Your Company New Vulnerability Descriptions - April 2010

Reference:
YC 201135



Vulnerability 90027: High Risk Ports Open (High Risk, 3 Systems)
Description: The following high risk ports are open:
[For specific url or description click server link below.]
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if the ports are immediately closed after being opened, this is still a security risk as packets are reaching the destination host. It is recommended to completely drop packets from untrusted sources instead.

Solution: Ensure that the ports are filtered by your router or firewall or close the ports on the affected systems.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 6.4 (Medium) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Systems: www.your_company.fr (192.168.0.105), www.your_company.nl (192.168.0.103), www.yourcompany.com (192.168.0.101)

Vulnerability 90052: Administration Interface with Weak Password (High Risk, 1 System)
Description: This host is exposing an administration interface to the Internet with a default or easily guessable password. This allows a remote attacker full access to modify settings or content. The login details are:
[For specific url or description click server link below.]

Solution: Set a stronger password and/or ensure this interface is not accessible from the Internet.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-1999-0508; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems: www.your_company.nl (192.168.0.103)

Vulnerability 90064: Authentication Bypass Through Cookie Manipulation (High Risk, 1 System)
Description: The remote web server contains a CGI script or web application which uses cookies for authentication in such a way that login bypass is possible by modifying the cookie value. Example cookie values which allow a login are:
[For specific url or description click server link below.]

Solution: Recode your web application source code to use stronger authentication.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Systems: www.example.com (192.168.0.112)

Vulnerability 10993: IIS ASP.NET Application Trace Enabled (High Risk, 1 System)
Description: This web server has an ASP.NET application running with application tracing enabled. This allows an attacker to view detailed information on recent HTTP requests. Sensitive information revealed includes physical paths and even session IDs. An example URL you can use to exploit this is:
[For specific url or description click server link below.]

Solution: Set 'trace enabled=false' in web.config.
Category: Hosting or infrastructure flaw.
References: ASP.Net Tracing Overview; Tracing; How to: Enable Tracing for an ASP.NET Page; How to: Enable Tracing for an ASP.NET Application
CVE Reference: CVE-MAP-NOMATCH; CVSS2 5 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems: www.your_company.nl (192.168.0.103)

Vulnerability 90109: Possible Compromise (High Risk, 1 System)
Description: Suspicious content or behaviour from the remote host indicates that it may have been compromised by a virus or remote attacker.
[For specific url or description click server link below.]

Solution: Consider restoring the host from trusted media.
Category: N/A
CVE Reference: CVE-MAP-NOMATCH; CVSS2 10 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Systems: www.yourcompany.co.uk (192.168.0.100)

Vulnerability 10264: SNMP Default Community Names (SANS) (High Risk, 1 System)
Description: This system is running an SNMP agent which uses an easily guessable community string. This enables an attacker to extract a large amount of useful information. If a writeable community string is guessable, an attacker could make configuration changes to the server. Here is a sample of the information that can be extracted:
[For specific url or description click server link below.]

Solution: Disable SNMP, or change the community string to something unguessable.
Category: Hosting or infrastructure flaw.
CVE References:
  CVE-1999-0517; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CVE-1999-0516; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CVE-1999-0254; CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-2010-1574; CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-1999-0186; CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-2004-0311; CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-2004-1474; CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Systems: www.your_company.fr (192.168.0.105)

Vulnerability 90139: Script Allows Arbitrary Command Execution (High Risk, 1 System)
Description: One or more scripts on this host appear to execute commands which can be manipulated by remote users. This flaw may allow arbitrary commands to be executed with the same privileges as the web server. A remote attacker could exploit this flaw to compromise the system. Under some circumstances it may be possible for an attacker to elevate the privileges gained through the exploitation of local system flaws. An example that demonstrates this is:
[For specific url or description click server link below.]
This is simply an example that illustrates the problem; you should fix the underlying issue rather than attempting to prevent this exploit from working.
Solution: Recode the web application to ensure that unsanitised user supplied input is never included in executable statements.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems: www.yourcompany.co.uk (192.168.0.100)

Vulnerability 11139: Script Appears Vulnerable to SQL Injection (High Risk, 1 System)
Description: One or more scripts on this host appear vulnerable to an SQL injection attack. By requesting the page with parameters containing particular SQL commands, it is possible to force a database level error or otherwise demonstrate that the database is executing user supplied code. This implies that the parameter is being passed to the database without proper input validation. A maliciously crafted parameter could modify the contents of the database, damage it, extract hidden information, allow an attacker to login without a password or allow execution of arbitrary system commands, depending on the type of database. The issue can be demonstrated as follows:
[For specific url or description click server link below.]

