
Relyon Softech Limited

Vulnerability Testing of Relyon ESS Application

Platform: Windows Based OS Deployment


Xampp Version: 1.7.0
Apache Version: 2.2

Note: After any change to the configuration files, the Apache service needs to be restarted.
Contents
1.1 Outdated XAMPP Version 1.7.0
1.2 SMBv2 Vulnerabilities ... 6
1.3 HTTP Dangerous Methods Enabled ... 7
1.4 Slowloris DOS attack ... 9
1.5 HTTP-Enum Directories ... 10
1.6 http-phpself-xss ... 11
1.7 http-server-header Apache/2.2.11 ... 13
1.8 http-sql-injection ... 14
1.9 ssl-ccs-injection ... 15
1.10 ssl-dh-params - Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) ... 16
1.11 ssl-poodle ... 18
1.12 sslv2-drown ... 19
1.13 Default IIS page accessible ... 20
1.14 Phpinfo.php page found ... 22
1.15 HSTS ... 23
1.16 Directory Listing ... 25
1.17 XST (Cross Site Tracing) ... 29
1.18 Webdav Default Passwords ... 31
1.19 Arbitrary File Download ... 33
1.20 Arbitrary xls File Download ... 35
1.21 Paradox-DB Information disclosure ... 36
1.22 Paradox-DB File downloading ... 37
1.23 X-Content-Type-Options header missing ... 39
1.24 The X-XSS-Protection header is not defined ... 40
1.25 Anti-clickjacking X-Frame-Options header is not present ... 41
1.26 Apache mod_negotiation filename bruteforcing ... 42
1.27 Improper Error Handling ... 43
1.28 WebDAV Test Page is accessible ... 45
1.29 OpenSSL/0.9.8i Outdated Version ... 46
1.30 Mod_SSL/2.2.11 Outdated Version ... 48
1.31 Information disclosure ... 49
1.32 Phpinfo admin credentials Information disclosure ... 51
1.1 SMBv2 Vulnerabilities
Risk Rating: Critical Status: Open Port: 445
Finding:
During the assessment, it was observed that the remote SMB server can be abused to execute code remotely.
Risk Description
The remote Windows host contains a vulnerable SMBv2 implementation with the following issues:

- A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526)
- Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR)

EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
Recommendation
Please disable SMBv2 and use the latest SMBv3 services.
Please see the references for more information.
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
Reference:
https://www.tenable.com/plugins/nessus/42106

Solution 1.1:
The IT / Admin team needs to update and protect their server from the above attacks, as this is not related to the Relyon products.
https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_microsoft_windows_smb2_smb2validateprovidercallback__vulnerability_ms09_050_network_check

https://www.dionach.com/blog/do-you-wannacry-a-taste-of-smb-exploitation
1.2 HTTP Dangerous Methods Enabled
Risk Rating: Critical Status: Open Port: 443
Finding:
During the assessment, it was observed that the server has dangerous HTTP methods enabled.
Risk Description
HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Additionally, Cross Site Tracing (XST), a form of cross site scripting using the server's HTTP TRACE method, is examined.

The PUT method allows an attacker to upload arbitrary web pages on the server. If the server is configured to support scripts like ASP, JSP, or PHP, it will allow the attacker to execute code with the privileges of the web server. The DELETE method allows an attacker to delete arbitrary content from the web server.

The HTTP TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests that use the TRACE method by echoing in its response the exact request that was received.

Recommendation
The TRACE method should be disabled on production web servers.
Reference:
https://stackoverflow.com/questions/12131266/disable-http-options-trace-head-copy-and-unlock-methods-in-iis
https://www.tenable.com/plugins/nessus/10498
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Solution 1.2:
Relyon Application handles this type of intrusion.
The above test result was generated from other applications hosted in XAMPP.
1.3 Slowloris DOS attack
Risk Rating: Medium Status: Open Port: 81,443
Finding:
During the assessment, it was confirmed that the server is vulnerable to the Slowloris DoS attack.
Affected IP Address

Risk Description
Slowloris is a denial-of-service attack program which allows an attacker to overwhelm a
targeted server by opening and maintaining many simultaneous HTTP connections between
the attacker and the target.
Recommendation
http://cagdasulucan.blogspot.com/2013/02/iis-recommendations-against-slow-http.html
https://hexadix.com/slowloris-dos-attack-mitigation-nginx-web-server/
https://www.funtoo.org/Slowloris_DOS_Mitigation_Guide
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-server/

Solution 1.3:
Default values that protect against the above are available in updated XAMPP version 5.6.12 and above, in apache\conf\extra\httpd-default.conf
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-server/
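The httpd-default.conf settings that the solution above relies on, written out as an added example (this is not the report's configuration nor XAMPP's shipped file; the path is assumed). The permissive values are shown beside the tightened ones; the RequestReadTimeout part needs mod_reqtimeout, which only exists from Apache 2.2.15, so it applies after the XAMPP upgrade, not to Apache 2.2.11.

```apache
# Added example for apache\conf\extra\httpd-default.conf (XAMPP path assumed;
# not the report's or XAMPP's own file). Slowloris keeps many connections open
# by sending request headers a few bytes at a time, so the defence is to bound
# how long one slow client may hold a worker.

# Permissive values as typically shipped (left commented out for contrast):
# an idle client may sit for five minutes between packets.
#Timeout 300
#KeepAliveTimeout 5

# Tightened values: drop idle connections after 60 s and release keep-alive
# workers after 3 s of inactivity.
Timeout 60
KeepAlive On
KeepAliveTimeout 3
MaxKeepAliveRequests 100

# mod_reqtimeout exists only from Apache 2.2.15, so this part applies after the
# XAMPP 5.6.12 upgrade named in the solution above, not to Apache 2.2.11.
# Uncomment the LoadModule line only if httpd.conf does not already load it.
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
<IfModule reqtimeout_module>
    # Headers: 20 s to start, extended by 1 s per 500 bytes received, 40 s at most.
    # Body: 20 s, with the same 500 bytes/s minimum rate.
    # A client that trickles headers more slowly gets a 408 Request Timeout and
    # its worker is freed, which is exactly what Slowloris relies on not happening.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Restart the Apache service after the change, as noted at the top of the report.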
1.4 HTTP-Enum Directories
Risk Rating: Low Status: Open Port: 443
Finding:
During the penetration testing, it was confirmed that the server is running on a weak cipher.

Risk Description:
Enumerates directories used by popular web applications and servers. This parses a fingerprint file that's formatted in a way that's compatible with the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify specific versions of Web applications. Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is called http-fingerprints and has a long description of its functionality in the file header. Many of the fingerprints were discovered by me (Ron Bowes), and a number of them are from the Yokoso project, used with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).

Initially, this script attempts to access two different random files in order to detect servers that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual 200). This will prevent most false positives. In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required, this script will also abort. If the root folder has disappeared or requires authentication, there is little hope of finding anything inside it. By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the http-enum.displayall script argument is set, however, then all results will be displayed (except for 404 Not Found and the status code returned by the random files). Entries in the http-fingerprints database can specify their own criteria for accepting a page as valid.

SYNTAX:
http-enum.basepath: The base path to prepend to each request. Leading/trailing slashes are ignored.
http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored).
http.useragent: The value of the User-Agent header field sent with requests. By default it is "Mozilla/5.0 (compatible Nmap Scripting Engine http://nmap.org/book/nse.html)". A value of the empty string disables sending the User-Agent header field.
http-enum.category: Set to a category (as defined in the fingerprints file). Some options are 'attacks', 'database', 'general', 'microsoft', 'printer', etc.
http-enum.displayall: Set this argument to display all status codes that may indicate a valid page, not just 200 OK and 401 Authentication Required pages. Although this is more likely to find certain hidden folders, it also generates far more false positives.
http-max-cache-size: The maximum memory size (in bytes) of the cache.

Recommendation:

Is it really such a big problem if attackers can easily figure out the directory structure of your website? Well,
sometimes yes, sometimes no. If you’ve done everything else right (e.g. disabled directory list, removed
unneeded files), it’s less of a risk.
https://www.acunetix.com/vulnerabilities/network/vulnerability/nmap-nse-net-http-enum/
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
http://pentestmonkey.net/blog/direnum

Solution 1.4:
Install Xampp Version 5.6.12 – Enum Disabled in this Version
https://excellmedia.dl.sourceforge.net/project/xampp/XAMPP%20Windows/5.6.12/xampp-win32-5.6.12-0-VC11-installer.exe

1.5 http-phpself-xss
Risk Rating: Medium Status: Open Port: 443
Finding:
During the assessment, it was observed that the server's X-Content-Type-Options header is missing.
Risk Description
$_SERVER['PHP_SELF'] is dangerous if misused, especially in HTML forms, where nearly any arbitrary string can be posted to a website by using $_SERVER['PHP_SELF']. This can be used by an attacker to perform XSS attacks.

To better explain it, let's create an xssAttack.php file and add the following HTML form:

Recommendation
The FILTER_SANITIZE_STRING filter strips away any code that could be injected into PHP by an intruder.
Reference:
https://www.joe0.com/2016/12/08/cross-site-scripting-xss-and-exploiting-_serverphp_self/
https://www.webadminblog.com/index.php/2010/02/23/a-xss-vulnerability-in-almost-every-php-form-ive-ever-written/
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Solution 1.5:
Relyon Products handle the http-phpself-xss issue in all of their web forms.
This test has been extended from other applications.
1.6 http-server-header Apache/2.2.11
Risk Rating: Medium Status: Open Port:443
Finding:
During the assessment, it was observed that the server's http-server-header reports Apache/2.2.11.
Recommendation
Upgrade to the latest version.
Reference:
https://httpd.apache.org/security/vulnerabilities_22.html
Solution 1.6:
Disable Server Signature from xampp\apache\conf\extra\httpd-default.conf
ServerTokens Prod
ServerSignature Off

1.7 http-sql-injection
Risk Rating: High Status: Open Port: 443
Finding:
During the assessment, it was observed that the server is affected by http-sql-injection.
Risk Description
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection
attack. It also extracts forms from found websites and tries to identify fields that are
vulnerable.

The script spiders an HTTP server looking for URLs containing queries. It then proceeds to
combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are
analyzed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection
but anything more complicated is better suited to a standalone tool.

We may not have access to the target web server's true hostname, which can prevent access to virtually hosted sites.
Recommendation

Reference:
https://www.acunetix.com/websitesecurity/sql-injection/
https://nmap.org/nsedoc/scripts/http-sql-injection.html

Solution 1.7:
SQL injection has been handled in the Relyon Application; the above test was done on other applications.
1.8 ssl-ccs-injection
Risk Rating: High Status: Open Port: 443
Finding:
During the assessment, it was observed that the server is affected by http-sql-injection.
Risk Description
In order to exploit the vulnerability, a MITM attacker would effectively do the following:
1. Wait for a new TLS connection, followed by the ClientHello/ServerHello handshake messages.
2. Issue a CCS packet in both directions, which causes the OpenSSL code to use a zero-length pre-master secret key. The packet is sent to both ends of the connection. Session keys are derived using a zero-length pre-master secret key, and future session keys also share this weakness.
3. Renegotiate the handshake parameters. The attacker is now able to decrypt or even modify the packets in transit.

The script works by sending a 'ChangeCipherSpec' message out of order and checking whether the server returns an 'UNEXPECTED_MESSAGE' alert record or not. Since a non-patched server would simply accept this message, the CCS packet is sent twice, in order to force an alert from the server. If the alert type is different than 'UNEXPECTED_MESSAGE', we can conclude the server is vulnerable.

Recommendation
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0
SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users
(client and/or server) should upgrade to 1.0.1h.
Reference:
https://nmap.org/nsedoc/scripts/ssl-ccs-injection.html

Solution 1.8:
Required SSL certificate to prevent the vulnerability.
Windows Server does not get affected by the attack.
Relyon Application already handled the case; the above case was generated from a different application.
http://ccsinjection.lepidum.co.jp/
1.9 ssl-dh-params - Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
Risk Rating: Info Status: Open Port: 443
Finding:
During the assessment, it was observed that the server is affected by ssl-dh-params.
Risk Description
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.

This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral Diffie-
Hellman as the key exchange algorithm.

Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability to Logjam
(CVE 2015-4000) and other weaknesses.

Opportunistic STARTTLS sessions are established on services that support them.

Recommendation
OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode, or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges.
PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher.
If using any other SSL implementation, configure the ciphersuite used by the server to not
include any Diffie-Hellman key exchanges or contact your vendor for a patch.
Reference:
https://nmap.org/nsedoc/scripts/ssl-ccs-injection.html
https://www.tenable.com/plugins/nessus/53360
https://www.openssl.org/news/secadv/20160301.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
Solution 1.9:
To disable support for insecure renegotiation, you need to install patch MS10-049. Then go to the key HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel in Registry Editor and create a new DWORD value (if it doesn't already exist) named AllowInsecureRenegoClients and set the value to 0. Whilst you're there, create another DWORD named DisableRenegoOnServer and set the value to 1.

Unfortunately, Microsoft has chosen to use weak Diffie-Hellman key exchange parameters in order to support older Java clients. The only workaround for this that I know of is to disable all Diffie-Hellman cipher suites, leaving Elliptic Curve Diffie-Hellman to take care of forward secrecy, which is something you should really be doing anyway.
An alternate way for this is to disable TLS from XAMPP:
Xampp/sendmail/sendmail.ini
Enable the following lines
1.10 ssl-poodle
Risk Rating: Medium Status: Open Port: 443
Finding:
During the assessment, it was observed that the server is affected by SSL POODLE.
Risk Description
The POODLE attack can be used against any system or application that supports SSL 3.0 with
CBC mode ciphers. This affects most current browsers and websites, but also includes any
software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the
SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an
attacker can gain access to sensitive data passed within the encrypted web session, such as
passwords, cookies and other authentication tokens that can then be used to gain more
complete access to a website (impersonating that user, accessing database content, etc.)

Recommendation
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommends the following upgrades: [5]
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks. Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [6] or in CERT Vulnerability Note VU#577193.

Vulnerable TLS implementations need to be updated. CVE ID assignments and vendor information are also available in the NVD.
Contact the vendor for an update.
Reference:
https://www.accuwebhosting.com/blog/fix-poodle-vulnerability-ssl-v3-windows/
https://www.tenable.com/plugins/nessus/80035
http://www.nessus.org/u?3bcd20bf
Solution 1.10:
Required to remove SSL version 3.0 from the client browser side; follow the settings from the link
https://www.howtogeek.com/199035/what-is-the-poodle-vulnerability-and-how-can-you-protect-yourself/
1.11 sslv2-drown
Risk Rating: Medium Status: Open Port: 443
Finding:
During the assessment, it was observed that the server is affected by sslv2-drown.
Risk Description
The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key.

Recommendation
Disable SSLv2 and export-grade cryptography cipher suites. Ensure that private keys are not used anywhere with server software that supports SSLv2 connections.
Reference:
https://drownattack.com/
https://drownattack.com/drown-attack-paper.pdf
https://www.openssl.org/news/secadv/20160301.txt

Solution 1.11: Manually Disable SSL 2.0 and SSL 3.0

In order to manually disable SSL 2.0 and SSL 3.0 and make sure that the stronger TLS protocols are used, follow these instructions:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
5. Enter Enabled as the name and hit Enter.
6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click
and select Modify and enter 0 as the Value data.
7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the
new folder Server.
8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
9. Enter Enabled as the name and hit Enter.
10. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click
and select Modify and enter 0 as the Value data.
11. Restart the computer.
12. Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server
Database

Note: This process is essentially the same on an IIS 6 (Windows Server 2003) machine. Normally, the Server
key under SSL 2.0 will already be created so you will just need to create a new DWORD value under it and
name it Enabled.
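The registry steps above configure Windows SChannel, which IIS uses; XAMPP's Apache links its own OpenSSL and takes its protocol and cipher settings from apache\conf\extra\httpd-ssl.conf, so on this stack the same three findings (sslv2-drown, ssl-poodle and the ssl-dh-params/Logjam item in 1.9) also need the directives below. This is an added example, not the report's own configuration; the XAMPP path, document root, hostname and key/certificate file names are assumed.

```apache
# Added example for apache\conf\extra\httpd-ssl.conf (XAMPP path, document root,
# hostname and key/certificate file names are assumed; not the report's own config).
Listen 443

<VirtualHost _default_:443>
    DocumentRoot "C:/xampp/htdocs"
    # placeholder hostname
    ServerName ess.example.local:443

    SSLEngine on
    SSLCertificateFile    "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"

    # sslv2-drown and ssl-poodle: refuse SSLv2 and SSLv3 outright. A bare
    # "SSLProtocol all" on an OpenSSL 0.9.8/1.0.x build still accepts SSLv3;
    # the two negations are what close both findings.
    SSLProtocol all -SSLv2 -SSLv3

    # ssl-dh-params (Logjam): the solution to 1.9 drops every finite-field
    # Diffie-Hellman suite and keeps only ECDHE for forward secrecy. Naming the
    # ECDHE suites explicitly does that, and the trailing exclusions make sure no
    # EXPORT, anonymous, NULL, RC4, DES/3DES or MD5 suite can be added by accident.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5
    # The server, not the client, chooses from that list, so a client cannot
    # steer negotiation toward the weakest suite both sides happen to share.
    SSLHonorCipherOrder on

    # Renegotiation with clients that lack RFC 5746 stays disabled; this is the
    # Apache-side counterpart of the AllowInsecureRenegoClients=0 registry value
    # that the solution to 1.9 sets for SChannel.
    SSLInsecureRenegotiation off
</VirtualHost>

# Check after restarting Apache (both commands should fail to negotiate):
#   openssl s_client -connect 127.0.0.1:443 -ssl3
#   openssl s_client -connect 127.0.0.1:443 -cipher 'EDH:EXPORT'
```

The AES-GCM suites require TLS 1.2, which the OpenSSL bundled with XAMPP 5.6.12 provides; the OpenSSL 0.9.8i shipped with XAMPP 1.7.0 does not, so this block is only meaningful after the upgrade.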
1.12 Default IIS page accessible
Risk Rating: info Status: Open Port: 80
Finding:
During the assessment, it was observed that the server is running the Microsoft IIS web server and is prone to an information disclosure vulnerability.
Risk Description

Recommendation
Disable the default IIS page's respective features, remove the product, or replace the product with a custom page.
Reference:
http://www.valencynetworks.com/kb/web-server-default-welcome-page.html
Solution 1.12: Disable the IIS service, but this will affect any other IIS application that is running.

The Relyon Application does not run on the IIS service.


1.13 Phpinfo.php page found
Risk Rating: Medium Status: Open Port: 80
Finding:
During the assessment, it was observed that the server is disclosing the phpinfo.php file.
Risk Description
This script is using phpinfo() function. This function outputs a large amount of information
about the current state of PHP. This includes information about PHP compilation options and
extensions, the PHP version, server information and environment (if compiled as a module),
the PHP environment, OS version information, paths, master and local values of configuration
options, HTTP headers, and the PHP License.

Recommendation
Remove the file from production systems.
Reference:

Solution 1.13: Delete or comment out the content inside the phpinfo.php pages in all locations inside the XAMPP application.
Removed from the XAMPP application:
xampp/phpmyadmin/phpinfo.php
xampp/htdocs/dashboard/phpinfo.php
xampp/htdocs/relyonapp/troubleshoot/phpinfo.php
1.14 HSTS
Risk Rating: Medium Status: Open Port: 80
Finding:

During the penetration testing, it was observed that the SSL server does not enforce HTTP
Strict Transport Security which could allow the attacker to gain advantage over the existing
security controls.
Risk Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of
HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.
Recommendation
It is recommended to enforce the HSTS header on the SSL server.
Reference: https://tools.ietf.org/html/rfc6797#section-6.1

Solution 1.14: Required SSL Certificate


1.15 Directory Listing
Risk Rating: Medium Status: Open Port: 81

Finding:
During the security assessment, it was determined that an attacker can get directory listing
which allows an attacker to map out the server's directory structure and identify potentially
vulnerable files and sample applications.

External URL:

Risk Description:

With a system vulnerable to Directory Traversal, an attacker can make use of this vulnerability
to step out of the root directory and access other parts of the file system. This might give the
attacker the ability to view restricted files, or even more dangerous, allowing the attacker to
execute powerful commands on the web server which can lead to a full compromise of the
system.
Recommendation:
Obtaining directory lists gives an attacker useful information when planning attacks against your
server or your application. Follow these guidelines to prevent unintended information disclosure:

• Examine your applications and if the directory list was obtained by exploiting a known bug
or vulnerability, contact the vendor or maintainer for a patch.
• If the directory listing is exploitable in a custom application then review the code and
prevent malformed strings or tricked URI's from bypassing the filters or input validation
you are applying to directory GET requests.
• Locate the default servlet's configuration. Open your application's deployment descriptor (e.g. web.xml), and locate the default servlet's configuration. If the default servlet is present, it is mapped to the root directory of your application. Example:
  <servlet>
    <servlet-name>default_servlet</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default_servlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
• Deny directory browsing in the default servlet's configuration. Initialize the default servlet with the parameter listings set to false. Example:
  <servlet>
    <servlet-name>default_servlet</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default_servlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
Solution 1.15:
Directory access changed to the Relyon folder in httpd.conf.
Default access URI through IP changed to relyonappfolder in htdocs/index.php.
The Relyon Application has .htaccess protection, which does not allow directory listing.
The above result is from another application hosted on the same server.
1.16 XST (Cross Site Tracing)
Risk Rating: High Status: Open Port: 443
Finding:

During the penetration testing, it was observed that cross-site tracing (XST) is possible.
Risk Description
Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass
security countermeasures already put in place to protect against XSS. This new form of attack
allows an intruder to obtain cookies and other authentication data using simple client-side
script.
Recommendation
To prevent this type of attack, it's essential that the PUT, DELETE, CONNECT and TRACE methods are disabled on your Web server, as they all pose a potential security risk.
Reference:
https://www.owasp.org/index.php/Cross_Site_Tracing
https://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/
Solution 1.16:
Change the statement in httpd.conf as TraceEnable Off
1.17 Webdav Default Passwords
Risk Rating: Medium Status: Open Port: 80
Finding:

During the penetration testing, it was observed that WebDAV is running on default credentials.
Risk Description
The WebDAV plugin for the Apache server included with XAMPP version 1.7.3 or lower is
enabled by default.
Since WebDAV is an often overlooked/underutilized functionality of the server, the default
credentials associated with the WebDAV account are most likely left unchanged by the server
admin.
The security setup page for the XAMPP server does not mention that WebDAV is enabled by
default or ask the server admin to change the default username & password. This poor
design choice leads many instances of XAMPP to keep the default credentials and be
vulnerable to remote attacks.
Recommendation
To fix the WebDAV default credentials vulnerability you can upgrade to the latest version of
XAMPP, change the WebDAV username/password, or use a different hosting solution.
This design vulnerability was addressed in XAMPP v1.7.4, so that the WebDAV account is not
enabled by default and the default password is randomized.
Reference:
http://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html
http://arulgobi.blogspot.com/2011/01/xampp-webdav-vulnerability.html
Solution 1.17:
1. Remove or change the content of the WebDAV folder in XAMPP.
2. Disable the WebDAV module in httpd.conf.
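The httpd.conf directives below, as an added example that is not the report's own configuration, put the Apache-side fixes for 1.2 and 1.16 (TRACE and the PUT/DELETE/CONNECT family), 1.14 (HSTS), 1.15 (directory listing; Options -Indexes is the Apache httpd counterpart of the Tomcat listings=false setting shown there) and 1.17 (WebDAV) in one place. The XAMPP path and document root are assumed; the syntax is Apache 2.4, i.e. the XAMPP 5.6.12 build the report recommends.

```apache
# Added example for xampp\apache\conf\httpd.conf (paths assumed; Apache 2.4 syntax).

# 1.17 WebDAV: do not load the DAV modules and do not include the DAV
# configuration that older XAMPP builds shipped enabled with default credentials.
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf

# 1.16 XST: TRACE is answered by the core server before any <Limit> section
# is consulted, so it cannot be blocked there and needs its own directive.
TraceEnable Off

<Directory "C:/xampp/htdocs">
    # 1.15 Directory listing: -Indexes makes Apache answer 403 instead of a
    # listing when a directory has no index file; FollowSymLinks is kept.
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted

    # 1.2 Dangerous methods: allow only what a browser needs. PUT, DELETE,
    # CONNECT, PATCH, PROPFIND and the rest get 403 Forbidden.
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

# 1.14 HSTS: the header is sent only on HTTPS responses (browsers ignore it on
# plain HTTP anyway); max-age is what makes a browser refuse a later downgrade.
<IfModule mod_headers.c>
    <IfModule mod_ssl.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    </IfModule>
</IfModule>
```

Because AllowOverride All is kept, the Relyon folder's own .htaccess (mentioned in Solution 1.15) continues to apply on top of these server-wide defaults.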
1.18 Arbitrary File Download
Risk Rating: High Status: Open Port: 443
Finding:

During the penetration testing, it was observed that an arbitrary file download vulnerability exists.
Risk Description
Some websites may provide file viewing or download functionality because of business needs. If you do not limit users from viewing or downloading files, a malicious user may attempt to view or download any file from your server.
Attackers may construct malicious requests to download sensitive files from the server, and further embed webshell files to control the website server host.
Recommendation
• Update the CMS or plug-in you are using to the latest version.
• Delete the file with the vulnerability if it is no longer being used.
Reference:
https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/
https://resources.infosecinstitute.com/arbitrary-file-download-breaking-into-the-system/#gref
1.19 Arbitrary xls File Download
Arbitrary File Download
Risk Rating: High Status: Open Port: 80
Finding:
During the penetration testing, an arbitrary file download vulnerability was observed.
Risk Description
Some websites provide file viewing or download functionality because of business needs. If you
do not restrict which files a user may view or download, a malicious user may attempt to view or
download any file from your server.
Attackers may craft requests to download sensitive files from the server, and may then plant
webshell files to take control of the web server host.
Recommendation
• Update the CMS or plug-in you are using to the latest version.
• Delete the file with the vulnerability if it is no longer being used.
Reference:
https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/
https://resources.infosecinstitute.com/arbitrary-file-download-breaking-into-the-system/#gref
Solution to 1.18, 1.19:
The Relyon application folders are protected with an .htaccess file; without a valid login, file
download is not possible.
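The .htaccess login requirement controls who may reach the download endpoint; the application itself still has to make sure that a logged-in user can only fetch the files it intends to serve. As an added example (not Relyon's code, and written in Python rather than the application's own language), the handler below confines every requested name to an assumed download folder and an assumed allow-list of extensions, rejecting traversal sequences, absolute and drive-letter paths, hidden files and files of other types. The folder, file names and requests built in demo() are constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict

# Extensions the hypothetical download endpoint is allowed to serve (assumption).
ALLOWED_EXTENSIONS = {".xls", ".xlsx", ".pdf"}
# Allow-list for each path component: letters, digits, dot, dash, underscore,
# starting with a letter or digit. This excludes "..", dot-files such as
# ".htaccess", empty components from a leading "/" and drive letters like "C:".
_SAFE_PART = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class DownloadRejected(Exception):
    """Raised when a requested path must not be served."""


def resolve_download(base_dir: Path, requested: str) -> Path:
    """Map a user-supplied relative name onto a regular file inside base_dir."""
    base = base_dir.resolve()
    parts = requested.replace("\\", "/").split("/")
    if not all(_SAFE_PART.match(p) for p in parts):
        raise DownloadRejected(f"illegal path component in {requested!r}")
    # Resolve symlinks, then insist the real file still lives under base_dir.
    candidate = base.joinpath(*parts).resolve()
    if base not in candidate.parents:
        raise DownloadRejected(f"{requested!r} escapes the download directory")
    if candidate.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise DownloadRejected(f"extension {candidate.suffix!r} is not downloadable")
    if not candidate.is_file():
        raise DownloadRejected(f"{requested!r} is not a regular file")
    return candidate


def demo() -> Dict[str, str]:
    """Build a constructed download folder and classify some sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "payroll_q1.xls").write_bytes(b"constructed sample")
        (root / "config.php").write_text("<?php // constructed secret config\n")
        sample_requests = [
            "reports/payroll_q1.xls",          # legitimate
            "reports\\payroll_q1.xls",         # Windows separator, still legitimate
            "config.php",                      # real file, but not a downloadable type
            "../../apache/conf/httpd.conf",    # traversal
            "reports/../config.php",           # traversal hidden behind a valid folder
            "/etc/passwd",                     # absolute path
            "C:\\xampp\\php\\php.ini",         # drive-letter absolute path
            "reports/missing.xls",             # allowed type, but does not exist
        ]
        results: Dict[str, str] = {}
        for req in sample_requests:
            try:
                resolve_download(root, req)
                results[req] = "served"
            except DownloadRejected as exc:
                results[req] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:40} -> {outcome}")
```

The allow-list on path components is deliberately stricter than a blacklist of ".." because it also stops encoded, empty and drive-letter components; the resolve() check afterwards catches anything a symlink inside the folder might otherwise expose.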
1.20 Paradox-DB Information disclosure
Paradox-DB Information disclosure
Risk Rating: Low Status: Open Port: 80
Finding:
During the penetration testing, it was observed that Paradox DB files are present, which can allow a
remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Risk Description
By causing an application to process a specially-crafted file with the Oracle Outside In library,
a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges
of the vulnerable application. Depending on what application is using Outside In, this may
happen as the result of some user interaction, such as single-clicking on a file, or it may
happen with no user interaction at all.
Recommendation
Apply the patch described in the referenced advisory.
Reference:
https://www.kb.cert.org/vuls/id/916896/
1.21 Paradox-DB File downloading
Paradox-DB File downloading
Risk Rating: Critical Status: Open Port: 81
Finding:
During the penetration testing, it was observed that Paradox DB files are present, which can allow a
remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Risk Description
By causing an application to process a specially-crafted file with the Oracle Outside In library,
a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges
of the vulnerable application. Depending on what application is using Outside In, this may
happen as the result of some user interaction, such as single-clicking on a file, or it may
happen with no user interaction at all.
Recommendation
Apply the patch described in the referenced advisory.
Reference:
https://www.kb.cert.org/vuls/id/916896/

Solution 1.20, 1.21:
The XAMPP version mentioned above (5.6.12) does not include the paradox folder. Install that version
to resolve the findings above.
1.22 X-Content-Type-Options header missing
X-Content-Type-Options header missing
Risk Rating: Info Status: Open Port: 80
Finding:
During the assessment, it was observed that the server's X-Content-Type-Options header is missing.
Risk Description
The server does not set the X-Content-Type-Options header, which means it is vulnerable to MIME
sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from
MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome
when downloading extensions. This reduces exposure to drive-by download attacks, and to sites
serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or
dynamic HTML files.

Recommendation
Set the X-Content-Type-Options header to nosniff (see the solution for sections 1.22 to 1.24 below).
Reference:
https://hackerone.com/reports/12613
https://www.keycdn.com/support/x-content-type-options
1.23 The X-XSS-Protection header is not defined
The X-XSS-Protection header is not defined
Risk Rating: Info Status: Open Port: 80
Finding:
During the assessment, it was observed that the server (192.168.1.99) does not define the
X-XSS-Protection header.
Risk Description
The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into
modern web browsers. This filter is usually enabled by default, but setting the header enforces it.
It is supported by Internet Explorer 8+, Chrome, and Safari. The recommended configuration is to set
this header to "1; mode=block", which enables the XSS protection and instructs the browser to block
the response, rather than sanitizing it, in the event that a malicious script has been inserted from
user input.

Recommendation
Set the X-XSS-Protection header to "1; mode=block" (see the solution for sections 1.22 to 1.24 below).
Reference:
https://www.keycdn.com/blog/x-xss-protection
1.24 Anti-clickjacking X-Frame-Options header is not present
Anti-clickjacking X-Frame-Options header is not present
Risk Rating: Info Status: Open Port: 80
Finding:
During the assessment, it was observed that the server does not send the anti-clickjacking
X-Frame-Options header.
Risk Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious
technique of tricking a Web user into clicking on something different from what the user
perceives they are clicking on, thus potentially revealing confidential information or taking
control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be
at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to
indicate whether a browser should be allowed to render a page inside a frame or iframe. Sites
can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into
other sites.

Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for
more information about the possible values for this header.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.owasp.org/index.php/Clickjacking
Solution to sections 1.22, 1.23, 1.24:
Enable the headers module (mod_headers) and add the three required headers in httpd.conf, then
restart the Apache service:
# The LoadModule line for mod_headers must be uncommented earlier in httpd.conf:
#   LoadModule headers_module modules/mod_headers.so
<IfModule headers_module>
    RequestHeader unset DNT env=bad_DNT
    # 1.22: stop browsers from MIME-sniffing a response away from its declared Content-Type
    Header set X-Content-Type-Options "nosniff"
    # 1.23: enable the browser XSS filter and block the page instead of sanitising it
    Header set X-XSS-Protection "1; mode=block"
    # 1.24: allow framing only by pages of the same origin ("always" also covers error responses)
    Header always set X-Frame-Options "sameorigin"
</IfModule>
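The configuration above only takes effect once Apache has been restarted with mod_headers loaded. As an added check (not part of the original report), the Python script below parses a raw HTTP response and reports which of the three headers from sections 1.22 to 1.24 are missing or carry an unexpected value. The two sample responses are constructed for the example, not captured from the assessed host; to audit a live server, paste the output of `curl -i` into `audit_headers`.

```python
from typing import Dict, List, Tuple

# Accepted values, lower-cased with whitespace removed, matching the httpd.conf
# solution for sections 1.22 to 1.24 (DENY is an equally valid X-Frame-Options choice).
REQUIRED_HEADERS = {
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1;mode=block"},
    "x-frame-options": {"deny", "sameorigin"},
}


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into its status code and a header map
    (lower-cased names; repeated headers are kept as a list)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw: str) -> List[str]:
    """Return one finding per required header that is missing or mis-set."""
    _, headers = parse_response(raw)
    findings: List[str] = []
    for name, accepted in REQUIRED_HEADERS.items():
        values = headers.get(name)
        if not values:
            findings.append(f"{name}: missing")
            continue
        # Compare case-insensitively and ignore spacing ("1; mode=block" == "1;mode=block").
        seen = {"".join(v.lower().split()) for v in values}
        if not seen & accepted:
            findings.append(f"{name}: unexpected value(s) {sorted(seen)}")
    return findings


# Constructed responses: the 'before' Server banner uses the versions named in
# this report; the 'after' response reflects the httpd.conf solution above.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.11 (Win32) mod_ssl/2.2.11 OpenSSL/0.9.8i\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit_headers(raw) or "all required headers present")
```

Because `Header always set` is used for X-Frame-Options, the check should be repeated against an error page (for example a 404) as well as the login page; both must pass.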
1.25 Apache mod_negotiation filename bruteforcing
Apache mod_negotiation filename bruteforcing
Risk Rating: Medium Status: Open Port: 80
Finding:
During the penetration testing, it was observed that Apache mod_negotiation allows filename
bruteforcing.
Risk Description
mod_negotiation is an Apache module responsible for selecting, from several available documents, the
one that best matches the client's capabilities. If the client provides an invalid Accept header, the
server responds with a 406 Not Acceptable error containing a pseudo directory listing.
This behaviour can help an attacker learn more about the target, for example by generating a list of
base names, generating a list of interesting extensions, looking for backup files and so on.
Possible information disclosure: directory listing, filename bruteforcing, backup files.
Recommendation
Disable the MultiViews directive from Apache's configuration file and restart Apache.
You can disable MultiViews by creating a .htaccess file containing
Reference:
https://hackerone.com/reports/25382

Solution 1.25:
Disable mod_negotiation in httpd.conf by commenting out its LoadModule line with #, then restart
Apache.
1.26 Improper Error Handling
Improper Error Handling
Risk Rating: Low Status: Open Port: 80
Finding:
During the penetration testing, it was observed that errors are handled improperly.
Risk Description
Improper handling of errors can introduce a variety of security problems for a web site. The most
common problem is when detailed internal error messages such as stack traces, database dumps, and
error codes are displayed to the user (or attacker). These messages reveal implementation details
that should never be revealed. Such details can give attackers important clues about potential flaws
in the site, and such messages are also disturbing to normal users.
Recommendation
A specific policy for how to handle errors should be documented, including the types of
errors to be handled and for each, what information is going to be reported back to the user,
and what information is going to be logged. All developers need to understand the policy and
ensure that their code follows it.

Reference:
https://www.owasp.org/index.php/Improper_Error_Handling
https://www.acunetix.com/vulnerabilities/web/application-error-message/

Solution 1.26:
Turn off the following in php.ini:
display_errors=Off
display_startup_errors=Off
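As an added example (not from the report), the following Python helpers check both sides of this finding: `audit_php_ini` parses a php.ini text and reports whether display_errors and display_startup_errors are still on, and `find_leaked_errors` scans a response body for PHP error text that has reached the browser. The php.ini excerpts and the response body are constructed samples; the path C:\xampp\htdocs\app\db.php is an assumed location, not one taken from the assessed system.

```python
import re
from typing import Dict, List

# Fragments that show PHP is printing internal error details to the client,
# in both html_errors=On (bold tags) and plain-text form.
LEAK_PATTERNS = [
    re.compile(r"<b>(Warning|Notice|Fatal error|Parse error|Deprecated)</b>:"),
    re.compile(r"^(Warning|Notice|Fatal error|Parse error):\s", re.MULTILINE),
    re.compile(r"on line <b>\d+</b>"),
    re.compile(r"Stack trace:"),
    re.compile(r"[A-Za-z]:\\[^\s<>\"']*\.php"),  # Windows path to a .php source file
]


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: skips comments and [sections], keeps key = value,
    and honours double-quoted values (which may themselves contain ';')."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]
        else:
            value = value.split(";", 1)[0].strip()   # drop a trailing comment
        settings[key.strip().lower()] = value
    return settings


def _is_off(value: str) -> bool:
    """PHP treats these ini strings as boolean false."""
    return value.lower() in {"off", "0", "false", "no", "none", ""}


def audit_php_ini(text: str) -> List[str]:
    """Report error-display directives that still expose details to users."""
    cfg = parse_php_ini(text)
    findings: List[str] = []
    for key in ("display_errors", "display_startup_errors"):
        if key not in cfg:
            # PHP's built-in default for display_errors is on, so absence counts.
            if key == "display_errors":
                findings.append("display_errors is unset (PHP default is on); set it to Off")
            continue
        if not _is_off(cfg[key]):
            findings.append(f"{key} = {cfg[key]}; set it to Off")
    return findings


def find_leaked_errors(body: str) -> List[str]:
    """Return the fragments of PHP error output found in a response body."""
    return [m.group(0) for pat in LEAK_PATTERNS for m in pat.finditer(body)]


# Constructed php.ini excerpts (before and after the fix).
PHP_INI_BEFORE = """; constructed excerpt in the style of a XAMPP php.ini (before)
[PHP]
error_reporting = E_ALL
display_errors = On
display_startup_errors = On
include_path = ".;C:\\xampp\\php\\PEAR"
"""
PHP_INI_AFTER = """; constructed excerpt (after): details go to the log, not the browser
[PHP]
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
"""
# Constructed response body as PHP would render a failed DB call with display_errors on.
LEAKY_BODY = (
    "<br />\n<b>Warning</b>:  mysql_connect(): Access denied for user 'root'@'localhost' "
    "in <b>C:\\xampp\\htdocs\\app\\db.php</b> on line <b>12</b><br />\n"
)

if __name__ == "__main__":
    print("before:", audit_php_ini(PHP_INI_BEFORE))
    print("after: ", audit_php_ini(PHP_INI_AFTER))
    print("leaked:", find_leaked_errors(LEAKY_BODY))
```

Keeping log_errors on in the hardened php.ini is the counterpart of turning display_errors off: the details still reach the administrator through the log, just not the client.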
1.27 WebDAV Test Page is accessible
WebDAV Test Page is accessible
Risk Rating: Info Status: Open Port: 80
Finding:
During the penetration testing, it was observed that the WebDAV test page is accessible.
Risk Description
WebDAV detection is classed as a medium-risk issue and is one of the most frequently found on
networks around the world. This issue has existed since at least 1990 but has proven either
difficult to detect, difficult to resolve, or prone to being overlooked entirely.
Recommendation
Disable WebDAV if it is not required.
Reference:
https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_webdav_detection

Solution 1.27:
Disable WebDAV in httpd.conf, as described in the solution for section 1.17.
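Several of the solutions in this report (1.16 TraceEnable, 1.17 and 1.27 WebDAV, 1.25 mod_negotiation, and the headers module needed for 1.22 to 1.24) amount to particular lines in httpd.conf being present, absent, or commented out with #. The Python script below, an added example that is not part of the report, reads an httpd.conf text and lists which of those steps are still outstanding. The 'before' and 'after' excerpts are constructed in the style of a XAMPP httpd.conf; the directive and module names (TraceEnable, LoadModule dav_module, Dav, Options MultiViews, httpd-dav.conf) are standard Apache and XAMPP names, while the path C:/xampp/htdocs is assumed.

```python
from typing import Iterator, List, Set, Tuple


def _directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive, arguments) for each active line. Lines starting with '#'
    are skipped, which is exactly how the solutions above disable a module."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        tokens = line.split()
        yield tokens[0].lower(), [t.strip('"').lower() for t in tokens[1:]]


def audit_httpd_conf(conf: str) -> List[str]:
    """Return one finding per hardening step (1.16, 1.17/1.27, 1.25, and the
    headers module for 1.22 to 1.24) that the given httpd.conf has not applied."""
    findings: List[str] = []
    trace_off = False
    dav_on = False
    multiviews_enabled = False
    loaded: Set[str] = set()
    for name, args in _directives(conf):
        if name == "traceenable":
            trace_off = args[:1] == ["off"]          # last occurrence wins
        elif name == "loadmodule" and args:
            loaded.add(args[0])
        elif name == "dav" and args[:1] == ["on"]:
            dav_on = True
        elif name == "options":
            # Any Options line that switches MultiViews on is reported; the scoping
            # of a "-MultiViews" in another <Directory> block is not modelled here.
            if any(opt in ("multiviews", "+multiviews") for opt in args):
                multiviews_enabled = True
        elif name == "include" and args and "httpd-dav" in args[0]:
            findings.append(f"Include {args[0]}: WebDAV configuration is still pulled in (1.17, 1.27)")
    if not trace_off:
        findings.append("TraceEnable Off is missing (1.16)")
    if loaded & {"dav_module", "dav_fs_module"}:
        findings.append("mod_dav / mod_dav_fs are loaded (1.17, 1.27)")
    if dav_on:
        findings.append("a 'Dav On' location is configured (1.17, 1.27)")
    if "negotiation_module" in loaded and multiviews_enabled:
        findings.append("mod_negotiation is loaded and MultiViews is enabled (1.25)")
    if "headers_module" not in loaded:
        findings.append("headers_module is not loaded, so the Header directives for 1.22 to 1.24 have no effect")
    return findings


# Constructed excerpts; directory path is assumed, module names are Apache's own.
HTTPD_CONF_BEFORE = """# constructed excerpt in the style of a XAMPP 1.7.0 httpd.conf (before)
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule headers_module modules/mod_headers.so
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
</Directory>
Include "conf/extra/httpd-dav.conf"
"""
HTTPD_CONF_AFTER = """# constructed excerpt after applying solutions 1.16, 1.17, 1.22-1.24, 1.25, 1.27
TraceEnable Off
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule negotiation_module modules/mod_negotiation.so
LoadModule headers_module modules/mod_headers.so
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks Includes ExecCGI
</Directory>
#Include "conf/extra/httpd-dav.conf"
"""

if __name__ == "__main__":
    print("before:", *audit_httpd_conf(HTTPD_CONF_BEFORE), sep="\n  ")
    print("after:", audit_httpd_conf(HTTPD_CONF_AFTER) or "nothing outstanding")
```

Run it against the real file before and after editing (for example `audit_httpd_conf(open(r"C:\xampp\apache\conf\httpd.conf").read())`, path assumed) and keep in mind that, per the note at the top of this report, Apache must be restarted before any of these changes are live.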
1.28 OpenSSL/0.9.8i Outdated Version
OpenSSL/0.9.8i Outdated Version
Risk Rating: High Status: Open Port: 80
Finding:
During the penetration testing, it was observed that the outdated OpenSSL/0.9.8i is in use.
Recommendation
Update to the latest version (1.0.0o).
Reference:
Solution 1.28:
Upgrade the XAMPP version.
1.29 Mod_SSL/2.2.11 Outdated Version
Mod_SSL/2.2.11 Outdated Version
Risk Rating: High Status: Open Port: 80
Finding:
During the penetration testing, it was observed that the outdated Mod_SSL/2.2.11 is in use.
Recommendation
Update to the latest version.
Solution 1.29:
Upgrade the XAMPP version.
1.30 Information disclosure
Information Disclosure
Risk Rating: Info Status: Open Port:
Finding:
During the penetration testing, information disclosure was observed.


Risk Description
Information disclosure is when an application fails to properly protect sensitive information from
parties that are not supposed to have access to it under normal circumstances. These types of
issues are not exploitable in most cases, but are considered web application security issues
because they allow attackers to gather information which can be used later in the attack lifecycle
to achieve more than they could without it.
Recommendation
Reference:
https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/

1.31 phpinfo admin credentials Information disclosure
Phpinfo admin credentials Information disclosure
Risk Rating: Info Status: Open Port: 81
Finding:
During the penetration testing, it was observed that phpinfo discloses admin credentials.
Risk Description
Information disclosure is when an application fails to properly protect sensitive information from
parties that are not supposed to have access to it under normal circumstances. These types of
issues are not exploitable in most cases, but are considered web application security issues
because they allow attackers to gather information which can be used later in the attack lifecycle
to achieve more than they could without it.

Recommendation
Reference:
https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/

Solution 1.30, 1.31:
1.30: not present in the updated XAMPP version.
1.31: disabling phpinfo, as described in the earlier sections, will resolve this; in addition,
disable the ServerAdmin line in httpd.conf (put # at the start of the line).
