0% found this document useful (0 votes)

61 views115 pages

Websitechuyennghiep VN Asx2z7

Uploaded by

Dung Nguyen Hoai

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

61 views115 pages

Websitechuyennghiep VN Asx2z7

Uploaded by

Dung Nguyen Hoai

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 115

s

ial
nt
sse
websitechuyennghiep.vn
sE

Report generated by Nessus™ Sat, 26 Aug 2023 01:54:22 UTC

ssu
Ne
TABLE OF CONTENTS

Vulnerabilities by Host
• 112.213.89.96............................................................................................................................................................. 4

s
ial
nt
sse
sE
ssu
Ne
s
ial
nt
sse
Vulnerabilities by Host
sE
ssu
Ne
112.213.89.96

4 2 4 6 64
CRITICAL HIGH MEDIUM LOW INFO

Host Information

DNS Name: ns8996.dotvndns.vn

IP: 112.213.89.96
OS: Linux Kernel 2.6

s
ial
Vulnerabilities
130276 - PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability.

Synopsis
nt
sse
An application installed on the remote host is affected by a remote code execution vulnerability.

Description
sE

According to its banner, the version of PHP running on the remote web server is prior to 7.1.33, 7.2.x prior
to 7.2.24, or 7.3.x prior to 7.3.11. It is, therefore, affected by a remote code execution vulnerability due to
insufficient validation of user input. An unauthenticated, remote attacker can exploit this, by sending a
specially crafted request, to cause the execution of arbitrary code by breaking the fastcgi_split_path_info
directive.
ssu

See Also

https://www.php.net/ChangeLog-7.php#7.3.11
Ne

https://www.php.net/ChangeLog-7.php#7.2.24
https://www.php.net/ChangeLog-7.php#7.1.33
https://bugs.php.net/bug.php?id=78599

Solution

Upgrade to PHP version 7.3.11 or later.

Risk Factor

High

CVSS v3.0 Base Score

112.213.89.96 4
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v3.0 Temporal Score

9.1 (CVSS:3.0/E:F/RL:O/RC:C)

VPR Score

7.4

CVSS v2.0 Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS v2.0 Temporal Score

6.2 (CVSS2#E:F/RL:OF/RC:C)

STIG Severity

References

CVE CVE-2019-11043
XREF IAVA:2019-A-0399-S
XREF CISA-KNOWN-EXPLOITED:2022/04/15
XREF CEA-ID:CEA-2019-0695

Exploitable With

Metasploit (true)

Plugin Information

Published: 2019/10/25, Modified: 2023/04/25

Plugin Output

tcp/80/www

URL : http://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, http://

ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.1.33

112.213.89.96 5
130276 - PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability.

Synopsis

An application installed on the remote host is affected by a remote code execution vulnerability.

Description

See Also

https://www.php.net/ChangeLog-7.php#7.3.11
https://www.php.net/ChangeLog-7.php#7.2.24
https://www.php.net/ChangeLog-7.php#7.1.33
https://bugs.php.net/bug.php?id=78599

Solution

Upgrade to PHP version 7.3.11 or later.

Risk Factor

High

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v3.0 Temporal Score

9.1 (CVSS:3.0/E:F/RL:O/RC:C)

VPR Score

7.4

CVSS v2.0 Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS v2.0 Temporal Score

6.2 (CVSS2#E:F/RL:OF/RC:C)

112.213.89.96 6
STIG Severity

References

CVE CVE-2019-11043
XREF IAVA:2019-A-0399-S
XREF CISA-KNOWN-EXPLOITED:2022/04/15
XREF CEA-ID:CEA-2019-0695

Exploitable With

Metasploit (true)

Plugin Information

Published: 2019/10/25, Modified: 2023/04/25

Plugin Output

tcp/443/www

URL : https://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, https://

ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.1.33

112.213.89.96 7
58987 - PHP Unsupported Version Detection

Synopsis

The remote host contains an unsupported version of a web application scripting language.

Description

According to its version, the installation of PHP on the remote host is no longer supported.

Lack of support implies that no new security patches for the product will be released by the vendor. As a
result, it is likely to contain security vulnerabilities.

See Also

http://php.net/eol.php
https://wiki.php.net/rfc/releaseprocess

Solution

Upgrade to a version of PHP that is currently supported.