This is simply an example that illustrates the problem; you should fix the underlying injection issue rather than attempting to prevent this exploit from working.

Note: Users of Microsoft Internet Explorer may need to disable the 'Show Friendly HTTP Error Messages' option in the Advanced tab of the options dialog in order to see the example properly.

Solution: Use bound parameters (also known as parameterised commands) and improve input validation in the web application source code.
Category: Application or content flaw.
References: SQL Injection: Modes of Attack, Defence, and Why It Matters; OWASP Top Ten - Injection Flaws; Security Considerations for SQL Server: SQL Injection
CVE Reference: CVE-MAP-NOMATCH; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems: www.yourcompany.co.uk (192.168.0.100)

Vulnerability 90085: Sensitive Information Leakage (High Risk, 1 System)
Description: This host is leaking information that may be commercially sensitive or help an attacker craft an attack. An example of the information leaked can be found below:
[For specific url or description click server link below.]

Solution: Use a firewall to restrict access to this service.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 5 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems: www.example.com (192.168.0.112)

Vulnerability 10539: Globally Usable Name Server (SANS) (Medium Risk, 2 Systems)
Description: This system is running a name server that allows any system on the Internet to perform recursive queries and resolve third-party domain names. A remote attacker could use this to extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks.
Solution: Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives.
Category: Hosting or infrastructure flaw.
References: Securing Windows Server 2003 Domain Controllers
CVE Reference: CVE-1999-0024; CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Systems: www.your_company.fr (192.168.0.105), www.your_company.nl (192.168.0.103)

Vulnerability 10815: Cross-Site Scripting (Medium Risk, 1 System)
Description: This system is running a web server or web application which is vulnerable to Cross-Site Scripting (XSS) attacks. Certain pages include user-supplied input in the response and HTML special characters are not escaped. An attacker could use this to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, etc. An example that demonstrates this is:
[For specific url or description click server link below.]
This is simply an example that illustrates the problem; you should fix the underlying issue rather than attempting to prevent this exploit from working.

Note: This vulnerability must be addressed server-side. Adding JavaScript (client-side) validation on form fields does not offer any protection against Cross-Site Scripting or other attacks.

Solution: Recode your web application to ensure all user supplied input is escaped when displayed, or contact your web application vendor for a patch. Any JavaScript-based fix will not be effective.
Category: Application or content flaw.
References: General Info; CERT Advisory CA-2000-02; XSS Anatomy; PHP htmlspecialchars Quoting Function; How To: Prevent Cross-Site Scripting in ASP.NET; OWASP XSS Prevention Cheat Sheet
CVE References:
  CVE-2003-1543; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2006-1681; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2002-1060; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2005-2453; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Systems: www.your_company.nl (192.168.0.103)

Vulnerability 90068: SSL Certificate Problems (Medium Risk, 1 System)
Description: The remote host has presented a certificate that does not meet the requirements for establishing a secure session. The problems detected were:
[For specific url or description click server link below.]
Solution: Ensure you have a valid certificate issued by a trusted certificate authority.
Category: Hosting or infrastructure flaw.
References: Microsoft KB245030; Apache SSL/TLS Strong Encryption: How-To; Microsoft KB187498
CVE Reference: CVE-MAP-NOMATCH; CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Systems: www.example.com (192.168.0.112)

Vulnerability 90072: Script Allows Arbitrary Redirection (Medium Risk, 1 System)
Description: It is possible to craft a URL which appears to be located on this site, but will redirect users to an arbitrary location. This site could then pose as the legitimate site and prompt users to provide sensitive information. It could also contain any other type of malicious content. The following is an example of a URL which will redirect you to another site:
[For specific url or description click server link below.]

