Acunetix Audit Finds Directory Traversal and Cleartext Credentials

Acunetix Website Audit
18 June, 2019
Developer Report
Generated by Acunetix WVS Reporter (v10.5 Build 20160217)

Scan of http://192.168.1.67:8080/
Scan details
Scan information
Start time 6/18/2019 11:38:38 AM
Finish time 6/18/2019 11:42:22 AM
Scan time 3 minutes, 44 seconds
Profile Default
Server information
Responsive True
Server banner GlassFish Server Open Source Edition 4.1
Server OS Unknown
Threat level
Acunetix Threat Level 3
One or more high-severity type vulnerabilities have been discovered by the
scanner. A malicious user can exploit these vulnerabilities and compromise the
backend database and/or deface your website.
Alerts distribution
Total alerts 22
found
High 4
Medium 8
Low 0
Information 10
al
Knowledge base
List of file extensions
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:
- xhtml => 1 file(s)

- css => 2 file(s)
- js => 2 file(s)
- woff2 => 1 file(s)
- jsp => 1 file(s)
List of client scripts
These files contain Javascript code referenced from the website.
- /faces/javax.faces.resource/watermark/watermark.js
- /faces/javax.faces.resource/jsf.js
- /faces/javax.faces.resource/jquery/jquery.js
- /faces/javax.faces.resource/jquery/jquery-plugins.js
- /faces/javax.faces.resource/core.js
- /faces/javax.faces.resource/components.js
- /js/jquery.validate.js
- /js/form.validator.js
List of files with inputs
These files have at least one input (GET or POST).
Acunetix Website Audit 2
- / - 4 inputs
- /faces/pages/login.xhtml - 1 inputs
- /fonts/fontawesome-webfont.woff2 - 1 inputs
List of authentication pages
This is a list of pages that require HTTP authentication.
- /j_security_check
Alerts summary
Directory traversal
Classification
CVSS Base Score: 6.8
- Access Vector: Network

- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
CVSS3 Base Score: 5.3
- Attack Vector: Network

- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CWE CWE-22
Affected items Variation
/css s
1
/fonts 1
/images 1
/js 1
Apache JServ protocol service

Classification

- Access Complexity: Low
- Confidentiality Impact: None
CWE CWE-16
Server s
1
Error message on page

Classification


- Scope: Unchanged
- Confidentiality Impact: High
CWE CWE-200
/bea_wls_internal/classes s
1
/css 1
/fonts 1
/images 1
/js 1
Slow HTTP Denial of Service Attack

Classification

- Scope: Unchanged
- Availability Impact: Low
Web Server s
1
User credentials are sent in clear text

Classification


- Scope: Unchanged
- Integrity Impact: High
CWE CWE-310
/ s
1
Broken links
Classification

CWE CWE-16
/faces/javax.faces.resource/components.css s
1
/faces/javax.faces.resource/components.js 1
/faces/javax.faces.resource/core.js 1
/faces/javax.faces.resource/jquery/jquery.js 1
/faces/javax.faces.resource/jquery/jquery-plugins.js 1
/faces/javax.faces.resource/jsf.js 1
/faces/javax.faces.resource/theme.css 1
/faces/javax.faces.resource/watermark/watermark.css 1
/faces/javax.faces.resource/watermark/watermark.js 1
Possible username or password disclosure

Classification


- Scope: Unchanged
CWE CWE-200
/css/font-awesome.min.css s
1
Alert details
Directory traversal
Severity High
Type Validation
Reported by Scripting (Server_Directory_Traversal.script)
module
Description
This script is possibly vulnerable to directory traversal attacks.
Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute
commands outside of the web server's root directory.
Impact
By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in
other directories. As a result, attackers might view restricted files or execute commands, leading to a full
compromise of the Web server.
Recommendation
Your script should filter metacharacters from user input.
References
Acunetix Directory Traversal Attacks
Affected items
/css
Details
This file was found using the pattern ${dirName}/%C0%AE%C0%AE/WEB-INF/web.xml?.
Original directory: /css
Directory traversal pattern found: <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-
app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<context-param>
<param-name>javax.faces.application.CONFIG_FILES</param-name>
<param-value>/WEB-INF/faces-config.xml</param-value>
</context-param>



