Nessus Report

Nessus Scan Report

02/Dec/2013:23:04:52

Table Of Contents
Vulnerabilities By Plugin
20384 (1) - ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution
20925 (1) - dotProject Multiple Scripts Remote File Inclusion
40352 (1) - phpMyAdmin Installation Not Password Protected
42479 (1) - CGI Generic SQL Injection (2nd pass)
51973 (1) - CGI Generic SQL Injection (Parameters Names)
10922 (1) - CVS (Web-Based) Entries File Information Disclosure
16138 (1) - phpGroupWare index.php Calendar Date XSS
40578 (1) - WordPress < 2.8.4 wp-login.php key Parameter Remote Administrator Password Reset (uncredentialed check)
44670 (1) - Web Application SQL Backend Identification
51425 (1) - phpMyAdmin error.php BBcode Tag XSS (PMASA-2010-9)
57640 (1) - Web Application Information Disclosure
11219 (1) - Nessus SYN scanner
17219 (1) - phpMyAdmin Detection
18297 (1) - WordPress Detection
19233 (1) - MediaWiki Detection
33817 (1) - CGI Generic Tests Load Estimation (all tests)
39470 (1) - CGI Generic Tests Timeout
40773 (1) - Web Application Potentially Sensitive CGI Parameter Detection
47830 (1) - CGI Generic Injectable Parameter
65766 (1) - Gallery Detection

Vulnerabilities By Plugin

20384 (1) - ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution

Synopsis

The remote web server has a PHP script that allows execution of arbitrary code.

Description

The remote host is running ADOdb, a database abstraction library for PHP.

The installed version of ADOdb includes a test script named 'tmssql.php' that fails to sanitize user input to the 'do' parameter before using it to execute PHP code. An attacker can exploit this issue to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id.

See Also

http://secunia.com/secunia_research/2005-64/advisory/
http://www.nessus.org/u?540d6007

Solution

Remove the test script or upgrade to ADOdb version 4.70 or higher.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

CVE CVE-2006-0147
XREF OSVDB:22291

Plugin Information:

Publication date: 2006/01/10, Modification date: 2013/01/25

Hosts

192.168.1.226 (tcp/80)

20925 (1) - dotProject Multiple Scripts Remote File Inclusion

Synopsis

The remote web server contains a PHP application that is affected by multiple remote file include vulnerabilities.

Description

The remote host is running dotProject, a web-based, open source, project management application written in PHP.

The installed version of dotProject fails to sanitize input to various parameters and scripts before using it to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.

See Also

http://www.securityfocus.com/archive/1/424957/30/0/threaded
http://www.dotproject.net/vbulletin/showthread.php?t=4462
http://www.securityfocus.com/archive/1/425285/100/0/threaded

Solution

Disable PHP's 'register_globals' setting as per the application's installation instructions.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.8 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 16648
BID 19547
CVE CVE-2006-0754
CVE CVE-2006-0755
CVE CVE-2006-4234
XREF OSVDB:23210
XREF OSVDB:23211
XREF OSVDB:23212
XREF OSVDB:23213
XREF OSVDB:23214
XREF OSVDB:23215
XREF OSVDB:23216
XREF OSVDB:23217
XREF OSVDB:23218
XREF OSVDB:23219
XREF OSVDB:29478
XREF EDB-ID:2191

Plugin Information:

Publication date: 2006/02/15, Modification date: 2013/01/04

Hosts

192.168.1.226 (tcp/80)

40352 (1) - phpMyAdmin Installation Not Password Protected

Synopsis

Access to the remote PHP application is not password protected.

Description

The version of phpMyAdmin installed on the remote web server allows unrestricted, unauthenticated access. This is likely due to setting the 'auth_type' to 'config' and storing login credentials in the configuration file.

A remote attacker could exploit this to execute arbitrary SQL queries, delete databases, or possibly even execute arbitrary code remotely.

