Nessus Report

Report generated by Nessus™

Web App Scan - Vulnerabilities by plugin, detailed findings

Mon, 11 Dec 2017 11:48:01 Eastern Standard Time

Vulnerabilities by Plugin
77531 (2) - Apache 2.2.x < 2.2.28 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.28. It is, therefore, affected by the following vulnerabilities :

- A flaw exists within the 'mod_headers' module which allows a remote attacker to inject arbitrary headers. This is done by placing a header in the trailer portion of data being sent using chunked transfer encoding. (CVE-2013-5704)

- A flaw exists within the 'mod_deflate' module when handling highly compressed bodies. Using a specially crafted request, a remote attacker can exploit this to cause a denial of service by exhausting memory and CPU resources. (CVE-2014-0118)

- The 'mod_status' module contains a race condition that can be triggered when handling the scoreboard. A remote attacker can exploit this to cause a denial of service, execute arbitrary code, or obtain sensitive credential information. (CVE-2014-0226)

- The 'mod_cgid' module lacks a timeout mechanism. Using a specially crafted request, a remote attacker can use this flaw to cause a denial of service by causing child processes to linger indefinitely, eventually filling up the scoreboard. (CVE-2014-0231)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache version 2.2.29 or later.

Note that version 2.2.28 was never officially released.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#E:POC/RL:OF/RC:C)
References
BID 68745
BID 68742
BID 68678
BID 66550
CVE CVE-2014-0231
CVE CVE-2014-0226
CVE CVE-2014-0118
CVE CVE-2013-5704
XREF EDB-ID:34133
XREF OSVDB:109234
XREF OSVDB:109231
XREF OSVDB:109216
XREF OSVDB:105190
Plugin Information:
Published: 2014/09/04, Modified: 2016/05/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.29

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.29
100995 (2) - Apache 2.2.x < 2.2.33-dev / 2.4.x < 2.4.26 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.33-dev or 2.4.x prior to 2.4.26. It is, therefore, affected by the following vulnerabilities :

- An authentication bypass vulnerability exists due to third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase. An unauthenticated, remote attacker can exploit this to bypass authentication requirements. (CVE-2017-3167)

- A NULL pointer dereference flaw exists due to third-party module calls to the mod_ssl ap_hook_process_connection() function during an HTTP request to an HTTPS port. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-3169)

- A NULL pointer dereference flaw exists in mod_http2 that is triggered when handling a specially crafted HTTP/2 request. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. Note that this vulnerability does not affect 2.2.x. (CVE-2017-7659)

- An out-of-bounds read error exists in the ap_find_token() function due to improper handling of header sequences. An unauthenticated, remote attacker can exploit this, via a specially crafted header sequence, to cause a denial of service condition. (CVE-2017-7668)

- An out-of-bounds read error exists in mod_mime due to improper handling of Content-Type response headers. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type response header, to cause a denial of service condition or the disclosure of sensitive information. (CVE-2017-7679)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache version 2.2.33-dev / 2.4.26 or later.
Risk Factor
High
CVSS v3.0 Base Score
8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
CVSS v3.0 Temporal Score
7.5 (CVSS:3.0/E:F/RL:O/RC:X)
CVSS Base Score
8.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)
CVSS Temporal Score
7.0 (CVSS2#E:F/RL:OF/RC:ND)
References
BID 99170
BID 99137
BID 99135
BID 99134
BID 99132
CVE CVE-2017-7679
CVE CVE-2017-7668
CVE CVE-2017-7659
CVE CVE-2017-3169
CVE CVE-2017-3167
XREF OSVDB:159395
XREF OSVDB:159394
XREF OSVDB:159393
XREF OSVDB:159392
XREF OSVDB:159391
Plugin Information:
Published: 2017/06/22, Modified: 2017/11/03
Plugin Output

192.168.1.39 (tcp/80)


Source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.33

192.168.1.39 (tcp/443)


Source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.33
101787 (2) - Apache 2.2.x < 2.2.34 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.34. It is, therefore, affected by the following vulnerabilities :

- An authentication bypass vulnerability exists in httpd due to third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase. An unauthenticated, remote attacker can exploit this to bypass authentication requirements. (CVE-2017-3167)

- A denial of service vulnerability exists in httpd due to a NULL pointer dereference flaw that is triggered when a third-party module calls the mod_ssl ap_hook_process_connection() function during an HTTP request to an HTTPS port. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-3169)

- A denial of service vulnerability exists in httpd due to an out-of-bounds read error in the ap_find_token() function that is triggered when handling a specially crafted request header sequence. An unauthenticated, remote attacker can exploit this to crash the service or force ap_find_token() to return an incorrect value. (CVE-2017-7668)

