0% found this document useful (1 vote)

851 views39 pages

PMB

Uploaded by

kartit

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (1 vote)

851 views39 pages

PMB

Uploaded by

kartit

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 39

Qualys Freescan

Page 1 sur 39

Scan on 02/10/2012
URL : http://pmb.esi.ac.ma
Summary: 36 vulnerabilities found 4 5 27

10 February 2012 at 23:30

SQL Injection Reflected Cross-Site Scripting (XSS) Vulnerabilities Reflected Cross-Site Scripting (XSS) Vulnerabilities Reflected Cross-Site Scripting (XSS) Vulnerabilities Path-Based Vulnerability Path-Based Vulnerability Path-Based Vulnerability Path-Based Vulnerability Path-Based Vulnerability Connection Error Occurred During Web Application Scan Possible Clickjacking vulnerability Unencoded characters Possible Clickjacking vulnerability Unencoded characters Possible Clickjacking vulnerability Possible Clickjacking vulnerability Unencoded characters Possible Clickjacking vulnerability

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 2 sur 39

Unencoded characters

Possible Clickjacking vulnerability Possible Clickjacking vulnerability Possible Clickjacking vulnerability Possible Clickjacking vulnerability Possible Clickjacking vulnerability Cookies Collected Links Crawled Host Scan Time External Links Discovered Scan Diagnostics Maximum Number of Links Reached During Crawl DNS Host Name DNS Host Name Email Addresses Collected PHP "spl_object_storage_attach" Use-After-Free Vulnerability PHP 'popen()' Function Buffer Overflow Vulnerability PHP Versions Prior to 5.2.12 Multiple Vulnerabilities Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day PHP Hashtables Denial of Service Web Directories Listable Vulnerability Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability PHP Versions Prior to 5.3.3/5.2.14 Multiple Vulnerabilities PHP "strrchr()" Function Information Disclosure Vulnerability PHP Versions Prior to 5.3.1 Multiple Vulnerabilities

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 3 sur 39

PHP 5.2.10 and Prior Versions Multiple Vulnerabilities

PHP Versions Prior to 5.2.13 Multiple Vulnerabilities Web Applications and Plugins Detected Host Uptime Based on TCP TimeStamp Option Web Server Probed For Various URL-Encoding Schemes Supported Expose_php Set to On in php.ini Host Scan Time Degree of Randomness of TCP Initial Sequence Numbers IP ID Values Randomness Default Web Page DNS Host Name Target Network Information Traceroute Host Names Found HTTP method TRACE and/or TRACK Enabled Web Server Supports HTTP Request Pipelining Internet Service Provider List of Web Directories

Type: Web Application Findings

SQL Injection
QID: 150003 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
SQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 4 sur 39

Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed. Examples: These two lines demonstrate an insecure query that is created by appending the usersupplied data (userid): dim strQuery as String strQuery = "SELECT name,email FROM users WHERE userid=" + Request.QueryString("userid") If no checks are performed against the userid parameter, then the query may be arbitrarily modified as shown in these two examples of a completed query: SELECT name,email FROM users WHERE userid=42 SELECT name,email FROM users WHERE userid=42; SHUTDOWN WITH NOWAIT

Impact:
The scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.

Solution:
SQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security. All input received from the Web client should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address; or numeric fields like a U.S. zip code should be limited to five digit values. Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query. Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated. SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits. Example of a secure query created with a prepared statement: PreparedStatement ps = "SELECT name,email FROM users WHERE userid=?"; ps.setInt(1, userid);

Results:
http://pmb.esi.ac.ma/home/index.php?lang=http%3a%2f%2frfitest%2f -<br /> <b>Warning</b>: Error parsing ../EasyPHP.ini on line 11 in <b>C:\Program Files\EasyPHP5.2.10\home\i18n.inc.php</b> on line <b>5</b><br /> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1transitional.dtd"> <html> <head> <link rel="shortcut icon" href="images_easyphp/easyphp_favicon.ico" /> <title>[EasyPHP] administration</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="styleshe

Reflected Cross-Site Scripting (XSS) Vulnerabilities

QID: 150001 Category: Web Application CVEID: CVSS Base: 7.5 Port: -

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 5 sur 39

destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.

Impact:
XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.

Solution:
Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers. Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -_litteraux[i],i+terms.length,1,onoff); } } } } </script> <div id="resultatrech"><h3>Rsultat de la recherche</h3> <div id="resultatrech_container"> <div id="resultatrech_see"> <h3><span><EMBED SRC=//localhost/q.swf AllowScriptAccess=always></EMBED> titres trouvs pour la recherche 'John'</span></h3> </div> <div id="resultatrech_liste"><a href='javascript:expandAll()'><img class='img_plusplus' src='./images/expand_all.gif' border='0' id='expandall'></a>

Reflected Cross-Site Scripting (XSS) Vulnerabilities

QID: 150001 Category: Web Application CVEID: CVSS Base: 7.5 Port: -

Threat:
XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- ut type="hidden" id="id_thes" name="id_thes" value=""> <input

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 6 sur 39

type="hidden" name="surligne" value="0"> <input type="hidden" name="tags" value=""> <input type="hidden" name="page" value="1"> <input type="hidden" name="nbexplnum_to_photo" value="\"><qss>"> </form><div class='row'></div> <script type='text/javascript'> <!-function test_form(form) { if (form.page.value > 20) { alert("Numro de page trop lev !"); form.page.focus(); return false; } if (form.page

Reflected Cross-Site Scripting (XSS) Vulnerabilities

QID: 150001 Category: Web Application CVEID: CVSS Base: 7.5 Port: -

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -onoff); } } } } </script>Aucun document trouv<form name="form_values" action="./index.php?lvl=more_results" method="post"> <input type="hidden" name="user_query" value="John"> <input type="hidden" name="mode" value="\"\'><qqs `;!--=&{()}>"> <input type="hidden" name="count" value="193"> <input type="hidden" name="clause" value="where (((index_infos_global like '% john %' ))) and (notices_global_index.num_notice = notice_id and statut=id_notice_statut and ((not

Path-Based Vulnerability
QID: 150004 Category: Web Application CVEID: CVSS Base: 2.1 Port: -

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact:
The contents of this file or directory may disclose sensitive information.

Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 7 sur 39

Results:
http://pmb.esi.ac.ma/opac_css/includes/ -- HTTP/1.1 200 OK

Path-Based Vulnerability
QID: 150004 Category: Web Application CVEID: CVSS Base: 2.1 Port: -

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact:
The contents of this file or directory may disclose sensitive information.

Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Results:
http://pmb.esi.ac.ma/temp/ -- HTTP/1.1 200 OK

Path-Based Vulnerability
QID: 150004 Category: Web Application CVEID: CVSS Base: 2.1 Port: -

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact:
The contents of this file or directory may disclose sensitive information.

Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Results:
http://pmb.esi.ac.ma/admin/ -- HTTP/1.1 200 OK

Path-Based Vulnerability
QID: 150004 Category: Web Application CVEID: CVSS Base: 2.1 Port: -

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact:
The contents of this file or directory may disclose sensitive information.

Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Results:
http://pmb.esi.ac.ma/opac_css/admin/ -- HTTP/1.1 200 OK

Path-Based Vulnerability

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 8 sur 39

QID: 150004 Category: Web Application CVEID: -

CVSS Base: 2.1 Port: -

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact:
The contents of this file or directory may disclose sensitive information.

Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Results:
http://pmb.esi.ac.ma/opac_css/temp/ -- HTTP/1.1 200 OK

Connection Error Occurred During Web Application Scan

QID: 150018 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
Some of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application.

Impact:
Some of the links were not crawled or scanned. Results may be incomplete or incorrect.

Solution:
Investigate the root cause of failure accessing the listed links.

Results:
http://pmb.esi.ac.ma -- Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Links that timed out: http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATAuser_query=John&mode=tous&count=193&clause=%3b--%20&pert= ((index_infos_global%20like%20'%%20john%20%')%2b(trim(infos_global)% 20like%20'John%')*0.2)%2b((index_sew%20like%20'%%20john%20%')%2b (trim(index_wew)%20like%20'John%')*0.2)*0.5%20as% 20pert&l_typdoc=a&tri=ORDER%20BY%20pert%20DESC%2c% 20index_infos_global%20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATAuser_query=John&mode=tous&count=193&clause=where%20 (((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20 (notices_global_index.num_notice%20%3d%20notice_id%20and%20statut% 3did_notice_statut%20and%20((notice_visible_opac%3d1%20and% 20notice_visible_opac_abon%3d0)))&pert=%3b--% 20&l_typdoc=a&tri=ORDER%20BY%20pert%20DESC%2c%20index_infos_global% 20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php? lvl=more_results -FORMDATAuser_query=John&mode=tous&count=193&clause=where%20 (((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20 (notices_global_index.num_notice%20%3d%20notice_id%20and%20statut% 3did_notice_statut%20and%20((notice_visible_opac%3d1%20and% 20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like% 20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b ((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like% 20'John%')*0.2)*0.5%20as%20pert&l_typdoc=%3b--%20&tri=ORDER%20BY% 20pert%20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -FORMDATAuser_query=John&mode=tous&count=193&clause=where%20 (((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20 (notices_global_index.num_notice%20%3d%20notice_id%20and%20statut% 3did_notice_statut%20and%20((notice_visible_opac%3d1%20and%

