Developer Report PDF

Acunetix Website Audit
20 June, 2016
Developer Report
Generated by Acunetix WVS Reporter (v9.0 Build 20130904)
Scan of http://ns1.war2.ru:80/
Scan details
Scan information
Start time
Finish time
Scan time
Profile
6/20/2016 6:24:23 PM
The scan was aborted
42 minutes, 46 seconds
Default
Server information
Responsive
Server banner
Server OS
Server technologies
True
Apache/2.2.25 (FreeBSD) PHP/5.2.17 with Suhosin-Patch mod_ssl/2.2.25 OpenSSL/1.0.1e DAV/2
Unix
PHP
Threat level
Acunetix Threat Level 3
One or more high-severity type vulnerabilities have been discovered by the scanner. A
malicious user can exploit these vulnerabilities and compromise the backend database
and/or deface your website.
Alerts distribution
Total alerts found
46
High
Medium
Low
17
Informational
16
Alerts summary
Blind SQL Injection
Affects
/modules/news/
/modules/news/index.php
Variation
s1
1
PHP Hash Collision denial of service vulnerability

Affects
Web Server
Variation
s1
Slow HTTP Denial of Service Attack

Affects
Web Server
Variation
s1
Application error message

Affects
Variation
s6
Backup files
Affects
/serverdat.php_
Variation
s1
User credentials are sent in clear text

Affects
/register.php
Variation
s2
Login page password-guessing attack

Affects
/webmail/src/redirect.php
Variation
s1
Possible sensitive directories

Affects
/cache/system
/class/database
/class/fckeditor
/include
/manager
/modules/news/admin
/modules/news/include
/modules/news/sql
/temp
Variation
s1
1
1
1
1
1
1
1
1
Possible sensitive files

Affects
/admin.php
/manual/INSTALL.txt
Variation
s1
1
Session Cookie without HttpOnly flag set

Affects
/
Variation
s1
Session Cookie without Secure flag set

Affects
/
Variation
s3
TRACE method is enabled

Affects
Web Server
Variation
s1
Broken links
Variation
Affects
/%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Use%20of%20undefined%20constant%20XOOPS_U s1
RL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www/www.war2.ru/include/fu
nctions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL/include/sty
le.css
/function.include
/function.include-once
/function.readfile
1
1
1
3
Email address found

Affects
/modules/news
Variation
s1
1
GHDB: Default phpinfo page

Affects
/temp/1.php
Variation
s1
GHDB: Mp3 file

Affects
/files
/files/other/ksa2005
/image/other
Variation
s1
1
1
GHDB: phpinfo()
Affects
/temp/1.php
Variation
s1
GHDB: SquirrelMail login page

Affects
/webmail/src/login.php
Variation
s1
Password type input with auto-complete enabled

Affects
/modules/news
/register.php
Variation
s1
2
1
Alert details
Blind SQL Injection
Severity
High
Type
Validation
Reported by module Scripting (Blind_Sql_Injection.script)
Description
This script is possibly vulnerable to SQL Injection attacks.
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input.
An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't
properly filter out dangerous characters.
This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is
relatively easy to protect against, there is a large number of web applications vulnerable.
Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your
database and/or expose sensitive information.
Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access
for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use sub
selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell
commands on the underlying operating system.
Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server
functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.
Recommendation
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing this vulnerability.
References
VIDEO: SQL Injection tutorial
OWASP PHP Top 5
SQL Injection Walkthrough
OWASP Injection Flaws
Acunetix SQL Injection Attack
How to check for SQL injection vulnerabilities
Affected items
/modules/news/
Details
HTTP Header input Client-IP was set to
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
Tests performed:
- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ =>
13.39 s
- if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ ...
(line truncated)
Request headers
GET /modules/news/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Client-IP:
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sys
date(),sleep(0),0))OR"*/
5
X-Requested-With: XMLHttpRequest
Referer: http://ns1.war2.ru:80/
Host: ns1.war2.ru
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
Details
HTTP Header input X-Forwarded-For was set to
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
Tests performed:
- (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v)+"*/ =>
20.015 s
- (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(slee ... (line truncated)
Request headers
GET /modules/news/index.php HTTP/1.1
Chrome/28.0.1500.63 Safari/537.36
X-Forwarded-For:
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)fr
om(select(sleep(0)))v)+"*/
X-Requested-With: XMLHttpRequest
Host: ns1.war2.ru
Accept: */*
PHP Hash Collision denial of service vulnerability

