detailed scan report


Upload: anas-yogie

Post on 23-Dec-2015


Page 1: Detailed Scan Report

NETSPARKER SCAN REPORT SUMMARY

TARGET URL: http://www.jhu.edu/
SCAN DATE: 1/14/2015 9:15:28 AM
REPORT DATE: 1/14/2015 4:40:58 PM
SCAN DURATION: 06:38:56
Total Requests: 121476
Average Speed: 5.07 req/sec.

16 identified
4 confirmed
0 critical
8 informational

SCAN SETTINGS
ENABLED ENGINES: SQL Injection, SQL Injection (Boolean), SQL Injection (Blind), Cross-site Scripting, Command Injection, Command Injection (Blind), Local File Inclusion, Remote File Inclusion, Remote Code Evaluation, HTTP Header Injection, Open Redirection, Expression Language Injection, Web App Fingerprint, RoR Code Execution, WebDAV
Authentication
Scheduled

VULNERABILITIES: MEDIUM 6 %, LOW 44 %, INFORMATION 50 %

1 / 23


VULNERABILITY SUMMARY

URL | Parameter | Method | Vulnerability | Confirmed
/ | | | Version Disclosure (Apache) | No
/ | | | TRACE/TRACK Method Detected | No
/ | | | OPTIONS Method Enabled | Yes
/ | | | Out-of-date Version (Apache) | No
/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000005)%3C/scRipt%3E | | | E-mail Address Disclosure | No
/~homepage/ | | | Programming Error Message | No
/~homepage/_assets/js/hub.widget.js | | | [Possible] Internal Path Disclosure (*nix) | No
/~homepage/main/utils/ | | | Directory Listing (Apache) | No
/admis/pdf/2009/ | | | Forbidden Resource | Yes
/cgi-bin/cgiwrap/ | | | [Possible] Internal IP Address Disclosure | No
/cgi-bin/form2.pl | | | Internal Server Error | Yes
/hr/fasap/descriptions/WS_FTP.LOG | | | [Possible] Internal Path Disclosure (Windows) | No
/hr/fasap/questions.html | | | [Possible] Cross-site Request Forgery Detected | No
/news/podcasts/ | | | [Possible] Source Code Disclosure (ColdFusion) | No
/robots.txt | | | Robots.txt Detected | Yes
/sitemap.xml | | | Sitemap Detected | No


1 TOTAL MEDIUM

1. [Possible] Source Code Disclosure (ColdFusion)
Netsparker identified possible source code disclosure (ColdFusion).

An attacker can obtain server-side source code of the web application, which can contain sensitive data - such as database connection strings, usernames and passwords - along with the technical and business logic of the application.

Impact
Depending on the source code, database connection strings, username, and passwords, the internal workings and the business logic of the application might be revealed. With such information, an attacker can mount the following types of attacks:

Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data from the database.
Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take
1. Confirm exactly what aspects of the source code are actually disclosed; due to the limitations of these types of vulnerability, it might not be possible to confirm this in all instances. Confirm this is not an intended functionality.
2. If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
3. Ensure that the server has all the current security patches applied.
4. Remove all temporary and backup files from the web server.

Required Skills for Successful Exploitation
This is dependent on the information obtained from the source code. Uncovering these forms of vulnerabilities does not require high levels of skills. However, a highly skilled attacker could leverage this form of vulnerability to obtain account information from databases or administrative panels, ultimately leading to the control of the application or even the host the application resides on.