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 9 sur 39

20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like% 20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b ((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like% 20'John%')*0.2)*0.5%20as%20pert&l_typdoc=a&tri=%3b--% 20&nbexplnum_to_photo=1 http://pmb.esi.ac.ma/opac_css/index.php? lvl=more_results -FORMDATAuser_query=John&mode=tous&count=193&clause=where%20 (((index_infos_global%20like%20'%%20john%20%'%20)))%20and%20 (notices_global_index.num_notice%20%3d%20notice_id%20and%20statut% 3did_notice_statut%20and%20((notice_visible_opac%3d1%20and% 20notice_visible_opac_abon%3d0)))&pert=((index_infos_global%20like% 20'%%20john%20%')%2b(trim(infos_global)%20like%20'John%')*0.2)%2b ((index_sew%20like%20'%%20john%20%')%2b(trim(index_wew)%20like% 20'John%')*0.2)*0.5%20as%20pert&l_typdoc=a&tri=ORDER%20BY%20pert% 20DESC%2c%20index_infos_global%20&nbexplnum_to_photo=%3b--%20 http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA- typdoc=%3b--% 20&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_A UTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_ INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=%3b--% 20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&loo k_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1& look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=%3b--% 20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&lo ok_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1& look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=%3b--% 20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1 &look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&loo k_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=% 3b--% 20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGOR Y=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Re chercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=%3b--% 20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEX INT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=%3b--% 20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWOR DS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--% 20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&l ook_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=% 3b--% 20&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rec hercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1 &look_INDEXINT=%3b--% 20&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1 &look_INDEXINT=1&look_KEYWORDS=%3b--% 20&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 10 sur 39

&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=%3b--% 20&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1 &look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=%3b--% 20&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAlang_sel=%3b--%20 http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=%3b--% 20&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_A UTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_ INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=%3b--% 20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&loo k_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1& look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=%3b--% 20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&lo ok_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1& look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=%3b--% 20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1 &look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&loo k_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=% 3b--% 20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGOR Y=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Re chercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=%3b--% 20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEX INT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=%3b--% 20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWOR DS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--% 20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&l ook_ALL=1&ok=Rechercher Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase. Connection lost during ePhaseFormParameterTests phase.

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Solution:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 11 sur 39

Two of the most popular preventions are: X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.

Results:
http://pmb.esi.ac.ma/styles/light/images/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Unencoded characters
QID: 150084 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).

Impact:
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.

Solution:
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. ; } } } } </script>Aucun document trouv<form name="form_values" action="./index.php?lvl=more_results" method="post"> <input type="hidden" name="user_query" value="John"> <input type="hidden" name="mode" value="<IMG SRC=javascript:qss=777>"> <input type="hidden" name="count" value="193"> <input type="hidden" name="clause" value="where (((index_infos_global like '% john %' ))) and (notices_global_index.num_notice = notice_id and statut=id_notice_statut and ((not

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Solution:
Two of the most popular preventions are: X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.

Results:
http://pmb.esi.ac.ma/opac_css/index.php -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 12 sur 39

Unencoded characters
QID: 150084 Category: Web Application CVEID: CVSS Base: Port: -

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. avig_etageres'><span>Retourner au premier cran avec les tagres virtuelles...</span></a></td> </tr></table></div> <script> terms=new Array('script','qss','777','script'); terms_litteraux=new Array('< script a=4>qss=777< /script>'); codes=new Array(); codes ['a']='[A]'; codes['c']='[C]'; codes['e'] ='[E]'; codes['i']='[I]'; codes['o'] ='[O]'; codes['u']='[U]'; codes['

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/images/tree/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 13 sur 39

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/images/dtree/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Unencoded characters
QID: 150084 Category: Web Application CVEID: CVSS Base: Port: -

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. obj,terms_litteraux [i],i+terms.length,1,onoff); } } } } </script> <div id="resultatrech"><h3>Rsultat de la recherche</h3> <div id="resultatrech_container"> <div id="resultatrech_see"> <h3><span>\"\'><<SCRIPT a=2>qss=777;//<</SCRIPT> titres trouvs pour la recherche 'John'</span></h3> </div> <div id="resultatrech_liste"><a href='javascript:expandAll()'><img class='img_plusplus' src='./images/expand_all.gif' border='0' id='expandall'></a> <a href='javas

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 14 sur 39

Results:
http://pmb.esi.ac.ma/home/index.php -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Unencoded characters
QID: 150084 Category: Web Application CVEID: CVSS Base: Port: -

Results:
http://pmb.esi.ac.ma/opac_css/index.php?lvl=more_results -- comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy. ="hidden" id="id_thes" name="id_thes" value=""> <input type="hidden" name="surligne" value="0"> <input type="hidden" name="tags" value=""> <input type="hidden" name="page" value="1"> <input type="hidden" name="nbexplnum_to_photo" value="<script src=//localhost/j>"> </form><div class='row'></div> <script type='text/javascript'> <!-- function test_form(form) { if (form.page.value > 20) { alert("Numro de page trop lev !"); form.page.focus(); return false; } if

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/images/mimetype/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 15 sur 39

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/styles/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/images/type_param/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 16 sur 39

Possible Clickjacking vulnerability

QID: 150081 Category: Web Application CVEID: CVSS Base: 10 Port: -

Threat:
Click-jacking lets an attacker to trick the user on clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Impact:
Attacks like CSRF can be performed using Clickjacking techniques.

Results:
http://pmb.esi.ac.ma/opac_css/ -- The response for this request did not have an "X-FRAME-OPTIONS" header present.

Cookies Collected
QID: 150028 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The cookies listed in the Results section were received from the web application during the crawl phase.

Impact:
Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.

Solution:
Review cookie values to ensure that sensitive information such as passwords are not present within them.

Results:
http://pmb.esi.ac.ma -- Total cookies: 3 PHPSESSID=rriq7vmfs22p89i93ctnqs44n6; path=/; domain=pmb.esi.ac.ma PhpMyBibli-LANG=fr_FR; expires=Tue Jan 22 20:14:09 2013; path=/opac_css/; domain=pmb.esi.ac.ma; max-age=29999817 PhpMyBibliOPACDB=bibli; expires=Tue Jan 22 20:14:13 2013; path=/opac_css/; domain=pmb.esi.ac.ma; max-age=29999821

Links Crawled
QID: 150009 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The list of unique links crawled by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user.

Impact:
N/A

Solution:
N/A

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 17 sur 39

Results:
http://pmb.esi.ac.ma -- Duration of crawl phase (seconds): 314.00 Number of links: 50 (This number excludes form requests and links re -requested during authentication.) http://pmb.esi.ac.ma/ http://pmb.esi.ac.ma/acquisition http://pmb.esi.ac.ma/admin http://pmb.esi.ac.ma/ajax http://pmb.esi.ac.ma/alert http://pmb.esi.ac.ma/autorites http://pmb.esi.ac.ma/carts http://pmb.esi.ac.ma/catalog http://pmb.esi.ac.ma/circ http://pmb.esi.ac.ma/classes http://pmb.esi.ac.ma/classes%20-% 20Copie http://pmb.esi.ac.ma/demandes http://pmb.esi.ac.ma/devel http://pmb.esi.ac.ma/doc http://pmb.esi.ac.ma/dsi http://pmb.esi.ac.ma/edit http://pmb.esi.ac.ma/external_services http://pmb.esi.ac.ma/fichier http://pmb.esi.ac.ma/home/fr/index.html http://pmb.esi.ac.ma/home/images_easyphp/easyphp_favicon.ico http://pmb.esi.ac.ma/home/index.php http://pmb.esi.ac.ma/home/index.php?lang=en http://pmb.esi.ac.ma/home/index.php?lang=es http://pmb.esi.ac.ma/home/index.php?lang=fr http://pmb.esi.ac.ma/home/index.php?lang=it http://pmb.esi.ac.ma/home/index.php?lang=nw http://pmb.esi.ac.ma/home/index.php?lang=pt http://pmb.esi.ac.ma/home/index.php?lang=pt_br http://pmb.esi.ac.ma/home/index.php?to=change_docroot http://pmb.esi.ac.ma/home/index.php?to=default_docroot http://pmb.esi.ac.ma/home/licence_apache.php http://pmb.esi.ac.ma/home/styles.css http://pmb.esi.ac.ma/images http://pmb.esi.ac.ma/images/add.png http://pmb.esi.ac.ma/images/aide.gif http://pmb.esi.ac.ma/images/alert.gif http://pmb.esi.ac.ma/images/arrow_down.png http://pmb.esi.ac.ma/images/arrow_up.png http://pmb.esi.ac.ma/images/attachment.png http://pmb.esi.ac.ma/images/autorite.gif http://pmb.esi.ac.ma/images/b_edit.png http://pmb.esi.ac.ma/images/bandeau_edc.jpg http://pmb.esi.ac.ma/images/bar_spacer.gif http://pmb.esi.ac.ma/images/basket_20x20.gif http://pmb.esi.ac.ma/images/basket_del.gif http://pmb.esi.ac.ma/images/basket_empr.gif http://pmb.esi.ac.ma/images/basket_empty_20x20.gif http://pmb.esi.ac.ma/images/basket_small.gif http://pmb.esi.ac.ma/images/basket_small_20x20.gif http://pmb.esi.ac.ma/images/bortlesorgues.png

Host Scan Time

QID: 45038 Category: Information gathering CVEID: CVSS Base: Port: -

Threat:
The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Impact:
N/A

Solution:
N/A

Results:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 18 sur 39

http://pmb.esi.ac.ma -- Scan duration: 2266 seconds Start time: Fri, Feb 10 2012, 22:51:24 GMT End time: Fri, Feb 10 2012, 23:29:10 GMT

External Links Discovered

QID: 150010 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.