See Also

http://www.phpmyadmin.net/documentation/#authentication_modes

Solution

Restrict access to phpMyAdmin using one of the methods referred to in the vendor's documentation.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin Information:

Publication date: 2009/07/23, Modification date: 2011/04/18

Hosts

192.168.1.226 (tcp/80)


URL : http://192.168.1.226/phpmyadmin/

42479 (1) - CGI Generic SQL Injection (2nd pass)

Synopsis

A web application is potentially vulnerable to SQL injection.

Description

By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

See Also

http://en.wikipedia.org/wiki/SQL_injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?e5c79f44
http://www.nessus.org/u?11ab1866

Solution

Modify the relevant CGIs so that they properly escape arguments.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

XREF CWE:89
XREF CWE:20
XREF CWE:77
XREF CWE:810
XREF CWE:713
XREF CWE:722
XREF CWE:727
XREF CWE:751
XREF CWE:801

Plugin Information:

Publication date: 2009/11/12, Modification date: 2013/03/29

Hosts

192.168.1.226 (tcp/80)


During testing for arbitrary command execution (time based, intrusive) vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for arbitrary command execution (time based) vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for blind SQL injection vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for blind SQL injection (time based) vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for injectable parameter vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?action=Login&module=Users?search_form=uziylp&module=Home&action=UnifiedSearch
Cookie: PHPSESSID=1b86dcabb7cc9175830bf60ee10afc60
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?user_password=uziylp
Cookie: PHPSESSID=ead66ebdd0b138b0e267587de3b3df19
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for HTML injection vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?login_action=<"ceoyom%20>
Cookie: PHPSESSID=8f212281ae091ff19a1bf0b0709161e1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------


During testing for XML injection vulnerabilities,
SQL errors were noticed, suggesting that the scripts / parameters
listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
GET /sugarcrm/index.php?record=&user_name=&return_module=Users&return_action=Login&login_action=&gmto=&cant_login=&action=Login&Login=%20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_theme=Awesome80s&module=Users&user_password= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------

51973 (1) - CGI Generic SQL Injection (Parameters Names)

Synopsis

A web application is potentially vulnerable to SQL injection attacks.

Description

By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability.

An attacker may be able to exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

See Also

http://en.wikipedia.org/wiki/SQL_injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.securitydocs.com/library/2651
http://projects.webappsec.org/SQL-Injection

Solution

Modify the relevant CGIs so that they properly escape arguments.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

XREF CWE:89
XREF CWE:20
XREF CWE:77
XREF CWE:209
XREF CWE:203
XREF CWE:717
XREF CWE:810
XREF CWE:713
XREF CWE:722
XREF CWE:727
XREF CWE:751
XREF CWE:801

Plugin Information:

Publication date: 2011/02/14, Modification date: 2013/01/29

Hosts

192.168.1.226 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to SQL injection (on parameters names) :

/sugarcrm/index.php?'+convert(int,convert(varchar,0x7b5d))+'=1&user_password=&user_name=&return_module=Users&return_action=Login&login_action=&gmto=&cant_login=&action=Login&Login=%20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_theme=Awesome80s&module=Users&record=

-------- request --------
GET /sugarcrm/index.php?'+convert(int,convert(varchar,0x7b5d))+'=1&user_password=&user_name=&return_module=Users&return_action=Login&login_action=&gmto=&cant_login=&action=Login&Login=%20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_theme=Awesome80s&module=Users&record= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: ddad2595debee0edf3163112bcaf90e1=cd03a3aa6dcaf9d159707b7c194ba52c; PHPSESSID=006e22ee2409576c7df9561f3141c50c
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]
<br />
<b>Warning</b>: mysql_data_seek(): supplied argument is not a valid MyS
QL result resource in <b>/var/www/sugarcrm/include/database/PearDatabase
.php</b> on line <b>494</b><br />
<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a v [...]
------------------------

10922 (1) - CVS (Web-Based) Entries File Information Disclosure

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The remote web server allows access to a 'CVS/Entries' file and thereby exposes file names in the associated repository.