Risk Factor

Critical

CVSS v3.0 Base Score

10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

XREF IAVA:0001-A-0581

Plugin Information

Published: 2012/05/04, Modified: 2022/12/07

Plugin Output

tcp/80/www

Source : X-Powered-By: PHP/5.6.40, http://ns8996.dotvndns.vn/info.php

Installed version : 5.6.40

112.213.89.96 8
End of support date : 2018/12/31
Announcement : http://php.net/supported-versions.php
Supported versions : 8.0.x / 8.1.x

112.213.89.96 9
58987 - PHP Unsupported Version Detection

Synopsis

The remote host contains an unsupported version of a web application scripting language.

Description

According to its version, the installation of PHP on the remote host is no longer supported.

Lack of support implies that no new security patches for the product will be released by the vendor. As a
result, it is likely to contain security vulnerabilities.

See Also

http://php.net/eol.php
https://wiki.php.net/rfc/releaseprocess

Solution

Upgrade to a version of PHP that is currently supported.

Risk Factor

Critical

CVSS v3.0 Base Score

10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

XREF IAVA:0001-A-0581

Plugin Information

Published: 2012/05/04, Modified: 2022/12/07

Plugin Output

tcp/443/www

Source : X-Powered-By: PHP/5.6.40, https://ns8996.dotvndns.vn/info.php

Installed version : 5.6.40

112.213.89.96 10
End of support date : 2018/12/31
Announcement : http://php.net/supported-versions.php
Supported versions : 8.0.x / 8.1.x

112.213.89.96 11
142591 - PHP < 7.3.24 Multiple Vulnerabilities

Synopsis

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of PHP running on the remote web server is
prior to 7.3.24. It is, therefore affected by multiple vulnerabilities

See Also

https://www.php.net/ChangeLog-7.php#7.3.24

Solution

Upgrade to PHP version 7.3.24 or later.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

STIG Severity

References

XREF IAVA:2020-A-0510-S

Plugin Information

Published: 2020/11/06, Modified: 2022/04/11

Plugin Output

tcp/80/www

112.213.89.96 12
URL : http://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, http://
ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.3.24

112.213.89.96 13
142591 - PHP < 7.3.24 Multiple Vulnerabilities

Synopsis

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of PHP running on the remote web server is
prior to 7.3.24. It is, therefore affected by multiple vulnerabilities

See Also

https://www.php.net/ChangeLog-7.php#7.3.24

Solution

Upgrade to PHP version 7.3.24 or later.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

STIG Severity

References

XREF IAVA:2020-A-0510-S

Plugin Information

Published: 2020/11/06, Modified: 2022/04/11

Plugin Output

tcp/443/www

112.213.89.96 14
URL : https://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, https://
ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.3.24

112.213.89.96 15
152853 - PHP < 7.3.28 Email Header Injection

Synopsis

The version of PHP running on the remote web server is affected by an email header injection vulnerability.

Description

According to its self-reported version number, the version of PHP running on the remote web server is
prior to 7.3.28.
It is, therefore affected by an email header injection vulnerability, due to a failure to properly handle CR-
LF sequences in header fields. An unauthenticated, remote attacker can exploit this, by inserting line feed
characters into email headers, to gain full control of email header content.

See Also

https://www.php.net/ChangeLog-7.php#7.3.28

Solution

Upgrade to PHP version 7.3.28 or later.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2021/08/26, Modified: 2022/04/11

Plugin Output

tcp/80/www

URL : http://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, http://

ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.3.28

112.213.89.96 16
152853 - PHP < 7.3.28 Email Header Injection

Synopsis

The version of PHP running on the remote web server is affected by an email header injection vulnerability.

Description

See Also

https://www.php.net/ChangeLog-7.php#7.3.28

Solution

Upgrade to PHP version 7.3.28 or later.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2021/08/26, Modified: 2022/04/11

Plugin Output

tcp/443/www

URL : https://ns8996.dotvndns.vn/ (5.6.40 under X-Powered-By: PHP/5.6.40, https://

ns8996.dotvndns.vn/info.php)
Installed version : 5.6.40
Fixed version : 7.3.28

112.213.89.96 17
11229 - Web Server info.php / phpinfo.php Detection

Synopsis

The remote web server contains a PHP script that is prone to an information disclosure attack.

Description

Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()'
for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a
remote attacker can discover a large amount of information about the remote web server, including :

- The username of the user who installed PHP and if they are a SUDO user.

- The IP address of the host.

- The version of the operating system.