External References
Secureyes - Source Code Disclosure over Http

Classification
OWASP 2010-A6, OWASP 2013-A5, PCI V1.2-6.5.6, CWE-540, CAPEC-118, WASC-13

1.1. /news/podcasts/
http://www.jhu.edu/news/podcasts/

Certainty

Request
GET /news/podcasts/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate


Response
…/EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">

<head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><cfinclude template="#folderreader#"><cfoutput><title>The Johns Hopkins University - Podcasts</title></cfoutput>

<!-- include meta tags (content, keywords and description) --><meta name="description" …

</ul>

</div> </div><!-- do not mess with above at all, except to add side nav -->

<div id="clearIt"></div> </div><!-- *** contentWrapper div ends here*** -->

<cfset bottomnav="/hits_includes/utils/inc_bottom-navigation.cfm">

<!-- REV 1.16 3/26/10 Be sure to keep this in sync with version at /webapps/jhuniverse/hits_includes/utils/inc_bottom-navigation.cfm -->

<!-- this include file populates the entire footer r…


1 TOTAL LOW
CONFIRMED 1

2. Internal Server Error
Netsparker identified an internal server error.

The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully. If Netsparker is able to find a security issue in the same resource, it will report this as a separate vulnerability.

Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However, there might be a bigger issue, such as SQL injection. If that's the case, Netsparker will check for other possible issues and report them separately.

Remedy
Analyze this issue and review the application code in order to handle unexpected errors; this should be a generic practice, which does not disclose further information upon an error. All errors should be handled server-side only.

2.1. /cgi-bin/form2.pl CONFIRMED
http://www.jhu.edu/cgi-bin/form2.pl

Request
GET /cgi-bin/form2.pl HTTP/1.1
Cache-Control: no-cache
Referer: http://www.jhu.edu/hr/images2/ben_inquire.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 14 Jan 2015 02:53:57 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 396
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
[email protected] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at www.jhu.edu Port 80</address>
</body></html>


1 TOTAL LOW

3. Version Disclosure (Apache)
Netsparker identified a version disclosure (Apache) in the target web server's HTTP response.

This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Remedy
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

Remedy References
Apache ServerTokens Directive

Classification
CWE-205, CAPEC-170, WASC-45

3.1. /
http://www.jhu.edu/

Extracted Version: 2.2.15

Certainty

Request
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Wed, 14 Jan 2015 02:15:33 GMT
Server: Apache/2.2.15 (Red Hat)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Content-Encoding:
Content-Length: 12868
Content-Type: text/html; charset=UTF-8

<!--This is the live home…


1 TOTAL LOW

4. Programming Error Message
Netsparker identified a programming error message.

Impact
The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. Source code, stack trace, etc. data may be disclosed. Most of these issues will be identified and reported separately by Netsparker.

Remedy
Do not provide error messages on production environments. Save error messages with a reference number to a backend storage such as a log, text file or database, then show this number and a static user-friendly error message to the user.

Classification
OWASP 2010-A6, OWASP 2013-A5, PCI V1.2-6.5.6, PCI V2.0-6.5.5, PCI V3.0-6.5.5, CWE-210, CAPEC-118, WASC-13

4.1. /~homepage/
http://www.jhu.edu/~homepage/

Identified Error Message: [an error occurred while processing this directive]

Certainty

Request
GET /~homepage/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
…tp://www.w3.org/1999/xhtml"> <![endif]--><!--[if gte IE 10]><!--> <html xmlns="http://www.w3.org/1999/xhtml"> <!--<![endif]-->
<head><script type="text/javascript">_udn = ".jhu.edu"; </script> [an error occurred while processing this directive]
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script><!-- mimic Internet Explorer 7 for president's micro-site --><meta http-equiv="X-UA-Compatible" content="IE=Emulate…


1 TOTAL LOW

5. TRACE/TRACK Method Detected
Netsparker detected the TRACE/TRACK method is allowed.

Impact
It is possible to bypass the HttpOnly cookie limitation and read the cookies in a cross-site scripting attack by using the TRACE/TRACK method within an XmlHttpRequest. This is not possible with modern browsers, so the vulnerability can only be used when targeting users with unpatched and old browsers.

Remedy
Disable this method in all production systems. Even though the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.

