
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 11/19/2004
THREAT: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
RESULT:
Scan duration: 1481 seconds
Start time: Mon, Apr 20 2015, 19:36:00 GMT
End time: Mon, Apr 20 2015, 20:00:41 GMT

Scan Diagnostics (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 1521
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/16/2009
THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.

SOLUTION: No action is required.
RESULT:
Ineffective Session Protection. no tests enabled.
HSTS Analysis no tests enabled.
Permanent Redirect HSTS Analysis no tests enabled.
Collected 33 links overall.
Batch #0 Path manipulation: estimated time < 10 minutes (115 tests, 22 inputs)
Path manipulation: 115 vulnsigs tests, completed 938 requests, 18 seconds. Completed 938 requests of 2530 estimated requests (37.0751%). All tests completed.
WSEnumeration no tests enabled.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs)
Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 7 seconds. Completed 92 requests of 92 estimated requests (100%). All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs)
Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 54 estimated requests (33.3333%). All tests completed.
Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs)
Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 22 estimated requests (100%). All tests completed.
Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests (66.6667%). All tests completed.
Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests (433.333%). All tests completed.
Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 81 estimated requests (22.2222%). All tests completed.
Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 45 seconds. Completed 81 requests of 81 estimated requests (100%). All tests completed.
Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 33 estimated requests (66.6667%). All tests completed.
Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 58 seconds. Completed 99 requests of 33 estimated requests (300%). All tests completed.
HTTP call manipulation no tests enabled.
SSL Downgrade. no tests enabled.
Open Redirect no tests enabled.
CSRF no tests enabled.
Static Session ID no tests enabled.
Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 19 inputs)
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 19 estimated requests (0%). All tests completed.
Batch #4 Cookie manipulation: estimated time < 10 minutes (33 tests, 2 inputs)
Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 18 requests, 21 seconds. Completed 18 requests of 99 estimated requests (18.1818%). XSS optimization removed 36 links. All tests completed.
Batch #4 Header manipulation: estimated time < 10 minutes (33 tests, 15 inputs)
Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 99 estimated requests (274.747%). XSS optimization removed 36 links. All tests completed.
Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs)
Batch #4 shell shock detector: 1 vulnsigs tests, completed 16 requests, 3 seconds. Completed 16 requests of 15 estimated requests (106.667%). All tests completed.
Batch #4 shell shock detector (form): estimated time < 1 minute (1 tests, 3 inputs)
Batch #4 shell shock detector (form): 1 vulnsigs tests, completed 4 requests, 1 seconds. Completed 4 requests of 3 estimated requests (133.333%). All tests completed.
Cookies Without Consent no tests enabled.
Batch #5 HTTP Time Bandit: estimated time < 1 minute (0 tests, 1 inputs)
Batch #5 HTTP Time Bandit: 0 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Total requests made: 2665
Average server response time: 0.37 seconds
Most recent links:
200 https://security2.bomgar.com/help?show_help=help_issues_menu
200 https://security2.bomgar.com/help?show_help=help_rep_list
200 https://security2.bomgar.com/help?show_help=help_session_keys
302 https://security2.bomgar.com/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/check_access_key?access_key_pretty=1&
302 https://security2.bomgar.com/login/login -FORMDATA- _token=icxuteo8ur1ocxseyoxnookg1hkk3oktovj21lap&fake_password=password&username=john&password=password
200 https://security2.bomgar.com/download_client_connector -FORMDATA- issue_menu=1&customer_name=john&customer_company=john&customer_desc=john&
200 https://security2.bomgar.com/login/login
Scan launched using PCI WAS stand-alone mode.

External Links Discovered (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 151
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/19/2007
THREAT: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
RESULT:
Number of links: 2
http://www.bomgar.com/
http://www.bomgar.com/products

Scan Diagnostics (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 1521
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/16/2009
THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
SOLUTION: No action is required.
RESULT:
Ineffective Session Protection. no tests enabled.
HSTS Analysis no tests enabled.
Permanent Redirect HSTS Analysis no tests enabled.
Collected 32 links overall.
Batch #0 Path manipulation: estimated time < 10 minutes (115 tests, 21 inputs)
Path manipulation: 115 vulnsigs tests, completed 913 requests, 18 seconds. Completed 913 requests of 2415 estimated requests (37.8054%). All tests completed.
WSEnumeration no tests enabled.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs)
Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 92 estimated requests (100%). All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs)
Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 3 seconds. Completed 18 requests of 54 estimated requests (33.3333%). All tests completed.

Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs)
Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 22 estimated requests (100%). All tests completed.
Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests (66.6667%). All tests completed.
Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests (433.333%). All tests completed.
Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 81 estimated requests (22.2222%). All tests completed.
Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 43 seconds. Completed 81 requests of 81 estimated requests (100%). All tests completed.
Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 33 estimated requests (66.6667%). All tests completed.
Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 59 seconds. Completed 99 requests of 33 estimated requests (300%). All tests completed.
HTTP call manipulation no tests enabled.
SSL Downgrade. no tests enabled.
Open Redirect no tests enabled.
CSRF no tests enabled.
Static Session ID no tests enabled.
Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 18 inputs)
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 18 estimated requests (0%). All tests completed.
Batch #4 Cookie manipulation: estimated time < 10 minutes (33 tests, 2 inputs)
Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 18 requests, 19 seconds. Completed 18 requests of 99 estimated requests (18.1818%). XSS optimization removed 36 links. All tests completed.
Batch #4 Header manipulation: estimated time < 10 minutes (33 tests, 15 inputs)
Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 99 estimated requests (274.747%). XSS optimization removed 36 links. All tests completed.
Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs)
Batch #4 shell shock detector: 1 vulnsigs tests, completed 16 requests, 2 seconds. Completed 16 requests of 15 estimated requests (106.667%). All tests completed.
Batch #4 shell shock detector (form): estimated time < 1 minute (1 tests, 3 inputs)
Batch #4 shell shock detector (form): 1 vulnsigs tests, completed 4 requests, 2 seconds. Completed 4 requests of 3 estimated requests (133.333%). All tests completed.
Cookies Without Consent no tests enabled.
Batch #5 HTTP Time Bandit: estimated time < 1 minute (0 tests, 1 inputs)
Batch #5 HTTP Time Bandit: 0 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Total requests made: 264
Average server response time: 0.37 seconds
Most recent links:
200 https://security2.bomgar.com/help?show_help=help_issues_menu
200 https://security2.bomgar.com/help?show_help=help_rep_list
200 https://security2.bomgar.com/help?show_help=help_session_keys
302 https://security2.bomgar.com/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/check_access_key?access_key_pretty=1&
302 https://security2.bomgar.com/login/login -FORMDATA- _token=xkgjwxlhve3ykrqzpfi4jptkorreebywzdkwhvh&fake_password=password&username=john&password=password
200 https://security2.bomgar.com/download_client_connector -FORMDATA- issue_menu=1&customer_name=John&customer_company=John&customer_desc=John&
200 https://security2.bomgar.com/login/login
Scan launched using PCI WAS stand-alone mode.

External Links Discovered (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 151
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/19/2007
THREAT: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
RESULT:
Number of links: 2
http://www.bomgar.com/
http://www.bomgar.com/products

Cookies Collected (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 1528
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/16/2009
THREAT: The cookies listed in the Results section were received from the web application during the crawl phase.
IMPACT: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
SOLUTION: Review cookie values to ensure that sensitive information such as passwords is not present within them.
RESULT:
Total cookies: 2
ns_sl=eyjpdii6inc4rfvysmixxc93uhe3nepxnmlku2tr1wxc9xympcl2htdu5svefrv1q2mkk9iiwidmfsdwuioiiwzmxclznpqtbhnejdwej1vg95cfjkm1urwk5lr1byukpmtmn1nddlwwh1vhe1eww2blZCa1pwcWlzWlBkdFMwbDlYNWJzelNNR3VnVXBOTGkzNl2eGc9PSIsIm1hYyI6ImIzZDQzMGMZTYzNDkyowimtnjzgu2mjuzywunjexzjvkyjgwnzllytdlzjfhyjy2zgjjmjdjyzrjmmjmmtuifq%3d%3d; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/login
ns_s=cfd99b939cb2a24663a29e3fd53ef4833487391f; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/help?show_help=help_rep_list

Links Crawled (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 159
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 4/14/2015
THREAT: The list of unique links crawled and HTML forms submitted by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list and requests for the same link made as an anonymous and authenticated user.
RESULT:

Duration of crawl phase (seconds): 83.
Number of links: 15 (This number excludes form requests and links re-requested during authentication.)
http://security2.bomgar.com/api
http://security2.bomgar.com/app
http://security2.bomgar.com/app/css
http://security2.bomgar.com/app/js
http://security2.bomgar.com/app/js/admin
http://security2.bomgar.com/app/js/util
https://security2.bomgar.com/
https://security2.bomgar.com/check_access_key
https://security2.bomgar.com/check_access_key?access_key_pretty=1&
https://security2.bomgar.com/download_client_connector
https://security2.bomgar.com/help?show_help=help_issues_menu
https://security2.bomgar.com/help?show_help=help_rep_list
https://security2.bomgar.com/help?show_help=help_session_keys
https://security2.bomgar.com/login
https://security2.bomgar.com/login/login

Web Application Authentication Not Attempted (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 156
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/19/2007
THREAT: Web application authentication was enabled for the scan, but it was not performed for this particular host. Authentication was skipped either because no login page was discovered, or because the login page discovered submits over HTTP while the option profile only allows credentials to be sent over HTTPS.
IMPACT: Vulnerabilities that require authentication may not be detected.
SOLUTION: To allow Web application authentication to this host, create an authentication record that includes this target's virtual host. If the Web application does not support HTTPS, then the option profile must not forbid transmission of credentials over non-encrypted (i.e. clear text) connections.
RESULT: Application authentication was specified, but no login forms were discovered during the crawl.
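The two X-Frame-Options findings above flag five URLs with a single rule: the header is either absent or not exactly DENY or SAMEORIGIN, and a copy delivered as a meta http-equiv element does not count. The function below is an added example, not code from the report or from the Bomgar product: it applies the same rule to a captured response, names the specific reason for a failure, and, going one step beyond the 2015 scanner, also recognises a Content-Security-Policy frame-ancestors directive, which current browsers honour and which takes precedence over X-Frame-Options when both are present. The header sets in SAMPLES are constructed for the report's URLs so that each branch is exercised; they are not the responses the scanner actually saw.

```python
"""X-Frame-Options check using the scanner's pass/fail rule (added example)."""
import re
from typing import Dict, List, Tuple

Headers = Dict[str, str]   # header names lower-cased, as an HTTP client library would return them

META_XFO = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options', re.IGNORECASE)


def xfo_verdict(headers: Headers, body: str = "") -> Tuple[str, str]:
    """Return ('pass' | 'fail', reason) for one response.

    The rule is the scanner's: pass only if X-Frame-Options is exactly DENY or
    SAMEORIGIN (compared case-insensitively, as browsers do)."""
    value = headers.get("x-frame-options", "").strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "pass", f"X-Frame-Options: {value}"
    if not value:
        if META_XFO.search(body):
            # Browsers only honour the HTTP header; the meta element is silently ignored.
            return "fail", "X-Frame-Options only present as <meta http-equiv>, which browsers ignore"
        return "fail", "X-Frame-Options header absent"
    # ALLOW-FROM was never widely supported and ALLOWALL is not a defined value; browsers
    # ignore an unrecognised value, which leaves the page frameable, so the scanner fails it.
    return "fail", f"X-Frame-Options value not DENY/SAMEORIGIN: {value!r}"


def framing_protected(headers: Headers) -> bool:
    """Broader than the scanner: a CSP frame-ancestors directive also blocks framing
    and, where present, takes precedence over X-Frame-Options."""
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = sources.split()
            return bool(allowed) and "*" not in allowed
    return xfo_verdict(headers)[0] == "pass"


# Constructed header sets for the URLs the report lists; not the responses the scanner captured.
SAMPLES = {
    "https://security2.bomgar.com/": ({"content-type": "text/html"}, "<html></html>"),
    "https://security2.bomgar.com/help?show_help=help_session_keys": (
        {"content-type": "text/html"},
        '<html><head><meta http-equiv="X-Frame-Options" content="DENY"></head></html>'),
    "https://security2.bomgar.com/check_access_key": (
        {"x-frame-options": "ALLOW-FROM https://partner.example"}, ""),
    "https://security2.bomgar.com/download_client_connector": (
        {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"}, ""),
    "https://security2.bomgar.com/login": ({"x-frame-options": "sameorigin"}, ""),
}


def scan(samples=SAMPLES) -> List[Tuple[str, str, str, bool]]:
    """(url, scanner verdict, reason, protected once CSP is considered) for each sample."""
    return [(url, *xfo_verdict(h, body), framing_protected(h)) for url, (h, body) in samples.items()]


if __name__ == "__main__":
    for url, verdict, reason, protected in scan():
        print(f"{verdict:4} csp-aware={str(protected):5} {url}\n     {reason}")
```

The download_client_connector sample is the case worth arguing with an ASV: the scanner's rule fails it because the X-Frame-Options header is absent, yet frame-ancestors 'none' blocks framing in every current browser. Sending both headers satisfies the rule and the browsers.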
Cookies Collected (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 1528
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/16/2009
THREAT: The cookies listed in the Results section were received from the web application during the crawl phase.
IMPACT: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.

SOLUTION: Review cookie values to ensure that sensitive information such as passwords is not present within them.
RESULT:
Total cookies: 2
ns_sl=eyjpdii6ilruedjrcudbehzkvgtzk3jtag9mumrwd3nscuhpnkvmdgnwtnbun1pqazg9iiwidmFsdWUiOiJyTVBodmMdwxVlJPM21mQXBQUDUzOEMeVhrVWdYRJlVFwvdlBDRjlGaUFnYlh3VDZyaWpctnhnqtqwdku1mtfeqjfftdi2y3nfrfz2etler1fxd1e9psisim1hyyi6immwzdyyjvjyji3mze4ntFkNWZjNjcZTcNjEyNjU5Yjc5YWE5ZWZkMjg2NDYwZDM3OWExM2QN2UwYmNjYmYifQ%3D%3D; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/login
ns_s=69c1a5966c24be92811aabcead4242c27ea4d; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/help?show_help=help_rep_list

Links Crawled (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 159
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 4/14/2015
THREAT: The list of unique links crawled and HTML forms submitted by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list and requests for the same link made as an anonymous and authenticated user.
RESULT:
Duration of crawl phase (seconds): 84.
Number of links: 16 (This number excludes form requests and links re-requested during authentication.)
http://security2.bomgar.com/api
http://security2.bomgar.com/app
http://security2.bomgar.com/app/css
http://security2.bomgar.com/app/js
http://security2.bomgar.com/app/js/admin
http://security2.bomgar.com/app/js/util
http://security2.bomgar.com/favicon.ico
https://security2.bomgar.com/
https://security2.bomgar.com/check_access_key
https://security2.bomgar.com/check_access_key?access_key_pretty=1&
https://security2.bomgar.com/download_client_connector
https://security2.bomgar.com/help?show_help=help_issues_menu
https://security2.bomgar.com/help?show_help=help_rep_list
https://security2.bomgar.com/help?show_help=help_session_keys
https://security2.bomgar.com/login
https://security2.bomgar.com/login/login

Web Application Authentication Not Attempted (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 156
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 1/19/2007
THREAT: Web application authentication was enabled for the scan, but it was not performed for this particular host. Authentication was skipped either because no login page was discovered, or because the login page discovered submits over HTTP while the option profile only allows credentials to be sent over HTTPS.
IMPACT: Vulnerabilities that require authentication may not be detected.
SOLUTION: To allow Web application authentication to this host, create an authentication record that includes this target's virtual host. If the Web application does not support HTTPS, then the option profile must not forbid transmission of credentials over non-encrypted (i.e. clear text) connections.
RESULT: Application authentication was specified, but no login forms were discovered during the crawl.

Open TCP Services List
VULNERABILITY DETAILS
Severity: 1
QID: 8223
Category: TCP/IP
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 6/15/2009
THREAT: The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections. The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).
IMPACT: Unauthorized users can exploit this information to test vulnerabilities in each of the open services.
SOLUTION: Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site.
RESULT:
Port   IANA Assigned Ports/Services   Description                  Service Detected   OS On Redirected Port
80     www                            World Wide Web HTTP          http
443    https                          http protocol over TLS/SSL   http over ssl

Host Names Found
VULNERABILITY DETAILS
Severity: 1
QID: 4539
Category: Information gathering
CVE ID: -

Vendor Reference: -
Bugtraq ID: -
Last Update: 2/14/2005
THREAT: The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.
RESULT:
Host Name              Source
bci243-11.bcims.net    FQDN
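Both Cookies Collected findings above show the same two cookies, ns_sl and ns_s, set with "secure; HttpOnly; path=/", and their SOLUTION text asks the reviewer to confirm that the values carry no sensitive data. The script below is an added example, not part of the report or of the Bomgar product: it parses Set-Cookie lines, reports which attributes are missing (including SameSite, which a 2015 report does not mention but which a reviewer would now expect on a session cookie), estimates the entropy of opaque tokens against the 64-bit floor the OWASP Session Management Cheat Sheet recommends for session identifiers, and decodes URL-encoded base64 values so that an encrypted iv/value/mac envelope can be told apart from plaintext. The sample Set-Cookie lines are constructed to have the shape of the report's two cookies, plus one deliberately weak cookie for contrast; they are not the captured values.

```python
"""Set-Cookie attribute and value audit (added example)."""
import base64
import binascii
import json
import math
import urllib.parse
from collections import Counter
from typing import Dict, List

MIN_TOKEN_BITS = 64   # OWASP Session Management Cheat Sheet floor for session identifiers


def parse_set_cookie(line: str) -> Dict[str, object]:
    """Split 'name=value; attr; attr=value' into name, raw value and lower-cased attributes."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def entropy_bits(value: str) -> float:
    """Shannon entropy per character times the length: a rough size of the token's keyspace."""
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return per_char * n


def inspect_value(value: str) -> str:
    """Say what the cookie value appears to be: encrypted envelope, plaintext, or an opaque token."""
    raw = urllib.parse.unquote(value)
    obj = None
    try:
        padded = raw + "=" * (-len(raw) % 4)
        obj = json.loads(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass   # not base64-wrapped JSON; fall through to the plaintext heuristics
    if isinstance(obj, dict):
        if {"iv", "value", "mac"} <= set(obj):
            return "encrypted envelope (iv/value/mac): opaque to the client, integrity-protected"
        return f"plaintext JSON with keys {sorted(obj)}: review for sensitive fields"
    if "=" in raw and raw.replace("&", "").replace("=", "").isalnum():
        return "plaintext key=value pairs: review for sensitive fields"
    return "opaque token"


def audit_cookie(line: str) -> Dict[str, object]:
    """Findings for one Set-Cookie line, in the spirit of the report's SOLUTION text."""
    cookie = parse_set_cookie(line)
    attrs = cookie["attrs"]
    kind = inspect_value(cookie["value"])
    bits = entropy_bits(cookie["value"])
    findings: List[str] = []
    if not attrs.get("secure"):
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly: readable by script, so an XSS can steal it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF relevance)")
    if attrs.get("domain"):
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    if kind == "opaque token" and bits < MIN_TOKEN_BITS:
        findings.append(f"token carries only ~{bits:.0f} bits of entropy, below {MIN_TOKEN_BITS}")
    if kind.startswith("plaintext"):
        findings.append("value is readable plaintext: " + kind)
    return {"name": cookie["name"], "value_kind": kind, "entropy_bits": round(bits, 1), "findings": findings}


# Constructed Set-Cookie lines shaped like the report's two cookies, plus a deliberately weak one.
_ENVELOPE = json.dumps({"iv": "Q0gDZ2t3c2lTZjN2", "value": "bm90LXJlYWwtY2lwaGVydGV4dA==", "mac": "00" * 32})
SAMPLE_SET_COOKIES = [
    "ns_sl=" + urllib.parse.quote(base64.b64encode(_ENVELOPE.encode()).decode()) + "; secure; HttpOnly; path=/",
    "ns_s=7b0c4e91f3a6d25c8e0b1f7a9d3c5e2b4a6f8091; secure; HttpOnly; path=/",
    "prefs=username=john&role=admin; path=/",
]

if __name__ == "__main__":
    for line in SAMPLE_SET_COOKIES:
        result = audit_cookie(line)
        print(result["name"], result["value_kind"], result["entropy_bits"], *result["findings"], sep="\n  ")
```

For the two report-shaped cookies the only finding is the missing SameSite attribute; the third cookie shows what the SOLUTION text is really asking you to catch, a value that is readable as-is.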

Appendices

Option Profile
Scan Mode: Crawl and test for vulnerabilities
Limit Scan to Starting URI: No
Max URIs to scan: 3
Form Submission: Both GET & POST Method
Header Injection: -
Blacklist URLs: -
Scanned TCP Ports: None
Scanned UDP Ports: None
Scan Dead Hosts: Off
Load Balancer Detection: Enabled
Password Brute Forcing: Standard
Vulnerability Detection: Partial
Windows Authentication: Disabled
SSH Authentication: Disabled
Oracle Authentication: Disabled
SNMP Authentication: Disabled
Perform 3-way Handshake: Off
Overall Performance: Custom
Hosts to Scan in Parallel - External Scanner: 1
Hosts to Scan in Parallel - Scanner Appliances: 1
Processes to Run in Parallel - Total: 1
Processes to Run in Parallel - HTTP: 5
Packet (Burst) Delay: Medium
Advanced
Hosts Discovery: TCP Standard Scan, UDP Standard Scan, ICMP On
Ignore RST packets: Off
Ignore firewall-generated SYN-ACK packets: Off
Do not send ACK or SYN-ACK packets during host discovery: Off
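The two Scan Diagnostics findings above are the only place this report states what the WAS engine actually exercised: several test families report "no tests enabled" (HSTS Analysis, SSL Downgrade, Open Redirect, CSRF, Static Session ID among them), File Inclusion analysis completed 0 of its estimated requests, and, per the Authentication Not Attempted findings, nothing was tested as a logged-in user. When reports like this arrive every quarter it is worth extracting that coverage picture mechanically rather than reading the batch lines by eye. The parser below is an added example, not code from the report, from Qualys or from Bomgar, written against the line formats visible in the RESULT text above; SAMPLE_DIAGNOSTICS is a constructed excerpt in that format rather than the full output, and the 50% threshold in coverage_gaps is an arbitrary review choice.

```python
"""Extract coverage gaps from WAS scan-diagnostics text (added example)."""
import re
from typing import Dict, List, Optional

# "<family> no tests enabled."
DISABLED = re.compile(r"^(?P<family>.+?)\s+no tests enabled\.$")
# Any "Batch #N ..." line; remembered so a results line without the prefix inherits the batch number.
BATCH_HEADER = re.compile(r"^Batch #(?P<batch>\d+)\s")
# "[Batch #N ]<family>: K vulnsigs tests, completed R requests, S seconds. [Completed R requests of E estimated requests ...]"
RESULT = re.compile(
    r"^(?:Batch #(?P<batch>\d+) )?(?P<family>.+?): (?P<tests>\d+) vuln ?sigs tests, "
    r"completed (?P<done>\d+) requests, (?P<secs>\d+) seconds\."
    r"(?: Completed \d+ requests of (?P<est>\d+) estimated requests)?"
)


def parse_diagnostics(text: str) -> Dict[str, list]:
    """Return {'disabled': [family, ...], 'batches': [{batch, family, tests, done, estimated, coverage}, ...]}."""
    disabled: List[str] = []
    batches: List[dict] = []
    current_batch: Optional[int] = None
    for line in text.splitlines():
        line = line.strip()
        m = DISABLED.match(line)
        if m:
            disabled.append(m["family"])
            continue
        header = BATCH_HEADER.match(line)
        if header:
            current_batch = int(header["batch"])
        m = RESULT.match(line)
        if not m:
            continue   # "estimated time" lines and free text carry no request counts
        done = int(m["done"])
        est = int(m["est"]) if m["est"] else None
        batches.append({
            "batch": int(m["batch"]) if m["batch"] else current_batch,
            "family": m["family"],
            "tests": int(m["tests"]),
            "done": done,
            "estimated": est,
            "coverage": (done / est) if est else None,
        })
    return {"disabled": disabled, "batches": batches}


def coverage_gaps(report: Dict[str, list], min_ratio: float = 0.5) -> List[str]:
    """Human-readable list of what the scan did not, or only partly, exercise."""
    gaps = [f"{family}: disabled in this option profile" for family in report["disabled"]]
    for b in report["batches"]:
        label = f"{b['family']} (batch {b['batch']})"
        if b["done"] == 0:
            gaps.append(f"{label}: 0 requests issued")
        elif b["coverage"] is not None and b["coverage"] < min_ratio:
            gaps.append(f"{label}: {b['done']}/{b['estimated']} requests ({b['coverage']:.0%})")
    return gaps


# Constructed excerpt in the report's diagnostics format (not the complete output above).
SAMPLE_DIAGNOSTICS = """\
HSTS Analysis no tests enabled.
Batch #0 Path manipulation: estimated time < 10 minutes (115 tests, 22 inputs)
Path manipulation: 115 vulnsigs tests, completed 938 requests, 108 seconds. Completed 938 requests of 2530 estimated requests (37.0751%). All tests completed.
Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 7 seconds. Completed 92 requests of 92 estimated requests (100%). All tests completed.
CSRF no tests enabled.
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 19 estimated requests (0%). All tests completed.
Batch #4 shell shock detector: 1 vuln sigs tests, completed 16 requests, 3 seconds. Completed 16 requests of 15 estimated requests (106.667%). All tests completed.
Batch #5 HTTP Time Bandit: 0 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
"""

if __name__ == "__main__":
    for gap in coverage_gaps(parse_diagnostics(SAMPLE_DIAGNOSTICS)):
        print("-", gap)
```

Feed it the RESULT text of a Scan Diagnostics finding and the output is the list of test families to raise with the scanning vendor or to cover with a separate authenticated scan. A family that is "disabled in this option profile" is not a finding against the application, but it is also not evidence that the application passed that test.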