Impact:
N/A

Solution:
N/A

Results:
http://pmb.esi.ac.ma -- Number of links: 14 http://www.hcp.ma/ http://www.creaweb.ma/ http://www.easyphp.org/ http://www.bnrm.ma/ http://www.sigb.net/ http://www.alastore.ala.org/ http://www.esi.ac.ma/ http://www.bnf.fr/ http://www.google.fr/ http://www.php.net/ChangeLog-5.php http://www.php.net/migration53 http://www.php.net/releases/5_2_10.php mailto:besi@esi.ac.ma http://httpd.apache.org/

Scan Diagnostics
QID: 150021 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.

Impact:
The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.

Solution:
No action is required.

Results:
http://pmb.esi.ac.ma -- Loaded 0 blacklist entries. HTML form authentication unavailable, no WEBAPP entry found Maximum request count reached: 50 Links remaining in queue: 400 Collected 758 links overall. Path manipulation: estimated time < 30 minutes (82 tests, 362 inputs) Path manipulation: 82 vulnsigs tests, completed 8656 requests, 305 seconds. All tests completed. Batch #0 WS enumeration: estimated time < 10 minutes (9 tests, 0 inputs) WS enumeration: 9 vulnsigs tests, completed 198 requests, 7 seconds. All tests completed. Batch #1 URI parameter manipulation: estimated time < 1 minute (37 tests, 4 inputs) Batch #1 URI parameter manipulation: 37 vulnsigs tests, completed 80 requests, 19 seconds. XSS optimization removed 68 links. Completed 80 requests of 148 estimated requests (54%). All tests completed. Batch #1 Form parameter manipulation: estimated time < 1 minute (37 tests, 13 inputs) Reached the threshold for timed-out links: 20 Batch #1 Form parameter manipulation: 37 vulnsigs tests, completed 836 requests, 1587 seconds. Module did not finish. Completed 836 requests of 333 estimated requests (251% complete). Reached the threshold for timedout links: 20 Reached the threshold for timed-out links: 20 Reached

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 19 sur 39

the threshold for timed-out links: 20 Total requests made: 10261 Average server response time: 0.50 seconds Most recent links: --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=1&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1 &look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=%3b--% 20&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php FORMDATA- lang_sel=%3b--%20 --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATA- typdoc=%3b--% 20&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_A UTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_ INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=%3b--% 20&user_query=John&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&loo k_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1& look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=%3b--% 20&look_FIRSTACCESS=1&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&lo ok_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1& look_ABSTRACT=1&look_ALL=1&ok=Rechercher --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=%3b--% 20&look_TITLE=1&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1 &look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&loo k_ALL=1&ok=Rechercher --- http://pmb.esi.ac.ma/opac_css/index.php FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=% 3b--% 20&look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGOR Y=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Re chercher --- http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=%3b--% 20&look_PUBLISHER=1&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEX INT=1&look_KEYWORDS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=%3b--% 20&look_TITRE_UNIFORME=1&look_CATEGORY=1&look_INDEXINT=1&look_KEYWOR DS=1&look_ABSTRACT=1&look_ALL=1&ok=Rechercher --http://pmb.esi.ac.ma/opac_css/index.php -FORMDATAtypdoc=1&surligne=0&user_query=John&look_FIRSTACCESS=1&look_TITLE=1& look_AUTHOR=1&look_PUBLISHER=1&look_TITRE_UNIFORME=%3b--% 20&look_CATEGORY=1&look_INDEXINT=1&look_KEYWORDS=1&look_ABSTRACT=1&l ook_ALL=1&ok=Rechercher Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timedout links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20 Reached the threshold for timed-out links: 20

Maximum Number of Links Reached During Crawl

QID: 150026 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.

Impact:
Some links that lead to different areas of the site's functionality may have been missed.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 20 sur 39

Solution:
Increase the maximum number of links in order to ensure broader coverage of the Web application. It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.

Results:
http://pmb.esi.ac.ma -- Maximum request count reached: 50 Links remaining in queue: 400

DNS Host Name

QID: 6 Category: Information gathering CVEID: CVSS Base: 0 Port: -

Threat:
The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.

Impact: Solution: Results:

http://pmb.esi.ac.ma -- #table IP_address Host_name

DNS Host Name

QID: 6 Category: Information gathering CVEID: CVSS Base: 0 Port: -

Threat:
The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.

Impact: Solution: Results:

http://pmb.esi.ac.ma -- 212.217.22.95 scanesi.esi.ac.ma

Email Addresses Collected

QID: 150054 Category: Web Application CVEID: CVSS Base: Port: -

Threat:
The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.

Impact:
Email addresses may help a malicious user with brute force and phishing attacks.

Solution:
Review the email list to see if they are all email addresses you want to expose.

Results:
http://pmb.esi.ac.ma -- Number of emails: 14 adam@zeus.co.uk apache@apache.org besi@esi.ac.ma campanella@stevms.enet.dec.com erich@eye.com httpd@ncsa.uiuc.edu jgm+@cmu.edu jloup@gzip.org madler@alumni.caltech.edu martin@net.lut.ac.uk mbelshe@netscape.com oz@nexus.yorku.ca ph10@cam.ac.uk phk@login.dknet.dk

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 21 sur 39

Type: Perimeter Findings

PHP "spl_object_storage_attach" Use-After-Free Vulnerability

QID: 12378 Category: CGI CVEID: CVE-2010-2225 CVSS Base: Port: 0

Threat:
PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. PHP is prone to a vulnerability that is caused by a use-after-free error within the "spl_object_storage_attach()" function, which can be exploited by inserting the same object twice. Affected Versions: PHP 5.2 <= 5.2.13 PHP 5.3 <= 5.3.2

Impact:
If this vulnerability is successfully exploited, attackers can get potentially sensitive information and compromise a vulnerable system.

Solution:
The vendor has released PHP Version 5.3.3 and 5.2.14 to address these issues. It is available for download from the PHP Download Web site. Refer to PHP 5.2.14 Change Log and PHP 5.3.3 Change Log to obtain additional details about the issues fixed in the update.

Results:
Detected on port 80 - Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 ContentLength: 3094 Connection: close Content-Type: text/html; charset=utf8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'> <head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='nocache' /> <meta http-equiv='Cache-Control' content='no-cache' /> <meta http-equiv='content-type' content='text/html; charset=utf8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo

PHP 'popen()' Function Buffer Overflow Vulnerability

QID: 12271 Category: CGI CVEID: CVE-2009-3294 CVSS Base: 5 Port: 80

Threat:
PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The "popen" function opens a pipe to the program specified in the command parameter. PHP is prone to a buffer overflow vulnerability that occurs in the "popen" function because it fails to perform adequate boundary checks before copying user-supplied data to insufficiently sized memory buffers. This issue can be exploited by passing a large string to the "mode" argument of the function. PHP Versions before 5.2.11 and Version 5.3.x before 5.3.1 are affected.

Impact:
If this vulnerability is successfully exploited, a malicious user can execute arbitrary machine code in the context of the affected Web server. Failed attempts cause denial of service attacks by crashing the Web server.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 22 sur 39

Solution:
This issue is resolved in PHP Version 5.2.11 and later or Version 5.3.1 or later. Refer to PHP 5.2.11 Release Notes and PHP 5.3.1 Release Notes to obtain additional details.

Results:
Date: Fri, 10 Feb 2012 22:53:25 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'> <head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='nocache' /> <meta http-equiv='Cache-Control' content='no-cache' /> <meta http-equiv='content-type' content='text/html; charset=utf8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo

PHP Versions Prior to 5.2.12 Multiple Vulnerabilities

QID: 12318 CVSS Base: 7.5

Category: CGI Port: 80 CVEID: CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4142, CVE-20094143

Threat:
PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. The following vulnerabilities exist in PHP: 1) An error in "tempnam()" can be exploited to bypass the "safe_mode" feature. 2) An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature. 3) An error within the processing of form-based file uploads can be exploited to cause a DoS by sending specially crafted requests. 4) Errors related to a insufficient protection of $_SESSION against interrupt corruption and a weak "session.save_path" check have unknown impacts. 5) The "htmlspecialchars()" function does not properly sanitize certain input, which can be exploited to conduct cross-site scripting attacks. PHP versions prior to 5.2.12 and prior to 5.3.1 are affected by these vulnerabilities.

Impact:
Successfully exploiting these issue may allow remote attackers to bypass certain security restrictions or to conduct cross-site scripting attacks and cause a denial of service.