Severity
High
Type
Configuration
Reported by module Scripting (PHP_Hash_Collision_Denial_Of_Service.script)
Description
This alert was generated using only banner information. It may be a false positive.
Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms
commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by
application developers. If the language does not provide a randomized hash function or the application server does not
recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The
algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of
CPU time using a single HTTP request.
Affected PHP versions (up to 5.3.8).
Impact
Denial of service
Recommendation
Upgrade PHP to version 5.3.9 or higher.
References
Denial of Service through hash table multi-collisions
PHP 5.3.9 Changelog
#2011-003 multiple implementations denial-of-service via hash algorithm collision
Affected items
Web Server
Details
Current version is : 5.2.17
Slow HTTP Denial of Service Attack

Severity
High
Type
Configuration
Reported by module Slow_HTTP_DOS
Description
Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be
completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is
very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources
busy, this creates a denial of service.
Impact
A single machine can take down another machine's web server with minimal bandwidth and side effects on unrelated
services and ports.
Recommendation
Consult Web references for information about protecting your web server against this type of attack.
References
Slowloris HTTP DoS
Slowloris DOS Mitigation Guide
Protect Apache Against Slowloris Attack
Affected items
Web Server
Details
Time difference between connections: 10328 ms
Application error message

Severity
Medium
Type
Validation
Reported by module Scripting (MongoDB_Injection.script)
Description
This page contains an error/warning message that may disclose sensitive information.The message can also contain the
location of the file that produced the unhandled exception.
This may be a false positive if the error message is found in documentation pages.
Impact
The error messages may disclose sensitive information. This information can be used to launch further attacks.
Recommendation
Review the source code for this script.
References
PHP Runtime Configuration
Affected items
Details
URL encoded GET input start was set to 1
Error message found: Warning: preg_match() expects parameter 2 to be string, array given in
/home/war2/data/www/www.war2.ru/include/common.php on line 78 
Request headers
GET /modules/news/index.php?start[$acunetix]=1&storynum=5&storytopic=0 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
URL encoded GET input start was set to 10
Request headers
GET /modules/news/index.php?start[]=10&storynum=5&storytopic=0 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
URL encoded GET input storynum was set to 1
Request headers
GET /modules/news/index.php?start=105&storynum[$acunetix]=1&storytopic=0 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
URL encoded GET input storynum was set to 5
Request headers
GET /modules/news/index.php?start=105&storynum[]=5&storytopic=0 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
URL encoded GET input storytopic was set to 1
Request headers
GET /modules/news/index.php?start=105&storynum=5&storytopic[$acunetix]=1 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
URL encoded GET input storytopic was set to 0
Request headers
GET /modules/news/index.php?start=105&storynum=5&storytopic[]=0 HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
10
Backup files
Severity
Medium
Type
Validation
Reported by module Scripting (Backup_File.script)
Description
A possible backup file was found on your web-server. These files are usually created by developers to backup their work.
Impact
Backup files can contain script sources, configuration files or other sensitive information that may help an malicious user
to prepare more advanced attacks.
Recommendation
Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement a
security policy within your organization to disallow creation of backup files in directories accessible from the web.
References
Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)
Security Tips for Server Configuration
Protecting Confidential Documents at Your Site
Affected items
11
/serverdat.php_
Details
This file was found using the pattern ${fileName}${fileExt}_.
Original filename: serverdat.php
Source code pattern found:
<?php
function Lecho($arrmsg)
{
global $lang;
if(isset($arrmsg[$lang]))echo $arrmsg[$lang];
elseif(isset($arrmsg["en"]))echo $arrmsg["en"];
}
$url_date = 'http://report.war2.ru/server.dat';
if(isset($_GET["server"]))
{
switch($_GET["server"])
{
case "reportb":$url_date = 'http://reportb.war2.ru/server.dat';break;
}
}
$lang="en";
if(isset($_GET["lang"]))
{
switch($_GET["lang"])
{
case "ru":
$lang="ru"; break;
default:
$lang="en";
}
}
if($lang=="ru")header("Content-type: text/html; charset=windows-1251");
if(!@$fd = file($url_date))
{
Lecho(array("en"=>'Server unavailable ',"ru"=>'
Request headers
GET /serverdat.php_ HTTP/1.1
Range: bytes=0-99999
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
12
User credentials are sent in clear text