Solution

Configure permissions for the affected web server to deny access to the reported file as well as other related ones, such as 'CVS/Repository' and 'CVS/Root'.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2002/03/27, Modification date: 2013/11/04

Hosts

192.168.1.226 (tcp/80)


Nessus was able to retrieve the contents of 'CVS/Entries' using the following URL :

http://192.168.1.226/egroupware/phpgwapi/templates/idots/css/CVS/Entries

Here are its contents :

------------------------------ snip ------------------------------
/idots.css/1.32/Thu Nov 24 14:25:49 2005//TVersion-1_2_0-branch
D
------------------------------ snip ------------------------------

16138 (1) - phpGroupWare index.php Calendar Date XSS

Synopsis

The remote web server contains a PHP application that is affected by several cross-site scripting vulnerabilities.

Description

The version of phpGroupWare on the remote host is reportedly prone to HTML injection vulnerabilities through 'index.php'. These issues present themselves due to a lack of sufficient input validation performed on form fields used by phpGroupWare modules.

A malicious attacker may exploit these issues to inject arbitrary HTML and script code using these form fields that then may be incorporated into dynamically-generated web content.

See Also

https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478

Solution

Update to version 0.9.16 RC3 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 12082
CVE CVE-2004-2574
XREF OSVDB:7599
XREF OSVDB:7600
XREF OSVDB:7601
XREF OSVDB:7602
XREF OSVDB:7603
XREF OSVDB:7604

Plugin Information:

Publication date: 2005/01/12, Modification date: 2012/09/07

Hosts

192.168.1.226 (tcp/80)

40578 (1) - WordPress < 2.8.4 wp-login.php key Parameter Remote Administrator Password Reset (uncredentialed check)

Synopsis

The remote web server contains a PHP application with a security bypass vulnerability.

Description

According to its version number, the version of WordPress running on the remote server has a flaw in the password reset mechanism.
Validation of the secret user activation key can be bypassed by providing an array instead of a string. This allows anyone to reset the password of the first user in the database, which is usually the administrator. A remote attacker could use this to repeatedly reset the password, leading to a denial of service.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0114.html
http://core.trac.wordpress.org/changeset/11798
http://wordpress.org/development/2009/08/2-8-4-security-release/

Solution

Upgrade to WordPress 2.8.4 or later.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVSS Temporal Score

5.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

References

BID 36014
CVE CVE-2009-2762
XREF OSVDB:56971
XREF EDB-ID:9410
XREF Secunia:36237
XREF CWE:255

Plugin Information:

Publication date: 2009/08/12, Modification date: 2011/04/13

Hosts

192.168.1.226 (tcp/80)


Installed version : 2.0
Should be at least : 2.8.4

44670 (1) - Web Application SQL Backend Identification

Synopsis

A web application's SQL backend can be identified.

Description

At least one web application hosted on the remote web server is built on a SQL backend that Nessus was able to identify by looking at error messages.

Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.

See Also

http://projects.webappsec.org/Fingerprinting

Solution

Filter out error messages.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2010/02/19, Modification date: 2013/09/26

Hosts

192.168.1.226 (tcp/80)


The web application appears to be based on MySQL

This information was leaked by these URLs :
http://192.168.1.226/

51425 (1) - phpMyAdmin error.php BBcode Tag XSS (PMASA-2010-9)

Synopsis

The remote web server hosts a PHP script that is prone to a cross-site scripting attack.

Description

The installed version of phpMyAdmin fails to validate BBcode tags in user input to the 'error' parameter of the 'error.php' script before using it to generate dynamic HTML.

An attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site. For example, this could be used to cause a page with arbitrary text and a link to an external site to be displayed.

See Also

http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php

Solution

Upgrade to phpMyAdmin 3.4.0-beta1 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45633
CVE CVE-2010-4480
XREF OSVDB:69684
XREF EDB-ID:15699

Plugin Information:

Publication date: 2011/01/06, Modification date: 2011/10/24

Hosts

192.168.1.226 (tcp/80)


Nessus was able to exploit the issue using the following URL :

http://192.168.1.226/phpmyadmin/error.php?type=phpmyadmin_pmasa_2010_9.nasl&error=%5ba%40http%3a%2f%2fwww.phpmyadmin.net%2fhome_page%2fsecurity%2fPMASA-2010-9.php%40_self]Click%20here%5b%2fa]

It produced the following response :

<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<title>phpMyAdmin</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css">

57640 (1) - Web Application Information Disclosure

Synopsis

The remote web application discloses path information.