Solution:
The vendor has released PHP Version 5.2.12 and 5.3.1 to address these issues. It is available for download from the PHP Download Web site.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 23 sur 39

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day

QID: 86847 Category: Web server CVEID: CVSS Base: 7.8 Port: 0

Threat:
The Apache HTTP Server, commonly referred to as Apache is a freely available Web server. Apache is vulnerable to a denial of service due to holding a connection open for partial HTTP requests. Apache Versions 1.x and 2.x are vulnerable.

Impact:
A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site. Denial of service tools and scripts such as Slowloris takes advantage of this vulnerability.

Solution:
Patch: There are no vendor-supplied patches available at this time. Workaround: - Reverse proxies, load balancers and iptables can help to prevent this attack from occurring. - Adjusting the TimeOut Directive can also prevent this attack from occurring. - A new module mod_reqtimeout has been introduced since Apache 2.2.15 to provide tools for mitigation against these forms of attack, however; the module is marked experimental. Also refer to Cert Blog and Slowloris and Mitigations for Apache document for further information.

Results:
Detected on port 80 - Apache 1.3

PHP Hashtables Denial of Service

QID: 12539 Category: CGI CVEID: CVE-2011-4885 CVSS Base: 5 Port: 80

Threat:
PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to remote denial of service issue due to the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions. Affected Versions: PHP 5.3 versions prior to 5.3.9 are affected.

Impact:
By exploiting this vulnerability, remote attackers can cause a denial of service (CPU consumption) by sending many crafted HTTP requests.

Solution:
There are no official vendor-supplied patches at this time. Workaround: Update to development version of 5.3.9 or 5.4 which supports max_input_vars directive to prevent attacks based on hash collisions. For more information, please refer to the PHP SVN site. Another method is to reduce the CPU time that a request is allowed to take. For PHP, this can be configured using the max_input_time parameter.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 24 sur 39

Group' /> <meta name='description' content='Logiciel libre de gestion de m diath que' /> <meta name='keywords' content='logiciel, gestion, biblioth que, m diath que, libre, free, software, mysql, php, linux, windows, mac' /> <meta http-equiv='Pragma' content='nocache' /> <meta http-equiv='Cache-Control' content='no-cache' /> <meta http-equiv='content-type' content='text/html; charset=utf8' /> <meta http-equiv='Content-Language' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colo

Web Directories Listable Vulnerability

QID: 86445 Category: Web server CVEID: CVSS Base: 2.3 Port: 80

Threat:
The Web server has some listable directories. Very sensitive information can be obtained from directory listings.

Impact:
A remote user may exploit this vulnerability to obtain very sensitive information on the host. The information obtained may assist in further attacks against the host.

Solution:
Disable directory browsing or listing for all directories.

Results:
#table cols="1" Listable_Directories /images/ /admin/ /catalog/

Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

QID: 86473 Category: Web server CVEID: CVE-2004-2320, CVE-2007-3008 CVSS Base: 2.8 Port: 80

Threat:
A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same. A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server. The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response. Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable. The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below.

Impact:
If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.

Solution:
Solutions for some of the common Web servers are supplied below. For other Web servers, please check your vendor's documentation.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 25 sur 39

Apache: Recent Apache versions have a Rewrite module that allows HTTP requests to be
rewritten or handled in a specific way. Compile the Apache server with the mod_rewrite module. You might need to uncomment the 'AddModule' and 'LoadModule' directives in the httpd.conf configuration file. Add the following lines for each virtualhost in your configuration file (Please note that, by default, Rewrite configurations are not inherited. This means that you need to have Rewrite directives for each virtual host in which you wish to use it): <IfModule mod_rewrite.c> RewriteEngine on RewriteCond % {REQUEST_METHOD} ^TRACE RewriteRule .* - [F] </IfModule> With this configuration, Apache catches all TRACE requests, and replies with a page reporting the request as forbidden. None of the original request's contents are echoed back. A slightly tighter fix is to use: <IfModule mod_rewrite.c> RewriteEngine on RewriteCond % {REQUEST_METHOD} !^(GET|POST|HEAD)$ RewriteRule .* - [F] </IfModule> Please note that RewriteEngine can be processor intensive and may impact the web server performance. The trace method can also be controlled by use of the TraceEnable directive. In the httpd.conf add or modify: TraceEnable Off Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming requests based on customized rulesets. URLScan can be used to sanitize or disable the TRACE requests from the clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specfically block the TRACE method, the TRACK method should also be added to the filter. URLScan uses the 'urlscan.ini' configuration file, usually in \System32\InetSrv\URLScan directory. In that, we have two sections - AllowVerbs and DenyVerbs. The former is used if the UseAllowVerbs variable is set to 1, else (if its set to 0), the DenyVerbs are used. Clearly, either can be used, depending on whether we want a Default-Deny-Explicit-Allow or a Default-Allow-Explicit-Deny policy. To disallow TRACE and TRACK methods through URLScan, first remove 'TRACK', 'TRACE' methods from the 'AllowVerbs' section and add them to the 'DenyVerbs' section. With this, URLScan will disallow all 'TRACE' and 'TRACK' methods, and generate an error page for all requests using that method. To enable the changes, restart the 'World Wide Web Publishing Service' from the 'Services' Control Panel item. Sun ONE/iPlanet Web Server: Here are the sun recommandations to disable the trace method. For more details about other web servers : Cert Advisory.

Results:
TRACE / HTTP/1.1 Host: scanesi.esi.ac.ma Via: <script>alert ('QualysXSS');</script> HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:51 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 TransferEncoding: chunked Content-Type: message/http TRACE / HTTP/1.1 Host: scanesi.esi.ac.ma Via: <script>alert('QualysXSS');</script> -CRTRACE / HTTP/1.0 Via: <script>alert('QualysXSS');</script> HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:51 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 Connection: close Content-Type: message/http TRACE / HTTP/1.0 Via: <script>alert('QualysXSS');</script>

PHP Versions Prior to 5.3.3/5.2.14 Multiple Vulnerabilities

QID: 12390 Category: CGI CVEID: CVE-2010-2484, CVE-2010-2531 CVSS Base: Port: 80

Threat:
PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. PHP is prone to multiple memory corruption and buffer overflow security vulnerabilities. PHP Versions Prior to 5.3.3/5.2.14 are affected

Impact:
An attacker can exploit these issues to execute arbitrary code, gain access to sensitive information, and bypass security restrictions. Other attacks are also possible.

Solution:
The vendor has released PHP Version 5.3.3 and 5.2.14 to address these issues. It is available for download from the PHP Download Web site. Refer to PHP 5.2.14 Change Log PHP 5.3.3 Change Logto obtain additional details about the issues fixed in the update.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 26 sur 39

PHP "strrchr()" Function Information Disclosure Vulnerability

QID: 12384 Category: CGI CVEID: CVE-2010-2484 CVSS Base: 5 Port: 80

Threat:
PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. PHP is prone to an information disclosure vulnerability. This is due to a possible memory corruption in strrchr() function. The strrchr function allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler. Affected Versions: PHP 5.2 before 5.2.14

Impact:
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

Solution:
Update to PHP 5.2.14 or later to resolve this vulnerability. Refer to PHP 5.2.14 ChangeLog to obtain more information.

PHP Versions Prior to 5.3.1 Multiple Vulnerabilities

QID: 12314 Category: CGI CVSS Base: Port: 80

CVEID: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558

Threat:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 27 sur 39

PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. The following vulnerabilities exist in PHP: - Input validation errors exist in the processing of exif data. -An error in "tempnam()" can be exploited to bypass the "safe_mode" feature. -An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature. Versions prior to 5.3.1 are affected.

Impact:
These vulnerabilities can be exploited by malicious users to bypass certain security restrictions.

Solution:
The vendor has released PHP Version 5.3.1 to address these issues. It is available for download from the PHP Download Web site .

PHP 5.2.10 and Prior Versions Multiple Vulnerabilities

QID: 12299 CVSS Base: 7.5 Category: CGI Port: 80 CVEID: CVE-2009-3291, CVE-2009-3292, CVE-2009-3293

Threat:
PHP is a general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. The following multiple vulnerabilities exist in PHP: 1) An unspecified error exists in the certificate validation in "php_openssl_apply_verification_policy". 2) An input validation error exists related to the color index in "imagecolortransparent()". 3) An input validation error exists in the processing of exif data. 4) An unspecified issue related to "popen" and invalid modes exists. These issues affect PHP 5.2.10 and prior versions.

Impact:
Exploitation of the vulnerabilities may result in an unspecified impact.

Solution:
The vendor has released PHP Version 5.2.11 to address these issues. It is available for download from the PHP Download Web site.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 28 sur 39

PHP Versions Prior to 5.2.13 Multiple Vulnerabilities

QID: 12334 Category: CGI CVEID: CVE-2010-1129 CVSS Base: 6.4 Port: 80

Threat:
PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. The following vulnerabilities exist in PHP: An error in the session extension can be exploited to bypass the "safe_mode" and "open_basedir" feature. A validation error within the "tempnam()" function can be exploited to bypass the "safe_mode" feature. PHP 5.2.12 and prior versions are affected.

Impact:
Successful exploits could allow an attacker to access files in unauthorized locations or create files in any writable directory.

Solution:
The vendor has released PHP Version 5.2.13 to address these issues and several other bugs. It is available for download from the PHP Download Web site. Refer to PHP 5.2.13 Change Log to obtain additional details about the issues fixed in the update.