- A denial of service vulnerability exists in httpd due to an out-of-bounds read error in mod_mime that is triggered when handling a specially crafted Content-Type response header. An unauthenticated, remote attacker can exploit this to disclose sensitive information or cause a denial of service condition. (CVE-2017-7679)

- A denial of service vulnerability exists in httpd due to a failure to initialize or reset the value placeholder in [Proxy-]Authorization headers of type 'Digest' before or between successive key=value assignments by mod_auth_digest. An unauthenticated, remote attacker can exploit this, by providing an initial key with no '=' assignment, to disclose sensitive information or cause a denial of service condition. (CVE-2017-9788)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache version 2.2.34 or later.
Risk Factor
High
CVSS v3.0 Base Score
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v3.0 Temporal Score
8.5 (CVSS:3.0/E:U/RL:O/RC:C)
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.5 (CVSS2#E:U/RL:OF/RC:C)
STIG Severity
I
References
BID 99569
BID 99170
BID 99137
BID 99135
BID 99134
CVE CVE-2017-9788
CVE CVE-2017-7679
CVE CVE-2017-7668
CVE CVE-2017-3169
CVE CVE-2017-3167
XREF IAVA:2017-A-0214
XREF OSVDB:160954
XREF OSVDB:159395
XREF OSVDB:159394
XREF OSVDB:159392
XREF OSVDB:159391
Plugin Information:
Published: 2017/07/18, Modified: 2017/10/09
Plugin Output

192.168.1.39 (tcp/80)


Source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.34

192.168.1.39 (tcp/443)


Source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.34
11213 (2) - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#E:H/RL:OF/RC:C)
References
BID 37995
BID 33374
BID 11604
BID 9561
BID 9506
CVE CVE-2010-0386
CVE CVE-2004-2320
CVE CVE-2003-1567
XREF CWE:200
XREF CWE:16
XREF CERT:867593
XREF CERT:288308
XREF OSVDB:50485
XREF OSVDB:11408
XREF OSVDB:5648
XREF OSVDB:3726
XREF OSVDB:877
Plugin Information:
Published: 2003/01/23, Modified: 2016/11/23
Plugin Output

192.168.1.39 (tcp/80)


To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1124289384.html HTTP/1.1
Connection: Close
Host: centos6dvwa.localhost.local
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Mon, 11 Dec 2017 16:15:00 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1124289384.html HTTP/1.1
Connection: Close
Host: centos6dvwa.localhost.local
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

192.168.1.39 (tcp/443)


To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1641927252.html HTTP/1.1
Connection: Close
Host: centos6dvwa.localhost.local
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Mon, 11 Dec 2017 16:15:00 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Content-Type: message/http


TRACE /Nessus1641927252.html HTTP/1.1
Connection: Close
Host: centos6dvwa.localhost.local
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
48205 (2) - Apache 2.2.x < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.16. It is, therefore, potentially affected by multiple vulnerabilities :

- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 41963
BID 40827
CVE CVE-2010-2068
CVE CVE-2010-1452
XREF Secunia:40206
XREF OSVDB:66745
XREF OSVDB:65654
Plugin Information:
Published: 2010/07/30, Modified: 2016/05/04
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.16

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.16
50070 (2) - Apache 2.2.x < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.17. It is, therefore, affected by the following vulnerabilities :

- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)

- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
Solution
Upgrade to Apache version 2.2.17 or later. Alternatively, ensure that the affected modules are not in use.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 43673
BID 36097
BID 37203
CVE CVE-2010-1623
CVE CVE-2009-3720
CVE CVE-2009-3560
XREF CWE:119
XREF Secunia:41701
XREF OSVDB:68327
XREF OSVDB:60797
XREF OSVDB:59737
Plugin Information:
Published: 2010/10/20, Modified: 2015/10/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.17

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.17
53896 (2) - Apache 2.2.x < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.18. It is, therefore, affected by a denial of service vulnerability due to an error in the apr_fnmatch() function of the bundled APR library.

If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.

Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
Solution
Upgrade to Apache version 2.2.18 or later. Alternatively, ensure that the 'IndexOptions' configuration option is set to 'IgnoreClient'.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#E:F/RL:OF/RC:ND)
References
BID 47820
CVE CVE-2011-0419
XREF Secunia:44574
XREF OSVDB:73388
Plugin Information:
Published: 2011/05/13, Modified: 2016/05/04
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.18

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.18
56216 (2) - Apache 2.2.x < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server is affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.21. It is, therefore, potentially affected by a denial of service vulnerability. An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Published: 2011/09/16, Modified: 2017/01/30
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.21

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.21
57791 (2) - Apache 2.2.x < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x installed on the remote host is prior to 2.2.22. It is, therefore, potentially affected by the following vulnerabilities :

- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)

- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)

- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)

- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)

- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)

- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 56753
BID 51706
BID 51705
BID 51407
BID 50802
BID 50494
BID 49957
CVE CVE-2012-4557
CVE CVE-2012-0053
CVE CVE-2012-0031
CVE CVE-2012-0021
CVE CVE-2011-4317
CVE CVE-2011-3607
CVE CVE-2011-3368
XREF OSVDB:89275
XREF OSVDB:78556
XREF OSVDB:78555
XREF OSVDB:78293
XREF OSVDB:77310
XREF OSVDB:76744
XREF OSVDB:76079
Plugin Information:
Published: 2012/02/02, Modified: 2015/10/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.22

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.22
62101 (2) - Apache 2.2.x < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.23. It is, therefore, potentially affected by the following vulnerabilities :

- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)

- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

Note that Nessus has not tested for these flaws but has instead relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 55131
BID 53046
CVE CVE-2012-2687
CVE CVE-2012-0883
XREF CWE:990
XREF CWE:931
XREF CWE:928
XREF CWE:900
XREF CWE:864
XREF CWE:811
XREF CWE:809
XREF CWE:801
XREF CWE:800
XREF CWE:751
XREF CWE:750
XREF CWE:725
XREF CWE:722
XREF CWE:712
XREF CWE:711
XREF CWE:629
XREF CWE:442
XREF CWE:79
XREF CWE:74
XREF CWE:20
XREF OSVDB:84818
XREF OSVDB:81359
Plugin Information:
Published: 2012/09/14, Modified: 2015/10/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.23

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.23
64912 (2) - Apache 2.2.x < 2.2.24 Multiple XSS Vulnerabilities
Synopsis
The remote web server is affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :

- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)

- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.24 or later. Alternatively, ensure that the affected modules are not in use.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 58165
CVE CVE-2012-4558
CVE CVE-2012-3499
XREF CWE:990
XREF CWE:931
XREF CWE:928
XREF CWE:900
XREF CWE:864
XREF CWE:811
XREF CWE:809
XREF CWE:801
XREF CWE:800
XREF CWE:751
XREF CWE:750
XREF CWE:725
XREF CWE:722
XREF CWE:712
XREF CWE:711
XREF CWE:629
XREF CWE:442
XREF CWE:79
XREF CWE:74
XREF CWE:20
XREF OSVDB:90557
XREF OSVDB:90556
Plugin Information:
Published: 2013/02/27, Modified: 2015/10/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.24

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.24
68915 (2) - Apache 2.2.x < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)

- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.25 or later. Alternatively, ensure that the affected modules are not in use.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
3.6 (CVSS2#E:U/RL:OF/RC:UR)
References
BID 61129
BID 59826
CVE CVE-2013-1896
CVE CVE-2013-1862
XREF OSVDB:95498
XREF OSVDB:93366
Plugin Information:
Published: 2013/07/16, Modified: 2016/05/04
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.25

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.25
73405 (2) - Apache 2.2.x < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2.x running on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)

- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.2.27 or later. Alternatively, ensure that the affected modules are not in use.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 66303
CVE CVE-2014-0098
CVE CVE-2013-6438
XREF OSVDB:104580
XREF OSVDB:104579
Plugin Information:
Published: 2014/04/08, Modified: 2015/10/19
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.27

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.27
88099 (2) - Web Server HTTP Header Information Disclosure
Synopsis
The remote web server discloses information via HTTP headers.
Description
The HTTP headers sent by the remote web server disclose information that can aid an attacker, such as the server version and languages used by the web server.
Solution
Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin Information:
Published: 2016/01/22, Modified: 2016/02/02
Plugin Output

192.168.1.39 (tcp/80)


Server type : Apache
Server version : 2.2.15
Source : 2.2.15

192.168.1.39 (tcp/443)


Server type : Apache
Server version : 2.2.15
Source : 2.2.15
96450 (2) - Apache 2.2.x < 2.2.32 Multiple Vulnerabilities (httpoxy)
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.32. It is, therefore, affected by the following vulnerabilities :

- The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387)

- A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache version 2.2.32 or later.