External References
Cross Site Tracing
US-CERT VU#867593

Classification
OWASP 2010-A6, OWASP 2013-A5, CWE-16, CAPEC-107, WASC-14

5.1. /
http://www.jhu.edu/

Certainty

Request
TRACE / HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
X-NS: NST717Check
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 02:15:48 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 449
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.jhu.edu
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
X-NS: NST717Check
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Accept-Encoding: gzip, deflate
SM_TRANSACTIONID: 00000000000000000000000010c0b50a-3ef7-54b5d152-b7f2b700-7de439a38077
SM_CLIENT_IP: 202.62.17.105
SM_SDOMAIN: .jhu.edu
SM_AUTHTYPE: Not Protected
SM_USER:
SM_USERDN:
X-Forwarded-For: 202.62.17.105
X-Forwarded-Host: www.jhu.edu
X-Forwarded-Server: www.jhu.edu
Connection: Keep-Alive


1 TOTAL LOW
CONFIRMED 1

6. OPTIONS Method Enabled
Netsparker detected that OPTIONS method is allowed. This issue is reported as extra information.

Impact
Information disclosed from this page can be used to gain additional information about the target system.

Remedy
Disable OPTIONS method in all production systems.

External References
Testing for HTTP Methods and XST (OWASP-CM-008)
HTTP/1.1: Method Definitions

Classification
OWASP 2010-A6, OWASP 2013-A5, CWE-16, CAPEC-107, WASC-14

6.1. / CONFIRMED
http://www.jhu.edu/

Parameters
Parameter | Type | Value
URI-BASED | Full URL |

Raw Post Body

Allowed methods: GET,HEAD,POST,OPTIONS,TRACE

Request
OPTIONS / HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 02:16:08 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding,User-Agent
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Encoding:
Content-Length: 20
Content-Type: text/html; charset=UTF-8


1 TOTAL LOW

7. [Possible] Cross-site Request Forgery Detected
Netsparker identified a possible Cross-Site Request Forgery.

CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.

Impact
Depending on the application, an attacker can mount any of the actions that can be done by the user such as adding a user, modifying content, deleting data. All the functionality that's available to the victim can be used by the attacker. The only exception to this rule is a page that requires extra information that only the legitimate user can know (such as the user's password).

Remedy
Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for an attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.

If you are posting a form in an ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.

For the native XMLHttpRequest (XHR) object in JavaScript:

xhr = new XMLHttpRequest();
xhr.open('POST', 'foo/bar');   // open() must be called before setRequestHeader()
xhr.setRequestHeader('custom-header', 'value');

For jQuery, if you want to add a custom header (or set of headers) to

a. an individual request

$.ajax({
  url: 'foo/bar',
  headers: { 'x-my-custom-header': 'some value' }
});

b. every request

$.ajaxSetup({
  headers: { 'x-my-custom-header': 'some value' }
});

OR

$.ajaxSetup({
  beforeSend: function(xhr) {
    xhr.setRequestHeader('x-my-custom-header', 'some value');
  }
});

External References
OWASP Cross-Site Request Forgery (CSRF)

Remedy References
OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

Classification
OWASP 2010-A5, OWASP 2013-A8, PCI V1.2-6.5.5, PCI V2.0-6.5.9, PCI V3.0-6.5.9, CWE-352, CAPEC-62, WASC-09

7.1. /hr/fasap/questions.html
http://www.jhu.edu/hr/fasap/questions.html

Certainty

Request
GET /hr/fasap/questions.html HTTP/1.1
Cache-Control: no-cache
Referer: http://www.jhu.edu/sitemap.xml
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 02:30:33 GMT
Server: Apache/2.2.15 (Red Hat)
ETag: "7e037c-fc3-49064d3d62a00"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 1833
Content-Type: text/html; charset=UTF-8
Last-Modified: Thu, 16 Sep 2010 18:43:52 GMT