Description

At least one web application hosted on the remote web server discloses the physical path to its directories when a malformed request is sent to it.

Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.

Solution

Filter error messages containing path information.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2012/01/25, Modification date: 2013/10/22

Hosts

192.168.1.226 (tcp/80)


The request GET /dotproject/index.php?username=&lostpass=0&password=&redirect=&login=1386254364'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/dotproject/l
ib/adodb/drivers/adodb-mysql.inc.php</b> on line <b>354</b><br />
FATAL ERROR: Connection to database server failed

The request GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /dotproject/index.php?login=index.php%00.html HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/dotproject/l
ib/adodb/drivers/adodb-mysql.inc.php</b> on line <b>354</b><br />
FATAL ERROR: Connection to database server failed

The request GET /gallery/main.php?g2_returnName=album&g2_subView=core.UserLogin&g2_formUrl=main.php&g2_form%5BuseDefaultSettings%5D=1&g2_controller=cart.AddToCart&g2_GALLERYSID=TMP_SESSION_ID_DI_NOISSES_PMT&=&g2_form[formName]=search_SearchBlock&g2_form[searchCriteria]=Search%20the%20Gallery&g2_form[useDefaultSettings]=1&g2_itemId=7&g2_return=main.php%253F&g2_view=core.UserAdmin%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]

The request GET /serendipity/index.php?serendipity[searchTerm]=index.php%00.html HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /gallery/main.php?g2_returnName=album&g2_subView=core.UserLogin&g2_formUrl=main.php&g2_form%5BuseDefaultSettings%5D=1&g2_controller=cart.AddToCart&g2_GALLERYSID=TMP_SESSION_ID_DI_NOISSES_PMT&=&g2_form[formName]=search_SearchBlock&g2_form[searchCriteria]=Search%20the%20Gallery&g2_form[useDefaultSettings]=1&g2_itemId=7&g2_return=main.php%253F&g2_view=core.UserAdmin HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]

The request GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?login_action=<"ceoyom%20>
Cookie: PHPSESSID=8f212281ae091ff19a1bf0b0709161e1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /webcalendar/login.php?remember=login.php%00.html HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /egroupware/login.php?account_type=login.php%00.html HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/egroupwar
e/phpgwapi/inc/adodb/drivers/adodb-mysql.inc.php</b> on line <b>366</b><
br />
<center><b>Fatal Error:</b> It appears that you have not created t [...]

The request GET /gallery/main.php?g2_returnName=album&g2_subView=core.UserLogin&g2_formUrl=main.php&g2_form%5BuseDefaultSettings%5D=1&g2_controller=cart.AddToCart&g2_GALLERYSID=TMP_SESSION_ID_DI_NOISSES_PMT&=&g2_form[formName]=search_SearchBlock&g2_form[searchCriteria]=Search%20the%20Gallery&g2_form[useDefaultSettings]=1&g2_itemId=7&g2_return=main.php%253F&g2_view=core.UserAdmin HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]

The request GET /gallery/main.php?g2_returnName=album&g2_subView=core.UserLogin&g2_formUrl=main.php&g2_form%5BuseDefaultSettings%5D=1&g2_controller=cart.AddToCart&g2_GALLERYSID=TMP_SESSION_ID_DI_NOISSES_PMT&=&g2_form[formName]=search_SearchBlock&g2_form[searchCriteria]=Search%20the%20Gallery&g2_form[useDefaultSettings]=1&g2_itemId=7&g2_return=main.php%253F&g2_view=core.UserAdmin'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]

The request GET /dotproject/index.php?username=&lostpass=0&password=&redirect=&login=1386254364%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/dotproject/l
ib/adodb/drivers/adodb-mysql.inc.php</b> on line <b>354</b><br />
FATAL ERROR: Connection to database server failed