- The web server version.

- The root directory of the web server.

- Configuration information about the remote PHP installation.

Solution

Remove the affected file(s).

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2003/02/12, Modified: 2022/06/01

Plugin Output

tcp/80/www

Nessus discovered the following URL that calls phpinfo() :

112.213.89.96 18
- http://ns8996.dotvndns.vn/info.php

112.213.89.96 19
11229 - Web Server info.php / phpinfo.php Detection

Synopsis

The remote web server contains a PHP script that is prone to an information disclosure attack.

Description

- The username of the user who installed PHP and if they are a SUDO user.

- The IP address of the host.

- The version of the operating system.

- The web server version.

- The root directory of the web server.

- Configuration information about the remote PHP installation.

Solution

Remove the affected file(s).

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2003/02/12, Modified: 2022/06/01

Plugin Output

tcp/443/www

Nessus discovered the following URL that calls phpinfo() :

112.213.89.96 20
- https://ns8996.dotvndns.vn/info.php

112.213.89.96 21
42057 - Web Server Allows Password Auto-Completion

Synopsis

The 'autocomplete' attribute is not disabled on password fields.

Description

The remote web server contains at least one HTML form field that has an input of type 'password' where
'autocomplete' is not set to 'off'.

While this does not represent a risk to this web server per se, it does mean that users who use the
affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of
confidentiality if any of them use a shared host or if their machine is compromised at some point.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

Risk Factor

Low

Plugin Information

Published: 2009/10/07, Modified: 2023/07/17

Plugin Output

tcp/80/www

Page : /webmail/
Destination Page: /webmail/?_task=login

Page : /roundcube/
Destination Page: /roundcube/?_task=login

112.213.89.96 22
42057 - Web Server Allows Password Auto-Completion

Synopsis

The 'autocomplete' attribute is not disabled on password fields.

Description

The remote web server contains at least one HTML form field that has an input of type 'password' where
'autocomplete' is not set to 'off'.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

Risk Factor

Low

Plugin Information

Published: 2009/10/07, Modified: 2023/07/17

Plugin Output

tcp/443/www

Page : /webmail/
Destination Page: /webmail/?_task=login

Page : /roundcube/
Destination Page: /roundcube/?_task=login

112.213.89.96 23
42057 - Web Server Allows Password Auto-Completion

Synopsis

The 'autocomplete' attribute is not disabled on password fields.

Description

The remote web server contains at least one HTML form field that has an input of type 'password' where
'autocomplete' is not set to 'off'.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

Risk Factor

Low

Plugin Information

Published: 2009/10/07, Modified: 2023/07/17

Plugin Output

tcp/2222/www

Page : /
Destination Page: /CMD_LOGIN

Page : /CMD_LOGIN
Destination Page: /CMD_LOGIN

112.213.89.96 24
26194 - Web Server Transmits Cleartext Credentials

Synopsis

The remote web server might transmit credentials in cleartext.

Description

The remote web server contains several HTML form fields containing an input of type 'password' which
transmit their information to a remote web server in cleartext.

An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords
of valid users.

Solution

Make sure that every sensitive form transmits content over HTTPS.

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522
XREF CWE:523
XREF CWE:718
XREF CWE:724
XREF CWE:928
XREF CWE:930

Plugin Information

Published: 2007/09/28, Modified: 2016/11/29

Plugin Output

tcp/80/www

Page : /webmail/
Destination Page: /webmail/?_task=login

Page : /roundcube/
Destination Page: /roundcube/?_task=login

112.213.89.96 25
112.213.89.96 26
26194 - Web Server Transmits Cleartext Credentials

Synopsis

The remote web server might transmit credentials in cleartext.

Description

The remote web server contains several HTML form fields containing an input of type 'password' which
transmit their information to a remote web server in cleartext.

An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords
of valid users.

Solution

Make sure that every sensitive form transmits content over HTTPS.

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522
XREF CWE:523
XREF CWE:718
XREF CWE:724
XREF CWE:928
XREF CWE:930

Plugin Information

Published: 2007/09/28, Modified: 2016/11/29

Plugin Output

tcp/2222/www

Page : /
Destination Page: /CMD_LOGIN

Page : /CMD_LOGIN
Destination Page: /CMD_LOGIN

112.213.89.96 27
112.213.89.96 28
34850 - Web Server Uses Basic Authentication Without HTTPS

Synopsis

The remote web server seems to transmit credentials in cleartext.