Severity
Medium
Type
Informational
Reported by module Crawler
Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an
encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, should always be transferred to the server over an
encrypted connection (HTTPS).
Affected items
/register.php
Details
Form name: userinfo
Form action: http://ns1.war2.ru/register.php
Form method: POST
Form inputs:
- uname [Text]
- email [Text]
- user_viewemail [Checkbox]
- timezone_offset [Select]
- user_avatar [Select]
- pass [Password]
- vpass [Password]
- zonetext [TextArea]
- user_mailok [Radio]
- verify_text [Text]
- verify_crc [Hidden]
- op [Hidden]
- submit [ ... (line truncated)
Request headers
GET /register.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://ns1.war2.ru/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
13
/register.php
Details
Form name: userinfo
Form action: http://ns1.war2.ru/register.php
Form method: POST
Form inputs:
- uname [Text]
- email [Text]
- user_viewemail [Checkbox]
- timezone_offset [Select]
- user_avatar [Select]
- pass [Password]
- vpass [Password]
- zonetext [TextArea]
- user_mailok [Radio]
- verify_text [Text]
- verify_crc [Hidden]
- op [Hidden]
- submit [ ... (line truncated)
Request headers
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
14
Login page password-guessing attack

Severity
Low
Type
Validation
Reported by module Scripting (Html_Authentication_Audit.script)
Description
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack
is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and
symbols until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended
to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web
references for more information about fixing this problem.
Impact
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters,
numbers, and symbols until it discovers the one correct combination that works.
Recommendation
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
References
Blocking Brute Force Attacks
Affected items
/webmail/src/redirect.php
Details
The scanner tested 10 invalid credentials and no account lockout was detected.
Request headers
POST /webmail/src/redirect.php HTTP/1.1
Content-Length: 83
Content-Type: application/x-www-form-urlencoded
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
js_autodetect_results=1&just_logged_in=1&login_username=BpyhY7Jt&secretkey=1n73Y7Kd
15
Possible sensitive directories

Severity
Low
Type
Validation
Reported by module Scripting (Possible_Sensitive_Directories.script)
Description
A possible sensitive directory has been found. This directory is not directly linked from the website.This check looks for
common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each
one of these directories could help an attacker to learn more about his target.
Impact
This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.
Recommendation
Restrict access to this directory or remove it from the website.
References
Web Server Security and Database Server Security
Affected items
/cache/system
Details
No details are available.
Request headers
GET /cache/system HTTP/1.1
Accept: acunetix/wvs
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/class/database
Details
Request headers
GET /class/database HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/class/fckeditor
Details
Request headers
GET /class/fckeditor HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
16
/include
Details
Request headers
GET /include HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/manager
Details
Request headers
GET /manager HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/modules/news/admin
Details
Request headers
GET /modules/news/admin HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/modules/news/include
Details
Request headers
GET /modules/news/include HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/modules/news/sql
Details
Request headers
GET /modules/news/sql HTTP/1.1
Host: ns1.war2.ru
17

Chrome/28.0.1500.63 Safari/537.36
/temp
Details
Request headers
GET /temp HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
18
Possible sensitive files

Severity
Low
Type
Validation
Reported by module Scripting (Possible_Sensitive_Files.script)
Description
A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common
sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Each
one of these files could help an attacker to learn more about his target.
Impact
This file may expose sensitive information that could help a malicious user to prepare more advanced attacks.
Recommendation
Restrict access to this file or remove it from the website.
References
Web Server Security and Database Server Security
Affected items
/admin.php
Details
Request headers
GET /admin.php HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
/manual/INSTALL.txt
Details
Request headers
GET /manual/INSTALL.txt HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
19
Session Cookie without HttpOnly flag set

Severity
Low
Type
Informational
Description
This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection
for session cookies.
Impact
None
Recommendation
If possible, you should set the HTTPOnly flag for this cookie.
Affected items
/
Details
Cookie name: "PPA_ID"
Cookie domain: "ns1.war2.ru"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
20
Session Cookie without Secure flag set