<!doctype html public "-//w3c//dtd html 4.0 transitional//en"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta name="GENERATOR" content="Mozilla/4.73 [en] (Win95; U) [Netscape]"><title>Questions for a FASAP Clinician form</title></head><body text="#000000" bgcolor="#FFFFFF" link="#333399" vlink="#006666" alink="#6666CC">&nbsp;<center><table BORDER=0 ><tr><td ALIGN=CENTER><img SRC="inst_logo.GIF" ALT="Johns Hopkins Institutions Logo" BORDER=0 height=42 width=247 align=CENTER></td></tr>
<tr><td ALIGN=CENTER VALIGN=BOTTOM HEIGHT="55"><img SRC="fasap.GIF" ></td></tr></table></center>
<center><p><font face="Times New Roman"><font color="#333399"><font size=+1>QUESTIONS FOR A FASAP CLINICIAN FORM</font></font></font></center>
<hr size = 1><p><blink><b><font color="#FF6666"><font size=+2>PLEASE NOTE:</font></font></b></blink><p><b><i>This website</i> and <i>the forms submitted</i> via the internet are <font color="#FF6666">NOT SECURED.</font> Thus, we strongly suggest that <i><font color="#FF6666">you should not submit any confidential information</font><font size=+1></font></i> using these forms or email.</b><p><b>Keeping this in mind however, <i>if you would like a personal reply</i> to your feedback form, <i>you must provide</i> your name and either a phone number, an email address, or an office address, as <i>these forms do not identify from whom or where the form is sent</i>.</b><p><b>Furthermore, because <i><font color="#FF6666">we cannot guarantee a timely response</font></i> to your inquiry, all emergencies and time-sensitive issues should be processed throu…


1 TOTAL LOW

8. [Possible] Internal IP Address Disclosure
Netsparker identified a possible internal IP address disclosure in the page.

It was not determined if the IP address was that of the system itself or that of an internal network.

Impact
There is no direct impact; however, this information can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Remedy
First, ensure this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this IP address was actually the real internal IP address of the target web server or internal network. If it is, consider removing it.

Classification
PCI V1.2-6.5.6, CWE-200

8.1. /cgi-bin/cgiwrap/
http://www.jhu.edu/cgi-bin/cgiwrap/

Extracted IP Address(es): 10.181.192.16

Certainty

Request
GET /cgi-bin/cgiwrap/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 02:22:21 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 444
Content-Type: text/html; charset=iso-8859-1

<HTML><HEAD><TITLE>CGIWrap Error: User not found</TITLE><CENTER><H2>CGIWrap Error: User not found</H2></CENTER><HR><p></HEAD><BODY>CGIWrap was unable to find the user '' in the password file on this server.
<P>Check the URL and try again.<P><DL><DT><B>Server Data:</B><P>
<DD><B>Server Administrator/Contact</B>: [email protected]
<DD><B>Server Name</B>: www.jhu.edu
<DD><B>Server Port</B>: 80
<DD><B>Server Protocol</B>: HTTP/1.1
<DD><B>Virtual Host</B>: www.jhu.edu</DL><P><DL><DT><B>Request Data:</B><P>
<DD><B>User Agent/Browser</B>: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
<DD><B>Request Method</B>: GET
<DD><B>Remote Address</B>: 10.181.192.16
<DD><B>Remote Port</B>: 40934
<DD><B>Extra Path Info</B>: /</DL>
</BODY></HTML>


1 TOTAL INFORMATION
CONFIRMED 1

9. Forbidden Resource
Netsparker identified a forbidden resource.

Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for informational purposes.

Impact
This issue is reported as additional information only. There is no direct impact arising from this issue.

9.1. /admis/pdf/2009/ CONFIRMED
http://www.jhu.edu/admis/pdf/2009/

Request
GET /admis/pdf/2009/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 403 Forbidden
Date: Wed, 14 Jan 2015 02:19:23 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 245
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admis/pdf/2009/
on this server.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at www.jhu.edu Port 80</address>
</body></html>


1 TOTAL INFORMATION

10. Directory Listing (Apache)
Netsparker identified a directory listing (Apache).

The web server responded with a list of files located in the target directory.