Web Applications and Plugins Detected

QID: 45114 Category: Information gathering CVEID: CVSS Base: Port: 80

Threat:
The result section of this QID lists web applications and plugins that were detected on the target using web application fingerprinting. This technique compares static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable. Following applications are currently supported: Joomla! MediaWiki WordPress phpBB MovableType Drupal osCommerce

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 29 sur 39

PHP-Nuke Moodle Liferay Tikiwiki Twiki phpmyadmin SPIP Confluence(free versions) Wikka Wacko Usemod Following Drupal plugins are supported: Date ImageField Pathauto Spamicide CCK FileField ImageAPI IMCE Print TagaDelic Token Views Following WordPress plugins are supported: Akismet Buddypress stats WP-E-Commerce WP-Super-Cache This QID is based on the blind elephant project.

Impact:
N/A

Solution:
N/A

Results:
#table cols="2" usemod _1.0.5

Host Uptime Based on TCP TimeStamp Option

QID: 82063 Category: TCP/IP CVEID: CVSS Base: Port: 0

Threat:
The TCP/IP stack on the host supports the TCP TimeStamp (kind 8) option. Typically the timestamp used is the host's uptime (since last reboot) in various units (e.g., one hundredth of second, one tenth of a second, etc.). Based on this, we can obtain the host's uptime. The result is given in the Result section below. Some operating systems (e.g., MacOS, OpenBSD) use a non-zero, probably random, initial value for the timestamp. For these operating systems, the uptime obtained does not reflect the actual uptime of the host; the former is always larger than the latter.

Impact:
N/A

Solution:
N/A

Results:
Based on TCP timestamps obtained via port 80, the host's uptime is 2 days, 8 hours, and 59 minutes. The TCP timestamps from the host are in units of 10 milliseconds.

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 30 sur 39

Web Server Probed For Various URL-Encoding Schemes Supported

QID: 12059 Category: CGI CVEID: CVSS Base: Port: 80

Threat:
The target Web server was probed for various URL-encoding schemes that it supports. Per this paper by Daniel Roelker that was presented at Defcon 11, popular Web servers like Microsoft IIS support a variety of encoding schemes for the URLs. These include Percentescaped Hex Encoding, Double-percent Escaped Hex Encoding, Microsoft's %U Encoding, Percent-escaped 2-Byte UTF-8 Encoding, and Raw 2-Byte UTF-8 Encoding. For a sample HTTP GET request, GET /. HTTP/1.0, the following illustrates the encoded URI under these schemes: Percent-escaped Hex Encoding: GET /%2e HTTP/1.0 Double-percent Escaped Hex Encoding: GET /%252e HTTP/1.0 Percent-escaped 2-Byte UTF -8 Encoding: GET /%C0%AE HTTP/1.0 Raw 2-Byte UTF-8 Encoding: GET / \xC0\xAE HTTP/1.0 (Actual raw 0xC0 and 0xAE bytes) Microsoft's %U Encoding: GET /%u002e HTTP/1.0 The supported encoding schemes are listed in the Results section. URI encoding is relevant to Web server security since, as mentioned in the paper above, attackers could launch HTTP attacks while at the same time obfuscating the URIs to evade detection by Intrusion Detection Systems that are not capable of decoding the URIs.

Impact:
N/A

Solution:
N/A

Results:
Single-%-Escaped Hex-Encoding Supported

Expose_php Set to On in php.ini

QID: 12087 Category: CGI CVEID: CVSS Base: 1.9 Port: 80

Threat:
The scanner found PHP version information in the headers returned by the PHP-enabled target Web server. This likely means that the "expose_php" variable is set to "On" in the "php.ini" configuration file for the Web server.

Impact:
This allows remote users to easily know that PHP is installed on the Web server. It also provides version information of the PHP installation. This could aid an attacker in launching more targeted attacks in the future.

Solution:
Locate the "php.ini" configuration file on the target host and add this setting to it: "expose_php=Off". Restart the Web server.

Results:
HEAD / HTTP/1.1 Host: scanesi.esi.ac.ma Connection: Keep-Alive HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:55:55 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 KeepAlive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 GET /?=PHPB8B5F2A0-3C92-11d3-A3A94C7B08C10000 HTTP/1.1 Host: scanesi.esi.ac.ma Connection: Keep-Alive HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:56:01 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 KeepAlive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd"> <html><head> <style type="text/css"> body {background-color: #ffffff; color: #000000;} body, td, th, h1, h2 {font-family: sansserif;} pre {margin: 0px; font-family: monospace;} a:link {color: #000099; text-decoration: none; background-color: #ffffff;} a:hover

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 31 sur 39

{text-decoration: underline;} table {border-collapse: collapse;} .center {text-align: center;} .center table { marginleft: auto; margin-right: auto; text-align: left;} .center th { text -align: center !important; } td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;} h1 {font-size: 150%;} h2 {font-size: 125%;} .p {text-align: left;} .e {background-color: #ccccff; font-weight: bold; color: #000000;} .h {background-color: #9999cc; font-weight: bold; color: #000000;} .v {background-color: #cccccc; color: #000000;} .vr {background-color: #cccccc; textalign: right; color: #000000;} img {float: right; border: 0px;} hr {width: 600px; background-color: #cccccc; border: 0px; height: 1px; color: #000000;} </style> <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head> <body><div class="center"> <h1>PHP Credits</h1> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>PHP Group</th></tr> <tr><td class="e">Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>Language Design & Concept</th></tr> <tr><td class="e">Andi Gutmans, Rasmus Lerdorf, Zeev Suraski </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">PHP 5 Authors</th></tr> <tr class="h"><th>Contribution</th><th>Authors</th></tr> <tr><td class="e">Zend Scripting Language Engine </td><td class="v">Andi Gutmans, Zeev Suraski </td></tr> <tr><td class="e">Extension Module API </td><td class="v">Andi Gutmans, Zeev Suraski, Andrei Zmievski </td></tr> <tr><td class="e">UNIX Build and Modularization </td><td class="v">Stig Bakken, Sascha Schumann, Jani Taskinen </td></tr> <tr><td class="e">Win32 Port </td><td class="v">Shane Caraveo, Zeev Suraski, Wez Furlong </td></tr> <tr><td class="e">Server API (SAPI) Abstraction Layer </td><td class="v">Andi Gutmans, Shane Caraveo, Zeev Suraski </td></tr> <tr><td class="e">Streams Abstraction Layer </td><td class="v">Wez Furlong, Sara Golemon </td></tr> <tr><td class="e">PHP Data Objects Layer </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">SAPI Modules</th></tr> <tr class="h"><th>Contribution</th><th>Authors</th></tr> <tr><td class="e">AOLserver </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">Apache 1.3 (apache_hooks) </td><td class="v">Rasmus Lerdorf, Zeev Suraski, Stig Bakken, David Sklar, George Schlossnagle, Lukas Schroeder </td></tr> <tr><td class="e">Apache 1.3 </td><td class="v">Rasmus Lerdorf, Zeev Suraski, Stig Bakken, David Sklar </td></tr> <tr><td class="e">Apache 2.0 Filter </td><td class="v">Sascha Schumann, Aaron Bannert </td></tr> <tr><td class="e">Apache 2.0 Handler </td><td class="v">Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code) </td></tr> <tr><td class="e">Caudium / Roxen </td><td class="v">David Hedbor </td></tr> <tr><td class="e">CGI / FastCGI </td><td class="v">Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov </td></tr> <tr><td class="e">CLI </td><td class="v">Edin Kadribasic, Marcus Boerger, Johannes Schlueter </td></tr> <tr><td class="e">Continuity </td><td class="v">Alex Leigh (based on nsapi code) </td></tr> <tr><td class="e">Embed </td><td class="v">Edin Kadribasic </td></tr> <tr><td class="e">ISAPI </td><td class="v">Andi Gutmans, Zeev Suraski </td></tr> <tr><td class="e">NSAPI </td><td class="v">Jayakumar Muthukumarasamy, Uwe Schindler </td></tr> <tr><td class="e">phttpd </td><td class="v">Thies C. Arntzen </td></tr> <tr><td class="e">pi3web </td><td class="v">Holger Zimmermann </td></tr> <tr><td class="e">Sendmail Milter </td><td class="v">Harald Radi </td></tr> <tr><td class="e">thttpd </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">tux </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">WebJames </td><td class="v">Alex Waugh </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">Module Authors</th></tr> <tr class="h"><th>Module</th><th>Authors</th></tr> <tr><td class="e">Assert </td><td class="v">Thies C. Arntzen </td></tr> <tr><td class="e">BC Math </td><td class="v">Andi Gutmans </td></tr> <tr><td class="e">Bzip2 </td><td class="v">Sterling