<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<filter>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<filter-class>
org.primefaces.webapp.filter.FileUploadFilter
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>com.f1soft.fonebank.adminweb.controllerbean.XSSFilter</filter-class>
</filter>
<filter>
<filter-name>ClickjackingPreventionFilter</filter-name>
<filter-class>com.f1soft.fonebank.adminweb.controllerbean.ClickjackingPreventionFilter</filter-
class>
</filter>
<filter-mapping>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
</filter-mapping>
<context-param>
<param-name>uploadDirectory</param-name>
<param-value>E:/uploaded file</param-value>
</context-param>
<context-param>
<param-
name>javax.faces.DATETIMECONVERTER_DEFAULT_TIMEZONE_IS_SYSTEM_TIMEZONE</param-name>
<param-value>true</param-value>
</context-param>

</context-param>-->
<session-config>
<session-timeout>
10
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/pages/login.xhtml</welcome-file>
</welcome-file-list>
<listener>
<listener-class>
com.sun.faces.config.ConfigureListener
</listener-class>
</listener>
</web-app>
Request headers
GET /css/%C0%AE%C0%AE/WEB-INF/web.xml? HTTP/1.1
Cookie: JSESSIONID=925e86be77cb8bf0cd49eb580889
Host: 192.168.1.67:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/fonts
Details
Original directory: /fonts
app_3_0.xsd">
<context-param>
</context-param>
<context-param>
</context-param>
<servlet>
</servlet>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<filter>
<filter-class>
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
<filter>
</filter>
<filter>
class>
</filter>
<filter-mapping>
</filter-mapping>
<filter-mapping>
</filter-mapping>
<context-param>
</context-param>
<context-param>
<param-
</context-param>
</context-param>-->
<session-config>
<session-timeout>
10
</session-timeout>
</session-config>
<welcome-file-list>
<listener>
<listener-class>
</listener-class>
</listener>
</web-app>
Request headers
GET /fonts/%C0%AE%C0%AE/WEB-INF/web.xml? HTTP/1.1
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/images
Details
Original directory: /images
app_3_0.xsd">
<context-param>
</context-param>
<context-param>
</context-param>
<servlet>
</servlet>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<filter>
<filter-class>
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
<filter>
</filter>
<filter>
class>
</filter>
<filter-mapping>
</filter-mapping>
<filter-mapping>
</filter-mapping>
<context-param>
</context-param>
<context-param>
<param-
</context-param>
</context-param>-->
<session-config>
<session-timeout>
10
</session-timeout>
</session-config>
<welcome-file-list>
<listener>
<listener-class>
</listener-class>
</listener>
</web-app>
Request headers
GET /images/%C0%AE%C0%AE/WEB-INF/web.xml? HTTP/1.1
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/js
Details
Original directory: /js
app_3_0.xsd">
<context-param>
</context-param>
<context-param>
</context-param>
<servlet>
</servlet>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<servlet-mapping>
</servlet-mapping>
<filter>
<filter-class>
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
<filter>
</filter>
<filter>
class>
</filter>
<filter-mapping>
</filter-mapping>
<filter-mapping>
</filter-mapping>
<context-param>
</context-param>
<context-param>
<param-
</context-param>
</context-param>-->
<session-config>
<session-timeout>
10
</session-timeout>
</session-config>
<welcome-file-list>
<listener>
<listener-class>
</listener-class>
</listener>
</web-app>
Request headers
GET /js/%C0%AE%C0%AE/WEB-INF/web.xml? HTTP/1.1
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Apache JServ protocol service
Severity Medium
Type Configuration
Reported by Scripting (AJP_Audit.script)
module
Description
The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server
through to an application server that sits behind the web server. It's not recommended to have AJP
services publicly accessible on the internet. If AJP is misconfigured it could allow an attacker to access to
internal resources.
Impact
No impact is associated with this alert.
Recommendation
It's recommended to restrict access to this service on production systems.
References
The Apache Tomcat Connector
Affected items
Server
Details
The AJP service is running on TCP port 8009.
Error message on page
Severity Medium
Type Validation
Reported by Scripting (Text_Search_Dir.script)
module
Description
This page contains an error/warning message that may disclose sensitive information. The message can
also contain the location of the file that produced the unhandled exception.
This may be a false positive if the error message is found in documentation pages.
Impact
The error messages may disclose sensitive information. This information can be used to launch further
attacks.
Recommendation
Review the source code for this script.
References
PHP Runtime Configuration
Affected items
/bea_wls_internal/classes
Details
Pattern found: Exception reportmessageInternal Server
ErrordescriptionThe server encountered an internal error that prevented it from
fulfilling this request.exception