Description

The remote web server contains web pages that are protected by 'Basic'
authentication over cleartext.

An attacker eavesdropping the traffic might obtain logins and passwords of valid users.

Solution

Make sure that HTTP authentication is transmitted over HTTPS.

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:319
XREF CWE:928
XREF CWE:930
XREF CWE:934

Plugin Information

Published: 2008/11/21, Modified: 2016/11/29

Plugin Output

tcp/80/www

The following web pages use Basic Authentication over an unencrypted

channel :

/phpMyAdmin/:/ realm="phpMyAdmin localhost"

/phpmyadmin/:/ realm="phpMyAdmin localhost"
/pma/:/ realm="phpMyAdmin localhost"

112.213.89.96 29
48204 - Apache HTTP Server Version

Synopsis

It is possible to obtain the version number of the remote Apache HTTP server.

Description

The remote host is running the Apache HTTP Server, an open source web server. It was possible to read the
version number from the banner.

See Also

https://httpd.apache.org/

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0030
XREF IAVT:0001-T-0530

Plugin Information

Published: 2010/07/30, Modified: 2023/08/17

Plugin Output

tcp/80/www

URL : http://ns8996.dotvndns.vn/
Version : 2
Source : Server: Apache/2
backported : 0

112.213.89.96 30
48204 - Apache HTTP Server Version

Synopsis

It is possible to obtain the version number of the remote Apache HTTP server.

Description

The remote host is running the Apache HTTP Server, an open source web server. It was possible to read the
version number from the banner.

See Also

https://httpd.apache.org/

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0030
XREF IAVT:0001-T-0530

Plugin Information

Published: 2010/07/30, Modified: 2023/08/17

Plugin Output

tcp/443/www

URL : https://ns8996.dotvndns.vn/
Version : 2
Source : Server: Apache/2
backported : 0

112.213.89.96 31
47830 - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidate for extended injection tests.

Description

Nessus was able to to inject innocuous strings into CGI parameters and read them back in the HTTP
response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed up other scripts. The results may be
useful for a human pen-tester.

Solution

n/a

Risk Factor

None

References

XREF CWE:86

Plugin Information

Published: 2010/07/26, Modified: 2021/01/19

Plugin Output

tcp/80/www

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to injectable parameter :

+ The '_action' parameter of the /webmail/ CGI :

/webmail/?_action=%00kpdesm

-------- output --------

*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"login","x_frame_options":"sameorigin","standard_
windows":false,"locale":"en_US","devel_mode":null,"cookie_domain":"","co
okie_path":"\/","cookie_secure":false,"skin":"larry","refresh_interval":
60,"session_lifetime":600,"action":"kpdesm","comm_path":".\/?_task=login
","compose_extwin":false,"date_format":"yy-mm-dd","request_token":"Bm3Lr
Tl8rfhf6fB22VZHfxm9sAx8qVyD"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Err [...]

112.213.89.96 32
rcmail.gui_container("loginfooter","bottomline");
------------------------

+ The '_action' parameter of the /roundcube/ CGI :

/roundcube/?_action=%00kpdesm

-------- output --------

*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"login","x_frame_options":"sameorigin","standard_
windows":false,"locale":"en_US","devel_mode":null,"cookie_domain":"","co
okie_path":"\/","cookie_secure":false,"skin":"larry","refresh_interval":
60,"session_lifetime":600,"action":"kpdesm","comm_path":".\/?_task=login
","compose_extwin":false,"date_format":"yy-mm-dd","request_token":"mnS97
zMFT9ZxHJlJeombx7XAcrHDcTod"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Err [...]
rcmail.gui_container("loginfooter","bottomline");
------------------------

Clicking directly on these URLs should exhibit the issue :

(you will probably need to read the HTML source)

http://ns8996.dotvndns.vn/webmail/?_action=%00kpdesm
http://ns8996.dotvndns.vn/roundcube/?_action=%00kpdesm

112.213.89.96 33
47830 - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidate for extended injection tests.

Description

Nessus was able to to inject innocuous strings into CGI parameters and read them back in the HTTP
response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed up other scripts. The results may be
useful for a human pen-tester.

