OWASP Top 10 2017 HTTP Sisacademico Umsa Edu Bo

OWASP TOP 10 2017

Compliance Report

2025-07-23

Generated by Acunetix

Description

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about
the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to
protect against these high risk problem areas - and also provides guidance on where to go from here.

Disclaimer

This document or any of its content cannot account for, or be included in any form of legal advice. The outcome of a
vulnerability scan (or security evaluation) should be utilized to ensure that diligent measures are taken to lower the risk of
potential exploits carried out to compromise data.

Legal advice must be supplied according to its legal context. All laws and the environments in which they are applied, are
constantly changed and revised. Therefore no information provided in this document may ever be used as an alternative to
a qualified legal body or representative.

A portion of this report is taken from OWASP's Top Ten 2017 Project document, which can be found at http://www.owasp.org.

Scan
URL sisacademico.umsa.edu.bo
Scan date 2025-07-21T00:28:51.641339-04:00
Duration 1 minutes, 21 seconds
Profile Full Scan

Compliance at a Glance

This section of the report is a summary and lists the number of alerts found according to individual compliance categories.

- Injection(A1)
Total number of alerts in this category: 2

- Broken Authentication(A2)
Total number of alerts in this category: 1

- Sensitive Data Exposure(A3)


Total number of alerts in this category: 8

- XML External Entity (XXE)(A4)


No alerts in this category

- Broken Access Control(A5)


Total number of alerts in this category: 1

- Security Misconfiguration(A6)
Total number of alerts in this category: 6

- Cross Site Scripting (XSS)(A7)


No alerts in this category

- Insecure Deserialization(A8)
No alerts in this category

- Using Components with Known Vulnerabilities(A9)


Total number of alerts in this category: 4

- Insufficient Logging and Monitoring(A10)


No alerts in this category

Compliance According to Categories: A Detailed Report

This section is a detailed report that explains each vulnerability found according to individual compliance categories.

(A1)Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.

Total number of alerts in this category: 2

Alerts in this category

SQL injection

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-89
Affected item /mi/login/login1.do
Affected parameter clave
Variants 1␀À§À¢%2527%2522

SQL injection

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-89
Affected item /mi/login/login1.do
Affected parameter id_usuario
Variants 1␀À§À¢%2527%2522
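Both alerts above point at the same login handler: the scanner injected a single and a double quote into clave and into id_usuario (the %2527%2522 variant is `'"` after two rounds of URL decoding) and the database answered with an error, which is the signature of a query assembled by string concatenation. The example below is added here and is not part of the Acunetix report or of the UMSA application; it uses an in-memory SQLite table whose name and columns are assumptions, and shows the concatenated query that produces that error next to the parameterized form that does not, together with a scanner-style probe and a tautology bypass run against both.

```python
import sqlite3

# Constructed stand-in for the table behind /mi/login/login1.do. The real
# schema is not in the report; table and column names are assumptions, and
# passwords are stored in clear only to keep the stand-in short (real code
# compares a password hash).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE usuarios (id_usuario TEXT PRIMARY KEY, clave TEXT)")
_conn.execute("INSERT INTO usuarios VALUES ('alice', 'Wonderland!'), ('bob', 'hunter2')")
_conn.commit()


def login_vulnerable(id_usuario: str, clave: str) -> bool:
    """Builds the statement by concatenation: both parameters are parsed as
    SQL, which is the defect CWE-89 describes."""
    sql = ("SELECT id_usuario FROM usuarios WHERE id_usuario = '" + id_usuario
           + "' AND clave = '" + clave + "'")
    return _conn.execute(sql).fetchone() is not None


def login_parameterized(id_usuario: str, clave: str) -> bool:
    """Same lookup with bound parameters: values travel separately from the
    statement text, so quotes inside them are data, never syntax."""
    sql = "SELECT id_usuario FROM usuarios WHERE id_usuario = ? AND clave = ?"
    return _conn.execute(sql, (id_usuario, clave)).fetchone() is not None


def probe(handler, field: str) -> str:
    """Error-based check in the style of the report's 1'" variant: put an
    unbalanced quote pair into one field and see whether the database
    rejects the statement. Returns 'error' (injectable) or 'ok'."""
    args = {"id_usuario": "x", "clave": "x"}
    args[field] = "1'\""
    try:
        handler(args["id_usuario"], args["clave"])
    except sqlite3.DatabaseError:
        return "error"
    return "ok"


def bypass_attempts() -> tuple:
    """Classic tautology in both fields; returns
    (vulnerable_handler_result, parameterized_handler_result)."""
    payload = "' OR '1'='1"
    return login_vulnerable(payload, payload), login_parameterized(payload, payload)
```

The probe reports "error" for the concatenating handler on either field and "ok" for the parameterized one, and the tautology logs in only through the concatenating handler. Parameterizing the two queries named in the alerts is the fix; input filtering on clave and id_usuario is not a substitute.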

(A2)Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing
attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other
users' identities.

Total number of alerts in this category: 1

Alerts in this category

Unencrypted connection (verified)

This scan target was connected to over an unencrypted connection. A potential attacker can intercept and modify data sent
and received from this site.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 9.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-310
Affected item Web Server
Affected parameter

(A3)Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers
may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data
may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when
exchanged with the browser.

Total number of alerts in this category: 8

Alerts in this category

Apache JServ protocol service

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an
application server that sits behind the web server. It is not recommended to have AJP services publicly accessible on the
internet. If AJP is misconfigured it could allow an attacker to access internal resources. On Tomcat the connector should be
disabled unless a front-end web server actually uses it, and otherwise bound to a loopback or internal address and protected
with the connector's secret attribute.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

Application error messages

This alert requires manual confirmation

Acunetix found one or more error/warning messages. Application error or warning messages may expose sensitive
information about an application's internal workings to an attacker.
These messages may also contain the location of the file that produced an unhandled exception.
Consult the 'Attack details' section for more information about the affected page(s).

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-200
Affected item Web Server
Affected parameter

Directory listings (verified)

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website
directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-538
Affected item Web Server
Affected parameter

Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28

List of vulnerabilities that were fixed in PHP versions 5.5.12 and 5.4.28:

Core:

Fixed bug #61019 (Out of memory on command stream_get_contents).


Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67043 (substr_compare broke by previous change).

cURL:

Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).

Date:

Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).

Embed:

Fixed bug #65715 (php5embed.lib isn't provided anymore).

Fileinfo:

Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).

FPM:

Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).


Fixed bug #67060 (possible privilege escalation due to insecure default configuration) (CVE-2014-0185).

Json:

Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).

LDAP:

Fixed issue with null bytes in LDAP bindings.

mysqli:

Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack
of escaping).

Openssl:

Fixed bug #66942 (memory leak in openssl_seal()).


Fixed bug #66952 (memory leak in openssl_open()).

SimpleXML:

Fixed bug #66084 (simplexml_load_string() mangles empty node name).

SQLite:

Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3)

XSL:

Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://")

Apache2 Handler SAPI:

Fixed Apache log issue caused by APR's lack of support for %zu (APR issue
https://issues.apache.org/bugzilla/show_bug.cgi?id=56120)

CVSS3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVE CVE-2014-0185
CWE CWE-16
Affected item Web Server
Affected parameter
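The alert above comes from the version string the server advertises (typically a Server or X-Powered-By header), not from exercising any of the listed bugs. The following check is added here and is not from the report or from Acunetix; it spells out the logic such a banner comparison implies: 5.4.x below 5.4.28 and 5.5.x below 5.5.12 lack the fixes, branches older than 5.4 never received them, and later branches were cut after them. The header values it parses are constructed.

```python
import re

# Branch -> first release containing the fixes listed above.
FIXED_IN = {(5, 4): (5, 4, 28), (5, 5): (5, 5, 12)}
OLDEST_FIXED_BRANCH = (5, 4)


def parse_php_version(banner: str):
    """Pull (major, minor, patch) out of a banner such as 'PHP/5.4.27' or
    'Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4'. Returns None if the banner
    does not advertise PHP at all."""
    m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def lacks_fix(version: tuple) -> bool:
    """True when the advertised version predates the fixed release of its branch."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # 5.3 and earlier never got the fix; 5.6, 7.x and 8.x were released after it.
    return branch < OLDEST_FIXED_BRANCH


def assess(headers: dict) -> str:
    """'vulnerable', 'patched', or 'unknown' when no PHP banner is present
    (in which case a banner-based scanner has nothing to go on)."""
    for name in ("X-Powered-By", "Server"):
        version = parse_php_version(headers.get(name, ""))
        if version:
            return "vulnerable" if lacks_fix(version) else "patched"
    return "unknown"


# Constructed headers, not captured from the scanned host.
SAMPLE_OLD = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.9-1ubuntu4"}
SAMPLE_SILENT = {"Server": "Apache"}
```

Two caveats before treating such a hit as confirmed: distribution packages backport security fixes without changing the advertised version (an Ubuntu "5.5.9-1ubuntu4.x" may already contain them), so the package changelog is the authority, and the single CVE in the list, CVE-2014-0185, concerns the default php-fpm socket permissions and only applies if PHP runs under FPM.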

Source code disclosures

One or more pages disclosing source code were found. This check uses pattern matching to determine whether server-side
tags appear in the file. In some cases this alert may generate false positives.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-538
Affected item Web Server
Affected parameter
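The "Application error messages", "Directory listings" and "Source code disclosures" alerts above are all content checks: the scanner matches response bodies against signatures, which is why one is marked verified and the other two ask for manual confirmation. The classifier below is added here and is not the report's or Acunetix's code; the signature set is an illustrative assumption (the product's real patterns are not published in the report) and the response bodies it runs over are constructed.

```python
import re

# Signature sets for the three pattern-matching checks. Assumed, illustrative
# patterns covering Apache/IIS listings, PHP/JSP source and common PHP, Java
# and database error formats.
SIGNATURES = {
    "Directory listings": [
        re.compile(r"<title>\s*Index of /", re.I),        # Apache/nginx autoindex
        re.compile(r"\[To Parent Directory\]", re.I),     # IIS directory browsing
    ],
    "Source code disclosures": [
        re.compile(r"<\?php\b"),                          # raw PHP reached the client
        re.compile(r"<%@\s*page\b|<jsp:"),                # JSP directive / tag
    ],
    "Application error messages": [
        re.compile(r"\b(?:Fatal error|Warning|Notice):\s+.*?\bin\s+\S+\.php\b", re.I),
        re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),  # Java stack frame
        re.compile(r"\bORA-\d{5}\b|\bSQLSTATE\[\w+\]"),    # Oracle / PDO errors
    ],
}

# Findings the report itself marks as needing a human look.
MANUAL_CONFIRMATION = {"Application error messages", "Source code disclosures"}


def classify(body: str) -> list:
    """Sorted names of every check with at least one signature hit in the body."""
    return sorted(name for name, patterns in SIGNATURES.items()
                  if any(p.search(body) for p in patterns))


def triage(body: str) -> list:
    """Pair each hit with 'verified' or 'manual', mirroring the report's labels."""
    return [(name, "manual" if name in MANUAL_CONFIRMATION else "verified")
            for name in classify(body)]


# Constructed sample bodies (not captured from the scanned host).
SAMPLE_LISTING = ("<html><head><title>Index of /mi/</title></head>"
                  "<body><h1>Index of /mi/</h1><a href=\"login/\">login/</a></body></html>")
SAMPLE_PHP_LEAK = "<?php\n$db = new mysqli('localhost', 'app', 's3cret');\n?>\n<html>"
SAMPLE_PHP_ERROR = ("Warning: mysqli_connect(): (HY000/1045): Access denied for user "
                    "'app'@'localhost' in /var/www/app/db.php on line 12")
SAMPLE_JAVA_ERROR = ("java.lang.NullPointerException\n"
                     "\tat com.example.LoginAction.execute(LoginAction.java:42)")
SAMPLE_CLEAN = "<html><body><h1>Sistema Academico</h1><p>Bienvenido</p></body></html>"
```

The source-disclosure and error-message hits are flagged "manual" because the same strings appear legitimately in documentation pages and in HTML-escaped code samples; before reporting them, open the page and check that the tag or stack frame is raw server output rather than displayed text.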

Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed
to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is
not embedded into other sites.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CVSS2
Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-693
Affected item Web Server
Affected parameter

Content Security Policy (CSP) not implemented

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header
is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define
lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP
header could look like the following:

Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing
from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

Password type input with auto-complete enabled

When a new name and password are entered in a form and the form is submitted, the browser asks whether the password should
be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the
name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-200
Affected item Web Server
Affected parameter

(A4)XML External Entity (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External
entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote
code execution, and denial of service attacks.

No alerts in this category.

(A5)Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these
flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify
other users' data, change access rights, etc.

Total number of alerts in this category: 1

Alerts in this category

Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed
to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is
not embedded into other sites.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CVSS2
Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-693
Affected item Web Server
Affected parameter

(A6)Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations,
incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages
containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely
configured, but they must be patched and upgraded in a timely fashion.

Total number of alerts in this category: 6

Alerts in this category

Apache JServ protocol service

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an
application server that sits behind the web server. It is not recommended to have AJP services publicly accessible on the
internet. If AJP is misconfigured it could allow an attacker to access internal resources. On Tomcat the connector should be
disabled unless a front-end web server actually uses it, and otherwise bound to a loopback or internal address and protected
with the connector's secret attribute.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

Directory listings (verified)

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website
directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-538
Affected item Web Server
Affected parameter

Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28

List of vulnerabilities that were fixed in PHP versions 5.5.12 and 5.4.28:

Core:

Fixed bug #61019 (Out of memory on command stream_get_contents).


Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67043 (substr_compare broke by previous change).

cURL:

Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).

Date:

Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).

Embed:

Fixed bug #65715 (php5embed.lib isn't provided anymore).

Fileinfo:

Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).

FPM:

Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).


Fixed bug #67060 (possible privilege escalation due to insecure default configuration) (CVE-2014-0185).

Json:

Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).

LDAP:

Fixed issue with null bytes in LDAP bindings.

mysqli:

Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack
of escaping).

Openssl:

Fixed bug #66942 (memory leak in openssl_seal()).


Fixed bug #66952 (memory leak in openssl_open()).

SimpleXML:

Fixed bug #66084 (simplexml_load_string() mangles empty node name).

SQLite:

Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3)

XSL:

Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://")

Apache2 Handler SAPI:

Fixed Apache log issue caused by APR's lack of support for %zu (APR issue
https://issues.apache.org/bugzilla/show_bug.cgi?id=56120)

CVSS3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVE CVE-2014-0185
CWE CWE-16
Affected item Web Server
Affected parameter

Content Security Policy (CSP) not implemented

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header
is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define
lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP
header could look like the following:

Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing
from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

Insecure Referrer Policy

Referrer Policy controls the behaviour of the Referer header, which indicates the origin or web page URL the request was
made from. The web application uses an insecure Referrer Policy configuration that may leak users' information to third-party
sites.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

No HTTP Redirection

It was detected that your web application uses HTTP protocol, but doesn't automatically redirect users to HTTPS.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter
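Four of the findings in this report ("Clickjacking: X-Frame-Options header missing", "Content Security Policy (CSP) not implemented", "Insecure Referrer Policy" and "No HTTP Redirection", the last one being the header-level face of the "Unencrypted connection" alert under A2) are decided purely from the status line and headers of a response. The auditor below is added here and is not the report's or Acunetix's code; it parses a raw response, applies those four checks, and is run over constructed weak and hardened responses. Which Referrer-Policy values count as safe is an assumption of this example, and it also accepts a CSP frame-ancestors directive in place of X-Frame-Options, which the report does not mention.

```python
# Constructed responses (not captured from the scanned host). The hardened
# ones show one acceptable configuration, not the only one.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
             "<html><body>login form</body></html>")
HARDENED_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://sisacademico.umsa.edu.bo/\r\nContent-Length: 0\r\n\r\n")
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Content-Security-Policy: default-src 'self'; "
                  "script-src 'self' https://code.jquery.com; frame-ancestors 'none'\r\n"
                  "X-Frame-Options: DENY\r\n"
                  "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n"
                  "<html><body>login form</body></html>")

# Referrer-Policy values that never send the full URL to another origin
# (assumed safe set for this example).
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
REDIRECT_CODES = {301, 302, 307, 308}


def parse_response(raw: str) -> tuple:
    """Split a raw HTTP/1.1 response into (status_code, headers). Header names
    are lower-cased so lookups are case-insensitive; the body is dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(scheme: str, raw: str) -> list:
    """Sorted finding titles (as worded in the report) that apply to this
    response; `scheme` is the scheme the request went over, 'http' or 'https'."""
    status, h = parse_response(raw)
    findings = []
    if scheme == "http":
        location = h.get("location", "").lower()
        if status in REDIRECT_CODES and location.startswith("https://"):
            return []   # the plain-HTTP listener exists only to bounce to TLS
        findings.append("No HTTP Redirection")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content Security Policy (CSP) not implemented")
    xfo = h.get("x-frame-options", "").upper()
    # CSP frame-ancestors is the modern replacement for X-Frame-Options.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Clickjacking: X-Frame-Options header missing")
    # Referrer-Policy may list comma-separated fallbacks; browsers use the last
    # value they understand, so the last one is the effective policy here.
    policy = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append("Insecure Referrer Policy")
    return sorted(findings)
```

Running audit("http", WEAK_HTTP) reproduces all four findings, audit("http", HARDENED_HTTP) and audit("https", HARDENED_HTTPS) return nothing. A missing Referrer-Policy is flagged as well, because the browser default still sends the full URL to other HTTPS origins; tighten the assumed safe set if the application needs the path in cross-origin referrers.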

(A7)Cross Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping,
or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS
allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the
user to malicious sites.

No alerts in this category.

(A8)Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code
execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

No alerts in this category.

(A9)Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a
vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using
components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and
impacts.

Total number of alerts in this category: 4

Alerts in this category

Apache JServ protocol service

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an
application server that sits behind the web server. It is not recommended to have AJP services publicly accessible on the
internet. If AJP is misconfigured it could allow an attacker to access internal resources. On Tomcat the connector should be
disabled unless a front-end web server actually uses it, and otherwise bound to a loopback or internal address and protected
with the connector's secret attribute.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-16
Affected item Web Server
Affected parameter

Directory listings (verified)

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website
directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-538
Affected item: Web Server
Affected parameter:

Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28

List of vulnerabilities that were fixed in PHP versions 5.5.12 and 5.4.28:

Core:

Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67043 (substr_compare broke by previous change).

cURL:

Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).

Date:

Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).

Embed:

Fixed bug #65715 (php5embed.lib isn't provided anymore).

Fileinfo:

Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).

FPM:

Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #67060 (possible privilege escalation due to insecure default configuration) (CVE-2014-0185).

Json:

Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).

LDAP:

Fixed issue with null bytes in LDAP bindings.

mysqli:

Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping).

Openssl:

Fixed bug #66942 (memory leak in openssl_seal()).
Fixed bug #66952 (memory leak in openssl_open()).

SimpleXML:

Fixed bug #66084 (simplexml_load_string() mangles empty node name).

SQLite:

Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).

XSL:

Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").

Apache2 Handler SAPI:

Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).

CVSS3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVE: CVE-2014-0185
CWE: CWE-16
Affected item: Web Server
Affected parameter:

Content Security Policy (CSP) not implemented

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header
is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define
lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP
header could look like the following:

Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP), as the CSP header is missing
from the response. It's recommended to implement Content Security Policy (CSP) in your web application.

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Affected item: Web Server
Affected parameter:

(A10) Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers
to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach
studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes
or monitoring.

No alerts in this category.

Affected Items: A Detailed Report

This section provides full details of the types of vulnerabilities found according to individual affected items.

/mi/login/login1.do

SQL injection

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.

This alert belongs to the following categories: A1

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-89
Parameter: clave
Variants: 1␀À§À¢%2527%2522

SQL injection

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.

This alert belongs to the following categories: A1

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-89
Parameter: id_usuario
Variants: 1␀À§À¢%2527%2522

Web Server

Apache JServ protocol service

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an
application server that sits behind the web server. It's not recommended to have AJP services publicly accessible on the
internet. If AJP is misconfigured, it could allow an attacker access to internal resources.

This alert belongs to the following categories: A3, A6, A9

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter:
Variants:

Application error messages

This alert requires manual confirmation

Acunetix found one or more error/warning messages. Application error or warning messages may expose sensitive
information about an application's internal workings to an attacker.
These messages may also contain the location of the file that produced an unhandled exception.
Consult the 'Attack details' section for more information about the affected page(s).

This alert belongs to the following categories: A3

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-200
Parameter:
Variants:

Directory listings (verified)

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website
directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

This alert belongs to the following categories: A3, A6, A9

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-538
Parameter:
Variants:

Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28

List of vulnerabilities that were fixed in PHP versions 5.5.12 and 5.4.28:

Core:

Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67043 (substr_compare broke by previous change).

cURL:

Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).

Date:

Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).

Embed:

Fixed bug #65715 (php5embed.lib isn't provided anymore).

Fileinfo:

Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).

FPM:

Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #67060 (possible privilege escalation due to insecure default configuration) (CVE-2014-0185).

Json:

Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).

LDAP:

Fixed issue with null bytes in LDAP bindings.

mysqli:

Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping).

Openssl:

Fixed bug #66942 (memory leak in openssl_seal()).
Fixed bug #66952 (memory leak in openssl_open()).

SimpleXML:

Fixed bug #66084 (simplexml_load_string() mangles empty node name).

SQLite:

Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).

XSL:

Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").

Apache2 Handler SAPI:

Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).

This alert belongs to the following categories: A3, A6, A9

CVSS3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CVE: CVE-2014-0185
CWE: CWE-16
Parameter:
Variants:

Source code disclosures

One or more pages disclosing source code were found. This check uses pattern matching to determine whether server-side
tags are present in the file. In some cases this alert may generate false positives.

This alert belongs to the following categories: A3

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-538
Parameter:
Variants:

30
Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed
to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is
not embedded into other sites.

This alert belongs to the following categories: A3, A5

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

CVSS2
Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-693
Parameter:
Variants:

Unencrypted connection (verified)

This scan target was connected to over an unencrypted connection. A potential attacker can intercept and modify data sent
and received from this site.

This alert belongs to the following categories: A2

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 9.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CVSS2
Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-310
Parameter:
Variants:

Content Security Policy (CSP) not implemented

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header
is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define
lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP
header could look like the following:

Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP), as the CSP header is missing
from the response. It's recommended to implement Content Security Policy (CSP) in your web application.

This alert belongs to the following categories: A3, A6, A9

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter:
Variants:

Insecure Referrer Policy

Referrer Policy controls the behaviour of the Referer header, which indicates the origin or web page URL the request was
made from. The web application uses an insecure Referrer Policy configuration that may leak the user's information to
third-party sites.

This alert belongs to the following categories: A6

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter:
Variants:

No HTTP Redirection

It was detected that your web application uses HTTP protocol, but doesn't automatically redirect users to HTTPS.

This alert belongs to the following categories: A6

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-16
Parameter:
Variants:

34
Password type input with auto-complete enabled

When a new name and password are entered in a form and the form is submitted, the browser asks if the password should
be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the
name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

This alert belongs to the following categories: A3

CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE: CWE-200
Parameter:
Variants:

Scanned items (coverage report)