The request GET /sugarcrm/index.php?record=&user_name=&return_module=Users&return_action=Login&login_action=&gmto=&cant_login=&action=Login&Login=%20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_theme=Awesome80s&module=Users&user_password= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /gallery/main.php?g2_returnName=album&g2_subView=core.UserLogin&g2_formUrl=main.php&g2_form%5BuseDefaultSettings%5D=1&g2_controller=cart.AddToCart&g2_GALLERYSID=TMP_SESSION_ID_DI_NOISSES_PMT&=&g2_form[formName]=search_SearchBlock&g2_form[searchCriteria]=Search%20the%20Gallery&g2_form[useDefaultSettings]=1&g2_itemId=7&g2_return=main.php%253F&g2_view=core.UserAdmin%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]

The request GET /webcalendar/login.php?=&remember=yes&login=&password= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?user_password=uziylp
Cookie: PHPSESSID=ead66ebdd0b138b0e267587de3b3df19
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /webcalendar/login.php?=&password=&login=&remember=yes%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /dotproject/index.php?username=&lostpass=0&password=&redirect=&login=1386254364%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/dotproject/l
ib/adodb/drivers/adodb-mysql.inc.php</b> on line <b>354</b><br />
FATAL ERROR: Connection to database server failed

The request GET /gallery/main.php?g2_view=main.php%00.html HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/gallery/lib/
adodb/drivers/adodb-mysql.inc.php</b> on line <b>348</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://w [...]
<html>

The request GET /webcalendar/login.php?=&password=&login=&remember=yes'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /serendipity/index.php?=%2farchives%2f2013%2f12.html&serendipity[action]=search&serendipity[searchTerm]= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /serendipity/index.php?=%2farchives%2f2013%2f12.html&serendipity[action]=search&serendipity[searchTerm]=%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /serendipity/index.php?=%2farchives%2f2013%2f12.html&serendipity[action]=search&serendipity[searchTerm]=%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /webcalendar/login.php?=&password=&login=&remember=yes HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /serendipity/index.php?serendipity[searchTerm]= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /egroupware/login.php?submitit=Login&login=&passwd=&passwd_type=text&account_type=u%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/egroupwar
e/phpgwapi/inc/adodb/drivers/adodb-mysql.inc.php</b> on line <b>366</b><
br />
<center><b>Fatal Error:</b> It appears that you have not created t [...]

The request GET /dotproject/index.php?username=&lostpass=0&password=&redirect=&login=1386254364 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/dotproject/l
ib/adodb/drivers/adodb-mysql.inc.php</b> on line <b>354</b><br />
FATAL ERROR: Connection to database server failed

The request GET /sugarcrm/index.php?'+convert(int,convert(varchar,0x7b5d))+'=1&user_password=&user_name=&return_module=Users&return_action=Login&login_action=&gmto=&cant_login=&action=Login&Login=%20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_theme=Awesome80s&module=Users&record= HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: ddad2595debee0edf3163112bcaf90e1=cd03a3aa6dcaf9d159707b7c194ba52c; PHPSESSID=006e22ee2409576c7df9561f3141c50c
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /sugarcrm/index.php?action=Login&module=Users HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Referer: http://192.168.1.226/sugarcrm/index.php?action=Login&module=Users?search_form=uziylp&module=Home&action=UnifiedSearch
Cookie: PHPSESSID=1b86dcabb7cc9175830bf60ee10afc60
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /serendipity/index.php?=%2farchives%2f2013%2f12.html&serendipity[action]=search&serendipity[searchTerm]='%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>funct
ion.mysql-connect</a>]: Too many connections in <b>/var/www/serendipity/
include/db/mysql.inc.php</b> on line <b>156</b><br />
<br />
<b>Warning</b>: mysql_select_db() [<a href='function.mysql-select [...]

The request GET /sugarcrm/index.php?action=Login&module=Users?action=UnifiedSearch&module=Home&search_form=false'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>function.
mysql-query</a>]: Too many connections in <b>/var/www/sugarcrm/include/d
atabase/PearDatabase.php</b> on line <b>219</b><br />
<br />
<b>Warning</b>: mysql_query() [<a href='function.mysql-query'>fun [...]