Impact
An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

Actions to Take
1. Change your httpd.conf file. A secure configuration for the requested directory should be similar to the following:

<Directory /{YOUR DIRECTORY}>
    Options FollowSymLinks
</Directory>

Remove the Indexes option from configuration. Do not forget to remove MultiViews, as well.
2. Configure the web server to disallow directory listing requests.
3. Ensure that the latest security patches have been applied to the web server and the current stable version of the software is in use.

External References
WASC - Directory Indexing
Apache Directory Listing Vulnerability

Classification
OWASP 2010-A6, OWASP 2013-A5, PCI V1.2-6.5.6, CWE-548, CAPEC-127, WASC-16

10.1. /~homepage/main/utils/
http://www.jhu.edu/~homepage/main/utils/

Certainty

Request
GET /~homepage/main/utils/ HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
…Red Hat)
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 1057
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html><head><title>Index of /~homepage/main/utils</title></head><body><h1>Index of /~homepage/main/utils</h1><table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A"…


1 TOTAL INFORMATION

11. E-mail Address Disclosure
Netsparker identified an e-mail address disclosure.

Impact
E-mail addresses discovered within the application can be used by both spam email engines and also brute-force tools. Furthermore, valid email addresses may lead to social engineering attacks.

Remedy
Use generic email addresses such as contact@ or info@ for general communications and remove user/people-specific e-mail addresses from the website; should this be required, use submission forms for this purpose.

External References
Wikipedia - E-Mail Spam

Classification
PCI V1.2-6.5.6, CWE-200, CAPEC-118, WASC-13

11.1. /'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000005)%3C/scRipt%3E
http://www.jhu.edu/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000005)%3C/scRipt%3E

Parameters
Parameter | Type | Value
URI-BASED | Full URL | '"--></style></scRipt><scRipt>netsparker(0x000005)</scRipt>

Found: [email protected]

Certainty

Request
GET /'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000005)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
…schools.jhu.edu">try this section</A>.</li>
<li>The JHU undergraduate admissions site <a href="http://apply.jhu.edu">is here</A>.</li>
<li>Still stuck? We're happy to help. Please <A href="mailto:[email protected]">e-mail us</A> and we'll do our best to get you pointed in the right direction.</li>
</ul>
<!-- do not mess with this at all, except to add side nav --><P><EM><FONT COLOR="808080">The mission of …


1 TOTAL INFORMATION

12. Sitemap Detected
Netsparker detected a sitemap file on the target website.

Impact
This issue is reported as additional information only. There is no direct impact arising from this issue.

12.1. /sitemap.xml
http://www.jhu.edu/sitemap.xml

Certainty

Request
GET /sitemap.xml HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
…es
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 31347
Content-Type: text/xml
Last-Modified: Wed, 03 Feb 2010 15:57:26 GMT

<?xml version="1.0" encoding="UTF-8"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><!--XML Sitemap created by RAGE Sitemap Automator 2.2.3 http://www.ragesw.com--><url><loc>http://www.jhu.edu</loc><priority>0.5</priority></url><url><loc>http://www.jhu.edu/seniorvp/<…


1 TOTAL INFORMATION
CONFIRMED 1

13. Robots.txt Detected
Netsparker detected a Robots.txt file with potentially sensitive content.

Impact
Depending on the content of the file, an attacker might discover hidden directories. Ensure you have nothing sensitive exposed within this folder, such as the path of the administration panel.

Remedy
If disallowed paths are sensitive, do not write them in the robots.txt, and ensure they are correctly protected by means of authentication.

13.1. /robots.txt CONFIRMED
http://www.jhu.edu/robots.txt

Interesting Robots.txt Entries
Disallow: /hopkinsone/Secure_Private
Disallow: /wwwdev
Disallow: /webdav
Disallow: /~wwwdev
Disallow: /studacct/images

Request
GET /robots.txt HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 02:15:58 GMT
Server: Apache/2.2.15 (Red Hat)
ETag: "3f9-b8-4f4f924aa3c8e"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 123
Content-Type: text/plain; charset=UTF-8
Last-Modified: Wed, 19 Mar 2014 17:40:06 GMT

#User-agent: Googlebot
User-agent: *
Disallow: /hopkinsone/Secure_Private
Disallow: /wwwdev
Disallow: /webdav
Disallow: /~wwwdev
Disallow: /studacct/images
Disaloow: /~studacct/images


1 TOTAL INFORMATION

14. Out-of-date Version (Apache)
Netsparker identified you are using an out-of-date version of Apache.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Apache to the latest stable version.

