Exploitable with: CANVAS: true; Core Impact: true; Metasploit: true
Plugin Information: Publication date: 2003/07/28, Modification date: 2013/11/04
Plugin ID (count) - Plugin name

10357 (1) - Microsoft IIS MDAC RDS (msadcs.dll) Arbitrary Remote Command Execution
11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)
11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)
20008 (1) - MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
21655 (1) - MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
33850 (1) - Unsupported Unix Operating System
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
47709 (1) - Microsoft Windows 2000 Unsupported Installation Detection
33929 (3) - PCI DSS compliance
11161 (1) - Microsoft Data Access Components RDS Data Stub Remote Overflow
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
22466 (1) - OpenSSH < 4.4 Multiple Vulnerabilities
34460 (1) - Unsupported Web Server Detection
44077 (1) - OpenSSH < 4.5 Multiple Vulnerabilities
44078 (1) - OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
12213 (2) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
10079 (1) - Anonymous FTP Enabled
10572 (1) - Microsoft IIS 5.0 Form_JScript.asp XSS
10573 (1) - Microsoft IIS 5.0 ServerVariables_Jscript.asp Path Disclosure
10956 (1) - Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure
11213 (1) - HTTP TRACE / TRACK Methods Allowed
12229 (1) - Microsoft IIS Cookie information disclosure
17703 (1) - OpenSSH < 5.9 Multiple DoS
17704 (1) - OpenSSH S/KEY Authentication Account Enumeration
17705 (1) - OPIE w/ OpenSSH Account Enumeration
17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
18585 (1) - Microsoft Windows SMB Service Enumeration via \\srvsvc
18602 (1) - Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration
26920 (1) - Microsoft Windows SMB NULL Session Authentication
31737 (1) - OpenSSH X11 Forwarding Session Hijacking
39466 (1) - CGI Generic Cross-Site Scripting (quick test)
44065 (1) - OpenSSH < 5.2 CBC Plaintext Disclosure
44076 (1) - OpenSSH < 4.3 scp Command Line Filename Processing Command Injection
44079 (1) - OpenSSH < 4.9 'ForceCommand' Directive Bypass
44081 (1) - OpenSSH < 5.7 Multiple Vulnerabilities
44136 (1) - CGI Generic Cookie Injection Scripting
45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)
47831 (1) - CGI Generic Cross-Site Scripting (comprehensive test)
49067 (1) - CGI Generic HTML Injections (quick test)
55903 (1) - CGI Generic Cross-Site Scripting (extended patterns)
56208 (1) - PCI DSS Compliance : Insecure Communication Has Been Detected
56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials
56283 (1) - Linux Kernel TCP Sequence Number Generation Security Weakness
56818 (1) - CGI Generic Cross-Site Request Forgery Detection (potential)
57608 (1) - SMB Signing Disabled
67140 (1) - OpenSSH LoginGraceTime / MaxStartups DoS
19592 (1) - OpenSSH < 4.2 Multiple Vulnerabilities
34324 (1) - FTP Supports Clear Text Authentication
44080 (1) - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
53841 (1) - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
70658 (1) - SSH Server CBC Mode Ciphers Enabled
71049 (1) - SSH Weak MAC Algorithms Enabled
11219 (14) - Nessus SYN scanner
10736 (7) - DCE Services Enumeration
22964 (5) - Service Detection
10114 (2) - ICMP Timestamp Request Remote Date Disclosure
10287 (2) - Traceroute Information
10662 (2) - Web mirroring
11011 (2) - Microsoft Windows SMB Service Detection
11032 (2) - Web Server Directory Enumeration
11936 (2) - OS Identification
19506 (2) - Nessus Scan Information
20094 (2) - VMware Virtual Machine Detection
25220 (2) - TCP/IP Timestamps Supported
35716 (2) - Ethernet Card Manufacturer Detection
45590 (2) - Common Platform Enumeration (CPE)
54615 (2) - Device Type
56209 (2) - PCI DSS Compliance : Remote Access Software Has Been Detected
60020 (2) - PCI DSS Compliance : Handling False Positives
66334 (2) - Patch Report
10077 (1) - Microsoft FrontPage Extensions Check
10092 (1) - FTP Server Detection
10107 (1) - HTTP Server Type and Version
10150 (1) - Windows NetBIOS / SMB Remote Host Information Disclosure
10263 (1) - SMTP Server Detection
10267 (1) - SSH Server Type and Version Information
10394 (1) - Microsoft Windows SMB Log In Possible
10395 (1) - Microsoft Windows SMB Shares Enumeration
10397 (1) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
10661 (1) - Microsoft IIS 5 .printer ISAPI Filter Enabled
10785 (1) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
10859 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
10860 (1) - SMB Use Host SID to Enumerate Local Users
10881 (1) - SSH Protocol Versions Supported
10902 (1) - Microsoft Windows 'Administrators' Group User List
10904 (1) - Microsoft Windows 'Backup Operators' Group User List
10913 (1) - Microsoft Windows - Local Users Information : Disabled accounts
10914 (1) - Microsoft Windows - Local Users Information : Never changed passwords
10915 (1) - Microsoft Windows - Local Users Information : User has never logged on
10916 (1) - Microsoft Windows - Local Users Information : Passwords never expire
11422 (1) - Web Server Unconfigured - Default Install Page Present
11424 (1) - WebDAV Detection
11874 (1) - Microsoft IIS 404 Response Service Pack Signature
12053 (1) - Host Fully Qualified Domain Name (FQDN) Resolution
17651 (1) - Microsoft Windows SMB : Obtains the Password Policy
17975 (1) - Service Detection (GET request)
18261 (1) - Apache Banner Linux Distribution Disclosure
22319 (1) - MSRPC Service Detection
24260 (1) - HyperText Transfer Protocol (HTTP) Information
24269 (1) - Windows Management Instrumentation (WMI) Available
24786 (1) - Nessus Windows Scan Not Performed with Admin Privileges
26917 (1) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
33817 (1) - CGI Generic Tests Load Estimation (all tests)
39470 (1) - CGI Generic Tests Timeout
40984 (1) - Browsable Web Directories
43111 (1) - HTTP Methods Allowed (per directory)
47830 (1) - CGI Generic Injectable Parameter
49704 (1) - External URLs
59861 (1) - Remote web server screenshot
70657 (1) - SSH Algorithms and Languages Supported

Action to take | Vulns | Hosts
OpenSSH LoginGraceTime / MaxStartups DoS: Upgrade to OpenSSH 6.2 and review the associated server configuration settings. | 27 | 1
MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 4 | 1
Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure: Apply the patch referenced above. | 1 | 1
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1
MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1

Description: The web server is probably susceptible to a common IIS vulnerability discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary commands on the server with Administrator privileges. *** Nessus solely relied on the presence of the file /msadc/msadcs.dll, so this might be a false positive. ***

Description: The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild.

Description: The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

Description: A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw.

Description: The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild.

Description: The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.
An attacker can execute code on the remote host with a NULL session against:
- Windows 2000
An attacker can crash the remote service with a NULL session against:
- Windows 2000
- Windows XP SP1
An attacker needs valid credentials to crash the service against:
- Windows 2003
- Windows XP SP2

Description: The remote version of Windows contains a flaw in the function 'PNP_QueryResConfList()' in the Plug and Play service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Zotob) are known to exploit this vulnerability in the wild.

Description: The remote version of Windows contains a version of the MSDTC (Microsoft Distributed Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities. An attacker may exploit these flaws to obtain complete control of the remote host.

Description: The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges. Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.

Description: The remote version of Windows contains a version of the MSDTC (Microsoft Distributed Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities. An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).

Description: The remote host is running a version of Microsoft Windows 2000. This operating system is no longer supported by Microsoft. This means not only that there will be no new security patches for it but also that Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities in it.

Description: The remote web server is vulnerable to cross-site scripting (XSS) attacks, implements old SSL 2.0 cryptography, runs obsolete software, or is affected by dangerous vulnerabilities (CVSS base score >= 4). If you are conducting this scan through the Nessus Perimeter Service Plugin, and if you disagree with the results, you may submit this report by clicking on 'Submit for PCI Validation' and dispute the findings through our web interface.

Solution (for the MSADC finding above):
- Launch the Internet Services Manager
- Select your web server
- Right-click on MSADC and select 'Properties'
- Select the tab 'Directory Security'
- Click on the 'IP address and domain name restrictions' option
- Make sure that by default, all computers are DENIED access to this resource
- List the computers that should be allowed to use it

Description: The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.
Description: According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities:
- A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled.
- A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled.
- When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service.
- On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.

Description: According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities:
- A client-side null pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925)
- A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794)
- An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any process that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)

Description: According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example because the temporary partition is full, it will use a trusted cookie instead. This allows attackers to violate the intended policy and gain privileges by causing their X client to be treated as trusted.

Description: The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc.).

Description: The script /iissamples/sdk/asp/interaction/Form_JScript.asp (or Form_VBScript.asp) allows you to insert information into a form field and, once submitted, re-displays the page, printing the text you entered. This .asp does not perform any input validation. An attacker can exploit this flaw to execute arbitrary script code in the browser of an unsuspecting victim.

Description: Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or .html.

192.168.1.146 (tcp/80)
Solution: Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
Nessus sent the following TRACE request:
------------------------------ snip ------------------------------
TRACE /Nessus1207113733.html HTTP/1.1
Connection: Close
Host: windows2000
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server:
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 25 Nov 2013 19:03:00 GMT
Content-Type: message/http
Content-Length: 313

TRACE /Nessus1207113733.html HTTP/1.1
Connection: Keep-Alive
Host: windows2000
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

Description: The remote host is running Microsoft IIS with what appears to be a vulnerable disclosure of cookie usage. That is, when sent a cookie containing the '=' character, Microsoft IIS will either respond with an error (if actually processing the cookie via a specific ASP page) or disclose information about the .inc file used. This can be used to map applications which are processing cookies.

Description: According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities:
- A denial of service vulnerability exists in the gss-serv.c 'ssh_gssapi_parse_ename' function. A remote attacker may be able to trigger this vulnerability if gssapi-with-mic is enabled to create a denial of service condition via a large value in a certain length field. (CVE-2011-5000)
- On FreeBSD, NetBSD, OpenBSD, and other products, a remote, authenticated attacker could exploit the remote_glob() and process_put() functions to cause a denial of service (CPU and memory consumption). (CVE-2010-4755)

Description: When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEY authentication exists. Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.

Description: When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain user accounts. Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it does not detect if the remote host actually has OPIE for PAM installed.

Description: It is possible to anonymously read the event logs of the remote Windows 2000 host by connecting to the \\srvsvc pipe and binding to the event log service, OpenEventLog(). An attacker may use this flaw to anonymously read the system logs of the remote host. As system logs typically include valuable information, an attacker may use them to perform a better attack against the remote host.

Description: The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

Description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because they improperly bind TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.

Description: The version of OpenSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.

Description: According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.

Description: According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7 may be affected by the following vulnerabilities:
- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that Nessus has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)
- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys command options, which allows remote, authenticated users to obtain potentially sensitive information by reading these messages. (CVE-2012-0814)

Description: The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism. Please note that:
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.

Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.

Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks:
- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.

Description: The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.
192.168.1.146 (tcp/80)
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to cross-site scripting (extended patterns):

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI:
/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=509"%20src="http://www.example.com/exploit509.js
-------- output --------
<center> <h4><b> <A href ="509" src="http://www.example.com/exploit509.js?DontFrame=1" target = "SampMain" >Overview </A> | <A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
< A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI:
/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=504%20onerror="alert(504);
-------- output --------
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> | <A href="/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp [...]
< A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp" target = "SampMain"> VBScript Source </A> | <A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...] </b></h4>
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI:
/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=509"%20src="http://www.example.com/exploit509.js&srcfile=
-------- output --------
<center> <h4><b> <A href ="509" src="http://www.example.com/exploit509.js?DontFrame=1" target = "SampMain" >Overview </A> | <A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
< A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI:
/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=&srcfile=504%20onerror="alert(504);
-------- output --------
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> | <A href="/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp [...]
< A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp" target = "SampMain"> VBScript Source </A> | <A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...] </b></h4>
------------------------

Description: The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit this issue to inject arbitrary packets into TCP sessions using a brute force attack. An attacker may use this vulnerability to create a denial of service condition or a man-in-the-middle attack. Note that this plugin may fire as a result of a network device (such as a load balancer, VPN, IPS, transparent proxy, etc.) that is vulnerable and that re-writes TCP sequence numbers, rather than the host itself being vulnerable.

Description: The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The web application might be vulnerable to CSRF attacks. Note that:
- Nessus did not exploit the flaw.
- Nessus cannot identify sensitive actions; for example, on an online bank, consulting an account is less sensitive than transferring money.
You will have to audit the source of the CGI scripts and check if they are actually affected.

Description: According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service. Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.

Description: According to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities:
- X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797)
- GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)
- Attempting to log in as a nonexistent user causes the authentication process to hang, which could be exploited to enumerate valid user accounts. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393)
- Repeatedly attempting to log in as a nonexistent user could result in a denial of service. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393)

Description: According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to hijack the X11 forwarding port. The application improperly sets the 'SO_REUSEADDR' socket option when the 'X11UseLocalhost' configuration option is disabled. Note that most operating systems, when attempting to bind to a port that has previously been bound with the 'SO_REUSEADDR' option, will check that either the effective user-id matches the previous bind (common BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). This is not the case with other operating systems such as HP-UX.
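The two web findings above that Nessus backed with raw evidence, the echoed TRACE request (plugin 11213) and the unencoded reflection of the 'srcfile' parameter in /IIsSamples/SDK/asp/docs/Toolbar.asp (plugin 55903), can both be re-verified offline with the script below. It is an added example written for this page, not Nessus plugin code. The TRACE request and the 200 response are reconstructed from the report's own output (CRLF line endings restored, Content-Length recomputed); the 405 response, the 'hardened' Toolbar.asp body, and the host name and path are constructed inputs for the example.

```python
"""Offline replay of two web findings from this Nessus report (added example, not Nessus code):
11213 'HTTP TRACE / TRACK Methods Allowed' and 55903's reflected-XSS hit on Toolbar.asp.
Sample messages are reconstructed from the report's output; the 405 response and the
'hardened' body are constructed what-if inputs, not observed data."""
import html


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def build_trace_request(host, path):
    """Minimal TRACE request in the shape Nessus sent (Accept headers trimmed)."""
    return ("TRACE " + path + " HTTP/1.1\r\n"
            "Connection: Close\r\n"
            "Host: " + host + "\r\n"
            "Pragma: no-cache\r\n\r\n")


def trace_enabled(request, raw_response):
    """TRACE is usable when the server answers 200 with a message/http body that echoes
    our request line. Only the request line is matched on purpose: in the report's
    output IIS 5.0 rewrote 'Connection: Close' to 'Connection: Keep-Alive' in the echo,
    so comparing the whole request would miss a live server."""
    status, headers, body = parse_http_response(raw_response)
    request_line = request.split("\r\n", 1)[0]
    return (status == 200
            and headers.get("content-type", "").startswith("message/http")
            and request_line in body)


def reflection(body, marker):
    """Classify how a submitted marker comes back: 'unencoded' (the reflected-XSS case
    Nessus reports), 'encoded' (HTML-escaped, inert inside an attribute) or 'absent'."""
    if marker in body:
        return "unencoded"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


# --- Sample data reconstructed from the report (constructed for this example) ---
TRACE_REQUEST = build_trace_request("windows2000", "/Nessus1207113733.html")

_echo = TRACE_REQUEST.replace("Connection: Close", "Connection: Keep-Alive")
TRACE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Server: Microsoft-IIS/5.0\r\n"
                  "Date: Mon, 25 Nov 2013 19:03:00 GMT\r\n"
                  "Content-Type: message/http\r\n"
                  "Content-Length: " + str(len(_echo)) + "\r\n\r\n" + _echo)

# Constructed: what a server with TRACE denied (e.g. via URLScan) would answer.
TRACE_DISABLED_RESPONSE = ("HTTP/1.1 405 Method Not Allowed\r\n"
                           "Server: Microsoft-IIS/5.0\r\n"
                           "Allow: GET, HEAD, POST\r\n\r\n")

XSS_MARKER = '504 onerror="alert(504);'  # value Nessus put in the srcfile parameter
# Fragment of the Toolbar.asp output quoted in the report: the marker lands verbatim
# inside an href attribute, so the injected quote closes the attribute.
TOOLBAR_OUTPUT = ('<A href="/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp" '
                  'target = "SampMain"> VBScript Source </A>')
# Constructed: the same page if srcfile were HTML-escaped before being written out.
HARDENED_OUTPUT = ('<A href="/IIsSamples/SDK/asp/' + html.escape(XSS_MARKER, quote=True)
                   + '_VBScript.asp" target = "SampMain"> VBScript Source </A>')

if __name__ == "__main__":
    print("TRACE enabled (report):  ", trace_enabled(TRACE_REQUEST, TRACE_RESPONSE))
    print("TRACE enabled (405 case):", trace_enabled(TRACE_REQUEST, TRACE_DISABLED_RESPONSE))
    print("Toolbar.asp srcfile:     ", reflection(TOOLBAR_OUTPUT, XSS_MARKER))
    print("Hardened Toolbar.asp:    ", reflection(HARDENED_OUTPUT, XSS_MARKER))
```

Against a live host the same functions apply to whatever `http.client.HTTPConnection(...).request("TRACE", path)` returns; the point of the offline inputs is that the decision rule is explicit, which the URLScan solution line above does not tell you: TRACE is only a finding when the server echoes the request line with a 200, and the Toolbar.asp hit is only real while the quote character in 'srcfile' survives unencoded.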
Description: According to its banner, the version of OpenSSH running on the remote host is earlier than 5.8p2. Such versions may be affected by a local information disclosure vulnerability that could allow the contents of the host's private key to be accessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow the impersonation of the host. Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the case for *BSD, OS X, Cygwin and Linux.

Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

192.168.1.28 (tcp/0)
Information about this scan:
Nessus version : 5.2.4
Plugin feed version : 201311250916
Scanner edition used : Nessus
Scan policy used : PCI Scan
Scanner IP : 192.168.1.232
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2013/6/27 4:24
Scan duration : 1636 sec

192.168.1.146 (tcp/0)
Information about this scan:
Nessus version : 5.2.4
Plugin feed version : 201311250916
Scanner edition used : Nessus
Scan policy used : PCI Scan
Scanner IP : 192.168.1.232
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2013/6/27 4:24
Scan duration : 2025 sec

Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

192.168.1.146 (tcp/445)
- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)
Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.
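Every 'according to its banner' OpenSSH finding in this report (plugins 19592, 44076, 22466, 44077, 44078, 44079, 31737, 44080, 44065, 44081, 53841, 17703 and 67140) rests on a single comparison: the version string in the SSH banner against the fixed-in version named in the finding. The script below reproduces that logic so the thresholds can be checked against a banner by hand. It is an added example written for this page, not Nessus plugin code; the thresholds are the versions given in the finding titles and descriptions above, the banners fed to it are constructed, and two choices are mine: a portable release 'X.YpN' is ordered as (X, Y, 0, N), and the 53841 ssh-keysign check is applied only to portable builds, following that finding's own note that ssh-rand-helper exists only there.

```python
"""Banner-only OpenSSH version checks, reproducing the decision behind the
'according to its banner' OpenSSH findings in this Nessus report.
Added example for this page, not Nessus plugin code."""
import re

# (plugin id, finding as listed in the report, fixed-in version, portable-only)
# Version tuples are (major, minor, patch, portable-release): 5.8p2 -> (5, 8, 0, 2).
OPENSSH_FINDINGS = [
    (19592, "OpenSSH < 4.2 Multiple Vulnerabilities", (4, 2, 0, 0), False),
    (44076, "OpenSSH < 4.3 scp Command Line Filename Processing Command Injection", (4, 3, 0, 0), False),
    (22466, "OpenSSH < 4.4 Multiple Vulnerabilities", (4, 4, 0, 0), False),
    (44077, "OpenSSH < 4.5 Multiple Vulnerabilities", (4, 5, 0, 0), False),
    (44078, "OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass", (4, 7, 0, 0), False),
    (44079, "OpenSSH < 4.9 'ForceCommand' Directive Bypass", (4, 9, 0, 0), False),
    (31737, "OpenSSH X11 Forwarding Session Hijacking (older than 5.0)", (5, 0, 0, 0), False),
    (44080, "OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking (older than 5.1)", (5, 1, 0, 0), False),
    (44065, "OpenSSH < 5.2 CBC Plaintext Disclosure", (5, 2, 0, 0), False),
    (44081, "OpenSSH < 5.7 Multiple Vulnerabilities", (5, 7, 0, 0), False),
    # Assumption: only portable builds ship ssh-rand-helper (per the finding text).
    (53841, "Portable OpenSSH ssh-keysign ssh-rand-helper FD Leak (earlier than 5.8p2)", (5, 8, 0, 2), True),
    (17703, "OpenSSH < 5.9 Multiple DoS", (5, 9, 0, 0), False),
    (67140, "OpenSSH LoginGraceTime / MaxStartups DoS (earlier than 6.2)", (6, 2, 0, 0), False),
]

# SSH-<proto>-OpenSSH_<major>.<minor>[.<patch>][p<portable>] with optional trailing comment
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?(?:p(?P<portable>\d+))?"
)


def parse_banner(banner):
    """Return {'proto', 'version', 'portable'} for an OpenSSH banner, or None for any other server."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "proto": g["proto"],
        "version": (int(g["major"]), int(g["minor"]),
                    int(g["patch"] or 0), int(g["portable"] or 0)),
        "portable": g["portable"] is not None,
    }


def findings_for_banner(banner):
    """Plugin ids whose fixed-in version is newer than the version the banner advertises.
    This is the whole test the report's banner-based findings perform: no probe, no
    configuration check, so a vendor build carrying backported fixes under an old banner
    is flagged exactly like an unpatched one."""
    info = parse_banner(banner)
    if info is None:
        return []
    hits = []
    for pid, _title, fixed_in, portable_only in OPENSSH_FINDINGS:
        if portable_only and not info["portable"]:
            continue
        if info["version"] < fixed_in:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    # Constructed banners: an old portable build, a native OpenBSD 5.8, a patched 6.2p2,
    # and a non-OpenSSH server.
    for b in ("SSH-2.0-OpenSSH_4.3p2", "SSH-2.0-OpenSSH_5.8",
              "SSH-2.0-OpenSSH_6.2p2", "SSH-2.0-dropbear_2012.55"):
        print(b, "->", findings_for_banner(b))
```

The scan information above records 'Backports : None' and 'Credentialed checks : no', which is why this comparison is the entire evidence for those findings: a distribution package that advertises an old OpenSSH_4.3p2 banner while carrying backported fixes is reported just like the unpatched upstream release, and the fix-state has to be confirmed from the package version on the host before the 'Upgrade to OpenSSH 6.2' action is treated as mandatory.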
Nessus Scan Report