The request GET /egroupware/login.php?submitit=Login&login=&passwd=&passwd_type=text&account_type=u'%20AND%20SLEEP(3)=' HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/egroupwar
e/phpgwapi/inc/adodb/drivers/adodb-mysql.inc.php</b> on line <b>366</b><
br />
<center><b>Fatal Error:</b> It appears that you have not created t [...]

The request GET /egroupware/login.php?submitit=Login&login=&passwd=&passwd_type=text&account_type=u%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/egroupwar
e/phpgwapi/inc/adodb/drivers/adodb-mysql.inc.php</b> on line <b>366</b><
br />
<center><b>Fatal Error:</b> It appears that you have not created t [...]

The request GET /webcalendar/login.php?=&password=&login=&remember=yes%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/webcalend
ar/includes/php-dbi.php</b> on line <b>97</b><br />
<html><head><title>WebCalendar: Fatal Error</title></head>
<body><h2>WebCalendar Error</h2>

The request GET /egroupware/login.php?submitit=Login&login=&passwd=&passwd_type=text&account_type=u HTTP/1.1
Host: 192.168.1.226
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



produces the following path information :

<br />
<b>Warning</b>: mysql_pconnect() [<a href='function.mysql-pconnect'>fun
ction.mysql-pconnect</a>]: Too many connections in <b>/var/www/egroupwar
e/phpgwapi/inc/adodb/drivers/adodb-mysql.inc.php</b> on line <b>366</b><
br />
<center><b>Fatal Error:</b> It appears that you have not created t [...]

11219 (1) - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2013/10/15

Hosts

192.168.1.226 (tcp/80)

Port 80/tcp was found to be open

17219 (1) - phpMyAdmin Detection

Synopsis

The remote web server hosts a database management application written in PHP.

Description

The remote host is running phpMyAdmin, a web-based MySQL administration tool written in PHP.

See Also

http://www.phpmyadmin.net/home_page/index.php

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/02/25, Modification date: 2013/09/18

Hosts

192.168.1.226 (tcp/80)


The following instance of phpMyAdmin was detected on the remote host :

Version : 2.8.0.3
URL : http://192.168.1.226/phpmyadmin/

18297 (1) - WordPress Detection

Synopsis

The remote web server contains a blog application written in PHP.

Description

The remote host is running WordPress, a free blog application written in PHP with a MySQL back-end.

See Also

http://www.wordpress.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/05/18, Modification date: 2012/11/27

Hosts

192.168.1.226 (tcp/80)


The following instance of WordPress was detected on the remote host :

Version : 2.0
URL : http://192.168.1.226/wordpress/

19233 (1) - MediaWiki Detection

Synopsis

The remote web server contains a wiki application written in PHP.

Description

The remote host is running MediaWiki, an open source wiki application written in PHP.

See Also

http://wikipedia.sourceforge.net/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/07/20, Modification date: 2012/05/02

Hosts

192.168.1.226 (tcp/80)


The following instance of MediaWiki was detected on the remote host :

Version : 1.6.5
URL : http://192.168.1.226/mediawiki/

33817 (1) - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.

Note that the script does not try to compute this duration based on external factors such as the network and web server loads.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/10/26, Modification date: 2013/01/29

Hosts

192.168.1.226 (tcp/80)