Remedy References
Downloading the Apache HTTP Server

Known Vulnerabilities in this Version

Apache mod_cache and mod_dav Request Handling Denial of Service Vulnerability
The mod_cache and mod_dav modules in the Apache HTTP Server allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
External References: CVE-2010-1452

Apache APR-util apr_brigade_split_line() Denial of Service Vulnerability
Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util), as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
External References: CVE-2010-1623

Apache APR apr_fnmatch() Denial of Service Vulnerability
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
External References: CVE-2011-0419
Exploit: http://www.securityfocus.com/data/vulnerabilities/exploits/47820.txt

Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
The byterange filter in the Apache HTTP Server allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
External References: CVE-2011-3192
Exploit:
http://www.securityfocus.com//data/vulnerabilities/exploits/49303.c
http://www.securityfocus.com/data/vulnerabilities/exploits/49303-2.c


Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure VulnerabilityThe mod_proxy module in the Apache HTTP Server does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch patternmatches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containingan initial @ (at sign) character.

External References

CVE-2011-3368

Exploit

http://www.securityfocus.com//data/vulnerabilities/exploits/49957.py

Apache HTTP Server Scoreboard Local Security Bypass Vulnerabilityscoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown)or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid callto the free function.

External References

CVE-2012-0031

Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure Vulnerability

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions.

External References

CVE-2011-4317

Apache HTTP Server CVE-2011-3348 Denial Of Service Vulnerability

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

External References

CVE-2011-3348

mod_proxy_ajp DoS Vulnerability

The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.

External References

CVE-2012-4557

Apache Multiple XSS Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

External References

CVE-2012-4558


Apache Code Execution Vulnerability

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.

External References

CVE-2013-1862

Apache Denial of Service Vulnerability

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

External References

CVE-2013-1896

Classification

OWASP 2010-A6 OWASP 2013-A9 PCI V1.2-6.1 PCI V2.0-6.1 PCI V3.0-6.1 CAPEC-310

14.1. /

http://www.jhu.edu/

Identified Version

2.2.15

Latest Version

2.4.7

Vulnerability Database

Result is based on 1/21/2014 vulnerability database content.

Certainty

Request

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Wed, 14 Jan 2015 02:15:33 GMT
Server: Apache/2.2.15 (Red Hat)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Content-Encoding:
Content-Length: 12868
Content-Type: text/html; charset=UTF-8

<!--This is the live home…


1 TOTAL INFORMATION

15. [Possible] Internal Path Disclosure (*nix)

Netsparker identified a possible internal path disclosure (*nix) in the document.

Impact

There is no direct impact; however, this information can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Remedy

First, ensure this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this file path was actually the real file path of the target web server.

Error messages should be disabled. Remove this kind of sensitive data from the output.

External References

OWASP - Full Path Disclosure

Classification

PCI V1.2-6.5.6 CWE-200 CAPEC-118 WASC-13

15.1. /~homepage/_assets/js/hub.widget.js

http://www.jhu.edu/~homepage/_assets/js/hub.widget.js

Identified Internal Path(s)

/lib/WidgetCreator

Certainty

Request

GET /~homepage/_assets/js/hub.widget.js HTTP/1.1
Cache-Control: no-cache
Referer: http://www.jhu.edu/~homepage/_assets/js/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Accept-Encoding: gzip, deflate
Host: www.jhu.edu