Solution: Recode scripts to allow redirections only to specific locations, for example limit redirections to your own domain.
Category: Application or content flaw.
References: OWASP Guide: Phishing; Phishing: Understanding and Preventing Phishing Attacks; Anti-Phishing Technology
CVE Reference: CVE-MAP-NOMATCH; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Systems: www.yourcompany.co.uk (192.168.0.100)

Vulnerability 90111: Service Permits Unauthenticated Users to Send Arbitrary Emails (Medium Risk, 1 System)
Description: A service on the remote host appears to allow unauthenticated users to send emails containing arbitrary content. This service might be exploited by a remote attacker to conceal their identity whilst performing activities such as spamming, phishing and fraud.
The issue can be demonstrated as follows:
[For specific url or description click server link below.]

Note: This vulnerability may be a false positive, as we do not attempt to send arbitrary messages in order to avoid the possibility of crashing the service.
Solution: Restrict the service to authenticated users, restrict the allowed recipient email addresses or prevent users from controlling the email's content. Implementing a captcha mechanism could help prevent the attacker from automating their activities.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 0 (Low) (AV:N/AC:L/Au:N/C:N/I:N/A:N)
Systems: www.yourcompany.co.uk (192.168.0.100)

Vulnerability 90110: Weak or Ineffective Authentication Mechanism (Medium Risk, 1 System)
Description: The remote server attempts to protect content through a mechanism which is ineffective, or can be trivially circumvented. The issue can be demonstrated as follows:
[For specific url or description click server link below.]

Solution: Recode your application to use a stronger authentication mechanism.
Category: Application or content flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems: www.your_company.nl (192.168.0.103)

Vulnerability 90091: XPath Injection (Medium Risk, 1 System)
Description: One or more scripts on this host appear vulnerable to XPath injection attacks. By requesting a page with parameters containing particular XPath elements, it is possible to force an XPath error or otherwise demonstrate that the user supplied code is being interpreted as XPath statements. This implies that a parameter is being passed to an XPath interpreter without proper input validation. A maliciously crafted parameter might be able to extract hidden information, bypass login requirements or even perform code execution depending on the XPath parser used. The issue can be demonstrated as follows:
[For specific url or description click server link below.]

This is simply an example that illustrates the problem; you should fix the underlying injection issue rather than attempting to prevent this exploit from working.

Solution: Perform input validation within the web application and utilise query parameterisation where supported by the XPath parser.
Category: Application or content flaw.
References: XPath Injection - Threat Classification
CVE Reference: CVE-MAP-NOMATCH; CVSS2 6.8 (Medium) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Systems: www.example.com (192.168.0.112)

Vulnerability 12217: DNS Cache Snooping (Low Risk, 1 System)
Description: This system is running a DNS server that accepts queries from any address (although recursive queries may be disabled). The name server responds differently for domains that have recently been looked up. A remote attacker could use this to determine if certain sites have been visited by users of this name server.
Solution: Restrict access to DNS caches to local users. For BIND, use the allow-query directive.
Category: Hosting or infrastructure flaw.
References: DNS Cache Snooping
CVE Reference: CVE-MAP-NOMATCH; CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Systems: www.your_company.nl (192.168.0.103)

Vulnerability 90001: Holes Detected in Firewall Configuration (Low Risk, 1 System)
Description: This system is protected by a firewall which blocks access to TCP ports in inconsistent ways. Incoming TCP connections to most ports are simply dropped; however, some ports were discovered where the connection is actively refused, for example with a TCP RST. This often indicates a firewall configuration error, and commonly occurs when the configuration has not been altered in line with changing system configuration behind the firewall, for example when a service such as a mail server is removed but the corresponding firewall rule is not.

The TCP ports which actively refuse connections are:
[For specific url or description click server link below.]

Solution: Reconfigure your firewall to completely drop all connections on ports that you are not running services on.
Category: Hosting or infrastructure flaw.
References: Firewalls FAQ
CVE Reference: CVE-MAP-NOMATCH; CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Systems: dns0.example.com (192.168.0.110)

Vulnerability 10884: NTP Information Leakage (Low Risk, 1 System)
Description: This system is running an NTP server that responds to information requests. A remote attacker could use this to extract information about the system, e.g. operating system, upstream NTP server and detailed clock information.
Solution: Configure ntpd to ignore information requests. Alternatively, use a firewall to restrict NTP to trusted addresses.
Category: Hosting or infrastructure flaw.
CVE Reference: CVE-MAP-NOMATCH; CVSS2 5 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems: www.yourcompany.com (192.168.0.101)

Scans by RatwareUK