Note that the 'httpoxy' vulnerability can be mitigated by applying the workarounds or patches as referenced in the vendor advisory asf-httpoxy-response.txt.
Risk Factor
Medium
CVSS v3.0 Base Score
8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v3.0 Temporal Score
7.4 (CVSS:3.0/E:F/RL:O/RC:X)
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.2 (CVSS2#E:F/RL:OF/RC:ND)
References
BID 95077
BID 91816
CVE CVE-2016-8743
CVE CVE-2016-5387
XREF CERT:797896
XREF OSVDB:149054
XREF OSVDB:141669
Plugin Information:
Published: 2017/01/12, Modified: 2017/06/29
Plugin Output

192.168.1.39 (tcp/80)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.32

192.168.1.39 (tcp/443)


Version source : Server: Apache/2.2.15
Installed version : 2.2.15
Fixed version : 2.2.32
11219 (5) - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Published: 2009/02/04, Modified: 2017/05/22
Plugin Output

192.168.1.39 (tcp/22)

Port 22/tcp was found to be open

192.168.1.39 (tcp/80)

Port 80/tcp was found to be open

192.168.1.39 (tcp/443)

Port 443/tcp was found to be open

192.168.1.39 (tcp/3128)

Port 3128/tcp was found to be open

192.168.1.39 (tcp/3306)

Port 3306/tcp was found to be open
10107 (3) - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Published: 2000/01/04, Modified: 2016/02/19
Plugin Output

192.168.1.39 (tcp/80)

The remote web server type is :

Apache/2.2.15 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.

192.168.1.39 (tcp/443)

The remote web server type is :

Apache/2.2.15 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.

192.168.1.39 (tcp/3128)

The remote web server type is :

squid/3.1.23
24260 (3) - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Published: 2007/01/30, Modified: 2017/11/13
Plugin Output

192.168.1.39 (tcp/80)


Response Code : HTTP/1.1 403 Forbidden

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 11 Dec 2017 16:14:50 GMT
Server: Apache/2.2.15 (CentOS)
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html; charset=UTF-8

Response Body :


192.168.1.39 (tcp/443)


Response Code : HTTP/1.0 403 Forbidden

Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 11 Dec 2017 16:14:50 GMT
Server: Apache/2.2.15 (CentOS)
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html; charset=UTF-8

Response Body :


192.168.1.39 (tcp/3128)


Response Code : HTTP/1.0 400 Bad Request

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: squid/3.1.23
Mime-Version: 1.0
Date: Mon, 11 Dec 2017 16:14:50 GMT
Content-Type: text/html
Content-Length: 3145
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from centos6dvwa
X-Cache-Lookup: NONE from centos6dvwa:3128
Via: 1.0 centos6dvwa (squid/3.1.23)
Connection: close

Response Body :

43111 (3) - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Published: 2009/12/10, Modified: 2013/05/09
Plugin Output

192.168.1.39 (tcp/80)

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/error
/icons


Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX
LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS
ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

/cgi-bin

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/error
/icons

- Invalid/unknown HTTP methods are allowed on :

/cgi-bin

192.168.1.39 (tcp/443)

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/error
/icons


Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX
LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS
ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

/cgi-bin

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/
/error
/icons

- Invalid/unknown HTTP methods are allowed on :

/cgi-bin

192.168.1.39 (tcp/3128)


Based on tests of each method :

- HTTP method CONNECT is allowed on :

/
11032 (2) - Web Server Directory Enumeration
Synopsis
It is possible to enumerate directories on the web server.
Description
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
Solution
n/a
Risk Factor
None
References
XREF OWASP:OWASP-CM-006
Plugin Information:
Published: 2002/06/26, Modified: 2015/10/13
Plugin Output

192.168.1.39 (tcp/80)


The following directories were discovered:
/cgi-bin, /error, /icons

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

192.168.1.39 (tcp/443)


The following directories were discovered:
/cgi-bin, /error, /icons

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
11040 (1) - HTTP Reverse Proxy Detection
Synopsis
A transparent or reverse HTTP proxy is running on this port.
Description
This web server is reachable through a reverse HTTP proxy.
Solution
n/a
Risk Factor
None
References
CVE CVE-2007-3008
CVE CVE-2005-3498
CVE CVE-2005-3398
CVE CVE-2004-2320
XREF CWE:79
XREF CWE:200
XREF OSVDB:50485
XREF OSVDB:35511
XREF OSVDB:3726
XREF OSVDB:877
Plugin Information:
Published: 2002/07/02, Modified: 2016/01/07
Plugin Output

192.168.1.39 (tcp/3128)

The GET method revealed those proxies on the way to this web server :
HTTP/1.0 centos6dvwa (squid/3.1.23)
18261 (1) - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
Nessus was able to extract the banner of the Apache web server and determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit 'httpd.conf' and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Published: 2005/05/15, Modified: 2017/03/13
Plugin Output

192.168.1.39 (tcp/0)


The Linux distribution detected was :
- CentOS 6
84502 (1) - HSTS Missing From HTTPS Server
Synopsis
The remote web server is not enforcing HSTS.
Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution
Configure the remote web server to use HSTS.
Risk Factor
None
Plugin Information:
Published: 2015/07/02, Modified: 2015/07/02
Plugin Output

192.168.1.39 (tcp/443)


The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.