Solution

n/a

Risk Factor

None

References

XREF CWE:86

Plugin Information

Published: 2010/07/26, Modified: 2021/01/19

Plugin Output

tcp/443/www

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to injectable parameter :

+ The '_action' parameter of the /webmail/ CGI :

/webmail/?_action=%00kpdesm

-------- output --------

*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"login","x_frame_options":"sameorigin","standard_
windows":false,"locale":"en_US","devel_mode":null,"cookie_domain":"","co
okie_path":"\/","cookie_secure":true,"skin":"larry","refresh_interval":6
0,"session_lifetime":600,"action":"kpdesm","comm_path":".\/?_task=login"
,"compose_extwin":false,"date_format":"yy-mm-dd","request_token":"PbKuk7
rTjFU8iYuP7VSYiUDeM0THU7Xf"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Err [...]

112.213.89.96 34
rcmail.gui_container("loginfooter","bottomline");
------------------------

+ The '_action' parameter of the /roundcube/ CGI :

/roundcube/?_action=%00kpdesm

-------- output --------

*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"login","x_frame_options":"sameorigin","standard_
windows":false,"locale":"en_US","devel_mode":null,"cookie_domain":"","co
okie_path":"\/","cookie_secure":true,"skin":"larry","refresh_interval":6
0,"session_lifetime":600,"action":"kpdesm","comm_path":".\/?_task=login"
,"compose_extwin":false,"date_format":"yy-mm-dd","request_token":"blR5Ey
ecOtkOiEAMw6kiFnnjU39Gp1fL"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Err [...]
rcmail.gui_container("loginfooter","bottomline");
------------------------

Clicking directly on these URLs should exhibit the issue :

(you will probably need to read the HTML source)

https://ns8996.dotvndns.vn/webmail/?_action=%00kpdesm
https://ns8996.dotvndns.vn/roundcube/?_action=%00kpdesm

112.213.89.96 35
47830 - CGI Generic Injectable Parameter

Synopsis

Some CGIs are candidate for extended injection tests.

Description

Nessus was able to to inject innocuous strings into CGI parameters and read them back in the HTTP
response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed up other scripts. The results may be
useful for a human pen-tester.

Solution

n/a

Risk Factor

None

References

XREF CWE:86

Plugin Information

Published: 2010/07/26, Modified: 2021/01/19

Plugin Output

tcp/2222/www

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to injectable parameter :

+ The 'password' parameter of the /CMD_LOGIN CGI :

/CMD_LOGIN?password=%00kpdesm

-------- output --------

<td class=listtitle colspan=2>Please enter your Username and Passw [...]
<form action="/CMD_LOGIN" method="POST" name="form">
<input type=hidden name=referer value="/CMD_LOGIN?password=&
#37;00kpdesm">
<tr><td class=list align=right>Username:</td><td class=list><input [...]
<tr><td class=list align=right>Password:</td><td class=list><input [...]
------------------------

Clicking directly on these URLs should exhibit the issue :

112.213.89.96 36
(you will probably need to read the HTML source)

http://ns8996.dotvndns.vn:2222/CMD_LOGIN?password=%00kpdesm

112.213.89.96 37
33817 - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests,
depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual
tests.

Note that the script does not try to compute this duration based on external factors such as the network
and web servers loads.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/10/26, Modified: 2022/04/11

Plugin Output

tcp/80/www

Here are the estimated number of requests in miscellaneous modes

for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

on site request forgery : S=2 SP=2 AP=2 SC=2 AC=2

SQL injection : S=336 SP=336 AP=1200 SC=0

AC=2112
unseen parameters : S=490 SP=490 AP=1750 SC=0
AC=3080
local file inclusion : S=14 SP=14 AP=50 SC=0 AC=88

web code injection : S=14 SP=14 AP=50 SC=0 AC=88

XML injection : S=14 SP=14 AP=50 SC=0 AC=88

format string : S=28 SP=28 AP=100 SC=0

AC=176
script injection : S=2 SP=2 AP=2 SC=2 AC=2

cross-site scripting (comprehensive test): S=56 SP=56 AP=200 SC=0

AC=352

112.213.89.96 38
injectable parameter : S=28 SP=28 AP=100 SC=0
AC=176
cross-site scripting (extended patterns) : S=12 SP=12 AP=12 SC=12 AC=12

directory traversal (write access) : S=28 SP=28 AP=100 SC=0

AC=176
SSI injection : S=42 SP=42 AP=150 SC=0
AC=264
header injection : S=4 SP=4 AP=4 SC=4 AC=4

HTML injection : S=10 SP=10 AP=10 SC=10 AC=10

directory traversal : S=350 SP=350 AP=1250 SC=0

AC=2200
arbitrary command execution (time based) : S=84 SP=84 AP=300 SC=0
AC=528
persistent XSS [...]