Severity
Low
Type
Informational
Description
This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the
cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies.
Impact
None
Recommendation
If possible, you should set the Secure flag for this cookie.
Affected items
/
Details
Cookie name: "SQMSESSID"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/
Details
Cookie name: "squirrelmail_language"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
21
/
Details
Cookie name: "PPA_ID"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
22
TRACE method is enabled

Severity
Low
Type
Validation
Reported by module Scripting (Track_Trace_Server_Methods.script)
Description
HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web
browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.
Impact
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and
authentication data.
Recommendation
Disable TRACE Method on the web server.
References
W3C - RFC 2616
US-CERT VU#867593
Cross-site tracing (XST)
Affected items
Web Server
Details
Request headers
TRACE /0XX1x4a3AM HTTP/1.1
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
23
Broken links
Severity
Informational
Type
Informational
Description
A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error.
This page was linked from the website but it is inaccessible.
Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.
Affected items
/%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Use%20of%20undefined%20constant%20XOOPS_URL%20%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www/www.war2.ru/include/functions.php%
3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL/include/style.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET
/%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Use%20of%20undefined%20constant%20XOOPS_URL%20%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www/www.war2.ru/include/functions
.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL/include/style.css
HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/header.php
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/function.include
Details
Request headers
GET /function.include HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
24
Accept: */*
/function.include-once
Details
Request headers
GET /function.include-once HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/function.readfile
Details
Request headers
GET /function.readfile HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
25
Email address found

Severity
Informational
Type
Informational
Reported by module Scripting (Text_Search_Dir.script)
Description
One or more email addresses have been found on this page. The majority of spam comes from email addresses
harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour
the internet looking for email addresses on any website they come across. Spambot programs look for strings like
myname@mydomain.com and then record any addresses found.
Impact
Email addresses posted on Web sites may attract spam.
Recommendation
Check references for details on how to solve this problem.
References
Email Address Disclosed on Website Can be Used for Spam
Affected items
/modules/news
Details
Pattern found: ksa@graalksa.ru
Request headers
Pragma: no-cache
Referer: http://ns1.war2.ru/modules/news/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
Pattern found: ksa@graalksa.ru
Request headers
GET /modules/news/index.php HTTP/1.1
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
26
Accept: */*
27
GHDB: Default phpinfo page

Severity
Informational
Type
Informational
Reported by module GHDB
Description
The description for this alert is contributed by the GHDB community, it may contain inappropriate language.
Category : Files containing passwords
This will look throught default phpinfo pages for ones that have a default mysql password.
The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.
Impact
Not available. Check description.
Recommendation
References
The Google Hacking Database (GHDB) community
Acunetix Google hacking
Affected items
/temp/1.php
Details
We found intitle:"phpinfo()" +"mysql.default_password" +"Zend Scripting Language Engine"
Request headers
GET /temp/1.php HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/temp/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
28
GHDB: Mp3 file

Severity
Informational
Type
Informational
Description
Category : Sensitive Directories
Yes! I probably have should have told you guys earlier, but this is how ive been getting 100% of my mp3s. It fricken
rocks, use it and abuse it. Downfalls to it... a)sometimes you shouldnt include mp3 in the query and getting what you
want takes several different methods of searching b)a lot of the time google gives you results and they are not there
thanks to good old friend 404 c)finding stuff takes a lot of practice. Goods... a)ive found whole albums b)ive mass
downloaded directories of hundreds of songs that i have intrest in c)its exciting seeing the results, like fining treasure.
Impact
Recommendation
References
Affected items
/files
Details
We found intitle:"index of" -inurl:htm -inurl:html mp3
Request headers
GET /files/ HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/files/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/files/other/ksa2005
Details
Request headers
GET /files/other/ksa2005/ HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/files/other/ksa2005/
Cookie: PPA_ID=2oe42d1pb80rre6l17qnrdml07
Host: ns1.war2.ru
29
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/image/other
Details
Request headers
GET /image/other/ HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/image/other/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
30
GHDB: phpinfo()
Severity
Informational
Type
Informational
Description
Category : Files containing juicy info
this brings up sites with phpinfo(). There is SO much cool stuff in here that you just have to check one out for yourself! I
mean full blown system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, Apache mods, Apache
env vars, *sigh* the list goes on and on! Thanks "joe!" =)
Impact
Recommendation
References
Affected items
/temp/1.php
Details
We found intitle:phpinfo "PHP Version"
Request headers
GET /temp/1.php HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/temp/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
31
GHDB: SquirrelMail login page