Response

…e[s][1][t];return a(r?r:t)},h,h.exports,t,e,r,i)}return r[s].exports}for(var n="function"==typeof require&&require,s=0;s<i.length;s++)a(i[s]);return a}({1:[function(t){var e=t("./shims/jquery"),r=t("./lib/WidgetCreator");e(function(){new r(e(".hub-widget"))})},{"./lib/WidgetCreator":3,"./shims/jquery":6}],2:[function(t,e){var r=t("../shims/jquery"),i=t("./api"),a=t("./date-formatter"),n=function(t){this.widget=r(t),this.api=new i({key:this.widget.attr("data-key"),v:this.widget.…


1 TOTAL INFORMATION

16. [Possible] Internal Path Disclosure (Windows)

Netsparker identified a possible Internal Path Disclosure (Windows) in the document.

Impact

There is no direct impact; however, this information can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Remedy

Ensure this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this file path was actually the real file path of the target web server.

Error messages should be disabled. Remove this kind of sensitive data from the output.

External References

OWASP - Full Path Disclosure

Classification

PCI V1.2-6.5.6 CWE-200 CAPEC-118 WASC-13

16.1. /hr/fasap/descriptions/WS_FTP.LOG

http://www.jhu.edu/hr/fasap/descriptions/WS_FTP.LOG

Identified Internal Path(s)

C:\My Documents\public_html\fasap\descriptions\alcohol.html
C:\My Documents\public_html\fasap\descriptions\emotional.html
C:\My Documents\public_html\fasap\descriptions\physical.html
C:\My Documents\public_html\fasap\descriptions\self.html
C:\My Documents\public_html\fasap\descriptions\violence.html
c:\My Documents\Public_html\fasap\descriptions\WS_FTP.LOG

Certainty

Request

GET /hr/fasap/descriptions/WS_FTP.LOG HTTP/1.1
Cache-Control: no-cache
Referer: http://www.jhu.edu/hr/fasap/descriptions/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Netsparker)
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.jhu.edu
Accept-Encoding: gzip, deflate


Response

…pt-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 330
Content-Type: text/plain; charset=UTF-8
Last-Modified: Thu, 05 Feb 2009 14:03:37 GMT

100.09.28 11:28 B C:\My Documents\public_html\fasap\descriptions\alcohol.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions alcohol.html
100.09.28 11:28 B C:\My Documents\public_html\fasap\descriptions\emotional.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions emotional.html
100.09.28 11:28 B C:\My Documents\public_html\fasap\descriptions\physical.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions physical.html
100.09.28 11:28 B C:\My Documents\public_html\fasap\descriptions\self.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions self.html
100.09.28 11:28 B C:\My Documents\public_html\fasap\descriptions\violence.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions violence.html
101.04.23 09:32 B c:\My Documents\public_html\fasap\descriptions\alcohol.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions alcohol.html
101.04.23 09:32 B c:\My Documents\public_html\fasap\descriptions\emotional.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions emotional.html
101.04.23 09:32 B c:\My Documents\public_html\fasap\descriptions\physical.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions physical.html
101.04.23 09:32 B c:\My Documents\public_html\fasap\descriptions\self.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions self.html
101.04.23 09:32 B c:\My Documents\public_html\fasap\descriptions\violence.html <-- HR website /data/people/.hr1/public_html/fasap/descriptions violence.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\alcohol.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions alcohol.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\emotional.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions emotional.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\physical.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions physical.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\self.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions self.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\violence.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions violence.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\WS_FTP.LOG --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions WS_FTP.LOG
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\alcohol.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions alcohol.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\emotional.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions emotional.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\physical.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions physical.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\self.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions self.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\violence.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions violence.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\WS_FTP.LOG --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions WS_FTP.LOG
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\alcohol.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions alcohol.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\emotional.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions emotional.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\physical.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions physical.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\self.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions self.html
101.04.23 10:08 B c:\My Documents\Public_html\fasap\descriptions\violence.html --> jhuniverse.hcf.jhu.edu /data/people/.hr1/public_html/fasap/descriptions violence.html