112.213.89.96 39
33817 - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests,
depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual
tests.

Note that the script does not try to compute this duration based on external factors such as the network
and web servers loads.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/10/26, Modified: 2022/04/11

Plugin Output

tcp/443/www

Here are the estimated number of requests in miscellaneous modes

for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

cross-site scripting (comprehensive test): S=56 SP=56 AP=200 SC=0

AC=352
persistent XSS : S=56 SP=56 AP=200 SC=0
AC=352
arbitrary command execution : S=224 SP=224 AP=800 SC=0
AC=1408
web code injection : S=14 SP=14 AP=50 SC=0 AC=88

script injection : S=2 SP=2 AP=2 SC=2 AC=2

HTML injection : S=10 SP=10 AP=10 SC=10 AC=10

arbitrary command execution (time based) : S=84 SP=84 AP=300 SC=0

AC=528
XML injection : S=14 SP=14 AP=50 SC=0 AC=88

unseen parameters : S=490 SP=490 AP=1750 SC=0

AC=3080

112.213.89.96 40
directory traversal (write access) : S=28 SP=28 AP=100 SC=0
AC=176
SQL injection (2nd order) : S=14 SP=14 AP=50 SC=0 AC=88

on site request forgery : S=2 SP=2 AP=2 SC=2 AC=2

blind SQL injection (4 requests) : S=56 SP=56 AP=200 SC=0

AC=352
HTTP response splitting : S=18 SP=18 AP=18 SC=18 AC=18

directory traversal (extended test) : S=714 SP=714 AP=2550 SC=0

AC=4488
header injection : S=4 SP=4 AP=4 SC=4 AC=4

injectable parameter : S=28 SP=28 AP=100 SC=0

AC=176
local file inclusion [...]

112.213.89.96 41
33817 - CGI Generic Tests Load Estimation (all tests)

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests,
depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual
tests.

Note that the script does not try to compute this duration based on external factors such as the network
and web servers loads.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/10/26, Modified: 2022/04/11

Plugin Output

tcp/2222/www

Here are the estimated number of requests in miscellaneous modes

for one method only (GET or POST) :
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

cross-site scripting (extended patterns) : S=6 SP=6 AP=6 SC=6 AC=6

web code injection : S=3 SP=3 AP=7 SC=0 AC=8

HTTP response splitting : S=9 SP=9 AP=9 SC=9 AC=9

SQL injection (2nd order) : S=3 SP=3 AP=7 SC=0 AC=8

directory traversal : S=75 SP=75 AP=175 SC=0

AC=200
persistent XSS : S=12 SP=12 AP=28 SC=0 AC=32

cross-site scripting (comprehensive test): S=12 SP=12 AP=28 SC=0 AC=32

header injection : S=2 SP=2 AP=2 SC=2 AC=2

unseen parameters : S=105 SP=105 AP=245 SC=0

AC=280

112.213.89.96 42
HTML injection : S=5 SP=5 AP=5 SC=5 AC=5

directory traversal (extended test) : S=153 SP=153 AP=357 SC=0

AC=408
local file inclusion : S=3 SP=3 AP=7 SC=0 AC=8

directory traversal (write access) : S=6 SP=6 AP=14 SC=0 AC=16

on site request forgery : S=1 SP=1 AP=1 SC=1 AC=1

blind SQL injection (4 requests) : S=12 SP=12 AP=28 SC=0 AC=32

arbitrary command execution : S=48 SP=48 AP=112 SC=0

AC=128
format string : S=6 SP=6 AP=14 SC=0 AC=16

SSI injection [...]

112.213.89.96 43
84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP

"Strict-Transport-Security" header.

112.213.89.96 44
69826 - HTTP Cookie 'secure' Property Transport Mismatch

Synopsis

The remote web server sent out a cookie with a secure property that does not match the transport on
which it was sent.

Description

The remote web server sends out cookies to clients with a 'secure'
property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur
in two forms :

1. The cookie is sent over HTTP, but has the 'secure'

property set, indicating that it should only be sent over a secure, encrypted transport such as HTTPS.
This should not happen.