Here are the estimated number of requests in miscellaneous modes
for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=3 SP=3 AP=3 SC=3 AC=3
SQL injection : S=9996 SP=34328 AP=34328 SC=6410124 AC=6410124
unseen parameters : S=12495 SP=42910 AP=42910 SC=8012655 AC=8012655
local file inclusion : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
web code injection : S=357 SP=1226 AP=1226 SC=228933 AC=228933
XML injection : S=357 SP=1226 AP=1226 SC=228933 AC=228933
format string : S=714 SP=2452 AP=2452 SC=457866 AC=457866
script injection : S=3 SP=3 AP=3 SC=3 AC=3
cross-site scripting (comprehensive test): S=6069 SP=20842 AP=20842 SC=3891861 AC=3891861
injectable parameter : S=714 SP=2452 AP=2452 SC=457866 AC=457866
cross-site scripting (extended patterns) : S=18 SP=18 AP=18 SC=18 AC=18
directory traversal (write access) : S=714 SP=2452 AP=2452 SC=457866 AC=457866
SSI injection : S=1071 SP=3678 AP=3678 SC=686799 AC=686799
header injection : S=6 SP=6 AP=6 SC=6 AC=6
directory traversal : S=10353 SP=35554 AP=35554 SC=6639057 AC=6639057
HTML injection : S=15 SP=15 AP=15 SC=15 AC=15
arbitrary command execution (time based) : S=2142 SP=7356 AP=7356 SC=1373598 AC=1373598
persistent XSS : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
SQL injection (2nd order) : S=357 SP=1226 AP=1226 SC=228933 AC=228933
directory traversal (extended test) : S=18207 SP=62526 AP=62526 SC=11675583 AC=11675583
arbitrary command execution : S=7854 SP=26972 AP=26972 SC=5036526 AC=5036526
blind SQL injection (4 requests) : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
HTTP response splitting : S=27 SP=27 AP=27 SC=27 AC=27
blind SQL injection : S=4284 SP=14712 AP=14712 SC=2747196 AC=2747196

All tests : S=80040 SP=274696 AP=274696 SC=51281064 AC=51281064

Here are the estimated number of requests in miscellaneous modes
for both methods (GET and POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=6 SP=6 AP=6 SC=6 AC=6
SQL injection : S=19992 SP=68656 AP=68656 SC=12820248 AC=12820248
unseen parameters : S=24990 SP=85820 AP=85820 SC=16025310 AC=16025310
local file inclusion : S=2856 SP=9808 AP=9808 SC=1831464 AC=1831464
web code injection : S=714 SP=2452 AP=2452 SC=457866 AC=457866
XML injection : S=714 SP=2452 AP=2452 SC=457866 AC=457866
format string : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
script injection : S=6 SP=6 AP=6 SC=6 AC=6
cross-site scripting (comprehensive test): S=12138 SP=41684 AP=41684 SC=7783722 AC=7783722
injectable parameter : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
cross-site scripting (extended patterns) : S=36 SP=36 AP=36 SC=36 AC=36
directory traversal (write access) : S=1428 SP=4904 AP=4904 SC=915732 AC=915732
SSI injection : S=2142 SP=7356 AP=7356 SC=1373598 AC=1373598
header injection : S=12 SP=12 AP=12 SC=12 AC=12
directory traversal : S=20706 SP=71108 AP=71108 SC=13278114 AC=13278114
HTML injection : S=30 SP=30 AP=30 SC=30 AC=30
arbitrary command execution (time based) : S=4284 SP=14712 AP=14712 SC=2747196 AC=2747196
persistent XSS : S=2856 SP=9808 AP=9808 SC=1831464 AC=1831464
SQL injection (2nd order) : S=714 SP=2452 AP=2452 SC=457866 AC=457866
directory traversal (extended test) : S=36414 SP=125052 AP=125052 SC=23351166 AC=23351166
arbitrary command execution : S=15708 SP=53944 AP=53944 SC=10073052 AC=10073052
blind SQL injection (4 requests) : S=2856 SP=9808 AP=9808 SC=1831464 AC=1831464
HTTP response splitting : S=54 SP=54 AP=54 SC=54 AC=54
blind SQL injection : S=8568 SP=29424 AP=29424 SC=5494392 AC=5494392

All tests : S=160080 SP=549392 AP=549392 SC=102562128 AC=102562128

Your mode : single, GET or POST, thorough tests.
Maximum number of requests : 80040

39470 (1) - CGI Generic Tests Timeout

Synopsis

Some generic CGI attacks ran out of time.

Description

Some generic CGI tests ran out of time during the scan. The results may be incomplete.

