ran a vulnerability scan and it detected vulnerabilities in Urchin! :o
opened a support ticket about it
QUOTE
The web server on the remote host suffers from a cross-site scripting
(XSS) vulnerability because the result returned when a non-existing
file is requested contains Javascript code passed along with the
initial GET request.
The vulnerability would allow an attacker to make the server present
the user with the attacker's JavaScript/HTML code. Since the content
is presented by the server, the user will give it the trust level of
the server (for example, the trust level of banks, shopping centers,
etc. would usually be high).
Sample url : http://58.70-85-71.reverse.theplanet.com:9...</SCRIPT>
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/do...ownload/update/
- http://www.securiteam.com/windowsntfocus/A...nerability.html
. Apache:
- http://httpd.apache.org/info/css-security/
CVE : CVE-2002-1060, CAN-2005-2453
BID : 5305, 7344, 7353, 8037, 9245, 14473
Nessus ID : 10815
Warning unknown (9999/tcp)
The remote web server appears to be running a version of
Apache that is less than 2.0.49 or 1.3.31.
These versions are vulnerable to a denial of service attack where a remote
attacker can block new connections to the server by connecting to a listening
socket on a rarely accessed port.
Solution: Upgrade to Apache 2.0.49 or 1.3.31.
CVE : CAN-2004-0174
BID : 9921
Nessus ID : 12280
Warning unknown (9999/tcp)
The target is running an Apache web server which allows for the
injection of arbitrary escape sequences into its error logs. An
attacker might use this vulnerability in an attempt to exploit similar
vulnerabilities in terminal emulators.
***** Nessus has determined the vulnerability exists only by looking at
***** the Server header returned by the web server running on the target.
Solution : Upgrade to Apache version 1.3.31 or 2.0.49 or newer.
Risk factor : Low
CVE : CVE-2003-0020
BID : 9930
Other references : APPLE-SA:APPLE-SA-2004-05-03, CLSA:CLSA-2004:839, HPSB:HPSBUX01022, RHSA:RHSA-2003:139-07, RHSA:RHSA-2003:243-07, MDKSA:MDKSA-2003:050, OpenPKG-SA:OpenPKG-SA-2004.021-apache, SSA:SSA:2004-133-01, SuSE-SA:SuSE-SA:2004:009, TLSA:TLSA-2004-11, TSLSA:TSLSA-2004-0017
Nessus ID : 12239
Warning unknown (9999/tcp)
The target is running an Apache web server that may not properly handle
access controls. In effect, on big-endian 64-bit platforms, Apache
fails to match allow or deny rules containing an IP address but not a
netmask.
***** Nessus has determined the vulnerability exists only by looking at
***** the Server header returned by the web server running on the target.
***** If the target is not a big-endian 64-bit platform, consider this a
***** false positive.
Additional information on the vulnerability can be found at :
- http://www.apacheweek.com/features/security-13
- http://marc.theaimsgroup.com/?l=apache-cvs...xxxxyyyyzzzz722
- http://nagoya.apache.org/bugzilla/show_bug...ug.cgi?id=23850
Solution : Upgrade to Apache version 1.3.31 or newer.
Risk factor : Medium
CVE : CVE-2003-0993
BID : 9829
Other references : GLSA:GLSA 200405-22, MDKSA:MDKSA-2004:046, OpenPKG-SA:OpenPKG-SA-2004.021-apache, SSA:SSA:2004-133-01, TSLSA:TSLSA-2004-0027
Nessus ID : 14177
Warning unknown (9999/tcp)
The remote web server appears to be running a version of Apache that is older
than version 1.3.33.
This version is vulnerable to a local buffer overflow in the get_tag()
function of the module 'mod_include' when a specially crafted document
with malformed server-side includes is requested through an HTTP session.
Successful exploitation can lead to execution of arbitrary code with
escalated privileges, but requires that server-side includes (SSI) is enabled.
Solution: Disable SSI or upgrade to a newer version when available.
Risk factor: Medium
CVE : CAN-2004-0940
BID : 11471
Nessus ID : 15554
Warning unknown (9999/tcp)
The remote web server appears to be running a version of Apache that is older
than version 1.3.32.
This version is vulnerable to a heap based buffer overflow in proxy_util.c
for mod_proxy. This issue may lead remote attackers to cause a denial of
service and possibly execute arbitrary code on the server.
Solution: Don't use mod_proxy or upgrade to a newer version.
Risk factor: Medium
CVE : CAN-2004-0492
BID : 10508
Nessus ID : 15555
Warning unknown (9999/tcp)
The remote host appears to be running Apache 1.3.33 or older.
There is a local buffer overflow in the 'htpasswd' command in these
versions that may allow a local user to gain elevated privileges if
'htpasswd' is run setuid or a remote user to run arbitrary commands
remotely if the script is accessible through a CGI.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
See also : http://archives.neohapsis.com/archives/bug...04-10/0345.html
Solution : Make sure htpasswd does not run setuid and is not accessible
through any CGI scripts.
Risk factor : Medium
BID : 13777, 13778
Nessus ID : 14771
Informational unknown (9999/tcp) A web server is running on this port
Nessus ID : 10330
Informational unknown (9999/tcp) The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/session.cgi (user [] pass [] app [admin.exe] action [login] )
Nessus ID : 10662
Informational unknown (9999/tcp) The remote web server type is :
Apache/1.3.29 (Win32)
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Informational unknown (9999/tcp)
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to
give him their credentials.
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
See also http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
CVE : CAN-2004-2320
BID : 9506, 9561, 11604
Nessus ID : 11213
Several security warnings detected by Vulnerability Scanning on port 9999; if I remember correctly that is the port Urchin runs on?
------------------------------------------
(dstevens-10/01/2005 14:58:24):
Normally as Urchin is the only thing running on this port this is not a problem and I have never seen an exploit for Urchin released but I will forward this ticket to our Information Security Team for advice on how to handle these warnings.
------------------------------------------
(tcorley-10/04/2005 20:09:55):
Since Urchin is proprietary software, not much can be done to stop this warning from occurring beyond uninstalling the software. You can firewall off the port if you wish to limit the access to the port, which is the best way to run Urchin.
--------------------------------------
(c14672barr-10/05/2005 11:18:07):
Are these warnings exploitable?
Also, I did not get these warnings before. Has the Vulnerability Scanning been updated recently?
------------------------------------------
(jmason-10/05/2005 11:23:24):
These warnings are most likely exploitable and warrant further investigation. As noted above, the best solution is to disable the application or firewall it off. How do you wish to proceed?
--------------------------------------
(c14672barr-10/05/2005 12:20:07):
I never had these warnings before. Has the Vulnerability Scanning been updated recently?
Also, does anybody else get these issues?
------------------------------------------
(jmason-10/05/2005 12:58:17):
I have never seen these warnings before and it is a good possibility that the vulnerability database has been updated. Either shut down the service or firewall it off. How do you wish to proceed?
Does anyone else get this issue?