2. The cookie is sent over HTTPS, but has no 'secure'

property set, indicating that it may be sent over both HTTP and HTTPS transports. This is common, but care
should be taken to ensure that the 'secure' property not being set is deliberate.

See Also

https://tools.ietf.org/html/rfc6265

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/09/10, Modified: 2021/12/20

Plugin Output

tcp/80/www

The following cookies have the 'secure' property enabled, despite being served over HTTP :

Domain :
Path : /phpMyAdmin/
Name : pmaCookieVer
Value : 5
Secure : true
HttpOnly : true

112.213.89.96 45
Domain :
Path : /phpmyadmin/
Name : pmaCookieVer
Value : 5
Secure : true
HttpOnly : true

Domain :
Path : /pma/
Name : pmaCookieVer
Value : 5
Secure : true
HttpOnly : true

Domain :
Path : /phpMyAdmin/
Name : pma_collation_connection
Value : utf8mb4_unicode_ci
Secure : true
HttpOnly : true

Domain :
Path : /phpmyadmin/
Name : pma_collation_connection
Value : utf8mb4_unicode_ci
Secure : true
HttpOnly : true

Domain :
Path : /pma/
Name : pma_collation_connection
Value : utf8mb4_unicode_ci
Secure : true
HttpOnly : true

Domain :
Path : /phpMyAdmin/
Name : pma_lang
Value : en
Secure : true
HttpOnly : true

Domain :
Path : /phpmyadmin/
Name : pma_lang
Value : en
Secure : true
HttpOnly : true

Domain :
Path : /pma/
Name : pma_lang
Value : en
Secure : true
HttpOnly : true

Domain :
Path : /
Name : roundcube_sessid
Value : 7tb1n2dhjjf26reed31funobp1
Secure : true
HttpOnly : true

112.213.89.96 46
69826 - HTTP Cookie 'secure' Property Transport Mismatch

Synopsis

The remote web server sent out a cookie with a secure property that does not match the transport on
which it was sent.

Description

The remote web server sends out cookies to clients with a 'secure'
property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur
in two forms :

1. The cookie is sent over HTTP, but has the 'secure'

property set, indicating that it should only be sent over a secure, encrypted transport such as HTTPS.
This should not happen.

2. The cookie is sent over HTTPS, but has no 'secure'

property set, indicating that it may be sent over both HTTP and HTTPS transports. This is common, but care
should be taken to ensure that the 'secure' property not being set is deliberate.

See Also

https://tools.ietf.org/html/rfc6265

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/09/10, Modified: 2021/12/20

Plugin Output

tcp/443/www

The following cookies do not have the 'secure' property enabled, despite being served over HTTPS :

Domain :
Path : /phpMyAdmin/
Name : phpMyAdmin
Value : 7cn1ai334b3mclmva93odmna42qoln8g
Secure : false
HttpOnly : true

112.213.89.96 47
Domain :
Path : /phpmyadmin/
Name : phpMyAdmin
Value : vua9ris6d9sn3e49pth9s7ckbtjt5vi3
Secure : false
HttpOnly : true

Domain :
Path : /pma/
Name : phpMyAdmin
Value : nj0pk32vkpsn8tor172n7jn9gisss0oo
Secure : false
HttpOnly : true

112.213.89.96 48
69826 - HTTP Cookie 'secure' Property Transport Mismatch

Synopsis

The remote web server sent out a cookie with a secure property that does not match the transport on
which it was sent.

Description

The remote web server sends out cookies to clients with a 'secure'
property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur
in two forms :

1. The cookie is sent over HTTP, but has the 'secure'

property set, indicating that it should only be sent over a secure, encrypted transport such as HTTPS.
This should not happen.

2. The cookie is sent over HTTPS, but has no 'secure'

property set, indicating that it may be sent over both HTTP and HTTPS transports. This is common, but care
should be taken to ensure that the 'secure' property not being set is deliberate.

See Also

https://tools.ietf.org/html/rfc6265

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/09/10, Modified: 2021/12/20

Plugin Output

tcp/2222/www

The following cookies have the 'secure' property enabled, despite being served over HTTP :

Domain :
Path : /phpMyAdmin/
Name : pmaCookieVer
Value : 5
Secure : true
HttpOnly : true

112.213.89.96 49
Domain :
Path : /phpmyadmin/
Name : pmaCookieVer
Value : 5
Secure : true
HttpOnly : true