<pre>java.lang.IllegalStateException</pre>note The full stack traces of the
exception and its root causes are available in the GlassFish Server Open Source Edition 4.1
logs.<hr/><h3>GlassFish
Request headers Server Open Source Edition 4.1 </h3></body></html>[/ ... (line
GET /bea_wls_internal/classes/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.1.67:8080/bea_wls_internal/classes
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/css
Details
GET /css/ HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/css/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/fonts
Details
GET /fonts/ HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/fonts/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/images
Details
GET /images/ HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/images/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/js
Details
GET /js/ HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/js/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Slow HTTP Denial of Service Attack
Severity Medium
Type Configuration
Reported by Slow_HTTP_DOS
module
Description
Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires
requests to be completely received by the server before they are processed. If an HTTP request is not
complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the
data. If the server keeps too many resources busy, this creates a denial of service.
Impact
A single machine can take down another machine's web server with minimal bandwidth and side effects
on unrelated services and ports.
Recommendation
Consult Web references for information about protecting your web server against this type of attack.
References
Protect Apache Against Slowloris Attack
Slowloris DOS Mitigation Guide
Slowloris HTTP DoS
Affected items
Web Server
Details
Time difference between connections: 10000 ms
User credentials are sent in clear text
Severity Medium
Type Configuration
Reported by Crawler
module
Description
User credentials are transmitted over an unencrypted channel. This information should always be
transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, should always be transferred to the server
over an encrypted connection (HTTPS).
Affected items
/
Details
Form name: loginForm
Form action: http://192.168.1.67:8080/faces/pages/login.xhtml
Form method: POST
Form inputs:
- loginForm [Hidden]
- somefakename [Text]
- loginForm:username [Text]
- anotherfakename [Password]
- loginForm:password [Password]
- loginForm:ajax [Submit]
- javax.faces.ViewState [Hidden]
Request headers
GET / HTTP/1.1
Pragma: no-cache
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Broken links
Severity Informational
Type Informational
Reported by Crawler
module
Description
A broken link refers to any link that should take you to a document, image or webpage, that actually
results in an error. This page was linked from the website but it is inaccessible.
Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.
Affected items
/faces/javax.faces.resource/components.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as
"Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers
GET /faces/javax.faces.resource/components.css HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/components.js
Details
Request headers
GET /faces/javax.faces.resource/components.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/core.js
Details
Request headers
GET /faces/javax.faces.resource/core.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/jquery/jquery.js
Details
Request headers
GET /faces/javax.faces.resource/jquery/jquery.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/jquery/jquery-plugins.js
Details
Request headers
GET /faces/javax.faces.resource/jquery/jquery-plugins.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/jsf.js
Details
Request headers
GET /faces/javax.faces.resource/jsf.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/theme.css
Details
Request headers
GET /faces/javax.faces.resource/theme.css HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/watermark/watermark.css
Details
Request headers
GET /faces/javax.faces.resource/watermark/watermark.css HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/faces/javax.faces.resource/watermark/watermark.js
Details
Request headers
GET /faces/javax.faces.resource/watermark/watermark.js HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Possible username or password disclosure
Severity Informational
Type Informational
Reported by Scripting (Text_Search_File.script)
module
Description
A username and/or password was found in this file. This information could be sensitive.
This alert may be a false positive, manual confirmation is required.

Impact
Possible sensitive information disclosure.
Recommendation
Remove this file from your website or change its permissions to remove access.
Affected items
/css/font-awesome.min.css
Details
Pattern found: pass:before
Request headers
GET /css/font-awesome.min.css HTTP/1.1
Pragma: no-cache
Referer: http://192.168.1.67:8080/
Host: 192.168.1.67:8080
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Scanned items (coverage report)
Scanned 31 URLs. Found 16 vulnerable.