Solution

Run your scan again with a longer timeout or less ambitious options :

- Combinations of argument values = 'all combinations' is much slower than 'two pairs' or 'single'.

- Stop at first flaw = 'per port' is quicker.

- In 'some pairs' or 'some combinations' mode, try reducing web_app_tests.tested_values_for_each_parameter in nessusd.conf

Risk Factor

None

Plugin Information:

Publication date: 2009/06/19, Modification date: 2011/03/06

Hosts

192.168.1.226 (tcp/80)

The following tests timed out without finding any flaw :
- XSS (on HTTP headers)
- arbitrary command execution
- directory traversal
- cross-site scripting (comprehensive test)
- SQL injection
- SQL injection (on HTTP headers)

40773 (1) - Web Application Potentially Sensitive CGI Parameter Detection

Synopsis

An application was found that may use CGI parameters to control sensitive information.

Description

According to their names, some CGI parameters may control sensitive data (e.g., ID, privileges, commands, prices, credit card data, etc.). In the course of using an application, these variables may disclose sensitive data or be prone to tampering that could result in privilege escalation. These parameters should be examined to determine what type of data is controlled and if it poses a security risk.

** This plugin only reports information that may be useful for auditors
** or pen-testers, not a real flaw.

Solution

Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access to resources or privileges.

Risk Factor

None

Plugin Information:

Publication date: 2009/08/25, Modification date: 2012/08/17

Hosts

192.168.1.226 (tcp/80)


Potentially sensitive parameters for CGI /phpbb/login.php?sid=378d12fb652f2ddfdbb07fd47f77f5fa :

password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /phpbb/login.php :

password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /dotproject/index.php :

password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /owl/index.php :

password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /webcalendar/login.php :

password : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /tikiwiki/tiki-login.php :

user : Potential horizontal privilege escalation - try another user ID
pass : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

Potentially sensitive parameters for CGI /egroupware/login.php :

passwd : Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack

47830 (1) - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidates for extended injection tests.

Description

Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.

Solution

n/a

Risk Factor

None

References

XREF CWE:86

Plugin Information:

Publication date: 2010/07/26, Modification date: 2013/02/17

Hosts

192.168.1.226 (tcp/80)


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to injectable parameter :

+ The 'page' parameter of the /tikiwiki/tiki-print.php CGI :

/tikiwiki/tiki-print.php?page=uziylp

-------- output --------
<title>

: uziylp
</title>
------------------------

+ The 'page' parameter of the /tikiwiki/tiki-index.php CGI :

/tikiwiki/tiki-index.php?page=uziylp

-------- output --------
<div class="cbox-data">
<br />
There are no wiki pages similar to 'uziylp' <br /><br />
<form class="forms" method="get" action="tiki-searchindex.php">
Find <input id="fuser" name="highlight" size="14" type="text" acce [...]
------------------------

+ The 'login_action' parameter of the /sugarcrm/index.php CGI :

/sugarcrm/index.php?user_password=&user_name=&return_module=Users&return
_action=Login&login_action=uziylp&gmto=&cant_login=&action=Login&Login=%
20%20Login%20%20&login_language=en_us&login_module=&login_record=&login_
theme=Awesome80s&module=Users&record=

-------- output --------
<input type="hidden" id="cant_login" name="cant_login" value="">
<input type="hidden" name="login_module" value="">
<input type="hidden" name="login_action" value="uziylp">
<input type="hidden" name="login_record" value="">
<script type="text/javascript" language="JavaScript">
------------------------

Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)

http://192.168.1.226/tikiwiki/tiki-print.php?page=uziylp
http://192.168.1.226/tikiwiki/tiki-index.php?page=uziylp

65766 (1) - Gallery Detection

Synopsis

The remote web server contains a photo album application written in PHP.

Description

The remote host is running Gallery, an open-source photo album application written in PHP.

See Also

http://galleryproject.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/04/02, Modification date: 2013/04/02

Hosts

192.168.1.226 (tcp/80)


The following instance of Gallery was detected on the remote host :

Version : 2.1.1
URL : http://192.168.1.226/gallery/