Severity
Informational
Type
Informational
Description
Category : Pages containing login portals
SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP
and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility
across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the
functionality you would want from an email client, including strong MIME support, address books, and folder
manipulation.
Impact
Recommendation
References
Affected items
Details
We found inurl:login.php "SquirrelMail version"
Request headers
GET /webmail/src/login.php HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/webmail/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
32
Password type input with auto-complete enabled

Severity
Informational
Type
Informational
Description
When a new name and password is entered in a form and the form is submitted, the browser asks if the password
should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are
completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser
cache.
Impact
Possible sensitive information disclosure
Recommendation
The password auto-complete should be disabled in sensitive applications.
To disable auto-complete, you may use a code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">
Affected items
/modules/news
Details
Password type input named pass from unnamed form with action http://www.war2.ru/user.php has autocomplete
enabled.
Request headers
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/register.php
Details
Password type input named pass from form named userinfo with action register.php has autocomplete enabled.
Request headers
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
33
/register.php
Details
Password type input named vpass from form named userinfo with action register.php has autocomplete enabled.
Request headers
Pragma: no-cache
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Details
Password type input named secretkey from form named login_form with action redirect.php has autocomplete enabled.
Request headers
GET /webmail/src/login.php HTTP/1.1
Pragma: no-cache
Referer: http://ns1.war2.ru/webmail/
Host: ns1.war2.ru
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
34
Scanned items (coverage report)