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 32 sur 39

Hughes </td></tr> <tr><td class="e">Calendar </td><td class="v">Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong </td></tr> <tr><td class="e">COM and .Net </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">ctype </td><td class="v">Hartmut Holzgraefe </td></tr> <tr><td class="e">cURL </td><td class="v">Sterling Hughes </td></tr> <tr><td class="e">Date/Time Support </td><td class="v">Derick Rethans </td></tr> <tr><td class="e">DBA </td><td class="v">Sascha Schumann, Marcus Boerger </td></tr> <tr><td class="e">dBase </td><td class="v">Jim Winstead </td></tr> <tr><td class="e">DB-LIB (MS SQL, Sybase) </td><td class="v">Wez Furlong, Frank M. Kromann </td></tr> <tr><td class="e">DOM </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger </td></tr> <tr><td class="e">EXIF </td><td class="v">Rasmus Lerdorf, Marcus Boerger </td></tr> <tr><td class="e">FBSQL </td><td class="v">Frank M. Kromann </td></tr> <tr><td class="e">FDF </td><td class="v">Uwe Steinmann </td></tr> <tr><td class="e">Firebird/InterBase driver for PDO </td><td class="v">Ard Biesheuvel </td></tr> <tr><td class="e">FTP </td><td class="v">Stefan Esser, Andrew Skalski </td></tr> <tr><td class="e">GD imaging </td><td class="v">Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger </td></tr> <tr><td class="e">GetText </td><td class="v">Alex Plotnick </td></tr> <tr><td class="e">GNU GMP support </td><td class="v">Stanislav Malyshev </td></tr> <tr><td class="e">Iconv </td><td class="v">Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi </td></tr> <tr><td class="e">IMAP </td><td class="v">Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky </td></tr> <tr><td class="e">Input Filter </td><td class="v">Rasmus Lerdorf, Derick Rethans, PierreAlain Joye, Ilia Alshanetsky </td></tr> <tr><td class="e">InterBase </td><td class="v">Jouni Ahto, Andrew Avdeev, Ard Biesheuvel </td></tr> <tr><td class="e">JSON </td><td class="v">Omar Kilani </td></tr> <tr><td class="e">LDAP </td><td class="v">Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas </td></tr> <tr><td class="e">LIBXML </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo </td></tr> <tr><td class="e">mcrypt </td><td class="v">Sascha Schumann, Derick Rethans </td></tr> <tr><td class="e">mhash </td><td class="v">Sascha Schumann </td></tr> <tr><td class="e">mime_magic </td><td class="v">Hartmut Holzgraefe </td></tr> <tr><td class="e">MING </td><td class="v">Dave Hayden, Frank M. Kromann </td></tr> <tr><td class="e">mSQL </td><td class="v">Zeev Suraski </td></tr> <tr><td class="e">MS SQL </td><td class="v">Frank M. Kromann </td></tr> <tr><td class="e">Multibyte String Functions </td><td class="v">Tsukada Takuya, Rui Hirokawa </td></tr> <tr><td class="e">mySQL driver for PDO </td><td class="v">George Schlossnagle, Wez Furlong, Ilia Alshanetsky </td></tr> <tr><td class="e">MySQLi </td><td class="v">Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel </td></tr> <tr><td class="e">MySQL </td><td class="v">Zeev Suraski, Zak Greant, Georg Richter </td></tr> <tr><td class="e">ncurses </td><td class="v">Ilia Alshanetsky, Wez Furlong, Hartmut Holzgraefe, Georg Richter </td></tr> <tr><td class="e">OCI8 </td><td class="v">Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong </td></tr> <tr><td class="e">ODBC driver for PDO </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">ODBC </td><td class="v">Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky </td></tr> <tr><td class="e">OpenSSL </td><td class="v">Stig Venaas, Wez Furlong, Sascha Kettler </td></tr> <tr><td class="e">Oracle (OCI) driver for PDO </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">pcntl </td><td class="v">Jason Greene </td></tr> <tr><td class="e">Perl Compatible Regexps </td><td class="v">Andrei Zmievski </td></tr> <tr><td class="e">PHP Data Objects </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr> <tr><td class="e">PHP hash </td><td class="v">Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner </td></tr> <tr><td class="e">Posix </td><td class="v">Kristian Koehntopp </td></tr> <tr><td class="e">PostgreSQL driver for PDO </td><td class="v">Edin Kadribasic, Ilia Alshanetsky </td></tr> <tr><td class="e">PostgreSQL </td><td class="v">Jouni

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 33 sur 39

Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne </td></tr> <tr><td class="e">Pspell </td><td class="v">Vlad Krupin </td></tr> <tr><td class="e">Readline </td><td class="v">Thies C. Arntzen </td></tr> <tr><td class="e">Recode </td><td class="v">Kristian Khntopp </td></tr> <tr><td class="e">Reflection </td><td class="v">Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei Zmievski, Johannes Schlueter </td></tr> <tr><td class="e">Sessions </td><td class="v">Sascha Schumann, Andrei Zmievski </td></tr> <tr><td class="e">Shared Memory Operations </td><td class="v">Slava Poliakov, Ilia Alshanetsky </td></tr> <tr><td class="e">SimpleXML </td><td class="v">Sterling Hughes, Marcus Boerger, Rob Richards </td></tr> <tr><td class="e">SNMP </td><td class="v">Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne </td></tr> <tr><td class="e">SOAP </td><td class="v">Brad Lafountain, Shane Caraveo, Dmitry Stogov </td></tr> <tr><td class="e">Sockets </td><td class="v">Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene </td></tr> <tr><td class="e">SPL </td><td class="v">Marcus Boerger </td></tr> <tr><td class="e">SQLite 3.x driver for PDO </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">SQLite </td><td class="v">Wez Furlong, Tal Peer, Marcus Boerger, Ilia Alshanetsky </td></tr> <tr><td class="e">Sybase-CT </td><td class="v">Zeev Suraski, Tom May, Timm Friebe </td></tr> <tr><td class="e">Sybase-DB </td><td class="v">Zeev Suraski </td></tr> <tr><td class="e">System V Message based IPC </td><td class="v">Wez Furlong </td></tr> <tr><td class="e">System V Semaphores </td><td class="v">Tom May </td></tr> <tr><td class="e">System V Shared Memory </td><td class="v">Christian Cartus </td></tr> <tr><td class="e">tidy </td><td class="v">John Coggeshall, Ilia Alshanetsky </td></tr> <tr><td class="e">tokenizer </td><td class="v">Andrei Zmievski, Johannes Schlueter </td></tr> <tr><td class="e">WDDX </td><td class="v">Andrei Zmievski </td></tr> <tr><td class="e">XMLReader </td><td class="v">Rob Richards </td></tr> <tr><td class="e">xmlrpc </td><td class="v">Dan Libby </td></tr> <tr><td class="e">XML </td><td class="v">Stig Bakken, Thies C. Arntzen, Sterling Hughes </td></tr> <tr><td class="e">XMLWriter </td><td class="v">Rob Richards, Pierre-Alain Joye </td></tr> <tr><td class="e">XSL </td><td class="v">Christian Stocker, Rob Richards </td></tr> <tr><td class="e">Zip </td><td class="v">Pierre-Alain Joye </td></tr> <tr><td class="e">Zlib </td><td class="v">Rasmus Lerdorf, Stefan Roehrich, Zeev Suraski, Jade Nicoletti </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th colspan="2">PHP Documentation</th></tr> <tr><td class="e">Authors </td><td class="v">Mehdi Achour, Friedhelm Betz, Antony Dovgal, Nuno Lopes, Hannes Magnusson, Georg Richter, Damien Seguy, Jakub Vrana </td></tr> <tr><td class="e">Editor </td><td class="v">Philip Olson </td></tr> <tr><td class="e">User Note Maintainers </td><td class="v">Friedhelm Betz, Etienne Kneuss, Nuno Lopes, Hannes Magnusson, Felipe Pena, Maciek Sokolewicz </td></tr> <tr><td class="e">Other Contributors </td><td class="v">Previously active authors, editors and other contributors are listed in the manual. </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>PHP Quality Assurance Team</th></tr> <tr><td class="e">Ilia Alshanetsky, Joerg Behrens, Antony Dovgal, Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn, Derick Rethans, Melvyn Sopacua, Jani Taskinen </td></tr> </table><br /> <table border="0" cellpadding="3" width="600"> <tr class="h"><th>PHP Website Team</th></tr> <tr><td class="e">Rasmus Lerdorf, Hannes Magnusson, Philip Olson </td></tr> </table><br /> </div></body></html> -CR-

Host Scan Time

QID: 45038 Category: Information gathering CVEID: CVSS Base: Port: 0

Threat:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 34 sur 39

The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Impact:
N/A

Solution:
N/A

Results:
Scan duration: 512 seconds Start time: Fri, Feb 10 2012, 22:50:37 GMT End time: Fri, Feb 10 2012, 22:59:09 GMT

Degree of Randomness of TCP Initial Sequence Numbers

QID: 82045 Category: TCP/IP CVEID: CVSS Base: Port: 0

Threat:
TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host.

Impact:
N/A

Solution:
N/A

Results:
Average change between subsequent TCP initial sequence numbers is 1057730495 with a standard deviation of 609671435. These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(9995 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard.

IP ID Values Randomness
QID: 82046 Category: TCP/IP CVEID: CVSS Base: Port: 0

Threat:
The values for the identification (ID) field in IP headers in IP packets from the host are analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was conducted. Please note that for reliability reasons only the network traffic from open TCP ports is analyzed.

Impact:
N/A

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 35 sur 39

Solution:
N/A

Results:
IP ID changes observed (network order) for port 80: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 3 3 3 3 Duration: 309 milli seconds

Default Web Page

QID: 12230 Category: CGI CVEID: CVSS Base: Port: 80

Threat:
The Result section displays the default Web page for the Web server.

