Nessus Report

Nessus Scan Report

27/Jun/2013:04:58:03

Table Of Contents
Remediations
Suggested Remediations
Vulnerabilities By Plugin
10357 (1) - Microsoft IIS MDAC RDS (msadcs.dll) Arbitrary Remote Command Execution
11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)
11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)
20008 (1) - MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
21655 (1) - MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
33850 (1) - Unsupported Unix Operating System
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
47709 (1) - Microsoft Windows 2000 Unsupported Installation Detection
33929 (3) - PCI DSS compliance
11161 (1) - Microsoft Data Access Components RDS Data Stub Remote Overflow
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
22466 (1) - OpenSSH < 4.4 Multiple Vulnerabilities
34460 (1) - Unsupported Web Server Detection
44077 (1) - OpenSSH < 4.5 Multiple Vulnerabilities
44078 (1) - OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
12213 (2) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
10079 (1) - Anonymous FTP Enabled
10572 (1) - Microsoft IIS 5.0 Form_JScript.asp XSS
10573 (1) - Microsoft IIS 5.0 ServerVariables_Jscript.asp Path Disclosure
10956 (1) - Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure
11213 (1) - HTTP TRACE / TRACK Methods Allowed
12229 (1) - Microsoft IIS Cookie information disclosure
17703 (1) - OpenSSH < 5.9 Multiple DoS
17704 (1) - OpenSSH S/KEY Authentication Account Enumeration
17705 (1) - OPIE w/ OpenSSH Account Enumeration
17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
18585 (1) - Microsoft Windows SMB Service Enumeration via \srvsvc
18602 (1) - Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration
26920 (1) - Microsoft Windows SMB NULL Session Authentication
31737 (1) - OpenSSH X11 Forwarding Session Hijacking
39466 (1) - CGI Generic Cross-Site Scripting (quick test)
44065 (1) - OpenSSH < 5.2 CBC Plaintext Disclosure
44076 (1) - OpenSSH < 4.3 scp Command Line Filename Processing Command Injection
44079 (1) - OpenSSH < 4.9 'ForceCommand' Directive Bypass
44081 (1) - OpenSSH < 5.7 Multiple Vulnerabilities
44136 (1) - CGI Generic Cookie Injection Scripting
45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)
47831 (1) - CGI Generic Cross-Site Scripting (comprehensive test)
49067 (1) - CGI Generic HTML Injections (quick test)
55903 (1) - CGI Generic Cross-Site Scripting (extended patterns)
56208 (1) - PCI DSS Compliance : Insecure Communication Has Been Detected
56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials
56283 (1) - Linux Kernel TCP Sequence Number Generation Security Weakness
56818 (1) - CGI Generic Cross-Site Request Forgery Detection (potential)
57608 (1) - SMB Signing Disabled
67140 (1) - OpenSSH LoginGraceTime / MaxStartups DoS
19592 (1) - OpenSSH < 4.2 Multiple Vulnerabilities
34324 (1) - FTP Supports Clear Text Authentication
44080 (1) - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
53841 (1) - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
70658 (1) - SSH Server CBC Mode Ciphers Enabled
71049 (1) - SSH Weak MAC Algorithms Enabled
11219 (14) - Nessus SYN scanner
10736 (7) - DCE Services Enumeration
22964 (5) - Service Detection
10114 (2) - ICMP Timestamp Request Remote Date Disclosure
10287 (2) - Traceroute Information
10662 (2) - Web mirroring
11011 (2) - Microsoft Windows SMB Service Detection
11032 (2) - Web Server Directory Enumeration
11936 (2) - OS Identification
19506 (2) - Nessus Scan Information
20094 (2) - VMware Virtual Machine Detection
25220 (2) - TCP/IP Timestamps Supported
35716 (2) - Ethernet Card Manufacturer Detection
45590 (2) - Common Platform Enumeration (CPE)
54615 (2) - Device Type
56209 (2) - PCI DSS Compliance : Remote Access Software Has Been Detected
60020 (2) - PCI DSS Compliance : Handling False Positives
66334 (2) - Patch Report
10077 (1) - Microsoft FrontPage Extensions Check
10092 (1) - FTP Server Detection
10107 (1) - HTTP Server Type and Version
10150 (1) - Windows NetBIOS / SMB Remote Host Information Disclosure
10263 (1) - SMTP Server Detection
10267 (1) - SSH Server Type and Version Information
10394 (1) - Microsoft Windows SMB Log In Possible
10395 (1) - Microsoft Windows SMB Shares Enumeration
10397 (1) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
10661 (1) - Microsoft IIS 5 .printer ISAPI Filter Enabled
10785 (1) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
10859 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
10860 (1) - SMB Use Host SID to Enumerate Local Users
10881 (1) - SSH Protocol Versions Supported
10902 (1) - Microsoft Windows 'Administrators' Group User List
10904 (1) - Microsoft Windows 'Backup Operators' Group User List
10913 (1) - Microsoft Windows - Local Users Information : Disabled accounts
10914 (1) - Microsoft Windows - Local Users Information : Never changed passwords
10915 (1) - Microsoft Windows - Local Users Information : User has never logged on
10916 (1) - Microsoft Windows - Local Users Information : Passwords never expire
11422 (1) - Web Server Unconfigured - Default Install Page Present
11424 (1) - WebDAV Detection
11874 (1) - Microsoft IIS 404 Response Service Pack Signature
12053 (1) - Host Fully Qualified Domain Name (FQDN) Resolution
17651 (1) - Microsoft Windows SMB : Obtains the Password Policy
17975 (1) - Service Detection (GET request)
18261 (1) - Apache Banner Linux Distribution Disclosure
22319 (1) - MSRPC Service Detection
24260 (1) - HyperText Transfer Protocol (HTTP) Information
24269 (1) - Windows Management Instrumentation (WMI) Available
24786 (1) - Nessus Windows Scan Not Performed with Admin Privileges
26917 (1) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
33817 (1) - CGI Generic Tests Load Estimation (all tests)
39470 (1) - CGI Generic Tests Timeout
40984 (1) - Browsable Web Directories
43111 (1) - HTTP Methods Allowed (per directory)
47830 (1) - CGI Generic Injectable Parameter
49704 (1) - External URLs
59861 (1) - Remote web server screenshot
70657 (1) - SSH Algorithms and Languages Supported

Remediations


Suggested Remediations

Taking the following actions across 2 hosts would resolve 42% of the vulnerabilities on the network:
Action to take | Vulns | Hosts
OpenSSH LoginGraceTime / MaxStartups DoS: Upgrade to OpenSSH 6.2 and review the associated server configuration settings. | 27 | 1
MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 4 | 1
Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure: Apply the patch referenced above. | 1 | 1
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1
MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1

Vulnerabilities By Plugin


10357 (1) - Microsoft IIS MDAC RDS (msadcs.dll) Arbitrary Remote Command Execution

Synopsis

The remote web server is affected by a remote command execution vulnerability.

Description

The web server is probably susceptible to a common IIS vulnerability discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary commands on the server with Administrator Privileges.

*** Nessus solely relied on the presence of the file /msadc/msadcs.dll
*** so this might be a false positive

See Also

http://support.microsoft.com/default.aspx?scid=kb;[LN];184375
http://technet.microsoft.com/en-us/security/bulletin/ms98-004
http://technet.microsoft.com/en-us/security/bulletin/ms99-025

Solution

Upgrade to MDAC version 2.1 SP2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Delete the /msadc virtual directory in IIS.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

9.5 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 529
CVE CVE-1999-1011
XREF OSVDB:272
XREF CWE:264
XREF MSFT:MS98-004
XREF MSFT:MS99-025

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2000/04/01, Modification date: 2012/06/07

Hosts

192.168.1.146 (tcp/80)

11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Blaster) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-026

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8205
CVE CVE-2003-0352
XREF OSVDB:2100
XREF MSFT:MS03-026

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2003/07/28, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.

An attacker or a worm could use it to gain control of this host.

Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-039

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8458
BID 8460
CVE CVE-2003-0715
CVE CVE-2003-0528
CVE CVE-2003-0605
XREF OSVDB:11460
XREF OSVDB:11797
XREF OSVDB:2535
XREF MSFT:MS03-039

Plugin Information:

Publication date: 2003/09/10, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually tests for the presence of this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-043

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8826
CVE CVE-2003-0717
XREF OSVDB:10936
XREF MSFT:MS03-043

Exploitable with

CANVAS (true)

Plugin Information:

Publication date: 2003/10/16, Modification date: 2013/11/04

Hosts

192.168.1.146 (udp/135)

12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the LSASS service.

Description

The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Sasser) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-011

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10108
CVE CVE-2003-0533
XREF OSVDB:5248
XREF MSFT:MS04-011

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2004/04/15, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website.

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://technet.microsoft.com/en-us/security/bulletin/ms04-022

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10708
CVE CVE-2004-0212
XREF OSVDB:7798
XREF MSFT:MS04-022

Plugin Information:

Publication date: 2004/07/29, Modification date: 2012/06/14

Hosts

192.168.1.146 (tcp/1025)

18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description

The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host.

An attacker does not need to be authenticated to exploit this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-027

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2005/06/16, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Spooler service.

Description

The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.

An attacker can execute code on the remote host with a NULL session against :

- Windows 2000

An attacker can crash the remote service with a NULL session against :

- Windows 2000
- Windows XP SP1

An attacker needs valid credentials to crash the service against :

- Windows 2003
- Windows XP SP2

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-043

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14514
CVE CVE-2005-1984
XREF OSVDB:18607
XREF MSFT:MS05-043

Exploitable with

CANVAS (true), Core Impact (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Plug-And-Play service.

Description

The remote version of Windows contains a flaw in the function 'PNP_QueryResConfList()' in the Plug and Play service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Zotob) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-039

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14513
CVE CVE-2005-1983
XREF OSVDB:18605
XREF MSFT:MS05-039

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

20008 (1) - MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)

Synopsis

A vulnerability in MSDTC could allow remote code execution.

Description

The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain complete control of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-051

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.4 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 15059
BID 15058
BID 15057
BID 15056
CVE CVE-2005-2119
CVE CVE-2005-1978
CVE CVE-2005-1979
CVE CVE-2005-1980
XREF OSVDB:18828
XREF OSVDB:19902
XREF OSVDB:19903
XREF OSVDB:19904
XREF MSFT:MS05-051

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/1086)

21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)

Synopsis

A flaw in the Plug and Play service may allow an authenticated attacker to execute arbitrary code on the remote host and, therefore, elevate their privileges.

Description

The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data.

An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges.

Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-047

Solution

Microsoft has released a set of patches for Windows 2000 and XP.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 15065
CVE CVE-2005-2120
XREF OSVDB:18830
XREF MSFT:MS05-047

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)

Synopsis

A vulnerability in MSDTC could allow remote code execution.

Description

The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-018

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 17905
BID 17906
CVE CVE-2006-0034
CVE CVE-2006-1184
XREF OSVDB:25335
XREF OSVDB:25336
XREF MSFT:MS06-018

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/05/10, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/1086)

21655 (1) - MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote host has multiple bugs in its RPC/DCOM implementation (828741).

An attacker may exploit one of these flaws to execute arbitrary code on the remote system.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-012

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.4 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10121
BID 10123
BID 10127
BID 8811
CVE CVE-2003-0813
CVE CVE-2004-0116
CVE CVE-2003-0807
CVE CVE-2004-0124
XREF OSVDB:2670
XREF OSVDB:5245
XREF OSVDB:5246
XREF OSVDB:5247
XREF MSFT:MS04-012

Plugin Information:

Publication date: 2007/03/16, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/135)

22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-040

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2006/08/08, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

33850 (1) - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider.

Lack of support implies that no new security patches will be released for it.

Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2013/11/25

Hosts

192.168.1.28 (tcp/0)

Ubuntu 5.10 support ended on 2007-04-13.
Upgrade to Ubuntu 13.10.

For more information, see : https://wiki.ubuntu.com/Releases

34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'System' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2008/10/23, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Synopsis

It is possible to crash the remote host due to a flaw in SMB.

Description

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :

http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2009/01/13, Modification date: 2012/10/19

Hosts

192.168.1.146 (tcp/445)

47709 (1) - Microsoft Windows 2000 Unsupported Installation Detection

Synopsis

The remote operating system is no longer supported.

Description

The remote host is running a version of Microsoft Windows 2000.

This operating system is no longer supported by Microsoft. This means not only that there will be no new security patches for it but also that Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities in it.

See Also

http://support.microsoft.com/lifecycle/?p1=7274

Solution

Upgrade to a version of Windows that is currently supported.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2010/07/13, Modification date: 2013/09/18

Hosts

192.168.1.146 (tcp/0)

33929 (3) - PCI DSS compliance

Synopsis

Nessus has determined that this host is NOT COMPLIANT with the PCI DSS requirements.

Description

The remote web server is vulnerable to cross-site scripting (XSS) attacks, implements old SSL2.0 cryptography, runs obsolete software, or is affected by dangerous vulnerabilities (CVSS base score >= 4).

If you are conducting this scan through the Nessus Perimeter Service Plugin, and if you disagree with the results, you may submit this report by clicking on 'Submit for PCI Validation' and dispute the findings through our web interface.

See Also

http://www.pcisecuritystandards.org/
http://en.wikipedia.org/wiki/PCI_DSS

Risk Factor

High

Plugin Information:

Publication date: 2008/08/07, Modification date: 2013/06/13

Hosts

192.168.1.28 (tcp/0)

+ Directory browsing is enabled on some web servers
http://192.168.1.28/phpwebsite/themes/
http://192.168.1.28/phpwebsite/themes/clean/
http://192.168.1.28/phpbb/templates/
http://192.168.1.28/phpbb/templates/Aeolus/
http://192.168.1.28/images/
http://192.168.1.28/tmp/
http://192.168.1.28/images/80x15/
http://192.168.1.28/images/88x31/
http://192.168.1.28/images/logo/
+ The remote operating system is not maintained any more. See :
http://www.nessus.org/plugins/index.php?view=single&id=33850
+ 4 high risk flaws were found. See :
http://www.nessus.org/plugins/index.php?view=single&id=44077
http://www.nessus.org/plugins/index.php?view=single&id=22466
http://www.nessus.org/plugins/index.php?view=single&id=44078
http://www.nessus.org/plugins/index.php?view=single&id=33850
+ 9 medium risk flaws were found. See :
http://www.nessus.org/plugins/index.php?view=single&id=17744
http://www.nessus.org/plugins/index.php?view=single&id=56283
http://www.nessus.org/plugins/index.php?view=single&id=31737
http://www.nessus.org/plugins/index.php?view=single&id=17704
http://www.nessus.org/plugins/index.php?view=single&id=44065
http://www.nessus.org/plugins/index.php?view=single&id=44076
http://www.nessus.org/plugins/index.php?view=single&id=44081
http://www.nessus.org/plugins/index.php?view=single&id=44079
http://www.nessus.org/plugins/index.php?view=single&id=17705

192.168.1.146 (tcp/0)

+ Directory browsing is enabled on some web servers
http://windows2000/IIsSamples/sdk/asp/transactional/
http://windows2000/IIsSamples/sdk/asp/applications/
http://windows2000/IIsSamples/sdk/asp/
http://windows2000/IIsSamples/sdk/admin/
http://windows2000/IIsSamples/sdk/
http://windows2000/IIsSamples/SDK/admin/
http://windows2000/IIsSamples/SDK/asp/applications/
http://windows2000/IIsSamples/
http://windows2000/IIsSamples/SDK/
http://windows2000/IIsSamples/SDK/asp/
http://windows2000/IIsSamples/SDK/asp/docs/
http://windows2000/IISSamples/sdk/asp/components/
http://windows2000/IISSamples/sdk/asp/applications/
http://windows2000/IISSamples/sdk/asp/
http://windows2000/IISSamples/sdk/admin/
http://windows2000/IISSamples/sdk/
http://windows2000/iissamples/sdk/asp/transactional/
http://windows2000/iissamples/sdk/asp/
http://windows2000/iissamples/sdk/admin/
http://windows2000/IISSamples/
http://windows2000/iissamples/sdk/
http://windows2000/iissamples/
http://windows2000/iissamples/sdk/asp/applications/
http://windows2000/iissamples/sdk/asp/components/
http://windows2000/iissamples/sdk/asp/database/
http://windows2000/iissamples/sdk/asp/docs/
http://windows2000/iissamples/sdk/asp/interaction/
http://windows2000/iissamples/sdk/asp/simple/
http://windows2000/IISSamples/sdk/asp/database/
http://windows2000/IISSamples/sdk/asp/docs/
http://windows2000/IISSamples/sdk/asp/interaction/
http://windows2000/IISSamples/sdk/asp/simple/
http://windows2000/IISSamples/sdk/asp/transactional/
http://windows2000/IIsSamples/SDK/asp/components/
http://windows2000/IIsSamples/SDK/asp/database/
http://windows2000/IIsSamples/SDK/asp/interaction/
http://windows2000/IIsSamples/SDK/asp/simple/
http://windows2000/IIsSamples/SDK/asp/transactional/
http://windows2000/IIsSamples/sdk/asp/components/
http://windows2000/IIsSamples/sdk/asp/database/
http://windows2000/IIsSamples/sdk/asp/docs/
http://windows2000/IIsSamples/sdk/asp/interaction/
http://windows2000/IIsSamples/sdk/asp/simple/
+ The remote operating system is not maintained any more. See :
http://www.nessus.org/plugins/index.php?view=single&id=47709
+ Unsupported software was found. See :
http://www.nessus.org/plugins/index.php?view=single&id=34460
+ A web server is vulnerable to cross-site scripting (XSS)
+ 20 high risk flaws were found. See :
http://www.nessus.org/plugins/index.php?view=single&id=34477
http://www.nessus.org/plugins/index.php?view=single&id=21193
http://www.nessus.org/plugins/index.php?view=single&id=12209
http://www.nessus.org/plugins/index.php?view=single&id=22194
http://www.nessus.org/plugins/index.php?view=single&id=35362
http://www.nessus.org/plugins/index.php?view=single&id=21334
http://www.nessus.org/plugins/index.php?view=single&id=19407
http://www.nessus.org/plugins/index.php?view=single&id=11835
http://www.nessus.org/plugins/index.php?view=single&id=19408
http://www.nessus.org/plugins/index.php?view=single&id=20008
http://www.nessus.org/plugins/index.php?view=single&id=11890
http://www.nessus.org/plugins/index.php?view=single&id=13852
http://www.nessus.org/plugins/index.php?view=single&id=11161
http://www.nessus.org/plugins/index.php?view=single&id=47709
http://www.nessus.org/plugins/index.php?view=single&id=21655
http://www.nessus.org/plugins/index.php?view=single&id=34460
http://www.nessus.org/plugins/index.php?view=single&id=10357
http://www.nessus.org/plugins/index.php?view=single&id=11808
http://www.nessus.org/plugins/index.php?view=single&id=22034
http://www.nessus.org/plugins/index.php?view=single&id=18502
+ 18 medium risk flaws were found. See :
http://www.nessus.org/plugins/index.php?view=single&id=10573
http://www.nessus.org/plugins/index.php?view=single&id=10956
http://www.nessus.org/plugins/index.php?view=single&id=56211
http://www.nessus.org/plugins/index.php?view=single&id=10079
http://www.nessus.org/plugins/index.php?view=single&id=11213
http://www.nessus.org/plugins/index.php?view=single&id=39466
http://www.nessus.org/plugins/index.php?view=single&id=56210
http://www.nessus.org/plugins/index.php?view=single&id=47831
http://www.nessus.org/plugins/index.php?view=single&id=26920
http://www.nessus.org/plugins/index.php?view=single&id=57608
http://www.nessus.org/plugins/index.php?view=single&id=55903
http://www.nessus.org/plugins/index.php?view=single&id=44136
http://www.nessus.org/plugins/index.php?view=single&id=56818
http://www.nessus.org/plugins/index.php?view=single&id=18602
http://www.nessus.org/plugins/index.php?view=single&id=49067
http://www.nessus.org/plugins/index.php?view=single&id=12229
http://www.nessus.org/plugins/index.php?view=single&id=10572
http://www.nessus.org/plugins/index.php?view=single&id=18585

192.168.1.146 (tcp/80)


The remote web server is vulnerable to cross-site scripting (XSS)

11161 (1) - Microsoft Data Access Components RDS Data Stub Remote Overflow

Synopsis

The remote host is affected by a remote buffer overflow vulnerability.

Description

The remote DLL /msadc/msadcs.dll is accessible by anyone. Several flaws have been found in it in the past. We recommend that you restrict access to MSADC only to trusted hosts.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms02-065
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html

Solution

- Launch the Internet Services Manager
- Select your web server
- Right-click on MSADC and select 'Properties'
- Select the tab 'Directory Security'
- Click on the 'IP address and domain name restrictions' option
- Make sure that by default, all computers are DENIED access to this resource
- List the computers that should be allowed to use it

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 6214
CVE CVE-2002-1142
XREF OSVDB:14502
XREF MSFT:MS02-065

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2002/11/22, Modification date: 2012/06/14

Hosts

192.168.1.146 (tcp/80)


*** Nessus did not test for any security vulnerability but solely relied
*** on the presence of this resource to issue this warning, so this
*** might be a false positive.

22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-035

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/07/12, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

22466 (1) - OpenSSH < 4.4 Multiple Vulnerabilities

Synopsis

The remote SSH server is affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities :

- A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled.

- A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled.

- When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service.

- On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.

See Also

http://www.openssh.com/txt/release-4.4

Solution

Upgrade to OpenSSH 4.4 or later.

Risk Factor

High

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.9 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

References

BID 20216
BID 20241
BID 20245
CVE CVE-2006-4924
CVE CVE-2006-4925
CVE CVE-2006-5051
CVE CVE-2006-5052
CVE CVE-2006-5229
CVE CVE-2007-3102
CVE CVE-2008-4109
XREF OSVDB:29152
XREF OSVDB:29264
XREF OSVDB:29266
XREF OSVDB:29494
XREF OSVDB:32721
XREF OSVDB:39214
XREF CWE:362

Plugin Information:

Publication date: 2006/09/28, Modification date: 2011/11/16

Hosts

192.168.1.28 (tcp/22)

34460 (1) - Unsupported Web Server Detection

Synopsis

The remote web server is obsolete / unsupported.

Description

According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.

A lack of support implies that no new security patches are being released for it.

Solution

Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin Information:

Publication date: 2008/10/21, Modification date: 2013/10/29

Hosts

192.168.1.146 (tcp/80)


Product : Microsoft IIS 5.0
Server response header : Microsoft-IIS/5.0
Support ended : 2010-07-13
Supported versions : Microsoft IIS 7.5 / 7.0 / 6.0 / 5.1
Additional information : http://support.microsoft.com/lifecycle/?p1=2095

44077 (1) - OpenSSH < 4.5 Multiple Vulnerabilities

Synopsis

The remote SSH service is affected by multiple vulnerabilities.

Description

According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities :

- A client-side null pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925)

- A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794)

- An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any process that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)

See Also

http://www.openssh.org/txt/release-4.5
http://support.apple.com/kb/TA24626
http://openssh.com/security.html

Solution

Upgrade to OpenSSH 4.5 or later.
For Mac OS X 10.3, apply Security Update 2007-003.
For Mac OS X 10.4, upgrade to 10.4.9.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 20956
CVE CVE-2006-4925
CVE CVE-2006-5794
CVE CVE-2007-0726
XREF OSVDB:29494
XREF OSVDB:30232
XREF OSVDB:34850

Plugin Information:

Publication date: 2011/10/04, Modification date: 2013/08/06

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 4.5

44078 (1) - OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass

Synopsis

Remote attackers may be able to bypass authentication.

Description

According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

See Also

http://www.openssh.com/txt/release-4.7

Solution

Upgrade to OpenSSH 4.7 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

STIG Severity

II

References

BID 25628
CVE CVE-2007-4752
CVE CVE-2007-2243
XREF OSVDB:34600
XREF OSVDB:43371
XREF IAVT:2008-T-0046
XREF CWE:20

Plugin Information:

Publication date: 2011/10/04, Modification date: 2012/08/18

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 4.7

12213 (2) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS

Synopsis

It may be possible to send spoofed RST packets to the remote system.

Description

The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some long-lived, dedicated connections (BGP, a VPN over TCP, etc.).

See Also

https://downloads.avaya.com/elmodocs2/security/ASA-2006-217.htm
http://www.kb.cert.org/vuls/id/JARL-5ZQR4D
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://technet.microsoft.com/en-us/security/bulletin/ms05-019
http://technet.microsoft.com/en-us/security/bulletin/ms06-064
http://www.kb.cert.org/vuls/id/JARL-5YGQ9G
http://www.kb.cert.org/vuls/id/JARL-5ZQR7H
http://www.kb.cert.org/vuls/id/JARL-5YGQAJ
http://www.nessus.org/u?9a548ae4
http://isc.sans.edu/diary.html?date=2004-04-20

Solution

Contact the vendor for a patch or mitigation advice.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 10183
CVE CVE-2004-0230
XREF OSVDB:4030
XREF CERT:415294
XREF EDB-ID:276
XREF EDB-ID:291

Plugin Information:

Publication date: 2004/04/25, Modification date: 2012/12/28

Hosts

192.168.1.28 (tcp/0)

192.168.1.146 (tcp/0)

10079 (1) - Anonymous FTP Enabled

Synopsis

Anonymous logins are allowed on the remote FTP server.

Description

This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Solution

Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0497
XREF OSVDB:69

Plugin Information:

Publication date: 1999/06/22, Modification date: 2013/01/25

Hosts

192.168.1.146 (tcp/21)

10572 (1) - Microsoft IIS 5.0 Form_JScript.asp XSS

Synopsis

The remote web server is hosting an ASP script that is affected by a cross-site scripting vulnerability.

Description

The script /iissamples/sdk/asp/interaction/Form_JScript.asp (or Form_VBScript.asp) allows you to insert information into a form field and, once submitted, re-displays the page, printing the text you entered. This .asp performs no input validation or output encoding. An attacker can exploit this flaw to execute arbitrary script code in the browser of an unsuspecting victim.

Solution

Remove the sample scripts from the server.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF OSVDB:470
XREF CERT-CC:CA-2000-02

Plugin Information:

Publication date: 2002/05/22, Modification date: 2012/12/10

Hosts

192.168.1.146 (tcp/80)

10573 (1) - Microsoft IIS 5.0 ServerVariables_Jscript.asp Path Disclosure

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

A sample application shipped with IIS 5.0 discloses the physical path of the web root. An attacker can use this information to make more focused attacks.

Solution

Always remove sample applications from production servers. In this case, remove the entire /iissamples folder.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:471

Plugin Information:

Publication date: 2002/05/22, Modification date: 2013/01/25

Hosts

192.168.1.146 (tcp/80)

10956 (1) - Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure

Synopsis

Some files may be read on the remote host.

Description

Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or .html.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms99-013

Solution

Apply the patch referenced above.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 167
CVE CVE-1999-0739
XREF OSVDB:782
XREF MSFT:MS99-013

Plugin Information:

Publication date: 2002/05/22, Modification date: 2012/03/06

Hosts

192.168.1.146 (tcp/80)

11213 (1) - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections: the server echoes the received request back in the response body. Because that echo includes any Cookie or Authorization header the client sent, the methods can be abused in a cross-site tracing (XST) attack to read credentials that script would otherwise be unable to access.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Hosts

192.168.1.146 (tcp/80)


Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1207113733.html HTTP/1.1
Connection: Close
Host: windows2000
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 25 Nov 2013 19:03:00 GMT
Content-Type: message/http
Content-Length: 313


TRACE /Nessus1207113733.html HTTP/1.1
Connection: Keep-Alive
Host: windows2000
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
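The following Python script is an added example, not Nessus code, that reproduces the check shown in the exchange above offline: it builds the TRACE request, parses the raw reply and reports the XST exposure when the server answers 200 with message/http and reflects the request line, including any Cookie or Authorization header that was sent. SAMPLE_REQUEST and SAMPLE_RESPONSE are constructed to mirror the IIS 5.0 reply above; HARDENED_RESPONSE is what a server with TRACE disabled is expected to return; check_host() is the live variant for use against a lab host.

```python
"""Cross-site tracing (XST) check, modelled on the Nessus 11213 exchange above.
Added example, not Nessus code. SAMPLE_* data is constructed to mirror the
IIS 5.0 reply in the report; check_host() is the live variant."""
import socket


def build_trace_request(host: str, path: str, extra_headers=None) -> bytes:
    """Build a minimal TRACE request. A Cookie header is included on purpose:
    a server that echoes it back demonstrates the XST exposure."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_echoed(raw_response: bytes, request: bytes) -> bool:
    """True when the server answered 200 with message/http and the body
    contains our request line, i.e. TRACE is enabled and reflects the request."""
    status, headers, body = parse_response(raw_response)
    if status != 200 or not headers.get("content-type", "").startswith("message/http"):
        return False
    request_line = request.split(b"\r\n", 1)[0]
    return request_line in body


def leaked_headers(raw_response: bytes, names=("cookie", "authorization")) -> list:
    """Names of sensitive request headers that came back in the echoed body."""
    _, _, body = parse_response(raw_response)
    lowered = body.lower()
    return [n for n in names if (n + ":").encode("ascii") in lowered]


def check_host(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Live check (needs network): send TRACE with a probe cookie and report whether it is echoed."""
    request = build_trace_request(host, "/", {"Cookie": "probe=1"})
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_echoed(b"".join(chunks), request)


# Constructed sample data shaped like the exchange in the plugin output above.
SAMPLE_REQUEST = build_trace_request(
    "windows2000", "/Nessus1207113733.html", {"Cookie": "ASPSESSIONID=probe"})
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: message/http\r\n"
    b"Content-Length: " + str(len(SAMPLE_REQUEST)).encode("ascii") + b"\r\n\r\n"
    + SAMPLE_REQUEST
)
# What a hardened server (TRACE denied, e.g. via URLScan) is expected to answer.
HARDENED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("IIS sample echoed:", trace_echoed(SAMPLE_RESPONSE, SAMPLE_REQUEST),
          "leaked:", leaked_headers(SAMPLE_RESPONSE))
    print("hardened echoed:", trace_echoed(HARDENED_RESPONSE, SAMPLE_REQUEST))
```

The decision is made on the parsed response rather than on a substring of the whole reply so that a 405 or 501 whose error page happens to quote the request is not miscounted as an echo; leaked_headers() is what turns "TRACE enabled" into the concrete XST finding.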

12229 (1) - Microsoft IIS Cookie information disclosure

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The remote host is running Microsoft IIS with what appears to be a vulnerable disclosure of cookie usage. That is, when sent a cookie containing the '=' character, Microsoft IIS will either respond with an error (if actually processing the cookie via a specific ASP page) or disclose the name of the .inc file used. This can be used to map which applications are processing cookies.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0255.html

Solution

Configure IIS to return custom error pages.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:5993

Plugin Information:

Publication date: 2004/05/06, Modification date: 2013/08/14

Hosts

192.168.1.146 (tcp/80)

17703 (1) - OpenSSH < 5.9 Multiple DoS

Synopsis

The SSH server on the remote host has multiple denial of service vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities :

- A denial of service vulnerability exists in the gss-serv.c 'ssh_gssapi_parse_ename' function. If gssapi-with-mic is enabled, a remote attacker may be able to trigger it via a large value in a certain length field. (CVE-2011-5000)

- On FreeBSD, NetBSD, OpenBSD, and other products, a remote, authenticated attacker could exploit the remote_glob() and process_put() functions to cause a denial of service (CPU and memory consumption). (CVE-2010-4755)

See Also

http://cxsecurity.com/research/89
http://site.pi3.com.pl/adv/ssh_1.txt

Solution

Upgrade to OpenSSH 5.9 or later.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)

References

BID 54114
CVE CVE-2010-4755
CVE CVE-2011-5000
XREF OSVDB:75248
XREF OSVDB:75249
XREF OSVDB:81500

Plugin Information:

Publication date: 2011/11/18, Modification date: 2012/06/26

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 5.9

17704 (1) - OpenSSH S/KEY Authentication Account Enumeration

Synopsis

The remote host is susceptible to an information disclosure attack.

Description

When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEY authentication exists.

Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.

See Also

http://www.nessus.org/u?87921f08

Solution

A patch currently does not exist for this issue. As a workaround, either set 'ChallengeResponseAuthentication' in the OpenSSH config to 'no' or use a version of OpenSSH without S/KEY support compiled in.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.8 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 23601
CVE CVE-2007-2243
XREF OSVDB:34600
XREF CWE:287

Plugin Information:

Publication date: 2011/11/18, Modification date: 2011/11/18

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1

17705 (1) - OPIE w/ OpenSSH Account Enumeration

Synopsis

The remote host is susceptible to an information disclosure attack.

Description

When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain user accounts.

Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it does not detect if the remote host actually has OPIE for PAM installed.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html

Solution

A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

CVE CVE-2007-2768
XREF OSVDB:34601

Plugin Information:

Publication date: 2011/11/18, Modification date: 2011/11/18

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1

17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing

Synopsis

The remote SSH server may permit anonymous port bouncing.

Description

According to its banner, the remote host is running OpenSSH, version 2.3.0 or later. Such versions of OpenSSH allow forwarding TCP connections. If the OpenSSH server is configured to allow anonymous connections (e.g. AnonCVS), remote, unauthenticated users could use the host as a proxy.

See Also

http://marc.info/?l=bugtraq&m=109413637313484&w=2
http://www.nessus.org/u?2c86d008

Solution

Disallow anonymous users, set AllowTcpForwarding to 'no', or use the Match directive to restrict anonymous users.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

CVE CVE-2004-1653
XREF OSVDB:9562

Plugin Information:

Publication date: 2011/12/01, Modification date: 2011/12/01

Hosts

192.168.1.28 (tcp/22)


Version source : ssh-2.0-openssh_4.1p1 debian-7ubuntu4.2
Installed version : 4.1p1

18585 (1) - Microsoft Windows SMB Service Enumeration via \srvsvc

Synopsis

The remote host allows null session enumeration of running services.

Description

This plugin connects to \srvsvc (instead of \svcctl) to enumerate the list of services running on the remote host on top of a NULL session.

An attacker may use this feature to gain better knowledge of the remote host.

See Also

http://www.hsc.fr/ressources/presentations/null_sessions/

Solution

Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 14093
BID 14177
CVE CVE-2005-2150
XREF OSVDB:17859

Plugin Information:

Publication date: 2005/06/29, Modification date: 2013/01/07

Hosts

192.168.1.146 (tcp/445)


It was possible to enumerate the list of services running on the remote host through a NULL session, by connecting to \srvsvc


Here is the list of services running on the remote host :
Computer Browser [ Browser ]
DHCP Client [ Dhcp ]
Logical Disk Manager [ dmserver ]
DNS Client [ Dnscache ]
Event Log [ Eventlog ]
COM+ Event System [ EventSystem ]
IIS Admin Service [ IISADMIN ]
Server [ lanmanserver ]
Workstation [ lanmanworkstation ]
TCP/IP NetBIOS Helper Service [ LmHosts ]
Messenger [ Messenger ]
Distributed Transaction Coordinator [ MSDTC ]
FTP Publishing Service [ MSFTPSVC ]
Network Connections [ Netman ]
Removable Storage [ NtmsSvc ]
Plug and Play [ PlugPlay ]
IPSEC Policy Agent [ PolicyAgent ]
Protected Storage [ ProtectedStorage ]
Remote Access Connection Manager [ RasMan ]
Remote Registry Service [ RemoteRegistry ]
Remote Procedure Call (RPC) [ RpcSs ]
Security Accounts Manager [ SamSs ]
Task Scheduler [ Schedule ]
RunAs Service [ seclogon ]
System Event Notification [ SENS ]
Simple Mail Transport Protocol (SMTP) [ SMTPSVC ]
Print Spooler [ Spooler ]
Telephony [ TapiSrv ]
Distributed Link Tracking Client [ TrkWks ]
World Wide Web Publishing Service [ W3SVC ]
Windows Management Instrumentation [ WinMgmt ]
Windows Management Instrumentation Driver Extensions [ Wmi ]
Automatic Updates [ wuauserv ]

18602 (1) - Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration

Synopsis

The remote host allows null session event log reading.

Description

It is possible to anonymously read the event logs of the remote Windows 2000 host by connecting to the \srvsvc pipe and binding to the event log service, OpenEventLog().

An attacker may use this flaw to anonymously read the system logs of the remote host. As system logs typically include valuable information, an attacker may use them to perform a better attack against the remote host.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0137.html

Solution

Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4 or set the value RestrictGuestAccess on the Applications and System logs.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 14093
BID 14178
CVE CVE-2005-2150
XREF OSVDB:17860

Plugin Information:

Publication date: 2005/07/05, Modification date: 2011/03/04

Hosts

192.168.1.146 (tcp/445)

26920 (1) - Microsoft Windows SMB NULL Session Authentication

Synopsis

It is possible to log into the remote Windows host with a NULL session.

Description

The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password).

Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

See Also

http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

Solution

Apply the following registry changes per the referenced Technet advisories :

Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1

Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes

Reboot once the registry changes are complete.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230

Plugin Information:

Publication date: 2007/10/04, Modification date: 2012/02/29

Hosts

192.168.1.146 (tcp/445)

It was possible to bind to the \browser pipe

31737 (1) - OpenSSH X11 Forwarding Session Hijacking

Synopsis

The remote SSH service is prone to an X11 session hijacking vulnerability.

Description

According to its banner, the version of OpenSSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because they improperly bind TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://www.openssh.org/txt/release-5.0

Solution

Upgrade to OpenSSH version 5.0 or later.

Risk Factor

Medium

CVSS Base Score

6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

5.7 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

References

BID 28444
CVE CVE-2008-1483
CVE CVE-2008-3234
XREF OSVDB:43745
XREF OSVDB:48791
XREF Secunia:29522
XREF CWE:264

Plugin Information:

Publication date: 2008/04/03, Modification date: 2011/11/16

Hosts

192.168.1.28 (tcp/22)


The remote OpenSSH server returned the following banner :

SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
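Every OpenSSH version finding against 192.168.1.28 in this report (plugins 22466, 44077, 44078, 31737 and 17703) rests on the one banner shown above, SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2. The Python script below is an added example, not Nessus code, that performs that banner triage in one place using the fixed versions the plugin entries state. It also carries the caveat a practitioner needs before filing these as confirmed: a distribution suffix in the banner means the vendor may have backported fixes without changing the upstream version string, so the installed package version must be checked on the host. The FIXED_VERSIONS table is taken from this report; the extra banners in the usage block are constructed.

```python
"""Banner-based OpenSSH triage, as plugins 22466, 44077, 44078, 31737 and 17703
above do it. Added example, not Nessus code. Fixed versions come from the
plugin entries in this report."""
import re

# plugin id -> (first fixed version, plugin title), from the report above
FIXED_VERSIONS = {
    22466: ((4, 4), "OpenSSH < 4.4 Multiple Vulnerabilities"),
    44077: ((4, 5), "OpenSSH < 4.5 Multiple Vulnerabilities"),
    44078: ((4, 7), "OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass"),
    31737: ((5, 0), "OpenSSH X11 Forwarding Session Hijacking"),
    17703: ((5, 9), "OpenSSH < 5.9 Multiple DoS"),
}

# SSH-<proto>-OpenSSH_<ver>[p<n>][ <vendor suffix>]; case-insensitive because
# plugin 17744 above shows the banner lower-cased.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<port>p\d+)?"
    r"(?:\s+(?P<vendor>.*))?$",
    re.IGNORECASE,
)


def parse_banner(banner: str):
    """Return (version tuple, portable flag, vendor suffix) or None if not OpenSSH."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None
    version = tuple(int(part) for part in match.group("ver").split("."))
    return version, match.group("port") is not None, (match.group("vendor") or "")


def version_lt(a, b) -> bool:
    """Compare dotted versions of unequal length by zero-padding: (4, 1) < (4, 4, 1)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(banner: str) -> dict:
    """Plugin ids whose fixed version is above the banner version, plus the
    backport caveat: a vendor suffix means the upstream version string may not
    reflect the patches actually installed, so confirm via the package manager."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"version": None, "plugins": [], "needs_package_check": False}
    version, _portable, vendor = parsed
    hits = sorted(pid for pid, (fixed, _title) in FIXED_VERSIONS.items()
                  if version_lt(version, fixed))
    return {"version": version, "plugins": hits, "needs_package_check": bool(vendor)}


if __name__ == "__main__":
    # First banner is the one in the report; the other two are constructed.
    for banner in ("SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2",
                   "SSH-2.0-OpenSSH_5.9p1",
                   "SSH-2.0-dropbear_2012.55"):
        print(banner, "->", triage(banner))
```

On the reported host the function returns all five plugin ids and needs_package_check=True; the Ubuntu suffix is exactly the case where dpkg -l openssh-server and the distribution changelog decide whether each CVE is really unpatched, which no banner check can tell.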

39466 (1) - CGI Generic Cross-Site Scripting (quick test)

Synopsis

The remote web server is prone to cross-site scripting attacks.

Description

The remote web server hosts CGI scripts that fail to adequately sanitize request strings containing malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
These XSS are likely to be 'non-persistent' or 'reflected'.
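This finding and the Form_JScript.asp finding (plugin 10572) are the same defect: a query-string value copied into the page without output encoding. The Python below is an added example, not Nessus or Microsoft code. It reproduces the sample page's behaviour for the fname and lname parameters as render_unsafe(), shows the fix as render_safe() (html.escape here, Server.HTMLEncode in classic ASP) and runs the scanner's one-parameter-at-a-time injection loop against both. The payload is the alert(104) image tag Nessus reports for QueryString_VBScript.asp in this plugin's output; the page markup is a simplified reconstruction.

```python
"""Reflected-XSS probe and fix for the sample-page pattern found by plugins
39466 (QueryString_VBScript.asp) and 10572 (Form_JScript.asp). Added example,
not Nessus or Microsoft code: the ASP page's behaviour is reproduced in Python."""
import html
from urllib.parse import urlencode

# The probe Nessus reports for this plugin: a tag that survives only if unencoded.
PAYLOAD = '<IMG SRC="javascript:alert(104);">'


def render_unsafe(fname: str, lname: str) -> str:
    """What the sample page does: copy query-string values straight into HTML."""
    return f"<HTML><BODY>\n<HR>\n{fname} <BR>\n{lname}\n</BODY></HTML>"


def render_safe(fname: str, lname: str) -> str:
    """Same page with output encoding applied at the point of insertion
    (html.escape here; Server.HTMLEncode in classic ASP)."""
    return (f"<HTML><BODY>\n<HR>\n{html.escape(fname, quote=True)} <BR>\n"
            f"{html.escape(lname, quote=True)}\n</BODY></HTML>")


def probe_url(path: str, param: str, payload: str = PAYLOAD) -> str:
    """URL a scanner requests; the payload is percent-encoded on the wire and
    decoded by the server before it reaches the page."""
    return f"{path}?{urlencode({param: payload})}"


def reflects_unescaped(body: str, payload: str = PAYLOAD) -> bool:
    """True if the payload comes back verbatim (tag intact) rather than entity-encoded."""
    return payload in body


def find_reflected_params(render, params, payload: str = PAYLOAD) -> list:
    """Inject into one parameter at a time, leaving the others empty (the
    '&fname=' variants in the plugin output), and report those reflected unencoded."""
    vulnerable = []
    for target in params:
        args = {p: "" for p in params}
        args[target] = payload
        if reflects_unescaped(render(**args), payload):
            vulnerable.append(target)
    return vulnerable


if __name__ == "__main__":
    print(probe_url("/iissamples/sdk/asp/interaction/QueryString_VBScript.asp", "lname"))
    print("unsafe page:", find_reflected_params(render_unsafe, ["fname", "lname"]))
    print("safe page:  ", find_reflected_params(render_safe, ["fname", "lname"]))
```

The check is deliberately a verbatim-substring test: an encoded reflection (&lt;IMG ...&gt;) is harmless and must not be counted, which is also why the fix is output encoding at the sink rather than input filtering at the query string. Removing the /iissamples tree, as the Solution sections of both plugins say, remains the actual remediation for this host.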

See Also

http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://www.nessus.org/u?9717ad85
http://projects.webappsec.org/Cross-Site+Scripting

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF CWE:79
XREF CWE:80
XREF CWE:81
XREF CWE:83
XREF CWE:20
XREF CWE:74
XREF CWE:442
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:811
XREF CWE:751
XREF CWE:801
XREF CWE:116
XREF CWE:692
XREF CWE:86

Plugin Information:

Publication date: 2009/06/19, Modification date: 2013/02/11

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (quick test) :

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SRC="javascript:alert(104);">

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<IMG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SRC="javascript:alert(104);">&fname=

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<IMG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SRC="javascript:alert(104);">

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<IMG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SR
C="javascript:alert(104);">&fname=

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<I
MG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SR
C="javascript:alert(104);">

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<IMG%20SR
C="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SR
C="javascript:alert(104);">&fname=

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<I
MG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">&fname=

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<IM
G%20SRC="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">&fname=

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<IM
G%20SRC="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<IMG%20SRC="javascript:aler
t(104);">

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<IMG SRC="javascript:alert(104);">_VBScript
.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<IMG%20SRC="javascript:alert
(104);">

-------- output --------
<center>
<h4><b>
<A href ="<IMG SRC="javascript:alert(104);">?DontFrame=1" target = "Samp
Main" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<IMG%20SRC="javascript:aler
t(104);">&ovfile=

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<IMG SRC="javascript:alert(104);">_VBScript
.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=&ovfile=<IMG%20SRC="javascr
ipt:alert(104);">

-------- output --------
<center>
<h4><b>
<A href ="<IMG SRC="javascript:alert(104);">?DontFrame=1" target = "Samp
Main" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">&fname=

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<IM
G%20SRC="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=<IMG%20SRC
="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<IMG%20SRC
="javascript:alert(104);">&fname=

-------- output --------

<BR>
<IMG SRC="javascript:alert(104);">

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=&fname=<IM
G%20SRC="javascript:alert(104);">

-------- output --------
<HR>

<IMG SRC="javascript:alert(104);"> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SR
C="javascript:alert(104);">

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=<IMG%20SR
C="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<IMG%20SR
C="javascript:alert(104);">&fname=

-------- output --------
<HR>
<BR>
<IMG SRC="javascript:alert(104);">
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=&fname=<I
MG%20SRC="javascript:alert(104);">

-------- output --------

<HR>
<IMG SRC="javascript:alert(104);"> <BR>

</BODY>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (quick test) :

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>alert(10
2);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>a
lert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=<script>alert(10
2);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=&fname=<script>a
lert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>alert(10
2);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>a
lert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>alert(1
02);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
alert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>alert(1
02);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
alert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>alert(10
2);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>alert(10
2);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>a
lert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>alert(1
02);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
alert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=<script>alert(1
02);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=<script>alert(1
02);</script>&fname=]

-------- output --------

<BR>
<script>alert(102);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
alert(102);</script>]

-------- output --------
<HR>

<script>alert(102);</script> <BR>
<BR>
</BODY>
------------------------

44065 (1) - OpenSSH < 5.2 CBC Plaintext Disclosure

Synopsis

The SSH service running on the remote host has an information disclosure vulnerability.

Description

The version of OpenSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.

See Also

http://www.nessus.org/u?4984aeb9
http://www.openssh.com/txt/cbc.adv
http://www.openssh.com/txt/release-5.2

Solution

Upgrade to OpenSSH 5.2 or later.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)

References

BID 32319
CVE CVE-2008-5161
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200

Plugin Information:

Publication date: 2011/09/27, Modification date: 2011/09/28

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 5.2

44076 (1) - OpenSSH < 4.3 scp Command Line Filename Processing Command Injection

Synopsis

The version of SSH running on the remote host has a command injection vulnerability.

Description

According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.

See Also

https://bugzilla.mindrot.org/show_bug.cgi?id=1094
http://www.openssh.com/txt/release-4.3

Solution

Upgrade to OpenSSH 4.3 or later.

Risk Factor

Medium

CVSS Base Score

4.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

3.8 (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

References

BID 16369
CVE CVE-2006-0225
XREF OSVDB:22692

Plugin Information:

Publication date: 2011/10/04, Modification date: 2012/12/13

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 4.3

44079 (1) - OpenSSH < 4.9 'ForceCommand' Directive Bypass

Synopsis

The remote SSH service is affected by a security bypass vulnerability.

Description

According to its banner, the version of OpenSSH installed on the remote host is earlier than 4.9. It may allow a remote, authenticated user to bypass the 'sshd_config' 'ForceCommand' directive by modifying the '.ssh/rc' session file.

See Also

http://www.openssh.org/txt/release-4.9

Solution

Upgrade to OpenSSH version 4.9 or later.

Risk Factor

Medium

CVSS Base Score

6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Temporal Score

5.4 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

References

BID 28531
CVE CVE-2008-1657
XREF OSVDB:43911
XREF CWE:264

Plugin Information:

Publication date: 2011/10/04, Modification date: 2011/10/05

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 4.9

44081 (1) - OpenSSH < 5.7 Multiple Vulnerabilities

Synopsis

The remote SSH service may be affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7 may be affected by the following vulnerabilities:

- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that Nessus has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)

- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys command options, which allows remote, authenticated users to obtain potentially sensitive information by reading these messages. (CVE-2012-0814)

See Also

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://www.nessus.org/u?3f1722f0

Solution

Upgrade to OpenSSH 5.7 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 45304
BID 51702
CVE CVE-2010-4478
CVE CVE-2012-0814
XREF OSVDB:69658

Plugin Information:

Publication date: 2011/10/04, Modification date: 2012/05/04

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 5.7

44136 (1) - CGI Generic Cookie Injection Scripting

Synopsis

The remote web server is prone to cookie injection attacks.

Description

The remote web server hosts at least one CGI script that fails to adequately sanitize request strings containing malicious JavaScript.

By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

Please note that:

- Nessus did not check if the session fixation attack is feasible.

- This is not the only vector of session fixation.

See Also

http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation
http://www.acros.si/papers/session_fixation.pdf
http://projects.webappsec.org/Session-Fixation

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF CWE:472
XREF CWE:642
XREF CWE:715
XREF CWE:722

Plugin Information:

Publication date: 2010/01/25, Modification date: 2013/01/25

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cookie manipulation :

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>&fname=

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<s
cript>document.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>&fname=

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<s
cript>document.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>&fname=

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<s
cript>document.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>&fname=

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<sc
ript>document.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>&fname=

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<sc
ript>document.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<script>document.cookie="te
stnqll=8017;"</script>

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<script>document.cookie="testnqll=8017;"</s
cript>_VBScript.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<script>document.cookie="tes
tnqll=8017;"</script>

-------- output --------
<center>
<h4><b>
<A href ="<script>document.cookie="testnqll=8017;"</script>?DontFrame=1"
target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<script>document.cookie="te
stnqll=8017;"</script>&ovfile=

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<script>document.cookie="testnqll=8017;"</s
cript>_VBScript.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=&ovfile=<script>document.co
okie="testnqll=8017;"</script>

-------- output --------
<center>
<h4><b>
<A href ="<script>document.cookie="testnqll=8017;"</script>?DontFrame=1"
target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>&fname=

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<sc
ript>document.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=<script>do
cument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<script>do
cument.cookie="testnqll=8017;"</script>&fname=

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=&fname=<sc
ript>document.cookie="testnqll=8017;"</script>

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=<script>d
ocument.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<script>d
ocument.cookie="testnqll=8017;"</script>&fname=

-------- output --------
<HR>
<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=&fname=<s
cript>document.cookie="testnqll=8017;"</script>

-------- output --------

<HR>
<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to cookie manipulation :

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>d
ocument.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=&fname=<script>d
ocument.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>d
ocument.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
document.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
document.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=<script>document
.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=<script>document
.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=<script>d
ocument.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
document.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=<script>documen
t.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=<script>documen
t.cookie="testnqll=8017;"</script>&fname=]

-------- output --------

<BR>
<script>document.cookie="testnqll=8017;"</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=&fname=<script>
document.cookie="testnqll=8017;"</script>]

-------- output --------
<HR>

<script>document.cookie="testnqll=8017;"</script> <BR>
<BR>
</BODY>
------------------------

45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)

Synopsis

The remote mail server may be affected by multiple vulnerabilities.

Description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability :

- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)

- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010 :

http://technet.microsoft.com/en-us/security/bulletin/MS10-024

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

STIG Severity

II

References

BID 39381
CVE CVE-2010-0024
CVE CVE-2010-0025
XREF OSVDB:63738
XREF OSVDB:63739
XREF MSFT:MS10-024
XREF IAVB:2010-B-0029

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2010/04/13, Modification date: 2013/02/01

Hosts

192.168.1.146 (tcp/25)


The remote version of the smtpsvc.dll is 5.0.2195.6713 versus 5.0.2195.7381.

47831 (1) - CGI Generic Cross-Site Scripting (comprehensive test)

Synopsis

The remote web server is prone to cross-site scripting attacks.

Description

The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS issues are likely to be 'non-persistent' or 'reflected'.

See Also

http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://www.nessus.org/u?9717ad85
http://projects.webappsec.org/Cross-Site+Scripting

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF CWE:79
XREF CWE:80
XREF CWE:81
XREF CWE:83
XREF CWE:20
XREF CWE:74
XREF CWE:442
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:811
XREF CWE:751
XREF CWE:801
XREF CWE:116
XREF CWE:692
XREF CWE:87
XREF CWE:85
XREF CWE:86
XREF CWE:84

Plugin Information:

Publication date: 2010/07/26, Modification date: 2013/01/25

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (comprehensive test) :

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<%
20script%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<%
20script%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<%20script%20>%20alert(204)
;%20</%20script%20>

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/< script > alert(204); </ script >_VBScript
.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<%20script%20>%20alert(204);
%20</%20script%20>

-------- output --------
<center>
<h4><b>
<A href ="< script > alert(204); </ script >?DontFrame=1" target = "Samp
Main" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<%20script%20>%20alert(204)
;%20</%20script%20>&ovfile=

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/< script > alert(204); </ script >_VBScript
.asp" target = "SampMain"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=&ovfile=<%20script%20>%20al
ert(204);%20</%20script%20>

-------- output --------
<center>
<h4><b>
<A href ="< script > alert(204); </ script >?DontFrame=1" target = "Samp
Main" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<%2
0script%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<%2
0script%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=&fname=<%2
0script%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=&fname=<%
20script%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<%20script
%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<%20script
%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------

<BR>
< script > alert(204); </ script >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=<%2
0script%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>

< script > alert(204); </ script > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<%20scrip
t%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<%20scrip
t%20>%20alert(204);%20</%20script%20>&fname=

-------- output --------
<HR>
<BR>
< script > alert(204); </ script >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=<%
20script%20>%20alert(204);%20</%20script%20>

-------- output --------

<HR>
< script > alert(204); </ script > <BR>

</BODY>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (comprehensive test) :

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=< script > alert
(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=< script > alert
(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=< script > alert
(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=< script > aler
t(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=< script > alert
(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=< script > alert
(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=< script > aler
t(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=< script > aler
t(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=< script > aler
t(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=< script > aler
t(204); </ script >&fname=]

-------- output --------

<BR>
<script>alert(204);</script> <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=< script
> alert(204); </ script >]

-------- output --------
<HR>

<script>alert(204);</script> <BR>
<BR>
</BODY>
------------------------

49067 (1) - CGI Generic HTML Injections (quick test)

Synopsis

The remote web server may be prone to HTML injections.

Description

The remote web server hosts CGI scripts that fail to adequately sanitize request parameters containing HTML markup. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be rendered in a user's browser within the security context of the affected site.

The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks :

- IFRAME injections allow 'virtual defacement': attacker-chosen content is displayed inside the trusted page, which is a common building block of phishing attacks.

- Cross-site scripting proper is tested in depth by four other plugins.

- Some applications (e.g. web forums) deliberately accept a subset of HTML. If the reflected markup falls within what the application intends to allow, this warning can be ignored.

See Also

http://www.nessus.org/u?f8fdd645

Solution

Either restrict access to the vulnerable application or contact the vendor for an update.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF CWE:80
XREF CWE:86

Plugin Information:

Publication date: 2010/09/01, Modification date: 2013/02/28

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to HTML injection :

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<"kiulwo%
20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>&lname=

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=&lname=<"
kiulwo%20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<"kiulwo%2
0>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>&lname=

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=&lname=<"k
iulwo%20>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<"kiulwo%2
0>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>&lname=

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=&lname=<"k
iulwo%20>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<"kiulwo%
20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>&lname=

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=&lname=<"
kiulwo%20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=<"kiulwo%
20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>&lname=

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=&lname=<"
kiulwo%20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<"kiulwo%20>

-------- output --------
<center>
<h4><b>
<A href ="<"kiulwo >?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<"kiulwo%20>

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<"kiulwo >_VBScript.asp" target = "SampMain
"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<"kiulwo%20>&srcfile=

-------- output --------
<center>
<h4><b>
<A href ="<"kiulwo >?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=&srcfile=<"kiulwo%20>

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/<"kiulwo >_VBScript.asp" target = "SampMain
"> Run Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=<"kiulwo%2
0>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>&lname=

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=&lname=<"k
iulwo%20>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=<"kiulwo%2
0>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=<"kiulwo%2
0>&lname=

-------- output --------
<HR>

<"kiulwo > <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=&lname=<"k
iulwo%20>

-------- output --------

<BR>
<"kiulwo >

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=<"kiulwo%
20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=<"kiulwo%
20>&lname=

-------- output --------

<HR>
<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=&lname=<"
kiulwo%20>

-------- output --------
<HR>
<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)

http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=<"kiulwo%20>
http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=<"kiulwo%20>


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to HTML injection :

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>&ln
ame=]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=&lname=<"kiulwo
%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>&lna
me=]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=&lname=<"kiulwo%
20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>&ln
ame=]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=&lname=<"kiulwo
%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>&lna
me=]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=&lname=<"kiulwo%
20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>&lna
me=]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=&lname=<"kiulwo%
20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=<"kiulwo%20>&lna
me=]

-------- output --------
<HR>

<"kiulwo > <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=&lname=<"kiulwo%
20>]

-------- output --------

<BR>
<"kiulwo >
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>&ln
ame=]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=&lname=<"kiulwo
%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=<"kiulwo%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=<"kiulwo%20>&ln
ame=]

-------- output --------
<HR>

<"kiulwo > <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=&lname=<"kiulwo
%20>]

-------- output --------

<BR>
<"kiulwo > <BR>
</BODY>
</HTML>
------------------------

55903 (1) - CGI Generic Cross-Site Scripting (extended patterns)

Synopsis

The remote web server is prone to cross-site scripting attacks.

Description

The remote web server hosts one or more CGI scripts that fail to adequately sanitize request parameters containing malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected': the payload travels in the request and is echoed straight back in the response, so a victim has to be lured into sending it.

See Also

http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://www.nessus.org/u?9717ad85
http://projects.webappsec.org/Cross-Site+Scripting

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

XREF CWE:79
XREF CWE:80
XREF CWE:81
XREF CWE:83
XREF CWE:20
XREF CWE:74
XREF CWE:442
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:811
XREF CWE:751
XREF CWE:801
XREF CWE:116
XREF CWE:692
XREF CWE:86

Plugin Information:

Publication date: 2011/08/03, Modification date: 2011/10/14

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to cross-site scripting (extended patterns) :

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=509"%20src="http://www.examp
le.com/exploit509.js

-------- output --------
<center>
<h4><b>
<A href ="509" src="http://www.example.com/exploit509.js?DontFrame=1" ta
rget = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=504%20onerror="alert(504);

-------- output --------
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/SDK/as
p/504 onerror="alert(504);_VBScript.asp" target = "SampMain"> VBScript S
ource </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
</b></h4>
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=509"%20src="http://www.examp
le.com/exploit509.js&srcfile=

-------- output --------
<center>
<h4><b>
<A href ="509" src="http://www.example.com/exploit509.js?DontFrame=1" ta
rget = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=&srcfile=504%20onerror="aler
t(504);

-------- output --------
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/504 onerror="alert(504);_VBScript.asp [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/SDK/as
p/504 onerror="alert(504);_VBScript.asp" target = "SampMain"> VBScript S
ource </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
</b></h4>
------------------------

56208 (1) - PCI DSS Compliance : Insecure Communication Has Been Detected

Synopsis

An insecure port, protocol or service has been detected.

Description

Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, he/she may be able to gain control of an application or even gain clear-text access to encrypted data.

Solution

Properly encrypt all authenticated and sensitive communications.

Risk Factor

Medium

Plugin Information:

Publication date: 2011/09/15, Modification date: 2012/08/30

Hosts

192.168.1.146 (tcp/21)


This FTP server does not support 'AUTH TLS'.

56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

Synopsis

It is possible to obtain the host SID for the remote host, without credentials.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier), without credentials.

The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:715

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/11/07

Hosts

192.168.1.146 (tcp/445)


The remote host SID value is :

1-5-21-1123561945-1085031214-839522115

56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials

Synopsis

It is possible to enumerate local users, without credentials.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system without credentials.

Solution

n/a

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:714

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/09/16

Hosts

192.168.1.146 (tcp/445)


- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)

56283 (1) - Linux Kernel TCP Sequence Number Generation Security Weakness

Synopsis

It may be possible to predict TCP/IP Initial Sequence Numbers for the remote host.

Description

The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit this issue to inject arbitrary packets into TCP sessions using a brute force attack.

An attacker may use this vulnerability to create a denial of service condition or a man-in-the-middle attack.

Note that this plugin may fire as a result of a network device (such as a load balancer, VPN, IPS, transparent proxy, etc.) that is vulnerable and that re-writes TCP sequence numbers, rather than the host itself being vulnerable.

See Also

http://lwn.net/Articles/455135/
http://www.nessus.org/u?9881d9af

Solution

Contact the OS vendor for a Linux kernel update / patch.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 49289
CVE CVE-2011-3188
XREF OSVDB:75716

Plugin Information:

Publication date: 2011/09/23, Modification date: 2012/01/30

Hosts

192.168.1.28 (tcp/0)

56818 (1) - CGI Generic Cross-Site Request Forgery Detection (potential)

Synopsis

The remote web server might be prone to cross-site request forgery attacks.

Description

The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The web application might be vulnerable to CSRF attacks.

Note that :

- Nessus did not exploit the flaw,
- Nessus cannot identify sensitive actions -- for example, on an online bank, consulting an account is less sensitive than transferring money.

You will have to audit the source of the CGI scripts and check if they are actually affected.

See Also

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

XREF CWE:352
XREF CWE:716
XREF CWE:751
XREF CWE:801
XREF CWE:814

Plugin Information:

Publication date: 2011/11/17, Modification date: 2013/05/03

Hosts

192.168.1.146 (tcp/80)


The following CGIs are not protected by a random token :
/IIsSamples/sdk/asp/interaction/Form_JScript.asp
/IIsSamples/sdk/asp/docs/
/IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp
/IIsSamples/sdk/asp/database/MultiScrolling_JScript.asp
/IIsSamples/SDK/asp/interaction/Form_JScript.asp
/IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp
/IIsSamples/SDK/asp/database/MultiScrolling_JScript.asp
/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp
/IISSamples/sdk/asp/docs/
/IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp
/IISSamples/sdk/asp/database/MultiScrolling_JScript.asp
/IIsSamples/SDK/asp/docs/
/iissamples/sdk/asp/interaction/QueryString_VBScript.asp
/iissamples/sdk/asp/docs/
/IIsSamples/SDK/asp/docs/Toolbar.asp
/iissamples/sdk/asp/database/MultiScrolling_JScript.asp
/iissamples/sdk/asp/database/MultiScrolling_VBScript.asp
/iissamples/sdk/asp/interaction/Form_JScript.asp
/iissamples/sdk/asp/interaction/Form_VBScript.asp
/iissamples/sdk/asp/interaction/QueryString_JScript.asp
/IISSamples/sdk/asp/interaction/Form_JScript.asp
/IISSamples/sdk/asp/interaction/Form_VBScript.asp
/IISSamples/sdk/asp/interaction/QueryString_JScript.asp
/IIsSamples/SDK/asp/interaction/Form_VBScript.asp
/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp
/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp
/IIsSamples/sdk/asp/interaction/Form_VBScript.asp
/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp
/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp

57608 (1) - SMB Signing Disabled

Synopsis

Signing is disabled on the remote SMB server.

Description

Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the Local Security Policy. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2013/10/24

Hosts

192.168.1.146 (tcp/445)

67140 (1) - OpenSSH LoginGraceTime / MaxStartups DoS

Synopsis

The remote SSH service is susceptible to a remote denial of service attack.

Description

According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service.

Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.

See Also

http://www.openwall.com/lists/oss-security/2013/02/06/5
http://openssh.org/txt/release-6.2
http://tools.cisco.com/security/center/viewAlert.x?alertId=28883

Solution

Upgrade to OpenSSH 6.2 and review the associated server configuration settings.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 58162
CVE CVE-2010-5107
XREF OSVDB:90007

Plugin Information:

Publication date: 2013/07/03, Modification date: 2013/11/22

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 6.2

19592 (1) - OpenSSH < 4.2 Multiple Vulnerabilities

Synopsis

The remote SSH server has multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities :

- X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797)

- GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)

- Attempting to log in as a nonexistent user causes the authentication process to hang, which could be exploited to enumerate valid user accounts. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393)

- Repeatedly attempting to log in as a nonexistent user could result in a denial of service. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393)

See Also

http://www.openssh.com/txt/release-4.2
http://lists.apple.com/archives/security-announce/2006/Aug/msg00000.html
http://docs.info.apple.com/article.html?artnum=304063

Solution

Upgrade to OpenSSH 4.2 or later. For OpenSSH on Mac OS X 10.4.x, apply Mac OS X Security Update 2006-004.

Risk Factor

Low

CVSS Base Score

3.5 (CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVSS Temporal Score

2.7 (CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N)

References

BID 14727
BID 14729
BID 19289
CVE CVE-2005-2797
CVE CVE-2005-2798
CVE CVE-2006-0393
XREF OSVDB:19141
XREF OSVDB:19142
XREF OSVDB:27745

Plugin Information:

Publication date: 2005/09/07, Modification date: 2011/11/18

Hosts

192.168.1.28 (tcp/22)

34324 (1) - FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522
XREF CWE:523

Plugin Information:

Publication date: 2008/10/01, Modification date: 2013/01/25

Hosts

192.168.1.146 (tcp/21)


This FTP server does not support 'AUTH TLS'.

44080 (1) - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking

Synopsis

The remote SSH service may be affected by an X11 forwarding port hijacking vulnerability.

Description

According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to hijack the X11 forwarding port. The application improperly sets the 'SO_REUSEADDR' socket option when the 'X11UseLocalhost' configuration option is disabled.

Note that most operating systems, when attempting to bind to a port that has previously been bound with the 'SO_REUSEADDR' option, will check that either the effective user-id matches the previous bind (common BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). This is not the case with other operating systems such as HP-UX.

See Also

http://www.openssh.org/txt/release-5.1

Solution

Upgrade to OpenSSH version 5.1 or later.

Risk Factor

Low

CVSS Base Score

1.2 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

1.0 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)

References

BID 30339
CVE CVE-2008-3259
XREF OSVDB:47227
XREF CWE:200

Plugin Information:

Publication date: 2011/10/04, Modification date: 2013/03/20

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 5.1

53841 (1) - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure

Synopsis

Local attackers may be able to access sensitive information.

Description

According to its banner, the version of OpenSSH running on the remote host is earlier than 5.8p2. Such versions may be affected by a local information disclosure vulnerability that could allow the contents of the host's private key to be accessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow the impersonation of the host.

Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the case for *BSD, OS X, Cygwin and Linux.

See Also

http://www.openssh.com/txt/portable-keysign-rand-helper.adv
http://www.openssh.com/txt/release-5.8p2

Solution

Upgrade to Portable OpenSSH 5.8p2 or later.

Risk Factor

Low

CVSS Base Score

2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

1.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

References

BID 47691
XREF OSVDB:72183
XREF Secunia:44347

Plugin Information:

Publication date: 2011/05/09, Modification date: 2011/11/15

Hosts

192.168.1.28 (tcp/22)


Version source : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
Installed version : 4.1p1
Fixed version : 5.8p2

70658 (1) - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

1.9 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2013/10/28

Hosts

192.168.1.28 (tcp/22)


The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

71049 (1) - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Hosts

192.168.1.28 (tcp/22)


The following client-to-server Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

11219 (14) - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2013/10/15

Hosts

192.168.1.28 (tcp/22)

Port 22/tcp was found to be open

192.168.1.28 (tcp/80)

Port 80/tcp was found to be open

192.168.1.146 (tcp/21)

Port 21/tcp was found to be open

192.168.1.146 (tcp/25)

Port 25/tcp was found to be open

192.168.1.146 (tcp/80)

Port 80/tcp was found to be open

192.168.1.146 (tcp/135)

Port 135/tcp was found to be open

192.168.1.146 (tcp/139)

Port 139/tcp was found to be open

192.168.1.146 (tcp/443)

Port 443/tcp was found to be open

192.168.1.146 (tcp/445)

Port 445/tcp was found to be open

192.168.1.146 (tcp/1025)

Port 1025/tcp was found to be open

192.168.1.146 (tcp/1026)

Port 1026/tcp was found to be open

192.168.1.146 (tcp/1030)

Port 1030/tcp was found to be open

192.168.1.146 (tcp/1086)

Port 1086/tcp was found to be open

192.168.1.146 (tcp/3372)

Port 3372/tcp was found to be open

10736 (7) - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Hosts

192.168.1.146 (tcp/135)


The following DCERPC services are available locally :

Object UUID : 91bd414f-5bd4-4f23-9870-718c93344194
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : b095229a-a4f9-4f8c-9399-f77185c1f26d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : b8141b76-4631-4612-9bc7-8b04c0f009b2
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : edc19f44-389c-40df-8e42-c15127914c9d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : 5229507d-ab8a-49e8-931b-afbb1315f109
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLEf

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000210.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000210.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : ntsvcs

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : DNSResolver

192.168.1.146 (tcp/445)


The following DCERPC services are available remotely :

Object UUID : 5229507d-ab8a-49e8-931b-afbb1315f109
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
Named pipe : \pipe\WMIEP_378
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\ntsvcs
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\scerpc
Netbios name : \\WINDOWS2000

192.168.1.146 (tcp/1025)


The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.146

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.146

192.168.1.146 (tcp/1026)


The following DCERPC services are available on TCP port 1026 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.1.146

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.1.146

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.1.146

192.168.1.146 (udp/1027)


The following DCERPC services are available on UDP port 1027 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
UDP Port : 1027
IP : 192.168.1.146

192.168.1.146 (udp/1028)


The following DCERPC services are available on UDP port 1028 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
UDP Port : 1028
IP : 192.168.1.146

192.168.1.146 (tcp/1086)


The following DCERPC services are available on TCP port 1086 :

Object UUID : 91bd414f-5bd4-4f23-9870-718c93344194
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.1.146

Object UUID : b095229a-a4f9-4f8c-9399-f77185c1f26d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.1.146

Object UUID : b8141b76-4631-4612-9bc7-8b04c0f009b2
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.1.146

Object UUID : edc19f44-389c-40df-8e42-c15127914c9d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.1.146

22964 (5) - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2013/11/19

Hosts

192.168.1.28 (tcp/22)

An SSH server is running on this port.

192.168.1.28 (tcp/80)

A web server is running on this port.

192.168.1.146 (tcp/21)

An FTP server is running on this port.

192.168.1.146 (tcp/25)

An SMTP server is running on this port.

192.168.1.146 (tcp/80)

A web server is running on this port.

10114 (2) - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Hosts

192.168.1.28 (icmp/0)

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 30322 seconds.

192.168.1.146 (icmp/0)

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -37989 seconds.

10287 (2) - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Hosts

192.168.1.28 (udp/0)

For your information, here is the traceroute from 192.168.1.232 to 192.168.1.28 :
192.168.1.232
192.168.1.28

192.168.1.146 (udp/0)

For your information, here is the traceroute from 192.168.1.232 to 192.168.1.146 :
192.168.1.232
192.168.1.146

10662 (2) - Web mirroring

Synopsis

Nessus crawled the remote web site.

Description

This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the 'Options' section of the client.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/05/04, Modification date: 2013/04/11

Hosts

192.168.1.28 (tcp/80)


Webmirror performed 384 queries in 1201s (0.319 queries per second)

The following CGI have been discovered:


+ CGI: /phpmyadmin/left.php
Methods: GET
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: lang
Value: en-iso-8859-1
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: dDcJDLq5nFmOva0s9fFOHGENtx7
Argument: target
Value: main.php


+ CGI: /phpmyadmin/main.php
Methods: GET
Argument:
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: lang
Value: en-iso-8859-1
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: dDcJDLq5nFmOva0s9fFOHGENtx7
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Argument: target
Value: main.php


+ CGI: /phpbb/index.php
Methods: GET
Argument: mark
Value: forums
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f


+ CGI: /phpbb/search.php
Methods: GET
Argument: mode
Value: results
Argument: search_author
Value: phpbb
Argument: search_id
Value: unanswered
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f


+ CGI: /phpbb/faq.php
Methods: GET
Argument: mode
Value: bbcode
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f


+ CGI: /phpbb/memberlist.php
Methods: GET,POST
Argument: mode
Value: posts
Value: joined
Value: username
Value: location
Value: email
Value: website
Value: topten
Argument: order
Value: ASC
Value: DESC
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f
Argument: submit
Value: Sort


+ CGI: /phpbb/login.php
Methods: GET,POST
Argument: autologin
Argument: login
Value: Log in
Argument: password
Argument: redirect
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f
Argument: username


+ CGI: /phpbb/profile.php
Methods: GET,POST
Argument: agreed
Value: true
Argument: aim
Argument: allowbbcode
Value: 1
Value: 0
Argument: allowhtml
Value: 1
Value: 0
Argument: allowsmilies
Value: 1
Value: 0
Argument: attachsig
Value: 1
Value: 0
Argument: confirm_code
Argument: confirm_id
Value: 69558260a54e9fe892638c8e4f3759be
Value: 8823e93f1141ae2bbdb31a667a667fb5
Argument: coppa
Value: 1
Value: 0
Value: true
Argument: dateformat
Value: D M d, Y g:i a
Argument: email
Argument: hideonline
Value: 1
Value: 0
Argument: icq
Argument: interests
Argument: language
Value: english
Argument: location
Argument: mode
Value: register
Value: viewprofile
Value: sendpassword
Argument: msn
Argument: new_password
Argument: notifypm
Value: 1
Value: 0
Argument: notifyreply
Value: 1
Value: 0
Argument: occupation
Argument: password_confirm
Argument: popup_pm
Value: 1
Value: 0
Argument: reset
Value: Reset
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f
Argument: style
Value: 1
Value: 2
Argument: submit
Value: Submit
Argument: timezone
Value: 1
Value: 2
Value: 10
Value: 11
Value: 12
Value: 5
Value: 0
Value: -1
Value: 7
Value: 3
Value: 4
Value: 13
Value: 9
Value: 6
Value: 8
Value: -12
Value: -11
Value: -10
Value: -9
Value: -8
Value: -7
Value: -6
Value: -5
Value: -4
Value: -3.5
Value: -3
Value: -2
Value: 3.5
Value: 4.5
Value: 5.5
Value: 6.5
Value: 9.5
Argument: u
Value: 2
Argument: username
Argument: viewemail
Value: 1
Value: 0
Argument: website
Argument: yim


+ CGI: /phpbb/viewforum.php
Methods: GET
Argument: f
Value: 1
Value: -1
Argument: mark
Value: topics
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091
Value: ee79eca05ec3e6d641fdcbf3f5dc241f
Argument: start
Value: 0


+ CGI: /phpbb/viewtopic.php
Methods: GET
Argument: highlight
Value: #1
Argument: p
Value: 1
Value: 1#1
Argument: postdays
Value: 0
Argument: postorder
Value: asc
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2#1
Value: 8182a71e0e37a39d75041d6e818cc091#1
Argument: start
Value: 0
Argument: t
Value: 1
Argument: view
Value: previous
Value: next


+ CGI: /phpbb/viewonline.php
Methods: GET
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Value: 8182a71e0e37a39d75041d6e818cc091


+ CGI: /phpbb/login.php?sid=3c0785e3b07504ca6304aa1f5a5cc1d2
Methods: POST
Argument: autologin
Argument: login
Value: Log in
Argument: password
Argument: username


+ CGI: /phpwebsite/index.php
Methods: GET,POST
Argument:
Argument: FAQ_op
Value: viewFAQs
Value: suggestFAQ
Argument: FAQ_user
Value: normal
Argument: MMN_position
Value: 1:1
Value: 2:1
Argument: PAGE_id
Value: 1
Argument: PAGE_user_op
Value: view_printable
Argument: calendar[user]
Value: changeBoxMonth
Value: userEvent
Argument: calendar[view]
Value: month
Value: year
Value: week
Value: day
Argument: day
Value: 1
Value: 2
Value: 10
Value: 11
Value: 12
Value: 5
Value: 7
Value: 14
Value: 30
Value: 3
Value: 4
Value: 25
Value: 13
Value: 15
Value: 9
Value: 17
Value: 18
Value: 19
Value: 21
Value: 22
Value: 23
Value: 26
Value: 27
Value: 29
Value: 31
Value: 28
Value: 6
Value: 8
Value: 20
Value: 24
Value: 16
Value: 01
Value: 02
Value: 03
Value: 04
Value: 06
Value: 08
Argument: lay_quiet
Value: 1
Argument: mod
Value: calendar
Value: faq
Argument: module
Value: calendar
Value: pagemaster
Value: search
Value: faq
Argument: month
Value: 1
Value: 2
Value: 10
Value: 11
Value: 12
Value: 5
Value: 7
Value: 3
Value: 4
Value: 9
Value: 6
Value: 8
Value: 01
Value: 02
Argument: newEvent
Value: Submit Event
Argument: query
Argument: search
Value: Search
Argument: search_op
Value: search
Argument: year
Value: 2013
Value: 2012
Value: 2014
Value: 2011
Value: 2015


+ CGI: /drupal/
Methods: GET
Argument: destination
Value: node
Value: blog
Value: contact
Value: forum
Value: tracker
Value: filter%2Ftips
Value: blog%2F1
Value: node%2F1
Value: comment%2Freply%2F1%23comment_form
Argument: q
Value: admin/menu
Value: user/register
Value: user/password
Value: node
Value: blog
Value: filter/tips
Value: contact
Value: forum
Value: tracker
Value: node/1
Value: blog/1
Value: user
Value: blog/feed
Value: user/login
Value: forum/1
Value: blog/1/feed


+ CGI: /drupal/?q=node&destination=
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /joomla/index.php?option=com_search&Itemid=5
Methods: GET
Argument: Itemid
Value: 5
Argument: option
Value: com_search
Argument: searchword
Value: search...


+ CGI: /joomla/index.php
Methods: GET
Argument: Itemid
Value: 5
Argument: option
Value: com_search
Argument: ordering
Value: newest
Value: oldest
Value: popular
Value: alpha
Value: category
Argument: searchphrase
Value: any
Value: all
Value: exact
Argument: searchword
Argument: submit
Value: Search


+ CGI: /dotproject/index.php
Methods: POST
Argument: login
Value: 1385489397
Value: login
Value: 1385489411
Argument: lostpass
Value: 0
Argument: password
Argument: redirect
Argument: username


+ CGI: /owl/index.php
Methods: GET,POST
Argument: login
Value: 1
Argument: loginname
Argument: password


+ CGI: /moodle/index.php
Methods: GET
Argument: cal_m
Value: 1
Value: 10
Value: 11
Value: 12
Value: 9
Argument: cal_y
Value: 2013
Value: 2014


+ CGI: /serendipity/index.php
Methods: GET
Argument:
Value: /archives/2013/11.html
Value: /archives/2013/10.html
Value: /archives/2013/09.html
Value: /feeds/index.rss
Value: /feeds/index.rss1
Value: /feeds/index.rss2
Value: /feeds/atom03.xml
Value: /feeds/atom10.xml
Value: /feeds/comments.rss2
Value: /admin
Argument: serendipity[action]
Value: search
Argument: serendipity[searchTerm]


+ CGI: /sugarcrm/index.php
Methods: GET,POST
Argument: Login
Value: Login
Argument: action
Value: Login
Value: DetailView
Value: ListView
Value: Logout
Value: About
Value: Authenticate
Argument: cant_login
Argument: gmto
Argument: login_action
Argument: login_language
Value: en_us
Argument: login_module
Argument: login_record
Argument: login_theme
Value: Awesome80s
Value: FinalFrontier
Value: GoldenGate
Value: Links
Value: Love
Value: Paradise
Value: Pipeline
Value: Retro
Value: RipCurl
Value: Shred
Value: Sugar
Value: SugarClassic
Value: SugarLite
Value: Sunset
Value: WhiteSands
Argument: module
Value: Users
Value: Employees
Value: Home
Argument: record
Argument: return_action
Value: Login
Argument: return_module
Value: Users
Argument: user_name
Argument: user_password


+ CGI: /webcalendar/login.php
Methods: GET,POST
Argument:
Argument: login
Argument: password
Argument: remember
Value: yes


+ CGI: /phpmyadmin/css/phpmyadmin.css.php
Methods: GET
Argument:
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: js_frame
Value: left
Value: right
Argument: lang
Value: en-iso-8859-1


+ CGI: /phpmyadmin/querywindow.php
Methods: GET
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: lang
Value: en-iso-8859-1
Argument: no_js
Value: true
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf


+ CGI: /phpmyadmin/Documentation.html
Methods: GET
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf


+ CGI: /phpmyadmin/index.php
Methods: GET,POST
Argument:
Argument: Go
Value: Go
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: db
Value: bugzilla
Value: dotproject
Value: drupal
Value: egroupware
Value: gallery
Value: joomla
Value: mediawiki
Value: moodle
Value: mysql
Value: oscommerce
Value: owl
Value: phpadsnew
Value: phpbb
Value: phpwebsite
Value: serendipity
Value: smarty
Value: sugarcrm
Value: textpattern
Value: tikiwiki
Value: webcalendar
Value: wordpress
Value: zencart
Argument: lang
Value: en-iso-8859-1
Value: af-iso-8859-1
Value: af-utf-8
Value: sq-iso-8859-1
Value: sq-utf-8
Value: ar-utf-8
Value: ar-win1256
Value: az-iso-8859-9
Value: az-utf-8
Value: eu-iso-8859-1
Value: eu-utf-8
Value: becyr-utf-8
Value: becyr-win1251
Value: belat-utf-8
Value: bs-utf-8
Value: bs-win1250
Value: ptbr-iso-8859-1
Value: ptbr-utf-8
Value: bg-koi8-r
Value: bg-utf-8
Value: bg-win1251
Value: ca-iso-8859-1
Value: ca-utf-8
Value: zh-gb2312
Value: zh-utf-8
Value: zhtw-big5
Value: zhtw-utf-8
Value: hr-iso-8859-2
Value: hr-utf-8
Value: hr-win1250
Value: cs-iso-8859-2
Value: cs-utf-8
Value: cs-win1250
Value: da-iso-8859-1
Value: da-utf-8
Value: nl-iso-8859-1
Value: nl-iso-8859-15
Value: nl-utf-8
Value: en-iso-8859-15
Value: en-utf-8
Value: et-iso-8859-1
Value: et-utf-8
Value: fi-iso-8859-1
Value: fi-iso-8859-15
Value: fi-utf-8
Value: fr-iso-8859-1
Value: fr-iso-8859-15
Value: fr-utf-8
Value: gl-iso-8859-1
Value: gl-utf-8
Value: ka-utf-8
Value: de-iso-8859-1
Value: de-iso-8859-15
Value: de-utf-8
Value: el-iso-8859-7
Value: el-utf-8
Value: he-iso-8859-8-i
Value: he-utf-8
Value: hi-utf-8
Value: hu-iso-8859-2
Value: hu-utf-8
Value: id-iso-8859-1
Value: id-utf-8
Value: it-iso-8859-1
Value: it-iso-8859-15
Value: it-utf-8
Value: ja-euc
Value: ja-sjis
Value: ja-utf-8
Value: ko-euc-kr
Value: ko-utf-8
Value: lv-utf-8
Value: lv-win1257
Value: lt-utf-8
Value: lt-win1257
Value: ms-iso-8859-1
Value: ms-utf-8
Value: mn-utf-8
Value: no-iso-8859-1
Value: no-utf-8
Value: fa-utf-8
Value: fa-win1256
Value: pl-iso-8859-2
Value: pl-utf-8
Value: pl-win1250
Value: pt-iso-8859-1
Value: pt-iso-8859-15
Value: pt-utf-8
Value: ro-iso-8859-1
Value: ro-utf-8
Value: ru-cp-866
Value: ru-koi8-r
Value: ru-utf-8
Value: ru-win1251
Value: srcyr-utf-8
Value: srcyr-win1251
Value: srlat-utf-8
Value: srlat-win1250
Value: sk-iso-8859-2
Value: sk-utf-8
Value: sk-win1250
Value: sl-iso-8859-2
Value: sl-utf-8
Value: sl-win1250
Value: es-iso-8859-1
Value: es-iso-8859-15
Value: es-utf-8
Value: sv-iso-8859-1
Value: sv-utf-8
Value: tt-iso-8859-9
Value: tt-utf-8
Value: th-tis-620
Value: th-utf-8
Value: tr-iso-8859-9
Value: tr-utf-8
Value: uk-utf-8
Value: uk-win1251
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Value: 2GtqjMfzcBy-ubeBJAkchO081Wd
Argument: server
Value: 1
Argument: set_theme
Value: darkblue_orange
Value: original
Argument: target
Value: main.php
Value: querywindow.php
Value: db_create.php
Value: server_variables.php
Value: server_status.php
Value: server_engines.php
Value: server_processlist.php
Value: server_databases.php
Value: server_export.php
Value: server_import.php


+ CGI: /phpmyadmin/css/print.css
Methods: GET
Argument:
Argument: collation_connection
Value: utf8_unicode_ci
Argument: convcharset
Value: iso-8859-1
Argument: lang
Value: en-iso-8859-1


+ CGI: /phpmyadmin/db_create.php
Methods: POST
Argument: db
Argument: reload
Value: 1


+ CGI: /phpmyadmin/server_status.php
Methods: GET
Argument:
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_variables.php
Methods: GET
Argument:
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_processlist.php
Methods: GET
Argument:
Argument: full
Value: 1
Argument: kill
Value: 212354
Value: 212371
Value: 212376
Value: 212393
Value: 212415
Value: 212417
Value: 212438
Value: 212439
Value: 212440
Value: 212445
Value: 212447
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_engines.php
Methods: GET
Argument:
Argument: engine
Value: myisam
Value: merge
Value: heap
Value: memory
Value: bdb
Value: innodb
Value: isam
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_privileges.php
Methods: GET
Argument:
Argument: checkprivs
Value: bugzilla
Value: dotproject
Value: drupal
Value: egroupware
Value: gallery
Value: joomla
Value: mediawiki
Value: moodle
Value: mysql
Value: oscommerce
Value: owl
Value: phpadsnew
Value: phpbb
Value: phpwebsite
Value: serendipity
Value: smarty
Value: sugarcrm
Value: textpattern
Value: tikiwiki
Value: webcalendar
Value: wordpress
Value: zencart
Argument: flush_privileges
Value: 1
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_binlog.php
Methods: GET
Argument:
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpmyadmin/server_databases.php
Methods: GET,POST
Argument:
Argument: checkall
Value: 1
Argument: dbstats
Value: 1
Value: 0
Argument: drop_selected_dbs
Value: Drop
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Argument: selected_db[]
Value: bugzilla
Value: dotproject
Value: drupal
Value: egroupware
Value: gallery
Value: joomla
Value: mediawiki
Value: moodle
Value: mysql
Value: oscommerce
Value: owl
Value: phpadsnew
Value: phpbb
Value: phpwebsite
Value: serendipity
Value: smarty
Value: sugarcrm
Value: textpattern
Value: tikiwiki
Value: webcalendar
Value: wordpress
Value: zencart
Argument: sort_by
Value: SCHEMA_NAME
Argument: sort_order
Value: asc
Value: desc


+ CGI: /phpmyadmin/server_export.php
Methods: GET
Argument:
Argument: goto
Value: db_details_export.php
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Argument: selectall
Value: 1


+ CGI: /phpmyadmin/server_import.php
Methods: GET
Argument:
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf


+ CGI: /phpbb/search.php?mode=results
Methods: POST
Argument: return_chars
Value: 0
Value: -1
Value: 25
Value: 50
Value: 100
Value: 200
Value: 300
Value: 400
Value: 500
Value: 600
Value: 700
Value: 800
Value: 900
Value: 1000
Argument: search_author
Argument: search_cat
Value: 1
Value: -1
Argument: search_fields
Value: all
Value: msgonly
Argument: search_forum
Value: 1
Value: -1
Argument: search_keywords
Argument: search_terms
Value: any
Value: all
Argument: search_time
Value: 1
Value: 0
Value: 7
Value: 14
Value: 30
Value: 90
Value: 180
Value: 364
Argument: show_results
Value: posts
Value: topics
Argument: sort_by
Value: 1
Value: 2
Value: 0
Value: 3
Value: 4
Argument: sort_dir
Value: ASC
Value: DESC


+ CGI: /phpbb/privmsg.php
Methods: GET
Argument: mode
Value: post
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2
Argument: u
Value: 2


+ CGI: /phpbb/viewforum.php?sid=3c0785e3b07504ca6304aa1f5a5cc1d2
Methods: GET
Argument: f
Value: 1
Value: -1
Argument: sid
Value: 3c0785e3b07504ca6304aa1f5a5cc1d2


+ CGI: /phpbb/posting.php
Methods: GET
Argument: f
Value: 1
Argument: mode
Value: newtopic
Value: reply
Value: quote
Argument: p
Value: 1
Argument: t
Value: 1


+ CGI: /phpbb/viewforum.php?f=1&start=0
Methods: POST
Argument: submit
Value: Go
Argument: topicdays
Value: 1
Value: 0
Value: 7
Value: 14
Value: 30
Value: 90
Value: 180
Value: 364


+ CGI: /phpbb/viewtopic.php?t=1&start=0
Methods: POST
Argument: postdays
Value: 1
Value: 0
Value: 7
Value: 14
Value: 30
Value: 90
Value: 180
Value: 364
Argument: postorder
Value: asc
Value: desc
Argument: submit
Value: Go


+ CGI: /drupal/?q=user/register
Methods: POST
Argument: edit[form_id]
Value: user_register
Argument: edit[mail]
Argument: edit[name]
Argument: op
Value: Create new account


+ CGI: /drupal/?q=user
Methods: POST
Argument: edit[form_id]
Value: user_login
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=user/password
Methods: POST
Argument: edit[form_id]
Value: user_pass
Argument: edit[mail]
Argument: edit[name]
Argument: op
Value: E-mail new password


+ CGI: /drupal/?q=blog&destination=blog
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=filter/tips&destination=filter%2Ftips
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=contact&destination=contact
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=forum&destination=forum
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=node&destination=node
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=tracker&destination=tracker
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=blog/1&destination=blog%2F1
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /drupal/?q=node/1&destination=node%2F1
Methods: POST
Argument: edit[form_id]
Value: user_login_block
Argument: edit[name]
Argument: edit[pass]
Argument: op
Value: Log in


+ CGI: /mediawiki/index.php
Methods: GET
Argument: action
Value: edit
Value: history
Argument: oldid
Value: 1523
Argument: printable
Value: yes
Argument: returnto
Value: Main_Page
Argument: section
Value: 1
Value: 2
Value: 5
Value: 3
Value: 4
Value: 6
Argument: title
Value: Main_Page
Value: Bugzilla
Value: Zen_Cart
Value: Tikiwiki
Value: Web_Calendar
Value: Ubuntu
Value: Apache_HTTPD_Server
Value: MySQL
Value: PHP
Value: Perl
Value: Python
Value: Talk:Main_Page
Value: Special:Userlogin


+ CGI: /mediawiki/index.php/Special:Search
Methods: GET
Argument: fulltext
Value: Search
Argument: go
Value: Go
Argument: search


+ CGI: /owl/locale/English/help/help_browse.php
Methods: GET
Argument: curview
Value: 0
Argument: expand
Value: 1
Argument: order
Value: name
Argument: parent
Value: 1
Argument: sess
Value: 0
Argument: sortname


+ CGI: /owl/showrecords.php
Methods: GET
Argument: curview
Value: 0
Argument: expand
Value: 1
Argument: sess
Value: 0
Argument: type
Value: n
Value: u
Value: m
Value: g
Value: br


+ CGI: /owl/dbmodify.php
Methods: GET,POST
Argument: action
Value: go_fav
Value: set_intial
Argument: add_favorite_0
Value: Add Current
Argument: bcheckout_x
Value: Bulk Checkout
Argument: bdeleteaction_x
Value: Bulk Delete
Argument: bdlaction_x
Value: Bulk Download
Argument: bemailaction_x
Value: Bulk E-Mail
Argument: bmoveaction_x
Value: Bulk Move
Argument: curview
Value: 0
Argument: del_favorite_0
Value: Delete
Argument: expand
Value: 1
Argument: favorite_id_0
Value: 1
Argument: go_favorite_0
Value: Go
Argument: order
Value: name
Argument: parent
Value: 1
Argument: sess
Value: 0
Argument: sort
Value: ASC
Argument: sortname
Value: ASC


+ CGI: /owl/modify.php
Methods: GET
Argument:
Value: ASC
Argument: action
Value: folder_create
Value: zip_upload
Value: file_upload
Argument: curview
Value: 0
Argument: expand
Value: 1
Argument: order
Value: name
Argument: parent
Value: 1
Argument: sess
Value: 0
Argument: type
Value: url
Value: note


+ CGI: /owl/browse.php
Methods: GET
Argument:
Value: ASC
Argument: curview
Value: 1
Value: 0
Argument: expand
Value: 1
Value: 0
Argument: order
Value: name
Value: major_minor_revision
Value: filename
Value: f_size
Value: creatorid
Value: smodified
Value: checked_out
Argument: parent
Value: 1
Argument: sess
Value: 0
Argument: sortcheckedout
Value: DESC
Argument: sortfilename
Value: ASC
Argument: sortmod
Value: ASC
Argument: sortname
Value: ASC
Value: DESC
Argument: sortposted
Value: ASC
Argument: sortsize
Value: ASC
Argument: sortver
Value: ASC


+ CGI: /owl/sitemap.php
Methods: GET
Argument: curview
Value: 0
Argument: expand
Value: 1
Argument: order
Value: name
Argument: sess
Value: 0
Argument: sortname
Value: ASC


+ CGI: /owl/search.php
Methods: POST
Argument: boolean
Value: any
Value: all
Value: phrase
Argument: currentfolder
Value: 1
Argument: curview
Value: 0
Argument: expand
Value: 1
Argument: order
Value: name
Argument: parent
Value: 1
Argument: query
Argument: search_1
Value: Search
Argument: sess
Value: 0
Argument: sort
Value: ASC
Argument: withindocs
Value: 1


+ CGI: /tikiwiki/tiki-wiki_rss.php
Methods: GET
Argument: ver
Value: 2


+ CGI: /tikiwiki/tiki-editpage.php
Methods: GET
Argument: page
Value: sandbox


+ CGI: /tikiwiki/tiki-index.php
Methods: GET
Argument: page
Value: HomePage


+ CGI: /tikiwiki/tiki-print.php
Methods: GET
Argument: page
Value: HomePage


+ CGI: /tikiwiki/tiki-user_information.php
Methods: GET
Argument: view_user
Value: admin


+ CGI: /tikiwiki/tiki-pagehistory.php
Methods: GET
Argument: page
Value: HomePage
Argument: source
Value: 0


+ CGI: /tikiwiki/tiki-likepages.php
Methods: GET
Argument: page
Value: HomePage


+ CGI: /egroupware/login.php
Methods: POST
Argument: account_type
Value: u
Argument: login
Argument: passwd
Argument: passwd_type
Value: text
Argument: submitit
Value: Login


+ CGI: /tikiwiki/tiki-login.php
Methods: POST
Argument: login
Value: login
Argument: pass
Argument: stay_in_ssl_mode
Argument: user


+ CGI: /gallery/main.php
Methods: GET,POST
Argument:
Argument: g2_controller
Value: cart.AddToCart
Argument: g2_form%5BuseDefaultSettings%5D
Value: 1
Argument: g2_formUrl
Value: main.php
Argument: g2_form[formName]
Value: search_SearchBlock
Argument: g2_form[searchCriteria]
Value: Search the Gallery
Argument: g2_form[useDefaultSettings]
Value: 1
Argument: g2_itemId
Value: 7
Argument: g2_return
Value: main.php
Value: main.php%3F
Argument: g2_returnName
Value: album
Argument: g2_subView
Value: core.UserLogin
Value: register.UserSelfRegistration
Argument: g2_view
Value: core.UserAdmin
Value: search.SearchScan
Value: rss.SimpleRender
Value: slideshow.Slideshow
Value: slideshowapplet.SlideshowApplet


+ CGI: /sugarcrm/themes/Sugar/calendar-win2k-cold-1.css
Methods: GET
Argument: c
Argument: s
Value: 4.2.0a


+ CGI: /sugarcrm/themes/Sugar/navigation.css
Methods: GET
Argument: c
Argument: s
Value: 4.2.0a


+ CGI: /sugarcrm/index.php?action=Login&module=Users
Methods: GET
Argument: action
Value: UnifiedSearch
Argument: module
Value: Home
Argument: search_form
Value: false


+ CGI: /phpmyadmin/server_sql.php
Methods: GET
Argument:
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Argument: show_query
Value: 1#querybox
Argument: sql_query
Value: SHOW+PROCESSLIST


+ CGI: /phpmyadmin/import.php
Methods: GET,POST
Argument:
Argument: MAX_FILE_SIZE
Value: 10485760
Argument: SQL
Value: Go
Argument: allow_interrupt
Value: yes
Argument: format
Value: sql
Argument: goto
Value: server_sql.php
Argument: import_file
Argument: import_type
Value: server
Argument: is_js_confirmed
Value: 0
Argument: phpMyAdmin
Value: tm-O-TwSyDDifLofdRN-c32GPJf
Argument: pos
Value: 0
Argument: prev_sql_query
Argument: show_as_php
Value: 1
Argument: show_query
Value: 1
Argument: skip_queries
Value: 0
Argument: sql_query
Value: SHOW+PROCESSLIST
Argument: zero_rows
Value: Your SQL query has been executed successfully


+ CGI: /phpmyadmin/tbl_properties.php
Methods: GET
Argument:
Argument: show_query
Value: 1
Argument: sql_query
Value: CREATE+DATABASE+%3B


+ CGI: /phpmyadmin/
Methods: GET
Argument:
Argument: flush
Value: STATUS
Value: QUERY+CACHE
Value: TABLES
Argument: phpMyAdmin
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#handler
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#qcache
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#threads
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#created_tmp
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#delayed
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#key
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#select
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#repl
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#sort
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#table
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf#_top


+ CGI: /phpmyadmin/sql.php
Methods: GET
Argument:
Argument: goto
Value: server_status.php
Argument: phpMyAdmin
Value: 3YfXIaq9ELeLZKX3xJnKGsMRctf
Argument: sql_query
Value: SHOW+SLAVE+HOSTS
Value: SHOW+SLAVE+STATUS
Value: SHOW+OPEN+TABLES


+ CGI: /phpmyadmin/export.php
Methods: POST
Argument: add_character
Value: \r\n
Argument: asfile
Value: sendit
Argument: compression
Value: none
Value: zip
Value: gzip
Value: bzip
Argument: csv_data
Value: csv_data
Argument: csv_replace_null
Value: NULL
Argument: db_select[]
Value: bugzilla
Value: dotproject
Value: drupal
Value: egroupware
Value: gallery
Value: joomla
Value: mediawiki
Value: moodle
Value: mysql
Value: oscommerce
Value: owl
Value: phpadsnew
Value: phpbb
Value: phpwebsite
Value: serendipity
Value: smarty
Value: sugarcrm
Value: textpattern
Value: tikiwiki
Value: webcalendar
Value: wordpress
Value: zencart
Argument: delayed
Value: yes
Argument: disable_fk
Value: yes
Argument: drop
Value: 1
Argument: drop_database
Value: yes
Argument: enclosed
Value: "
Argument: escaped
Value: \
Argument: excel_data
Value: excel_data
Argument: excel_edition
Value: win
Value: mac
Argument: excel_replace_null
Value: NULL
Argument: export_separator
Value: ;
Argument: export_type
Value: server
Argument: extended_ins
Value: yes
Argument: filename_template
Value: __SERVER__
Argument: header_comment
Argument: hexforbinary
Value: yes
Argument: htmlexcel_data
Value: htmlexcel_data
Argument: htmlexcel_replace_null
Value: NULL
Argument: htmlexcel_shownames
Value: yes
Argument: htmlword_data
Value: data
Argument: htmlword_replace_null
Value: NULL
Argument: htmlword_shownames
Value: yes
Argument: htmlword_structure
Value: structure
Argument: if_not_exists
Value: 1
Argument: latex_caption
Value: yes
Argument: latex_data
Value: data
Argument: latex_data_caption
Value: Content of table __TABLE__
Argument: latex_data_continued_caption
Value: Content of table __TABLE__ (continued)
Argument: latex_data_label
Value: tab:__TABLE__-data
Argument: latex_replace_null
Value: \textit{NULL}
Argument: latex_showcolumns
Value: yes
Argument: latex_structure
Value: structure
Argument: latex_structure_caption
Value: Structure of table __TABLE__
Argument: latex_structure_continued_caption
Value: Structure of table __TABLE__ (continued)
Argument: latex_structure_label
Value: tab:__TABLE__-structure
Argument: max_query_size
Value: 50000
Argument: pdf_data
Value: pdf_data
Argument: pdf_report_title
Argument: remember_template
Argument: showcolumns
Value: yes
Argument: showcsvnames
Value: yes
Argument: showexcelnames
Value: yes
Argument: sql_auto_increment
Value: 1
Argument: sql_data
Value: data
Argument: sql_dates
Value: yes
Argument: sql_ignore
Value: yes
Argument: sql_structure
Value: structure
Argument: sql_type
Value: insert
Value: update
Value: replace
Argument: use_backquotes
Value: 1
Argument: use_transaction
Value: yes
Argument: what
Value: sql
Value: latex
Value: pdf
Value: htmlexcel
Value: htmlword
Value: excel
Value: csv
Value: xml
Argument: xml_data
Value: xml_data


+ CGI: /phpbb/login.php?sid=8182a71e0e37a39d75041d6e818cc091
Methods: POST
Argument: autologin
Argument: login
Value: Log in
Argument: password
Argument: username


+ CGI: /phpbb/login.php?sid=ee79eca05ec3e6d641fdcbf3f5dc241f
Methods: POST
Argument: autologin
Argument: login
Value: Log in
Argument: password
Argument: redirect
Argument: username


+ CGI: /phpbb/profile.php?mode=sendpassword
Methods: POST
Argument: email
Argument: reset
Value: Reset
Argument: submit
Value: Submit
Argument: username

Directory index found at /images/
Directory index found at /tmp/
Directory index found at /images/80x15/
Directory index found at /images/88x31/
Directory index found at /images/logo/
Directory index found at /phpbb/templates/Aeolus/
Directory index found at /phpbb/templates/
Directory index found at /phpwebsite/themes/clean/
Directory index found at /phpwebsite/themes/

192.168.1.146 (tcp/80)


Webmirror performed 426 queries in 69s (6.173 queries per second)

The following CGI have been discovered:


+ CGI: /iissamples/sdk/asp/database/MultiScrolling_VBScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /iissamples/sdk/asp/database/MultiScrolling_JScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /iissamples/sdk/asp/docs/colorpicker.asp
Methods: POST
Argument: ColorChoice
Value: #FF8080
Value: FFFF80
Value: 80FF80
Value: 00FF80
Value: 80FFFF
Value: 0080FF
Value: FF80C0
Value: FF80FF
Value: FF0000
Value: FFFF00
Value: 80FF00
Value: 00FF40
Value: 00FFFF
Value: 0080C0
Value: 8080C0
Value: FF00FF
Value: 804040
Value: FF8040
Value: 00FF00
Value: 008080
Value: 004080
Value: 8080FF
Value: 800040
Value: FF0080
Value: 800000
Value: FF8000
Value: 008000
Value: 008040
Value: 0000FF
Value: 0000A0
Value: 800080
Value: 8000FF
Value: 400000
Value: 804000
Value: 004000
Value: 004040
Value: 000080
Value: 000040
Value: 400040
Value: 400080
Value: 000000
Value: 808000
Value: 808040
Value: 808080
Value: 408080
Value: C0C0C0
Value: FFFFFF
Argument: HTTPReferer
Value: http://windows2000/iissamples/sdk/asp/docs/
Argument: RequestMode
Value: Update
Argument: Submit
Value: Update Preferences
Argument: TextChoice
Value: HTML
Value: ClientSide
Value: ServerSide
Value: Comments


+ CGI: /IIsSamples/SDK/asp/docs/Toolbar.asp
Methods: GET
Argument: ovfile
Argument: srcfile


+ CGI: /iissamples/sdk/asp/docs/
Methods: GET
Argument: DontFrame
Value: 1


+ CGI: /IIsSamples/SDK/asp/docs/CodeBrws.asp
Methods: GET
Argument: source
Value: /IIsSamples/SDK/asp/_VBScript.asp
Value: /IIsSamples/SDK/asp/_JScript.asp


+ CGI: /iissamples/sdk/asp/interaction/Form_JScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /iissamples/sdk/asp/interaction/Form_VBScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /iissamples/sdk/asp/interaction/PopulateForm_JScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /iissamples/sdk/asp/interaction/PopulateForm_VBScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /iissamples/sdk/asp/interaction/QueryString_JScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /iissamples/sdk/asp/interaction/QueryString_VBScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IIsSamples/SDK/asp/docs/
Methods: GET
Argument: DontFrame
Value: 1


+ CGI: /IISSamples/sdk/asp/database/MultiScrolling_JScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IISSamples/sdk/asp/docs/colorpicker.asp
Methods: POST
Argument: ColorChoice
Value: #FF8080
Value: FFFF80
Value: 80FF80
Value: 00FF80
Value: 80FFFF
Value: 0080FF
Value: FF80C0
Value: FF80FF
Value: FF0000
Value: FFFF00
Value: 80FF00
Value: 00FF40
Value: 00FFFF
Value: 0080C0
Value: 8080C0
Value: FF00FF
Value: 804040
Value: FF8040
Value: 00FF00
Value: 008080
Value: 004080
Value: 8080FF
Value: 800040
Value: FF0080
Value: 800000
Value: FF8000
Value: 008000
Value: 008040
Value: 0000FF
Value: 0000A0
Value: 800080
Value: 8000FF
Value: 400000
Value: 804000
Value: 004000
Value: 004040
Value: 000080
Value: 000040
Value: 400040
Value: 400080
Value: 000000
Value: 808000
Value: 808040
Value: 808080
Value: 408080
Value: C0C0C0
Value: FFFFFF
Argument: HTTPReferer
Value: http://windows2000/IISSamples/sdk/asp/docs/
Argument: RequestMode
Value: Update
Argument: Submit
Value: Update Preferences
Argument: TextChoice
Value: HTML
Value: ClientSide
Value: ServerSide
Value: Comments


+ CGI: /IISSamples/sdk/asp/docs/
Methods: GET
Argument: DontFrame
Value: 1


+ CGI: /IISSamples/sdk/asp/interaction/Form_JScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IISSamples/sdk/asp/interaction/Form_VBScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IISSamples/sdk/asp/interaction/PopulateForm_JScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IISSamples/sdk/asp/interaction/PopulateForm_VBScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IISSamples/sdk/asp/interaction/QueryString_JScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IIsSamples/SDK/asp/docs/colorpicker.asp
Methods: POST
Argument: ColorChoice
Value: #FF8080
Value: FFFF80
Value: 80FF80
Value: 00FF80
Value: 80FFFF
Value: 0080FF
Value: FF80C0
Value: FF80FF
Value: FF0000
Value: FFFF00
Value: 80FF00
Value: 00FF40
Value: 00FFFF
Value: 0080C0
Value: 8080C0
Value: FF00FF
Value: 804040
Value: FF8040
Value: 00FF00
Value: 008080
Value: 004080
Value: 8080FF
Value: 800040
Value: FF0080
Value: 800000
Value: FF8000
Value: 008000
Value: 008040
Value: 0000FF
Value: 0000A0
Value: 800080
Value: 8000FF
Value: 400000
Value: 804000
Value: 004000
Value: 004040
Value: 000080
Value: 000040
Value: 400040
Value: 400080
Value: 000000
Value: 808000
Value: 808040
Value: 808080
Value: 408080
Value: C0C0C0
Value: FFFFFF
Argument: HTTPReferer
Value: http://windows2000/IIsSamples/SDK/asp/docs/
Argument: RequestMode
Value: Update
Argument: Submit
Value: Update Preferences
Argument: TextChoice
Value: HTML
Value: ClientSide
Value: ServerSide
Value: Comments


+ CGI: /IIsSamples/SDK/asp/database/MultiScrolling_JScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IIsSamples/SDK/asp/interaction/Form_JScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IIsSamples/SDK/asp/interaction/Form_VBScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IIsSamples/SDK/asp/interaction/PopulateForm_JScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IIsSamples/SDK/asp/interaction/PopulateForm_VBScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IIsSamples/sdk/asp/database/MultiScrolling_JScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp
Methods: POST
Argument: Mv
Value: Page Down
Argument: PageNo
Value: 1


+ CGI: /IIsSamples/sdk/asp/docs/colorpicker.asp
Methods: POST
Argument: ColorChoice
Value: #FF8080
Value: FFFF80
Value: 80FF80
Value: 00FF80
Value: 80FFFF
Value: 0080FF
Value: FF80C0
Value: FF80FF
Value: FF0000
Value: FFFF00
Value: 80FF00
Value: 00FF40
Value: 00FFFF
Value: 0080C0
Value: 8080C0
Value: FF00FF
Value: 804040
Value: FF8040
Value: 00FF00
Value: 008080
Value: 004080
Value: 8080FF
Value: 800040
Value: FF0080
Value: 800000
Value: FF8000
Value: 008000
Value: 008040
Value: 0000FF
Value: 0000A0
Value: 800080
Value: 8000FF
Value: 400000
Value: 804000
Value: 004000
Value: 004040
Value: 000080
Value: 000040
Value: 400040
Value: 400080
Value: 000000
Value: 808000
Value: 808040
Value: 808080
Value: 408080
Value: C0C0C0
Value: FFFFFF
Argument: HTTPReferer
Value: http://windows2000/IIsSamples/sdk/asp/docs/
Argument: RequestMode
Value: Update
Argument: Submit
Value: Update Preferences
Argument: TextChoice
Value: HTML
Value: ClientSide
Value: ServerSide
Value: Comments


+ CGI: /IIsSamples/sdk/asp/docs/
Methods: GET
Argument: DontFrame
Value: 1


+ CGI: /IIsSamples/sdk/asp/interaction/Form_JScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IIsSamples/sdk/asp/interaction/Form_VBScript.asp
Methods: POST
Argument: fname
Argument: lname


+ CGI: /IIsSamples/sdk/asp/interaction/PopulateForm_JScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IIsSamples/sdk/asp/interaction/PopulateForm_VBScript.asp
Methods: GET
Argument: FNAME
Value: John
Value: Nowhere ZA, 12345
Argument: LNAME
Value: Doe
Argument: STREET
Value: 1 Main Street


+ CGI: /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp
Methods: GET
Argument: fname
Argument: lname


+ CGI: /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp
Methods: GET
Argument: fname
Argument: lname

Directory index found at /iissamples/
Directory index found at /iissamples/sdk/
Directory index found at /IISSamples/
Directory index found at /iissamples/sdk/admin/
Directory index found at /iissamples/sdk/asp/
Directory index found at /iissamples/sdk/asp/applications/
Directory index found at /iissamples/sdk/asp/components/
Directory index found at /iissamples/sdk/asp/database/
Directory index found at /iissamples/sdk/asp/docs/
Directory index found at /iissamples/sdk/asp/interaction/
Directory index found at /iissamples/sdk/asp/simple/
Directory index found at /iissamples/sdk/asp/transactional/
Directory index found at /IISSamples/sdk/
Directory index found at /IISSamples/sdk/admin/
Directory index found at /IISSamples/sdk/asp/
Directory index found at /IISSamples/sdk/asp/applications/
Directory index found at /IISSamples/sdk/asp/components/
Directory index found at /IISSamples/sdk/asp/database/
Directory index found at /IISSamples/sdk/asp/docs/
Directory index found at /IISSamples/sdk/asp/interaction/
Directory index found at /IISSamples/sdk/asp/simple/
Directory index found at /IISSamples/sdk/asp/transactional/
Directory index found at /IIsSamples/SDK/asp/docs/
Directory index found at /IIsSamples/SDK/asp/
Directory index found at /IIsSamples/SDK/
Directory index found at /IIsSamples/
Directory index found at /IIsSamples/SDK/asp/applications/
Directory index found at /IIsSamples/SDK/asp/components/
Directory index found at /IIsSamples/SDK/asp/database/
Directory index found at /IIsSamples/SDK/asp/interaction/
Directory index found at /IIsSamples/SDK/asp/simple/
Directory index found at /IIsSamples/SDK/asp/transactional/
Directory index found at /IIsSamples/SDK/admin/
Directory index found at /IIsSamples/sdk/
Directory index found at /IIsSamples/sdk/admin/
Directory index found at /IIsSamples/sdk/asp/
Directory index found at /IIsSamples/sdk/asp/applications/
Directory index found at /IIsSamples/sdk/asp/components/
Directory index found at /IIsSamples/sdk/asp/database/
Directory index found at /IIsSamples/sdk/asp/docs/
Directory index found at /IIsSamples/sdk/asp/interaction/
Directory index found at /IIsSamples/sdk/asp/simple/
Directory index found at /IIsSamples/sdk/asp/transactional/

11011 (2) - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Hosts

192.168.1.146 (tcp/139)


An SMB server is running on this port.

192.168.1.146 (tcp/445)


A CIFS server is running on this port.

11032 (2) - Web Server Directory Enumeration

Synopsis

It is possible to enumerate directories on the web server.

Description

This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.

See Also

http://projects.webappsec.org/Predictable-Resource-Location

Solution

n/a

Risk Factor

None

References

XREF OWASP:OWASP-CM-006

Plugin Information:

Publication date: 2002/06/26, Modification date: 2013/04/02

Hosts

192.168.1.28 (tcp/80)


The following directories were discovered:
/cgi-bin, /tmp, /bugzilla, /icons, /images, /dotproject, /drupal, /joomla, /moodle, /oscommerce, /owl, /phpbb, /phpmyadmin, /phpwebsite, /wordpress, /zencart

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

192.168.1.146 (tcp/80)


The following directories were discovered:
/_vti_bin, /iissamples, /images, /webpub

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

The following directories require authentication:
/printers

11936 (2) - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2013/09/03

Hosts

192.168.1.28 (tcp/0)


Remote operating system : Linux Kernel 2.6 on Ubuntu 5.10 (breezy)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 5.10 (breezy)

192.168.1.146 (tcp/0)


Remote operating system : Microsoft Windows 2000 Service Pack 4
Confidence Level : 99
Method : MSRPC


The remote host is running Microsoft Windows 2000 Service Pack 4

19506 (2) - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2013/11/21

Hosts

192.168.1.28 (tcp/0)

Information about this scan :

Nessus version : 5.2.4
Plugin feed version : 201311250916
Scanner edition used : Nessus
Scan policy used : PCI Scan
Scanner IP : 192.168.1.232
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2013/6/27 4:24
Scan duration : 1636 sec

192.168.1.146 (tcp/0)

Information about this scan :

Nessus version : 5.2.4
Plugin feed version : 201311250916
Scanner edition used : Nessus
Scan policy used : PCI Scan
Scanner IP : 192.168.1.232
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2013/6/27 4:24
Scan duration : 2025 sec

20094 (2) - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Hosts

192.168.1.28 (tcp/0)

192.168.1.146 (tcp/0)

25220 (2) - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Hosts

192.168.1.28 (tcp/0)

192.168.1.146 (tcp/0)

35716 (2) - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier' (OUI).
These OUIs are registered by the IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Hosts

192.168.1.28 (tcp/0)


The following card manufacturers were identified :

00:0c:29:ea:3a:d0 : VMware, Inc.

192.168.1.146 (tcp/0)


The following card manufacturers were identified :

00:0c:29:f7:55:ea : VMware, Inc.

45590 (2) - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2013/11/19

Hosts

192.168.1.28 (tcp/0)


The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:5.10 -> Canonical Ubuntu Linux 5.10

The following application CPEs matched on the remote system :

cpe:/a:openbsd:openssh:4.1 -> OpenBSD OpenSSH 4.1
cpe:/a:apache:http_server:2.0.54 -> Apache Software Foundation Apache HTTP Server 2.0.54
cpe:/a:php:php:5.0.5 -> PHP PHP 5.0.5

192.168.1.146 (tcp/0)


The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2000::sp4 -> Microsoft Windows 2000 Service Pack 4

The following application CPE matched on the remote system :

cpe:/a:microsoft:iis:5.0 -> Microsoft IIS 5.0

54615 (2) - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Hosts

192.168.1.28 (tcp/0)

Remote device type : general-purpose
Confidence level : 95

192.168.1.146 (tcp/0)

Remote device type : general-purpose
Confidence level : 99

56209 (2) - PCI DSS Compliance : Remote Access Software Has Been Detected

Synopsis

Remote access software has been detected.

Description

Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix D in the ASV Program Guide, or disabled / removed. Please consult your ASV if you have questions about this Special Note.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/09/15, Modification date: 2013/07/25

Hosts

192.168.1.28 (tcp/0)


An SSH server (remote terminal) is running on the remote host.

192.168.1.146 (tcp/0)


An SMB server is running on the remote host.

A CIFS server is running on the remote host.

60020 (2) - PCI DSS Compliance : Handling False Positives

Synopsis

Notes the proper handling of false positives in PCI DSS scans.

Description

Note that per PCI Security Standards Council (PCI SSC) standards, if the version of the remote software is known to contain flaws, a vulnerability scanner must report it as vulnerable. The scanner must still flag it as vulnerable, even in cases where a workaround or mitigating configuration option is in place. This will result in the scanner issuing false positives by PCI SSC design.

It is recommended that any workarounds and mitigating configurations that are in place be documented including technical details, to be presented to a third-party PCI auditor during an audit.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/07/18, Modification date: 2012/07/05

Hosts

192.168.1.28 (tcp/0)

192.168.1.146 (tcp/0)

66334 (2) - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches.
This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2013/11/12

Hosts

192.168.1.28 (tcp/0)



You need to take the following action:
[ OpenSSH LoginGraceTime / MaxStartups DoS (67140) ]

+ Action to take: Upgrade to OpenSSH 6.2 and review the associated server configuration settings.

+ Impact: Taking this action will resolve 27 different vulnerabilities (CVEs).


192.168.1.146 (tcp/0)



You need to take the following 4 actions:

[ Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure (10956) ]

+ Action to take: Apply the patch referenced above.


[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) (19408) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check) (20008) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.

+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).


10077 (1) - Microsoft FrontPage Extensions Check

Synopsis

FrontPage extensions are enabled.

Description

The remote web server appears to be running with the FrontPage extensions.

FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any other untrusted 3rd party network).

Solution

n/a

Risk Factor

None

References

CVE CVE-2000-0114
XREF OSVDB:67

Plugin Information:

Publication date: 1999/08/22, Modification date: 2011/08/04

Hosts

192.168.1.146 (tcp/80)


The remote FrontPage server leaks information regarding the name of the anonymous user.
By knowing the name of the anonymous user, more sophisticated attacks may be launched.
We could gather that the name of the anonymous user is : IUSR_WINDOWS2000

10092 (1) - FTP Server Detection

Synopsis

An FTP server is listening on this port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution

N/A

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/03/08

Hosts

192.168.1.146 (tcp/21)


The remote FTP banner is :

220 windows2000 Microsoft FTP Service (Version 5.0).

10107 (1) - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/80)

The remote web server type is :

Microsoft-IIS/5.0

10150 (1) - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Hosts

192.168.1.146 (udp/137)

The following 8 NetBIOS names have been gathered :

INet~Services = Domain Controllers (IIS)
IS~WINDOWS2000 = Computer name (IIS)
WINDOWS2000 = File Server Service
WINDOWS2000 = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

00:0c:29:f7:55:ea

10263 (1) - SMTP Server Detection

Synopsis

An SMTP server is listening on the remote port.

Description

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Hosts

192.168.1.146 (tcp/25)


Remote SMTP server banner :

220 windows2000 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Mon, 25 Nov 2013 13:58:49 -0500

10267 (1) - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Hosts

192.168.1.28 (tcp/22)


SSH version : SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.2
SSH supported authentication : publickey,password

10394 (1) - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running the Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2000/05/09, Modification date: 2013/04/23

Hosts

192.168.1.146 (tcp/445)

- NULL sessions are enabled on the remote host

10395 (1) - Microsoft Windows SMB Shares Enumeration

Synopsis

It is possible to enumerate remote network shares.

Description

By connecting to the remote host, Nessus was able to enumerate the network share names.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2012/11/29

Hosts

192.168.1.146 (tcp/445)


Here are the SMB shares available on the remote host when logged as a NULL session:

- IPC$
- ADMIN$
- C$

10397 (1) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Hosts

192.168.1.146 (tcp/445)


Here is the browse list of the remote host :

WINDOWS2000 ( os : 5.0 )

10661 (1) - Microsoft IIS 5 .printer ISAPI Filter Enabled

Synopsis

Remote Web server supports Internet Printing Protocol.

Description

IIS 5 has support for the Internet Printing Protocol (IPP), which is enabled in a default install. The protocol is implemented in IIS 5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality.

Solution

To unmap the .printer extension:

1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration and remove the reference to .printer from the list.

Risk Factor

None

References

XREF CERT-CC:CA-2001-10

Plugin Information:

Publication date: 2001/05/03, Modification date: 2012/12/10

Hosts

192.168.1.146 (tcp/80)

10785 (1) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2013/06/25

Hosts

192.168.1.146 (tcp/445)

The remote Operating System is : Windows 5.0
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : WINDOWS2000

10859 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis

It is possible to obtain the host SID for the remote host.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).

The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.1.146 (tcp/445)


The remote host SID value is :

1-5-21-1123561945-1085031214-839522115

The value of 'RestrictAnonymous' setting is : unknown

10860 (1) - SMB Use Host SID to Enumerate Local Users

Synopsis

It is possible to enumerate local users.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.1.146 (tcp/445)


- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)

Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.

10881 (1) - SSH Protocol Versions Supported

Synopsis

An SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Hosts

192.168.1.28 (tcp/22)

The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 78:e2:2b:d2:58:03:2a:03:65:71:e5:ea:58:01:ac:71

10902 (1) - Microsoft Windows 'Administrators' Group User List

Synopsis

There is at least one user in the 'Administrators' group.

Description

Using the supplied credentials, it is possible to extract the member list of the 'Administrators' group. Members of this group have complete access to the remote system.

Solution

Verify that each member of the group should have this type of access.

Risk Factor

None

Plugin Information:

Publication date: 2002/03/15, Modification date: 2011/03/04

Hosts

192.168.1.146 (tcp/0)


The following users are members of the 'Administrators' group :

- WINDOWS2000\Administrator (User)
- WINDOWS2000\paul (User)
- WINDOWS2000\kevin (User)
- WINDOWS2000\mike (User)
- WINDOWS2000\nessus (User)

10904 (1) - Microsoft Windows 'Backup Operators' Group User List

Synopsis

There is at least one user in the 'Backup Operators' group.

Description

Using the supplied credentials, it is possible to extract the member list of the 'Backup Operators' group. Members of this group can log on to the remote host and perform backup operations (read/write files) but have no administrative rights.

Solution

Verify that each member of the group should have this type of access.

Risk Factor

None

Plugin Information:

Publication date: 2002/03/15, Modification date: 2011/03/04

Hosts

192.168.1.146 (tcp/0)


The following user is a member of the 'Backup Operators' group :

- WINDOWS2000\nessus (User)

10913 (1) - Microsoft Windows - Local Users Information : Disabled accounts

Synopsis

At least one local user account has been disabled.

Description

Using the supplied credentials, it is possible to list local user accounts that have been disabled.

Solution

Delete accounts that are no longer needed.

Risk Factor

None

References

XREF OSVDB:752

Plugin Information:

Publication date: 2002/03/17, Modification date: 2011/03/21

Hosts

192.168.1.146 (tcp/0)


The following local user account has been disabled :

- Guest


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10914 (1) - Microsoft Windows - Local Users Information : Never changed passwords

Synopsis

At least one local user has never changed his / her password.

Description

Using the supplied credentials, it is possible to list local users who have never changed their passwords.

Solution

Allow / require users to change their passwords regularly.

Risk Factor

None

References

XREF OSVDB:755

Plugin Information:

Publication date: 2002/03/17, Modification date: 2013/02/22

Hosts

192.168.1.146 (tcp/0)


The following local users have never changed their passwords :

- Guest
- josh
- mike


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10915 (1) - Microsoft Windows - Local Users Information : User has never logged on

Synopsis

At least one local user has never logged in to his / her account.

Description

Using the supplied credentials, it is possible to list local users who have never logged into their accounts.

Solution

Delete accounts that are not needed.

Risk Factor

None

References

XREF OSVDB:754

Plugin Information:

Publication date: 2002/03/17, Modification date: 2011/03/21

Hosts

192.168.1.146 (tcp/0)


The following local users have never logged in :

- Guest
- paul
- josh
- mike


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10916 (1) - Microsoft Windows - Local Users Information : Passwords never expire

Synopsis

At least one local user has a password that never expires.

Description

Using the supplied credentials, it is possible to list local users that are enabled and whose passwords never expire.

Solution

Allow / require users to change their passwords regularly.

Risk Factor

None

References

XREF OSVDB:755

Plugin Information:

Publication date: 2002/03/17, Modification date: 2012/10/19

Hosts

192.168.1.146 (tcp/0)


The following local users have passwords that never expire :

- Administrator
- IUSR_WINDOWS2000
- IWAM_WINDOWS2000
- nessus
- bgates


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.

11422 (1) - Web Server Unconfigured - Default Install Page Present

Synopsis

The remote web server is not configured or is not properly configured.

Description

The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.

Solution

Disable this service if you do not use it.

Risk Factor

None

References

XREF OSVDB:3233

Plugin Information:

Publication date: 2003/03/20, Modification date: 2013/11/18

Hosts

192.168.1.146 (tcp/80)


The default welcome page is from IIS.

11424 (1) - WebDAV Detection

Synopsis

The remote server is running with WebDAV enabled.

Description

WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage the content of a web server.

If you do not use this extension, you should disable it.

Solution

http://support.microsoft.com/default.aspx?kbid=241520

Risk Factor

None

Plugin Information:

Publication date: 2003/03/20, Modification date: 2011/03/14

Hosts

192.168.1.146 (tcp/80)

11874 (1) - Microsoft IIS 404 Response Service Pack Signature

Synopsis

The remote web server is running Microsoft IIS.

Description

The patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service pack level. As each service pack typically contains many security patches, the server may be at risk.

Note that this test makes assumptions about the remote patch level based on static return values (Content-Length) within an IIS server's 404 error message. As such, the test cannot be totally reliable and should be manually confirmed.

Note also that, to determine IIS6 patch levels, a simple test is done based on strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of both CR and LF.

Solution

Ensure that the server is running the latest stable Service Pack.

Risk Factor

None

Plugin Information:

Publication date: 2003/10/09, Modification date: 2011/06/01

Hosts

192.168.1.146 (tcp/80)

The remote IIS server *seems* to be Microsoft IIS 5 - SP3 or SP4

12053 (1) - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Hosts

192.168.1.146 (tcp/0)


192.168.1.146 resolves as windows2000.

17651 (1) - Microsoft Windows SMB : Obtains the Password Policy

Synopsis

It is possible to retrieve the remote host's password policy using the supplied credentials.

Description

Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/03/30, Modification date: 2011/03/04

Hosts

192.168.1.146 (tcp/445)

The following password policy is defined on the remote host:

Minimum password len: 0
Password history len: 0
Maximum password age (d): 42
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0

17975 (1) - Service Detection (GET request)

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/04/06, Modification date: 2013/11/19

Hosts

192.168.1.146 (tcp/3372)

An MSDTC server seems to be running on this port

18261 (1) - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2013/10/31

Hosts

192.168.1.28 (tcp/0)


The linux distribution detected was :
- Ubuntu 5.10 (breezy)

22319 (1) - MSRPC Service Detection

Synopsis

A DCE/RPC server is listening on the remote host.

Description

The remote host is running a Windows RPC service. This service replies to the RPC Bind Request with a Bind Ack response.

However, it is not possible to determine the UUID of this service.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/09/11, Modification date: 2011/03/11

Hosts

192.168.1.146 (tcp/1030)

24260 (1) - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Hosts

192.168.1.146 (tcp/80)


Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :

Server: Microsoft-IIS/5.0
Date: Mon, 25 Nov 2013 19:03:18 GMT
Content-Length: 1270
Content-Type: text/html
Cache-control: private

24269 (1) - Windows Management Instrumentation (WMI) Available

Synopsis

WMI queries can be made against the remote host.

Description

The supplied credentials can be used to make WMI (Windows Management Instrumentation) requests against the remote host over DCOM.

These requests can be used to gather information about the remote host such as its current state, network interface configuration, etc.

See Also

http://www.microsoft.com/whdc/system/pnppwr/wmi/default.mspx

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/02/03, Modification date: 2012/01/31

Hosts

192.168.1.146 (tcp/0)

24786 (1) - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host; however, these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, Nessus falls back to performing a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Hosts

192.168.1.146 (tcp/0)


It was not possible to connect to '\\WINDOWS2000\ADMIN$' with the supplied credentials.

26917 (1) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to with the supplied credentials.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/04, Modification date: 2011/03/27

Hosts

192.168.1.146 (tcp/445)

Could not connect to the registry because:
Could not connect to \winreg

33817 (1) - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.

Note that the script does not try to compute this duration based on external factors such as the network and web server loads.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/10/26, Modification date: 2013/01/29

Hosts

192.168.1.146 (tcp/80)

Here are the estimated number of requests in miscellaneous modes
for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=51 SP=94 AP=94 SC=94 AC=94
SQL injection : S=2475 SP=3625 AP=3625 SC=3625 AC=3625
unseen parameters : S=3465 SP=5075 AP=5075 SC=5075 AC=5075
local file inclusion : S=99 SP=145 AP=145 SC=145 AC=145
web code injection : S=99 SP=145 AP=145 SC=145 AC=145
cookie manipulation : S=68 SP=136 AP=136 SC=136 AC=136
XML injection : S=99 SP=145 AP=145 SC=145 AC=145
format string : S=198 SP=290 AP=290 SC=290 AC=290
script injection : S=51 SP=94 AP=94 SC=94 AC=94
cross-site scripting (comprehensive test): S=792 SP=1160 AP=1160 SC=1160 AC=1160
injectable parameter : S=198 SP=290 AP=290 SC=290 AC=290
cross-site scripting (extended patterns) : S=357 SP=658 AP=658 SC=658 AC=658
directory traversal (write access) : S=198 SP=290 AP=290 SC=290 AC=290
SSI injection : S=297 SP=435 AP=435 SC=435 AC=435
header injection : S=102 SP=188 AP=188 SC=188 AC=188
directory traversal : S=2475 SP=3625 AP=3625 SC=3625 AC=3625
HTML injection : S=255 SP=470 AP=470 SC=470 AC=470
cross-site scripting (quick test) : S=374 SP=748 AP=748 SC=748 AC=748
arbitrary command execution (time based) : S=594 SP=870 AP=870 SC=870 AC=870
SQL injection (2nd order) : S=99 SP=145 AP=145 SC=145 AC=145
persistent XSS : S=396 SP=580 AP=580 SC=580 AC=580
directory traversal (extended test) : S=5049 SP=7395 AP=7395 SC=7395 AC=7395
arbitrary command execution : S=1584 SP=2320 AP=2320 SC=2320 AC=2320
blind SQL injection (4 requests) : S=396 SP=580 AP=580 SC=580 AC=580
HTTP response splitting : S=459 SP=846 AP=846 SC=846 AC=846
blind SQL injection : S=1188 SP=1740 AP=1740 SC=1740 AC=1740

All tests : S=21418 SP=32089 AP=32089 SC=32089 AC=32089

Here are the estimated number of requests in miscellaneous modes
for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=102 SP=188 AP=188 SC=188 AC=188
SQL injection : S=4950 SP=7250 AP=7250 SC=7250 AC=7250
unseen parameters : S=6930 SP=10150 AP=10150 SC=10150 AC=10150
local file inclusion : S=198 SP=290 AP=290 SC=290 AC=290
web code injection : S=198 SP=290 AP=290 SC=290 AC=290
cookie manipulation : S=136 SP=272 AP=272 SC=272 AC=272
XML injection : S=198 SP=290 AP=290 SC=290 AC=290
format string : S=396 SP=580 AP=580 SC=580 AC=580
script injection : S=102 SP=188 AP=188 SC=188 AC=188
cross-site scripting (comprehensive test): S=1584 SP=2320 AP=2320 SC=2320 AC=2320
injectable parameter : S=396 SP=580 AP=580 SC=580 AC=580
cross-site scripting (extended patterns) : S=714 SP=1316 AP=1316 SC=1316 AC=1316
directory traversal (write access) : S=396 SP=580 AP=580 SC=580 AC=580
SSI injection : S=594 SP=870 AP=870 SC=870 AC=870
header injection : S=204 SP=376 AP=376 SC=376 AC=376
directory traversal : S=4950 SP=7250 AP=7250 SC=7250 AC=7250
HTML injection : S=510 SP=940 AP=940 SC=940 AC=940
cross-site scripting (quick test) : S=748 SP=1496 AP=1496 SC=1496 AC=1496
arbitrary command execution (time based) : S=1188 SP=1740 AP=1740 SC=1740 AC=1740
SQL injection (2nd order) : S=198 SP=290 AP=290 SC=290 AC=290
persistent XSS : S=792 SP=1160 AP=1160 SC=1160 AC=1160
directory traversal (extended test) : S=10098 SP=14790 AP=14790 SC=14790 AC=14790
arbitrary command execution : S=3168 SP=4640 AP=4640 SC=4640 AC=4640
blind SQL injection (4 requests) : S=792 SP=1160 AP=1160 SC=1160 AC=1160
HTTP response splitting : S=918 SP=1692 AP=1692 SC=1692 AC=1692
blind SQL injection : S=2376 SP=3480 AP=3480 SC=3480 AC=3480

All tests : S=42836 SP=64178 AP=64178 SC=64178 AC=64178

Your mode : single, GET and POST, Paranoid.
Maximum number of requests : 42836

39470 (1) - CGI Generic Tests Timeout

Synopsis

Some generic CGI attacks ran out of time.

Description

Some generic CGI tests ran out of time during the scan. The results may be incomplete.

Solution

Run your scan again with a longer timeout or less ambitious options:

- Combinations of argument values = 'all combinations' is much slower than 'two pairs' or 'single'.

- Stop at first flaw = 'per port' is quicker.

- In 'some pairs' or 'some combinations' mode, try reducing web_app_tests.tested_values_for_each_parameter in nessusd.conf.

Risk Factor

None

Plugin Information:

Publication date: 2009/06/19, Modification date: 2011/03/06

Hosts

192.168.1.146 (tcp/80)

The following tests timed out without finding any flaw :
- SQL injection (on HTTP headers)
- XSS (on HTTP headers)

40984 (1) - Browsable Web Directories

Synopsis

Some directories on the remote web server are browsable.

Description

Miscellaneous Nessus plugins identified directories on this web server that are browsable.

See Also

http://projects.webappsec.org/Directory-Indexing

Solution

Make sure that browsable directories do not leak confidential information or give access to sensitive resources, and use access restrictions or disable directory indexing for any that do.

Risk Factor

None

Plugin Information:

Publication date: 2009/09/15, Modification date: 2013/03/21

Hosts

192.168.1.146 (tcp/80)


The following directories are browsable :

http://windows2000/IIsSamples/sdk/asp/transactional/
http://windows2000/IIsSamples/sdk/asp/applications/
http://windows2000/IIsSamples/sdk/asp/
http://windows2000/IIsSamples/sdk/admin/
http://windows2000/IIsSamples/sdk/
http://windows2000/IIsSamples/SDK/admin/
http://windows2000/IIsSamples/SDK/asp/applications/
http://windows2000/IIsSamples/
http://windows2000/IIsSamples/SDK/
http://windows2000/IIsSamples/SDK/asp/
http://windows2000/IIsSamples/SDK/asp/docs/
http://windows2000/IISSamples/sdk/asp/components/
http://windows2000/IISSamples/sdk/asp/applications/
http://windows2000/IISSamples/sdk/asp/
http://windows2000/IISSamples/sdk/admin/
http://windows2000/IISSamples/sdk/
http://windows2000/iissamples/sdk/asp/transactional/
http://windows2000/iissamples/sdk/asp/
http://windows2000/iissamples/sdk/admin/
http://windows2000/IISSamples/
http://windows2000/iissamples/sdk/
http://windows2000/iissamples/
http://windows2000/iissamples/sdk/asp/applications/
http://windows2000/iissamples/sdk/asp/components/
http://windows2000/iissamples/sdk/asp/database/
http://windows2000/iissamples/sdk/asp/docs/
http://windows2000/iissamples/sdk/asp/interaction/
http://windows2000/iissamples/sdk/asp/simple/
http://windows2000/IISSamples/sdk/asp/database/
http://windows2000/IISSamples/sdk/asp/docs/
http://windows2000/IISSamples/sdk/asp/interaction/
http://windows2000/IISSamples/sdk/asp/simple/
http://windows2000/IISSamples/sdk/asp/transactional/
http://windows2000/IIsSamples/SDK/asp/components/
http://windows2000/IIsSamples/SDK/asp/database/
http://windows2000/IIsSamples/SDK/asp/interaction/
http://windows2000/IIsSamples/SDK/asp/simple/
http://windows2000/IIsSamples/SDK/asp/transactional/
http://windows2000/IIsSamples/sdk/asp/components/
http://windows2000/IIsSamples/sdk/asp/database/
http://windows2000/IIsSamples/sdk/asp/docs/
http://windows2000/IIsSamples/sdk/asp/interaction/
http://windows2000/IIsSamples/sdk/asp/simple/

43111 (1) - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Hosts

192.168.1.146 (tcp/80)

Based on the response to an OPTIONS request :

- HTTP methods COPY GET HEAD LOCK PROPFIND SEARCH TRACE
UNLOCK OPTIONS are allowed on :

/
/IISSamples
/IISSamples/homepage
/IISSamples/sdk
/IISSamples/sdk/admin
/IISSamples/sdk/asp
/IISSamples/sdk/asp/applications
/IISSamples/sdk/asp/components
/IISSamples/sdk/asp/database
/IISSamples/sdk/asp/docs
/IISSamples/sdk/asp/interaction
/IISSamples/sdk/asp/simple
/IISSamples/sdk/asp/transactional
/IIsSamples
/IIsSamples/SDK
/IIsSamples/SDK/admin
/IIsSamples/SDK/asp
/IIsSamples/SDK/asp/applications
/IIsSamples/SDK/asp/components
/IIsSamples/SDK/asp/database
/IIsSamples/SDK/asp/docs
/IIsSamples/SDK/asp/interaction
/IIsSamples/SDK/asp/simple
/IIsSamples/SDK/asp/transactional
/IIsSamples/homepage
/IIsSamples/sdk
/IIsSamples/sdk/admin
/IIsSamples/sdk/asp
/IIsSamples/sdk/asp/applications
/IIsSamples/sdk/asp/components
/IIsSamples/sdk/asp/database
/IIsSamples/sdk/asp/docs
/IIsSamples/sdk/asp/interaction
/IIsSamples/sdk/asp/simple
/IIsSamples/sdk/asp/transactional
/_vti_bin
/iissamples
/iissamples/homepage
/iissamples/sdk
/iissamples/sdk/admin
/iissamples/sdk/asp
/iissamples/sdk/asp/applications
/iissamples/sdk/asp/components
/iissamples/sdk/asp/database
/iissamples/sdk/asp/docs
/iissamples/sdk/asp/interaction
/iissamples/sdk/asp/simple
/iissamples/sdk/asp/transactional
/images
/webpub

- HTTP methods GET HEAD LOCK TRACE UNLOCK OPTIONS
are allowed on :

/IISSamples/Default
/manager
/recipe


Based on tests of each method :

- HTTP methods GET HEAD OPTIONS PROPFIND TRACE are allowed on :

/
/IISSamples
/IISSamples/Default
/IISSamples/homepage
/IISSamples/sdk
/IISSamples/sdk/admin
/IISSamples/sdk/asp
/IISSamples/sdk/asp/applications
/IISSamples/sdk/asp/components
/IISSamples/sdk/asp/database
/IISSamples/sdk/asp/docs
/IISSamples/sdk/asp/interaction
/IISSamples/sdk/asp/simple
/IISSamples/sdk/asp/transactional
/IIsSamples
/IIsSamples/SDK
/IIsSamples/SDK/admin
/IIsSamples/SDK/asp
/IIsSamples/SDK/asp/applications
/IIsSamples/SDK/asp/components
/IIsSamples/SDK/asp/database
/IIsSamples/SDK/asp/docs
/IIsSamples/SDK/asp/interaction
/IIsSamples/SDK/asp/simple
/IIsSamples/SDK/asp/transactional
/IIsSamples/homepage
/IIsSamples/sdk
/IIsSamples/sdk/admin
/IIsSamples/sdk/asp
/IIsSamples/sdk/asp/applications
/IIsSamples/sdk/asp/components
/IIsSamples/sdk/asp/database
/IIsSamples/sdk/asp/docs
/IIsSamples/sdk/asp/interaction
/IIsSamples/sdk/asp/simple
/IIsSamples/sdk/asp/transactional
/_vti_bin
/iissamples
/iissamples/homepage
/iissamples/sdk
/iissamples/sdk/admin
/iissamples/sdk/asp
/iissamples/sdk/asp/applications
/iissamples/sdk/asp/components
/iissamples/sdk/asp/database
/iissamples/sdk/asp/docs
/iissamples/sdk/asp/interaction
/iissamples/sdk/asp/simple
/iissamples/sdk/asp/transactional
/images
/manager
/recipe
/webpub

47830 (1) - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidates for extended injection tests.

Description

Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful to a human pen-tester.

Solution

n/a

Risk Factor

None

References

XREF CWE:86

Plugin Information:

Publication date: 2010/07/26, Modification date: 2013/02/17

Hosts

192.168.1.146 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to injectable parameter :

+ The 'PageNo' parameter of the /IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp?PageNo=voupai&M
v=Page%20Down

-------- output --------
<ul>
<li>Error Type:<br>
Microsoft VBScript runtime (0x800A000D)<br>Type mismatch: '[string: &qu
ot;voupai&quot;]'<br><b>/IIsSamples/sdk/asp/database/MultiScrolling_VBSc
ript.asp, line 79</b><br>
</li>
<p>
------------------------

+ The 'PageNo' parameter of the /IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp CGI :

/IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp?PageNo=voupai&M
v=Page%20Down

-------- output --------
<ul>
<li>Error Type:<br>
Microsoft VBScript runtime (0x800A000D)<br>Type mismatch: '[string: &qu
ot;voupai&quot;]'<br><b>/IIsSamples/SDK/asp/database/MultiScrolling_VBSc
ript.asp, line 79</b><br>
</li>
<p>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=voupai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai&fn
ame=

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=vo
upai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'PageNo' parameter of the /IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp?PageNo=voupai&M
v=Page%20Down

-------- output --------
<ul>
<li>Error Type:<br>
Microsoft VBScript runtime (0x800A000D)<br>Type mismatch: '[string: &qu
ot;voupai&quot;]'<br><b>/IISSamples/sdk/asp/database/MultiScrolling_VBSc
ript.asp, line 79</b><br>
</li>
<p>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=voupai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai&fn
ame=

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=vo
upai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=voupai

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/voupai_VBScript.asp" target = "SampMain"> R
un Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=voupai

-------- output --------
<center>
<h4><b>
<A href ="voupai?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'srcfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=voupai&ovfile=

-------- output --------
<h4><b>
<A href ="?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/voupai_VBScript.asp" target = "SampMain"> R
un Example </A> |
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'ovfile' parameter of the /IIsSamples/SDK/asp/docs/Toolbar.asp CGI :

/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=&ovfile=voupai

-------- output --------
<center>
<h4><b>
<A href ="voupai?DontFrame=1" target = "SampMain" >Overview </A> |
<A href="/IIsSamples/SDK/asp/_VBScript.asp" target = "SampMain"> R [...]
<A href="/IIsSamples/SDK/asp/docs/CodeBrws.asp?source=/IIsSamples/ [...]
------------------------

+ The 'PageNo' parameter of the /iissamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/iissamples/sdk/asp/database/MultiScrolling_VBScript.asp?PageNo=voupai&M
v=Page%20Down

-------- output --------
<ul>
<li>Error Type:<br>
Microsoft VBScript runtime (0x800A000D)<br>Type mismatch: '[string: &qu
ot;voupai&quot;]'<br><b>/iissamples/sdk/asp/database/MultiScrolling_VBSc
ript.asp, line 79</b><br>
</li>
<p>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?fname=voupai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai&fna
me=

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/iissamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=vou
pai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=voupai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai&fna
me=

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=vou
pai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=voupai

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?fname=voupai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=voupai&fna
me=

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_JScript.asp?lname=&fname=vou
pai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=voupai

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?fname=voupai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=voupai&fn
ame=

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=&fname=vo
upai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?fname=voupai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=voupai&fna
me=

-------- output --------

<BR>
voupai

</BODY>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_JScript.asp?lname=&fname=voupai

-------- output --------
<HR>

voupai <BR>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?fname=voupai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai&fname=

-------- output --------
<HR>
<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=&fname=voupai

-------- output --------

<HR>
voupai <BR>

</BODY>
------------------------

Requesting these URLs directly should reproduce the issue :
(you will probably need to view the HTML source to see where the value is reflected)

http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=voupai
http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?ovfile=voupai
http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=voupai&ovfile=
http://windows2000/IIsSamples/SDK/asp/docs/Toolbar.asp?srcfile=&ovfile=voupai


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to parameter injection :

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'ColorChoice' parameter of the /IIsSamples/sdk/asp/docs/colorpicker.asp CGI :

/IIsSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=voupai&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 94 bytes to /IIsSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=voupai&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'HTTPReferer' parameter of the /IIsSamples/sdk/asp/docs/colorpicker.asp CGI :

/IIsSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=%00voupai&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 106 bytes to /IIsSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=%00voupai&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'Submit' parameter of the /IIsSamples/sdk/asp/docs/colorpicker.asp CGI :

/IIsSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=voupai&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 83 bytes to /IIsSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=voupai&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'TextChoice' parameter of the /IIsSamples/sdk/asp/docs/colorpicker.asp CGI :

/IIsSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 99 bytes to /IIsSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'PageNo' parameter of the /IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp [PageNo=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 13 bytes to /IIsSamples/sdk/asp/database/MultiScrolling_VBScript.asp</li><p><li>POST Data:<br>PageNo=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=voupai]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_JScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_JScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'PageNo' parameter of the /IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp CGI :

/IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp [PageNo=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 13 bytes to /IIsSamples/SDK/asp/database/MultiScrolling_VBScript.asp</li><p><li>POST Data:<br>PageNo=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'ColorChoice' parameter of the /IIsSamples/SDK/asp/docs/colorpicker.asp CGI :

/IIsSamples/SDK/asp/docs/colorpicker.asp [ColorChoice=voupai&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 94 bytes to /IIsSamples/SDK/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=voupai&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'HTTPReferer' parameter of the /IIsSamples/SDK/asp/docs/colorpicker.asp CGI :

/IIsSamples/SDK/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=%00voupai&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 106 bytes to /IIsSamples/SDK/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=%00voupai&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'Submit' parameter of the /IIsSamples/SDK/asp/docs/colorpicker.asp CGI :

/IIsSamples/SDK/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=voupai&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 83 bytes to /IIsSamples/SDK/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=voupai&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'TextChoice' parameter of the /IIsSamples/SDK/asp/docs/colorpicker.asp CGI :

/IIsSamples/SDK/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 99 bytes to /IIsSamples/SDK/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'ColorChoice' parameter of the /IISSamples/sdk/asp/docs/colorpicker.asp CGI :

/IISSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=voupai&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 94 bytes to /IISSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=voupai&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'HTTPReferer' parameter of the /IISSamples/sdk/asp/docs/colorpicker.asp CGI :

/IISSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=%00voupai&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 106 bytes to /IISSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=%00voupai&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'Submit' parameter of the /IISSamples/sdk/asp/docs/colorpicker.asp CGI :

/IISSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=voupai&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 83 bytes to /IISSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=voupai&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'TextChoice' parameter of the /IISSamples/sdk/asp/docs/colorpicker.asp CGI :

/IISSamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=&RequestMode=Update&Submit=Update%20Preferences&TextChoice=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 99 bytes to /IISSamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'PageNo' parameter of the /IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp [PageNo=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 13 bytes to /IISSamples/sdk/asp/database/MultiScrolling_VBScript.asp</li><p><li>POST Data:<br>PageNo=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'HTTPReferer' parameter of the /iissamples/sdk/asp/docs/colorpicker.asp CGI :

/iissamples/sdk/asp/docs/colorpicker.asp [ColorChoice=%23FF8080&HTTPReferer=%00voupai&RequestMode=Update&Submit=Update%20Preferences&TextChoice=HTML]

-------- output --------
<p>
<li>Page:<br>
POST 106 bytes to /iissamples/sdk/asp/docs/colorpicker.asp</li><p><li>POST Data:<br>ColorChoice=%23FF8080&amp;HTTPReferer=%00voupai&amp;RequestMode=Update&amp;Submit=Update%20Preferences&amp;TextChoice=HTML</li>
<p>
<li>Time:<br>
------------------------

+ The 'PageNo' parameter of the /iissamples/sdk/asp/database/MultiScrolling_VBScript.asp CGI :

/iissamples/sdk/asp/database/MultiScrolling_VBScript.asp [PageNo=voupai]

-------- output --------
<p>
<li>Page:<br>
POST 13 bytes to /iissamples/sdk/asp/database/MultiScrolling_VBScript.asp</li><p><li>POST Data:<br>PageNo=voupai</li>
<p>
<li>Time:<br>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_JScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /iissamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/iissamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_JScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_JScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>

</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IISSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IISSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=voupai]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/SDK/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/SDK/asp/interaction/Form_VBScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------

+ The 'lname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=voupai&fname=]

-------- output --------

<BR>
voupai <BR>
</BODY>
</HTML>
------------------------

+ The 'fname' parameter of the /IIsSamples/sdk/asp/interaction/Form_VBScript.asp CGI :

/IIsSamples/sdk/asp/interaction/Form_VBScript.asp [lname=&fname=voupai]

-------- output --------
<HR>

voupai <BR>
<BR>
</BODY>
------------------------
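
Two things about the listing above matter when triaging it. First, the probe Nessus sent was the bare alphanumeric marker "voupai", so every entry proves only that the parameter is reflected into the page, not that HTML or script can be injected; the colorpicker.asp output already shows the ampersands in the echoed POST data coming back as &amp;, which is exactly the encoding that decides whether a reflection is exploitable. Second, the same four sample pages are listed under /IIsSamples/SDK, /IIsSamples/sdk, /IISSamples/sdk and /iissamples/sdk because IIS resolves paths case-insensitively, so the count of findings overstates the number of resources. The following is an added example written for this page, not Nessus plugin code: it classifies a response to a bracketed probe that carries the HTML and JavaScript metacharacters, and collapses the case variants into one finding per resource. The response bodies and the FINDINGS list are constructed to mirror the output blocks above, not captured from the scan; sending the probe over HTTP is left to the tester's own client.

```python
import html
import re
from urllib.parse import urlsplit

# Alphanumeric marker Nessus echoed in the report above, bracketing the characters an
# attacker needs to break out of HTML text, an attribute value or a JavaScript string.
MARKER = "voupai"
METACHARS = '<>"\'&'
PROBE = MARKER + METACHARS + MARKER          # send this as the parameter value

# Named, decimal and hex entities: &lt; &#39; &#x27; &amp; ...
_ENTITY = re.compile(r"&(?:#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);")

def classify(body: str, marker: str = MARKER) -> str:
    """Classify how the response reflected PROBE: only 'reflected-unencoded' is the
    HTML-injection case a generic 'injectable parameter' finding needs to become XSS."""
    if marker not in body:
        return "not-reflected"
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    if not m:
        return "reflected-truncated"        # marker echoed, rest of the probe cut off
    between = m.group(1)
    raw = {c for c in METACHARS if c in _ENTITY.sub("", between)}
    if "<" in raw and ">" in raw:
        return "reflected-unencoded"        # tags survive: HTML injection is realistic
    if raw & {'"', "'"}:
        return "reflected-quotes-raw"       # exploitable only inside an attribute or JS string
    if _ENTITY.search(between):
        return "reflected-encoded"          # metacharacters entity-encoded, as colorpicker.asp does with &
    return "reflected-filtered"             # metacharacters stripped

def dedupe_findings(findings):
    """Collapse the /IIsSamples/SDK, /IIsSamples/sdk, /IISSamples/sdk and /iissamples/sdk
    variants above into one finding per resource: IIS resolves paths case-insensitively."""
    unique = {}
    for method, url, param in findings:
        unique.setdefault((method, urlsplit(url).path.lower(), param), url)
    return sorted(unique)

# Constructed responses modelled on the output blocks above; they are not captured from the scan.
RAW_ECHO = "<HR>\n\n" + PROBE + " <BR>\n\n</BODY>"
ENCODED_ECHO = "<li>POST Data:<br>ColorChoice=" + html.escape(PROBE, quote=True) + "</li>"
FILTERED_ECHO = "<BR>\n" + MARKER + MARKER + "\n</BODY>"
TRUNCATED_ECHO = "<BR>\n" + MARKER + "\n</BODY>"
NO_ECHO = "<HTML><BODY><HR><BR></BODY></HTML>"

# Five of the report entries above, as (method, URL, parameter) tuples.
FINDINGS = [
    ("GET", "/IIsSamples/SDK/asp/interaction/QueryString_VBScript.asp?lname=voupai", "lname"),
    ("GET", "/IIsSamples/sdk/asp/interaction/QueryString_VBScript.asp?lname=voupai", "lname"),
    ("POST", "/IISSamples/sdk/asp/docs/colorpicker.asp", "HTTPReferer"),
    ("POST", "/iissamples/sdk/asp/docs/colorpicker.asp", "HTTPReferer"),
    ("POST", "/IIsSamples/SDK/asp/docs/colorpicker.asp", "HTTPReferer"),
]

if __name__ == "__main__":
    for name, body in [("raw", RAW_ECHO), ("encoded", ENCODED_ECHO), ("filtered", FILTERED_ECHO),
                       ("truncated", TRUNCATED_ECHO), ("none", NO_ECHO)]:
        print(f"{name:10} -> {classify(body)}")
    for method, path, param in dedupe_findings(FINDINGS):
        print(method, path, param)
```

The bracketing second marker is what makes the check reliable: without it, the markup that follows the echoed value (the </li> or <BR> seen above) would be mistaken for raw metacharacters from the probe. A "reflected-encoded" or "reflected-filtered" result closes the finding as an informational echo; "reflected-unencoded" or "reflected-quotes-raw" is the point at which it is worth confirming by hand in a browser.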

49704 (1) - External URLs

Synopsis

Links to external sites were gathered.

Description

Nessus gathered HREF links to external sites by crawling the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/10/04, Modification date: 2011/08/19

Hosts

192.168.1.146 (tcp/80)


1 external URL was gathered on this web server :
URL... - Seen on...


http://localhost/IISSamples/sdk/asp/components/redirect.asp?url=http://www.microsoft.com/ntserver/web/default.asp&image=nts_iis.gif - /iissamples/sdk/asp/components/AdRotator_JScript.asp

59861 (1) - Remote web server screenshot

Synopsis

It was possible to take a 'screenshot' of the remote web server.

Description

This test renders the view of the remote web site's main page, as seen from within a web browser.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/03/29, Modification date: 2013/07/11

Hosts

192.168.1.146 (tcp/80)

It was possible to gather the following screenshot of the remote web site.

70657 (1) - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2013/10/28

Hosts

192.168.1.28 (tcp/22)


Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :

none
zlib

The server supports the following options for compression_algorithms_server_to_client :

none
zlib
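
Although plugin 70657 rates this output as risk "None", the lists deserve a closer look: every key exchange offered is SHA-1 based (one of them over a 1024-bit group), the host key can be DSA, the cipher list includes RC4 and the 64-bit-block ciphers 3des-cbc, blowfish-cbc and cast128-cbc, all CBC-mode ciphers are still enabled (Nessus itself negotiated aes128-cbc), and the MACs include MD5 and 96-bit truncated variants. The following is an added example written for this page, not Nessus output or plugin code: it parses the plugin text exactly as printed above for 192.168.1.28, flags each algorithm that should be removed together with the reason, and checks whether any SHA-2 or curve25519 key exchange is offered at all. The weak/legacy classifications and reasons are the editor's, based on the algorithms themselves, not on anything further Nessus reported about this host.

```python
import re
from typing import Dict, List

# Plugin 70657 output for 192.168.1.28 as printed above (the server_to_client lists are
# identical to the client_to_server ones in the report and are omitted here).
REPORT = """
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
"""

# Names that are broken outright, with the reason (editor's assessment).
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1 (Logjam-class precomputation)",
    "ssh-dss": "1024-bit DSA host key, disabled by default since OpenSSH 7.0",
    "arcfour": "RC4 stream cipher",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "cast128-cbc": "64-bit block cipher in CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "MD5-based MAC truncated to 96 bits",
    "hmac-sha1-96": "MAC truncated to 96 bits",
}
# Names that still work but should be retired; the first matching rule wins.
LEGACY = [
    (re.compile(r"-cbc$|^rijndael-cbc@"), "CBC mode (plaintext recovery, CVE-2008-5161)"),
    (re.compile(r"^diffie-hellman-.*-sha1$"), "SHA-1 key exchange"),
    (re.compile(r"^ssh-rsa$"), "RSA host key signatures use SHA-1, disabled by default since OpenSSH 8.8"),
    (re.compile(r"^hmac-(sha1|ripemd160)"), "MAC family to retire, prefer hmac-sha2-256/512 or their -etm@openssh.com forms"),
]

def parse_nessus_ssh(text: str) -> Dict[str, List[str]]:
    """Group algorithm names under the 'options for <list> :' heading they follow."""
    lists, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"The server supports the following options for (\w+) :", line)
        if m:
            current = m.group(1)
            lists[current] = []
        elif line and current is not None:
            lists[current].append(line)
    return lists

def audit(lists: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every offered algorithm that should be removed to the reason."""
    findings = {}
    for names in lists.values():
        for name in names:
            if name in WEAK:
                findings[name] = "weak: " + WEAK[name]
                continue
            for pattern, reason in LEGACY:
                if pattern.search(name):
                    findings[name] = "legacy: " + reason
                    break
    return findings

def needs_upgrade(lists: Dict[str, List[str]]) -> bool:
    """True when the server offers no SHA-2 or curve25519 key exchange at all: then no
    KexAlgorithms setting can help and the SSH server software itself must be upgraded."""
    kex = lists.get("kex_algorithms", [])
    return not any("sha256" in k or "sha512" in k or k.startswith("curve25519") for k in kex)

if __name__ == "__main__":
    lists = parse_nessus_ssh(REPORT)
    for name, reason in sorted(audit(lists).items()):
        print(f"{name:32} {reason}")
    print("software upgrade required:", needs_upgrade(lists))
```

Only the three AES-CTR ciphers come through the audit unflagged. Because 192.168.1.28 offers no SHA-2 or curve25519 key exchange, tightening KexAlgorithms in sshd_config would leave nothing to negotiate; the SSH server software has to be upgraded first, after which Ciphers, MACs, KexAlgorithms and HostKeyAlgorithms can be restricted to the modern sets and the scan repeated to confirm the lists have shrunk.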