Scanned 430 URLs. Found 18 vulnerable.
URL: http://ns1.war2.ru/
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://ns1.war2.ru/modules/
No vulnerabilities has been identified for this URL
URL: http://ns1.war2.ru/modules/news/
URL: http://ns1.war2.ru/modules/news/index.php
3 input(s) found for this URL
Inputs
Input scheme 1
Input name
start
storynum
storytopic
Input type
URL encoded GET
URL encoded GET
URL encoded GET
URL: http://ns1.war2.ru/modules/news/admin/
URL: http://ns1.war2.ru/modules/news/sql/
URL: http://ns1.war2.ru/modules/news/include/
URL: http://ns1.war2.ru/modules/news/cache/
URL: http://ns1.war2.ru/modules/news/class/
URL: http://ns1.war2.ru/modules/news/images/
URL: http://ns1.war2.ru/modules/banners/
URL: http://ns1.war2.ru/modules/messages/
URL: http://ns1.war2.ru/robots.txt
35
URL: http://ns1.war2.ru/cache/
URL: http://ns1.war2.ru/cache/system/
URL: http://ns1.war2.ru/cache/cache/
URL: http://ns1.war2.ru/admin/
URL: http://ns1.war2.ru/class/
URL: http://ns1.war2.ru/class/database/
URL: http://ns1.war2.ru/class/database.php
URL: http://ns1.war2.ru/class/fckeditor/
URL: http://ns1.war2.ru/class/class/
URL: http://ns1.war2.ru/include/
URL: http://ns1.war2.ru/themes/
URL: http://ns1.war2.ru/images/
URL: http://ns1.war2.ru/images/menu/
URL: http://ns1.war2.ru/images/editor/
URL: http://ns1.war2.ru/images/icons/
36
URL: http://ns1.war2.ru/images/messages/
URL: http://ns1.war2.ru/images/avatar/
URL: http://ns1.war2.ru/language/
URL: http://ns1.war2.ru/language/english/
URL: http://ns1.war2.ru/_install/
URL: http://ns1.war2.ru/system/
URL: http://ns1.war2.ru/manual/
URL: http://ns1.war2.ru/manual/INSTALL.txt
URL: http://ns1.war2.ru/manual/README.txt
URL: http://ns1.war2.ru/manual/manual/
URL: http://ns1.war2.ru/serverdat.php?lang=ru&server=reportb
Inputs
Input scheme 1
Input name
lang
server
Input type
URL encoded GET
URL encoded GET
URL: http://ns1.war2.ru/serverdat.php_
URL: http://ns1.war2.ru/admin.php
URL: http://ns1.war2.ru/temp/
37
URL: http://ns1.war2.ru/temp/1.php
Inputs
Input scheme 1
Input name
Input type
URL encoded GET
URL: http://ns1.war2.ru/temp/pgadmin/
URL: http://ns1.war2.ru/manager/
URL: http://ns1.war2.ru/js/
URL: http://ns1.war2.ru/js/main.js
URL: http://ns1.war2.ru/js/ajax.js
URL: http://ns1.war2.ru/js/common.js
URL: http://ns1.war2.ru/js/jquery.js
URL: http://ns1.war2.ru/js/winscript.js
URL: http://ns1.war2.ru/register.php
Inputs
Input scheme 1
Input name
email
op
pass
submit
timezone_offset
uname
user_avatar
user_mailok
user_viewemail
verify_crc
verify_text
vpass
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
38
zonetext
URL encoded POST
URL: http://ns1.war2.ru/readme.txt
URL: http://ns1.war2.ru/header.php
URL: http://ns1.war2.ru/footer.php
URL: http://ns1.war2.ru/misc.php
URL: http://ns1.war2.ru/files/
URL: http://ns1.war2.ru/files/map/
URL: http://ns1.war2.ru/files/map/KSA8PL_Super_Droch.pud
URL: http://ns1.war2.ru/files/map/Garden%20of%20War%20TE.pud
URL: http://ns1.war2.ru/files/other/
URL: http://ns1.war2.ru/files/other/ksa2005/
URL: http://ns1.war2.ru/files/other/torney60.swf
URL: http://ns1.war2.ru/files/other/gateways.reg
URL: http://ns1.war2.ru/files/other/Gena_cheb.swf
URL: http://ns1.war2.ru/files/repley/
URL: http://ns1.war2.ru/files/repley/film/
39
URL: http://ns1.war2.ru/files/repley/film/requital.wir
URL: http://ns1.war2.ru/files/repley/study/
URL: http://ns1.war2.ru/files/repley/study/Grunt/
URL: http://ns1.war2.ru/files/repley/study/Grunt/Sergey=kf_gow.wir
URL: http://ns1.war2.ru/files/repley/study/Grunt/skyangel=foxzero_gow.wir
URL: http://ns1.war2.ru/files/repley/study/2jugger/
URL: http://ns1.war2.ru/files/repley/study/2jugger/tabac=gimli_HSC.wir
URL: http://ns1.war2.ru/files/repley/study/2jugger/gimli=spbwar_HSC.wir
URL: http://ns1.war2.ru/files/repley/study/desant/
URL: http://ns1.war2.ru/files/repley/study/desant/grim=gimli_hsc.wir
URL: http://ns1.war2.ru/files/repley/study/desant/tabac=gimli_foc.wir
URL: http://ns1.war2.ru/files/repley/study/towers/
URL: http://ns1.war2.ru/files/repley/study/towers/towers_fight.wir
URL: http://ns1.war2.ru/files/repley/study/towers/StudyTowers_Hornet=SkyAngel_gow.wir
URL: http://ns1.war2.ru/files/repley/study/Submarine/
40
URL: http://ns1.war2.ru/files/repley/study/Submarine/incin=foon_foc.wir
URL: http://ns1.war2.ru/files/repley/study/BloodPower_gowbne.wir
URL: http://ns1.war2.ru/files/repley/study/Ogr_4level_gowbne.wir
URL: http://ns1.war2.ru/files/repley/DKbomb.dk2
URL: http://ns1.war2.ru/files/repley/MageBomb.dk2
URL: http://ns1.war2.ru/files/repley/9s_classic.wir
URL: http://ns1.war2.ru/files/repley/study_ksa2catapult.wir
URL: http://ns1.war2.ru/files/repley/10years_ksa=leon_gow.wir
URL: http://ns1.war2.ru/files/repley/ldir_kill_gimli.wir
URL: http://ns1.war2.ru/files/repley/10Years_Gimli=KF_gow.wir
URL: http://ns1.war2.ru/files/repley/study_gimli2catapult.wir
URL: http://ns1.war2.ru/files/repley/10Years_KF=Gimli_HSC.wir
URL: http://ns1.war2.ru/files/repley/x[x[_ksa_blizzard.wir
URL: http://ns1.war2.ru/files/repley/10years_alexon=KF_1vs1.wir
URL: http://ns1.war2.ru/files/repley/10Years_Gimli=KF_GoldSep.wir
41
URL: http://ns1.war2.ru/files/repley/Ldir=Gimli_1vs1_verygood.wir