Impact:
N/A

Solution:
N/A

DNS Host Name

QID: 6 Category: Information gathering CVEID: CVSS Base: 0 Port: 0

Threat:
The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.

Impact: Solution: Results:

#table IP_address Host_name 212.217.22.95 scanesi.esi.ac.ma

Target Network Information

QID: 45004 Category: Information gathering CVEID: CVSS Base: Port: 0

Threat:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 36 sur 39

This information was gathered using WHOIS service for the target network. Note that this is not all the information that WHOIS service provides.

Impact:
This information can be used by malicious users to gather more information about the network infrastructure that may help in launching attacks against it.

Solution: Results:
The network handle is: AFRINIC-NET-TRANSFERRED-20050223 Network description: This network has been transferred to AFRINIC

Traceroute
QID: 45006 Category: Information gathering CVEID: CVSS Base: Port: 0

Threat:
Traceroute describes the path in realtime from the scanner to the remote host being contacted. It reports the IP addresses of all the routers in between.

Impact: Solution: Results:

#table cols="4" Hops IP Round_Trip_Time Probe 1 64.39.111.2 0.44ms ICMP 2 64.14.1.121 1.21ms ICMP 3 216.33.4.61 0.61ms ICMP 4 204.70.200.205 0.58ms ICMP 5 204.70.200.230 3.09ms ICMP 6 204.70.192.46 44.33ms ICMP 7 204.70.196.30 42.87ms ICMP 8 204.70.204.145 43.21ms ICMP 9 208.175.175.110 96.69ms ICMP 10 94.142.126.130 82.59ms ICMP 11 84.16.12.29 164.72ms ICMP 12 213.140.43.150 155.79ms ICMP 13 213.140.36.133 181.13ms ICMP 14 81.192.222.9 200.73ms ICMP 15 212.217.3.54 202.93ms ICMP 16 81.192.222.9 204.83ms ICMP 17 212.217.7.94 210.14ms ICMP 18 212.217.22.95 207.98ms TCP

Host Names Found

QID: 45039 Category: Information gathering CVEID: CVSS Base: Port: 0

Threat:
The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.

Impact:
N/A

Solution:
N/A

Results:
#table cols="2" Host_Name Source scanesi.esi.ac.ma FQDN

HTTP method TRACE and/or TRACK Enabled

QID: 45033 Category: Information gathering CVEID: CVSS Base: Port: 80

Threat:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 37 sur 39

The target Web server supports the TRACE and/or TRACK HTTP methods. These methods allow debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS Web server uses an alias TRACK for the TRACE method, and is functionally the same. The exact method(s) used are shown in the Results section.

Impact:
N/A

Solution:
N/A

Results:
TRACE method enabled on / directory

Web Server Supports HTTP Request Pipelining

QID: 86565 Category: Web server CVEID: CVSS Base: Port: 80

Threat:
Version 1.1 of the HTTP protocol supports URL-Request Pipelining. This means that instead of using the "Keep-Alive" method to keep the TCP connection alive over multiple requests, the protocol allows multiple HTTP URL requests to be made in the same TCP packet. Any Web server which is HTTP 1.1 compliant should then process all the URLs requested in the single TCP packet and respond as usual. The target Web server was found to support this functionality of the HTTP 1.1 protocol.

Impact:
Support for URL-Request Pipelining has interesting consequences. For example, as explained in this paper by Daniel Roelker, it can be used for evading detection by Intrusion Detection Systems. Also, it can be used in HTTP Response-Spliting style attacks.

Solution:
N/A

Results:
GET / HTTP/1.1 Host:212.217.22.95:80 GET /Q_Evasive/ HTTP/1.1 Host:212.217.22.95:80 HTTP/1.1 200 OK Date: Fri, 10 Feb 2012 22:53:40 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 X-Powered-By: PHP/5.2.10 Content-Length: 3094 Content-Type: text/html; charset=utf -8 <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' lang='fr' charset='utf-8'> <head> <title> PMB </title> <meta name='author' content='PMB Group' /> <meta name='description' content='Logiciel libre de gestion de m_E9diath_E8que' /> <meta name='keywords' content='logiciel, gestion, biblioth_E8que, m_E9diath_E8que, libre, free, software, mysql, php, linux, windows, mac' /> <meta httpequiv='Pragma' content='no-cache' /> <meta http-equiv='CacheControl' content='no-cache' /> <meta http-equiv='content-type' content='text/html; charset=utf-8' /> <meta http-equiv='ContentLanguage' content='fr_FR' /> <link rel='stylesheet' type='text/css' href='styles/light/colonnes.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/dtree.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/layout.css ' title='lefttoright' /> <link rel='stylesheet' type='text/css' href='styles/light/rub_colours.css ' title='lefttoright' /> <link rel="SHORTCUT ICON" href="images/favicon.ico"> </head> <body class='index'> <div id='navbar'> <h3> </h3> <ul> <li id='navbar-index' class='current'> <a title='Gestion' class='current' href='./' accesskey='8'>Gestion</a> </li> <li id='navbar-opac'> <a title='Ouvrir le catalogue public dans une nouvelle fen_C3_AAtre' href='./opac_css/' accesskey='7'>OPAC</a> </li> </ul> </div> <div id='extra'>Base de donn_C3_A9es : bibli / 10807 notice(s) </div> <div id='noconteneur'> <div id='nomenu'> </div> <div id='nocontenu'> <div id='login-box'> <h1>Identification</h1> <form class='form-

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 38 sur 39

index' id='login' method='post' action='./main.php'> <div class='form-contenu'><div class='row'> <label class='etiquette' for='user'>Utilisateur :</label> </div> <div class='row'> <input class='saisie-20em' type='text' name='user' id='user' value='' size='15'/> </div> <div class='row'> <label class='etiquette' for='password'>Mot de passe :</label> </div> <div class='row'> <input class='saisie-20em' type='password' name='password' id='password' value='' size='15'/> </div> <input type='hidden' name='database' value='bibli'> </div>  <div class='row'> <input type='submit' class='bouton' value='Connexion' /> </div> </form> <div class='row'> </div> </div><script type='text/javascript'>document.forms ['login'].elements['user'].focus();</script> </div> <div id='footer'> <hr /> <a title='PMB : http://www.sigb.net/' href='http://www.sigb.net/'>PMB</a> (</b>3.4.12</b> - v4.96) 2002~8 <a title='PMB Group : http://www.sigb.net/' href='http://www.sigb.net/'>PMB Group</a> </div> </div> </body> </html> HTTP/1.1 404 Not Found Date: Fri, 10 Feb 2012 22:53:40 GMT Server: Apache/2.2.13 (Win32) PHP/5.2.10 Vary: acceptlanguage,accept-charset Accept-Ranges: bytes Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 ContentLanguage: en 1e <?xml version="1.0" encoding=" a ISO-8859-1 a8 "?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=" e en" xml:lang=" 15 en"> <head> <title> 39 Object not found!</title> <link rev="made" href="mailto: 112 admin@localhost" /> <style type="text/css"></style> </head>

Internet Service Provider

QID: 45005 Category: Information gathering CVEID: CVSS Base: Port: 0

Threat:
This information was gathered using the WHOIS service for the network and is believed to be the ISP of the target network.

Impact:
This information can be used by malicious users to gather more information about the network infrastructure that may aid in launching further attacks against it.

Solution: Results:
The ISP network handle is: TDATANET ISP Network description: Telefonica International Wholesale Network

List of Web Directories

QID: 86672 Category: Web server CVEID: CVSS Base: Port: 80

Threat:
Based largely on the HTTP reply code, the following directories are most likely present on the host.

Impact: Solution: Results:

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

Qualys Freescan

Page 39 sur 39

#table cols="2" Directory Source /cgi-bin/ brute_force /doc/ brute_force /images/ brute_force /admin/ brute_force /catalog/ brute_force /error/ brute_force /doc/ web_page /catalog/ web_page /images__easyphp/ web_page /home/ web_page /admin/ web_page /icons/ web_page /styles/ web_page /styles/light/ web_page /images/ web_page /home/images__easyphp/ web_page /home/fr/ web_page /home/en/ web_page /home/es/ web_page /home/it/ web_page /home/nw/ web_page /home/pt/ web_page /home/pt__br/ web_page

https://freescan.qualys.com/freescan-front/module/freescan/print/?domainId=4592&ig... 10/02/2012