URL: http://192.168.1.67:8080/
Vulnerabilities have been identified for this URL
6 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
/ Path Fragment (suffix /)
Input scheme 2
/ Path Fragment
/ Path Fragment
Input scheme 3
Input scheme 4
Host HTTP Header
URL: http://192.168.1.67:8080/faces
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://192.168.1.67:8080/faces/pages
URL: http://192.168.1.67:8080/faces/pages/login.xhtml
Inputs
Input scheme 1
URL encoded POST
anotherfakename URL encoded POST
javax.faces.ViewState URL encoded POST
loginForm URL encoded POST
loginForm:password URL encoded POST
loginForm:username URL encoded POST
somefakename URL encoded POST
URL: http://192.168.1.67:8080/faces/javax.faces.resource
URL: http://192.168.1.67:8080/faces/javax.faces.resource/theme.css
URL: http://192.168.1.67:8080/faces/javax.faces.resource/components.css
URL: http://192.168.1.67:8080/faces/javax.faces.resource/watermark
URL: http://192.168.1.67:8080/faces/javax.faces.resource/watermark/watermark.css
URL: http://192.168.1.67:8080/faces/javax.faces.resource/watermark/watermark.js
URL: http://192.168.1.67:8080/faces/javax.faces.resource/jsf.js
URL: http://192.168.1.67:8080/faces/javax.faces.resource/jquery
URL: http://192.168.1.67:8080/faces/javax.faces.resource/jquery/jquery.js
URL: http://192.168.1.67:8080/faces/javax.faces.resource/jquery/jquery-plugins.js
URL: http://192.168.1.67:8080/faces/javax.faces.resource/core.js
URL: http://192.168.1.67:8080/faces/javax.faces.resource/components.js
URL: http://192.168.1.67:8080/images/
URL: http://192.168.1.67:8080/css/
URL: http://192.168.1.67:8080/css/mainStyler.css
URL: http://192.168.1.67:8080/css/font-awesome.min.css
URL: http://192.168.1.67:8080/js/
URL: http://192.168.1.67:8080/js/jquery.validate.js
URL: http://192.168.1.67:8080/js/form.validator.js
URL: http://192.168.1.67:8080/fonts/
URL: http://192.168.1.67:8080/fonts/fontawesome-webfont.woff2
Inputs
Input scheme 1
v URL encoded GET
URL: http://192.168.1.67:8080/META-INF/
URL: http://192.168.1.67:8080/WEB-INF/
URL: http://192.168.1.67:8080/bea_wls_internal
URL: http://192.168.1.67:8080/bea_wls_internal/classes/
URL: http://192.168.1.67:8080/j_security_check
URL: http://192.168.1.67:8080/index.jsp

Acunetix Audit Finds Directory Traversal and Cleartext Credentials

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Acunetix Audit Finds Directory Traversal and Cleartext Credentials

Hochgeladen von

Copyright:

Verfügbare Formate

Acunetix Website Audit

Generated by Acunetix WVS Reporter (v10.5 Build 20160217)

- xhtml => 1 file(s)

- Access Vector: Network

- Attack Vector: Network

Apache JServ protocol service

- Access Vector: Network

Error message on page

- Access Vector: Network

- Attack Vector: Network

Slow HTTP Denial of Service Attack

- Attack Vector: Network

User credentials are sent in clear text

- Access Vector: Network

- Attack Vector: Network

- Access Vector: Network

Acunetix Website Audit 5

Possible username or password disclosure

- Access Vector: Network

- Attack Vector: Network

Apache JServ protocol service

Error message on page

Slow HTTP Denial of Service Attack

Acunetix Website Audit 19

User credentials are sent in clear text

Acunetix Website Audit 20

Acunetix Website Audit 21

Possible username or password disclosure

This alert may be a false positive, manual confirmation is required.

Scanned items (coverage report)

Scanned 31 URLs. Found 16 vulnerable.

Acunetix Website Audit 26

Acunetix Website Audit 27

Acunetix Website Audit 28

Das könnte Ihnen auch gefallen