URL: http://ns1.war2.ru/files/repley/10years_ksa_ldir=B_B_1vs1.wir
URL: http://ns1.war2.ru/files/repley/10years_Gimli_Artemm=B_B_gow.wir
URL: http://ns1.war2.ru/files/10years/
URL: http://ns1.war2.ru/files/10years/reports/
URL: http://ns1.war2.ru/files/10years/reports/Gimli/
URL: http://ns1.war2.ru/files/10years/reports/Gimli/Loss/
URL: http://ns1.war2.ru/files/10years/reports/Gimli/Loss/gr_20051201160329_000484
42
URL: http://ns1.war2.ru/files/10years/reports/Gimli/gr_20051130235024_000459
43
44
45
46
URL: http://ns1.war2.ru/files/10years/reports/Artemm/
URL: http://ns1.war2.ru/files/10years/reports/Artemm/Loss/
URL: http://ns1.war2.ru/files/10years/reports/Artemm/Loss/gr_20051202225341_000118
47
URL: http://ns1.war2.ru/files/10years/reports/Artemm/gr_20051202213417_000102
URL: http://ns1.war2.ru/files/10years/reports/Gadzila/
URL: http://ns1.war2.ru/files/10years/reports/Gadzila/Loss/
URL: http://ns1.war2.ru/files/10years/reports/Gadzila/Loss/gr_20051119040006_000699
48
URL: http://ns1.war2.ru/files/10years/reports/Gadzila/gr_20051119054240_000707
49
URL: http://ns1.war2.ru/files/10years/reports/MasterKsa/
URL: http://ns1.war2.ru/files/10years/reports/MasterKsa/Loss/
URL: http://ns1.war2.ru/files/10years/reports/MasterKsa/Loss/gr_20051108163955_000232
50
51
URL: http://ns1.war2.ru/files/10years/reports/MasterKsa/gr_20051124125515_000010
52
53
54
55
URL: http://ns1.war2.ru/files/10years/reports/Kind_Friend/
URL: http://ns1.war2.ru/files/10years/reports/Kind_Friend/Loss/
URL: http://ns1.war2.ru/files/10years/reports/Kind_Friend/Loss/gr_20051109192715_000023
URL: http://ns1.war2.ru/files/10years/reports/Kind_Friend/gr_20051116123732_000480
56
57
58
URL: http://ns1.war2.ru/files/june.swf
URL: http://ns1.war2.ru/files/ksa8pl.pud
URL: http://ns1.war2.ru/files/gowbne.pud
URL: http://ns1.war2.ru/files/combat.swf
URL: http://ns1.war2.ru/files/cdkeys.txt
URL: http://ns1.war2.ru/files/bnetwar2.reg
URL: http://ns1.war2.ru/files/seminar2005/
URL: http://ns1.war2.ru/files/seminar2005/Seminar1x2.wir
59
URL: http://ns1.war2.ru/files/seminar2005/Garden_of_War_study.pud
URL: http://ns1.war2.ru/files/one_vs_one.pud
URL: http://ns1.war2.ru/files/ksa_vs_leon.wir
URL: http://ns1.war2.ru/files/war2bne_full.txt
URL: http://ns1.war2.ru/files/combat_changelog.txt
URL: http://ns1.war2.ru/image/
URL: http://ns1.war2.ru/image/maps/
URL: http://ns1.war2.ru/image/cert/
URL: http://ns1.war2.ru/image/ksa30/
URL: http://ns1.war2.ru/image/other/
URL: http://ns1.war2.ru/image/kf2009/
URL: http://ns1.war2.ru/image/about/
URL: http://ns1.war2.ru/image/about/cmds/
URL: http://ns1.war2.ru/image/about/main/
URL: http://ns1.war2.ru/image/about/icons/
60
URL: http://ns1.war2.ru/image/about/resource/
URL: http://ns1.war2.ru/image/sample/
URL: http://ns1.war2.ru/image/ksa2006/
URL: http://ns1.war2.ru/image/gog2008/
URL: http://ns1.war2.ru/image/10years/
URL: http://ns1.war2.ru/image/10years/party/
URL: http://ns1.war2.ru/image/seminar2005/
URL: http://ns1.war2.ru/cgi-bin/
URL: http://ns1.war2.ru/webmail/
URL: http://ns1.war2.ru/webmail/src/
URL: http://ns1.war2.ru/webmail/src/login.php
URL: http://ns1.war2.ru/webmail/src/redirect.php
Inputs
Input scheme 1
Input name
js_autodetect_results
just_logged_in
login_username
secretkey
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL: http://ns1.war2.ru/webmail/images/
61
URL: http://ns1.war2.ru/webmail/index.php
URL: http://ns1.war2.ru/index.php
URL: http://ns1.war2.ru/function.include
URL: http://ns1.war2.ru/function.readfile
URL: http://ns1.war2.ru/function.include-once
URL: http://ns1.war2.ru/%3Cbr%20
URL: http://ns1.war2.ru/%3Cbr%20/%3E%3Cb%3ENotice%3C
URL:
http://ns1.war2.ru/%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Use%20of%20undefined%20constant%20
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www/www.war2.ru
62
URL:
XOOPS_URL%20-%20assumed%20'XOOPS_URL'%20in%20%3Cb%3E/home/war2/data/www/www.war2.ru/includ
e
URL:
e/functions.php%3C
URL:
e/functions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C
URL:
e/functions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20
URL:
e/functions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL
URL:
e/functions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL/include
URL:
e/functions.php%3C/b%3E%20on%20line%20%3Cb%3E69%3C/b%3E%3Cbr%20/%3EXOOPS_URL/include/style.c
ss
URL: http://ns1.war2.ru/<br%20
URL: http://ns1.war2.ru/<br%20/>Notice<
URL:
http://ns1.war2.ru/<br%20/>Notice:%20%20Use%20of%20undefined%20constant%20XOOPS_URL%20-%
20assumed%20'XOOPS_URL'%20in%20
63
URL:
20assumed%20'XOOPS_URL'%20in%20/home
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data/www
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data/www/www.war2.ru
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data/www/www.war2.ru/include
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data/www/www.war2.ru/include/functions.php<
URL:
20assumed%20'XOOPS_URL'%20in%20/home/war2/data/www/www.war2.ru/include/functions.php%20o
n%20line%2069<
URL:
n%20line%2069<br%20
URL:
n%20line%2069<br%20/>XOOPS_URL
64
URL:
n%20line%2069<br%20/>XOOPS_URL/include
URL:
n%20line%2069<br%20/>XOOPS_URL/include/style.css
65