SQL Injection
No ratings yet
SQL Injection
32 pages
IANA PORTS - Vulnerabilities
100% (2)
IANA PORTS - Vulnerabilities
60 pages
Use SQLMAP SQL Injection To Hack A Website and Database in Kali Linux
100% (1)
Use SQLMAP SQL Injection To Hack A Website and Database in Kali Linux
21 pages
Sqli Attacks
No ratings yet
Sqli Attacks
149 pages
The Mind in The Making PDF
No ratings yet
The Mind in The Making PDF
257 pages
Wvs Singles Can
No ratings yet
Wvs Singles Can
1,007 pages
Week 3 - SQL Injection
No ratings yet
Week 3 - SQL Injection
17 pages
Tracking Down App Security
No ratings yet
Tracking Down App Security
69 pages
My Report Updated
No ratings yet
My Report Updated
119 pages
SQL Injection
No ratings yet
SQL Injection
27 pages
Chapter-3 Web Security
No ratings yet
Chapter-3 Web Security
71 pages
14 Web Security
No ratings yet
14 Web Security
14 pages
Quick Guide To SQL Injection Attacks and Defenses - English
No ratings yet
Quick Guide To SQL Injection Attacks and Defenses - English
31 pages
Secure Coding Lecture 2: Injections, and Buffer Overflows: Benny Pinkas
No ratings yet
Secure Coding Lecture 2: Injections, and Buffer Overflows: Benny Pinkas
75 pages
10.web Application Security-SQL Injection
No ratings yet
10.web Application Security-SQL Injection
42 pages
DigiBanker 2.0 Guide ADMIN MANUAL FOR ADDITIONAL MODULES
No ratings yet
DigiBanker 2.0 Guide ADMIN MANUAL FOR ADDITIONAL MODULES
22 pages
SQL Injection - Wikipedia
No ratings yet
SQL Injection - Wikipedia
72 pages
Penulisan - SK Penelitian - SK
No ratings yet
Penulisan - SK Penelitian - SK
37 pages
Is Presentation Sqli
No ratings yet
Is Presentation Sqli
23 pages
Web Security Notes
No ratings yet
Web Security Notes
26 pages
SQ L Injection 1
No ratings yet
SQ L Injection 1
26 pages
SQL Injection
No ratings yet
SQL Injection
22 pages
Ak Cyber Next5
No ratings yet
Ak Cyber Next5
23 pages
SQL Injection
No ratings yet
SQL Injection
22 pages
Ultimate Vulnerability Playbook Part 1 1726894026
No ratings yet
Ultimate Vulnerability Playbook Part 1 1726894026
16 pages
Web Tutor
No ratings yet
Web Tutor
17 pages
Ethics - Lect6 - SQL Injection
No ratings yet
Ethics - Lect6 - SQL Injection
19 pages
Cybersecurity Incident & Vulnerability Response Playbooks
No ratings yet
Cybersecurity Incident & Vulnerability Response Playbooks
43 pages
21 Websafety2
No ratings yet
21 Websafety2
11 pages
SQL - Injctions Loop Joks
No ratings yet
SQL - Injctions Loop Joks
35 pages
SQL Injection
No ratings yet
SQL Injection
20 pages
Security For Computer Network Database Attacks From Threats and Hackers
No ratings yet
Security For Computer Network Database Attacks From Threats and Hackers
7 pages
Vulnerability Playbook
No ratings yet
Vulnerability Playbook
14 pages
Trabel Ket
No ratings yet
Trabel Ket
160 pages
Adavanced Postgre SQL Injection
No ratings yet
Adavanced Postgre SQL Injection
15 pages
18bit0236 Ism Lab Da 6
No ratings yet
18bit0236 Ism Lab Da 6
13 pages
SQL Injection
No ratings yet
SQL Injection
10 pages
Manual SQL Injection Using DVWA
100% (1)
Manual SQL Injection Using DVWA
16 pages
Joanna Bloggs: Position & Company Name Key Responsibilities and Achievements Years
0% (1)
Joanna Bloggs: Position & Company Name Key Responsibilities and Achievements Years
2 pages
SQL Injections
0% (1)
SQL Injections
17 pages
SQL Injection Attacks
No ratings yet
SQL Injection Attacks
10 pages
Lecture 8 Database Security
No ratings yet
Lecture 8 Database Security
34 pages
SQL Injection Tutorial
No ratings yet
SQL Injection Tutorial
11 pages
04 AWS - Overview - S3 - Storage PDF
No ratings yet
04 AWS - Overview - S3 - Storage PDF
14 pages
Web Application Penetration Testing
No ratings yet
Web Application Penetration Testing
11 pages
SQL Injection: Not Only AND 1 1: Bernardo Damele Assumpção Guimarães
No ratings yet
SQL Injection: Not Only AND 1 1: Bernardo Damele Assumpção Guimarães
41 pages
Blind SQL Injection: Are Your Web Applications Vulnerable?
No ratings yet
Blind SQL Injection: Are Your Web Applications Vulnerable?
13 pages
Performing SQL Injection
No ratings yet
Performing SQL Injection
8 pages
W11-Attacking Data Stores
No ratings yet
W11-Attacking Data Stores
33 pages
BA Political Science Syllabus From 2017
No ratings yet
BA Political Science Syllabus From 2017
56 pages
SQL Injection
100% (1)
SQL Injection
10 pages
Detection of SQL Injection Attack in Web Applications Using Web Services
No ratings yet
Detection of SQL Injection Attack in Web Applications Using Web Services
8 pages
Aeymon Blogspot Com 2011 09 4th Year Mbbs Community Medicine Ospe - 23 HTML
No ratings yet
Aeymon Blogspot Com 2011 09 4th Year Mbbs Community Medicine Ospe - 23 HTML
5 pages
Comprehensive New Https PHP
No ratings yet
Comprehensive New Https PHP
19 pages
Unit 2 Health Grade 10
100% (2)
Unit 2 Health Grade 10
37 pages
OWASP MAS Checklist
No ratings yet
OWASP MAS Checklist
40 pages
Networks Security SQL Injection
No ratings yet
Networks Security SQL Injection
19 pages
Lab (4) Session - SQL Injection in Practice
No ratings yet
Lab (4) Session - SQL Injection in Practice
4 pages
Pass2U Pass API User Guide
No ratings yet
Pass2U Pass API User Guide
33 pages
m15 SQL Injection
No ratings yet
m15 SQL Injection
2 pages
Advanced SQL Injection Techniques
No ratings yet
Advanced SQL Injection Techniques
13 pages
Uniform Guidelines
No ratings yet
Uniform Guidelines
19 pages
Penetrum Security - The Difference
No ratings yet
Penetrum Security - The Difference
21 pages
Chapt5 OWASP SQL XSS EH
No ratings yet
Chapt5 OWASP SQL XSS EH
29 pages
Reference 1 - 2017
No ratings yet
Reference 1 - 2017
13 pages
14.8.1 Packet Tracer - TCP and UDP Communications
No ratings yet
14.8.1 Packet Tracer - TCP and UDP Communications
5 pages
Reveiw of Tools Against Vulnerabilies in Web Applications
No ratings yet
Reveiw of Tools Against Vulnerabilies in Web Applications
4 pages
Avoidance Techniques: by Pdo by Mysqli
No ratings yet
Avoidance Techniques: by Pdo by Mysqli
2 pages
Ak Cyber Next5
No ratings yet
Ak Cyber Next5
23 pages
Library - Glasgow Caledonian University - Scotland, UK
No ratings yet
Library - Glasgow Caledonian University - Scotland, UK
7 pages
Isaa
No ratings yet
Isaa
17 pages
S.No. Title Page No
No ratings yet
S.No. Title Page No
5 pages
Appendix A: Ciw Javascript Specialist Objectives and Locations
0% (1)
Appendix A: Ciw Javascript Specialist Objectives and Locations
12 pages
Lab 03 SQL Vulnerabilities
No ratings yet
Lab 03 SQL Vulnerabilities
4 pages
Mitre ATT&CK Top Tecnicas
No ratings yet
Mitre ATT&CK Top Tecnicas
4 pages
Personalised Targeting Don't Get
No ratings yet
Personalised Targeting Don't Get
6 pages
CrowdStrike Falcon Certification Guide (CFCP)
No ratings yet
CrowdStrike Falcon Certification Guide (CFCP)
5 pages
Email & Password Authentication - Firebase
No ratings yet
Email & Password Authentication - Firebase
7 pages
Checkpoint Firewall
No ratings yet
Checkpoint Firewall
10 pages
Jayditya Nandkar Resume New
No ratings yet
Jayditya Nandkar Resume New
2 pages
Software Installation Policy
100% (1)
Software Installation Policy
2 pages
CNS Bits Ques
No ratings yet
CNS Bits Ques
2 pages
Reference 1 - HTML Tag Reference
No ratings yet
Reference 1 - HTML Tag Reference
4 pages
CV Firmansyahrozy
No ratings yet
CV Firmansyahrozy
3 pages
This Article Explains How To Test Whether A Website Is Safe From SQL Injection Using The SQLMAP Penetration Testing Tool
No ratings yet
This Article Explains How To Test Whether A Website Is Safe From SQL Injection Using The SQLMAP Penetration Testing Tool
10 pages
Proposal Smart Watch Fitness Tracker (Updated)
No ratings yet
Proposal Smart Watch Fitness Tracker (Updated)
2 pages
JavaScript Programming: 3 In 1 Security Design, Expressions And Web Development
From Everand
JavaScript Programming: 3 In 1 Security Design, Expressions And Web Development
Richie Miller
No ratings yet
JSP-Servlet Interview Questions You'll Most Likely Be Asked
From Everand
JSP-Servlet Interview Questions You'll Most Likely Be Asked
Vibrant Publishers
No ratings yet
Introduction to Web Hacking: Cross-site Scripting
From Everand
Introduction to Web Hacking: Cross-site Scripting
Gary Drocella
No ratings yet
Sql Injection Best Method for Begineers
From Everand
Sql Injection Best Method for Begineers
Kishor Sarkar X
No ratings yet