Developer Report PDF

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Developer Report PDF

Transféré par

Droits d'auteur :

Formats disponibles

Acunetix Website Audit

Generated by Acunetix WVS Reporter (v9.0 Build 20130904)

PHP Hash Collision denial of service vulnerability

Slow HTTP Denial of Service Attack

Application error message

Acunetix Website Audit

User credentials are sent in clear text

Login page password-guessing attack

Possible sensitive directories

Possible sensitive files

Session Cookie without HttpOnly flag set

Session Cookie without Secure flag set

TRACE method is enabled

Acunetix Website Audit

Email address found

GHDB: Default phpinfo page

GHDB: Mp3 file

GHDB: SquirrelMail login page

Password type input with auto-complete enabled

Acunetix Website Audit

Acunetix Website Audit

PHP Hash Collision denial of service vulnerability

Acunetix Website Audit

Slow HTTP Denial of Service Attack

Acunetix Website Audit

Application error message

Acunetix Website Audit

Acunetix Website Audit

Acunetix Website Audit

User credentials are sent in clear text

Acunetix Website Audit

Acunetix Website Audit

Login page password-guessing attack

Acunetix Website Audit

Possible sensitive directories

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)

Acunetix Website Audit

Possible sensitive files

Acunetix Website Audit

Session Cookie without HttpOnly flag set

Acunetix Website Audit

Session Cookie without Secure flag set

Acunetix Website Audit

Acunetix Website Audit

TRACE method is enabled

Acunetix Website Audit

Acunetix Website Audit

Email address found

Acunetix Website Audit

GHDB: Default phpinfo page

Acunetix Website Audit

GHDB: Mp3 file

Acunetix Website Audit

Acunetix Website Audit

GHDB: SquirrelMail login page

Acunetix Website Audit

Password type input with auto-complete enabled

Acunetix Website Audit

Scanned items (coverage report)

Acunetix Website Audit

URL encoded POST

Acunetix Website Audit