til Uni-C StaySolid it-sikkerhedstest Projektnummer: 10285

Transkript

1 RAPPORT til Uni-C StaySolid it-sikkerhedstest Projektnummer: 10285, 14 december version 3 StaySolid - grundig sikkerhedstest

2 Indhold Om denne rapport og FortConsult Overordnet konklusion FortConsults anbefalinger Test scope Prioritering af sårbarheder Statistisk oversigt til sikkerhedsvurdering Sårbarhedsindeks pr. host Ikke-teknisk beskrivelse af sårbarheder med kritisk prioritet English from here Overview of potential vulnerabilities Introduction to CVSS Details of potential vulnerabilities High priority Medium priority Low priority Informative notes System information Discovery results Other observations Test execution information Test methodology Følgende er elektronisk tilgængelig på vores kundeportal: - Sårbarhedsmanagement system - Rapport med oversigten over sårbarheder per host - Rapport med oversigten over sårbarheder per service - XML fil med action listen til intern behandling (kan importeres i Excel) FortConsult, Klar besked om it-sikkerhed Side 2

3 Om denne rapport og FortConsult Om denne rapport Denne rapport er resultatet af den StaySolid it-sikkerhedstest, som FortConsult har udført for Uni-C. Rapporten er inddelt i tre dele. Første del er executive summary indholdsfortegnelsen og denne introduktion. Anden del giver en konklusion på it-sikkerheden på de testede systemer hos Uni-C. Tredje del beskriver i detaljer, hvilke systemer der er testet, og hvilke sårbarheder FortConsult har identificeret på systemerne sammen med anbefalede tiltag for at lukke sikkerhedshullerne. Tredje del er altid på engelsk. Alle sårbarheder, beskrevet i denne rapport, er potentielle sårbarheder. Dvs. de bør holdes op mod Uni-Cs sikkerhedspolitik for at verificere, om de bør betragtes som reelle sårbarheder og for at prioritere de anbefalede tiltag. FortConsult behandler alle testresultater og metodikker med fuld fortrolighed - også efter at leverancen er udført. Rapporten må som udgangspunkt ikke udleveres til tredjepart uden forudgående aftale med FortConsult - ud over til den eksterne revision og de it-leverandører, som skal lukke evt. fundne sikkerhedshuller. FortConsult anvender bl.a. CVSS ( og CVE ( i sårbarhedsdetaljerne. Vi opfylder desuden udvalgte krav i henhold til OSSTMM-standarden. Om FortConsult FortConsults forretningsgrundlag er at hjælpe virksomheder med at opretholde en høj it-sikkerhed. Vi leverer løsninger og ydelser, der effektivt kan bidrage til at vurdere sikkerhedstruslerne og beskytte sig mod dem. FortConsults team af sårbarhedseksperter har udviklet en særdeles grundig testmetodik, som vi kalder StaySolid. Testen kan inkludere både automatiske og manuelle test, inspektion og analyser, og bruger desuden en af de mest omfattende sårbarhedsdatabaser i verden. FortConsult er certificeret af PCI Council til at udføre sikkerhedstjek af virksomheders kritiske betalingssystemer jævnfør PCI-standarden. For yderligere information om FortConsult se Vi kan kontaktes på telefon eller info@fortconsult.net. FortConsult, Klar besked om it-sikkerhed Side 3

4 Overordnet konklusion Sikkerhedsniveau: Medium (3) Dette er resultatet af den StaySolid it-sikkerhedstest, som FortConsult har udført for Uni-C. Formålet med testen var at fastslå sikkerhedsniveauet for to Uni-C's web-applikationer. indberetninger.uvm.dk og Testen er udført fra FortConsult's test lab for at simulere et ondsindet angreb fra Internettet og derudover blev testen udført med insider viden, som i dette tilfælde var brugernavn/kodeord til indberetninger.uvm.dk. FortConsult anvender 7 mulige sikkerhedsniveauer, hvor 1 er det laveste og 7 det højeste. Derudover har FortConsult inddelt disse niveauer i kategorierne lavt (1-2), medium (3-4), højt (5-6) og meget højt (7). Sikkerhedsniveauet gælder udelukkende for de testede systemer og applikationer og er baseret på de typer af trusler, FortConsult har testet for. FortConsult vurderer sikkerhedsniveauet til at være: Medium (3) Sikkerhedsniveauet er lidt under det niveau som det FortConsult generelt ser i Uni-C's markedssegment. Fortrolighed: Der er fundet sårbarheder, der gør brud på fortroligheden muligt. Integritet: Der er fundet sårbarheder, der gør brud på integriteten muligt. Tilgængelighed: De testede systemer og applikationer var ikke sårbare overfor Denial-of-Service (DoS) test (brud på tilgængeligheden). Ovenstående betyder, at de testede systemer og applikationer ikke er sikret tilstrækkeligt for at kunne modstå tilfældige og målrettede hackerangreb fra internettet. Se hovedårsagerne herunder. Det er hovedsageligt trækker sikkerhedsniveauet ned er de fundne sårbarheder på indberetninger.uvm.dk. Herunder er sårbarhederne for de to web applikationer overordnet beskrevet. indberetninger.uvm.dk: På serveren findes adskillige standard installations filer vedrørende Oracle applikation serveren. Det var også muligt at se kildekoden på udvalgte filer. Dette indikerer at der ikke er udført hardening af serveren efter endt installation. Disse installationsfiler giver en eventuel hacker detaljeret informationer(version, konfiguration og system detaljer) omkring systemet og alle kendte sårbarheder i eventuelle eksempel filer vil også være let tilgængelige. Den installerede version af Oracle applikation server er også forældet og indeholder dermed kendte sårbarheder. Dette indikerer manglende patch management af serveren. Der tillades login over ukrypteret forbindelser. Det er dog uvidst om disse bruges til noget. Det ukrypteret login gør det muligt, for en hacker med adgang til netværket, at opsnappe brugernavn og kodeord(dette gør brud på fortroligheden muligt). Da disse sendes i klar tekst over netværket. Ved testens start var det muligt at tilgå Barracuda Load balancer admin login side ved at tilgå HTTPS version af Adgangen til denne blev hutigt fjernet af Uni-C. Søge fuktionen på giver adgang til detaljeret informationer vedr. serveren. bl.a. den præcise version af Content-Management-System (CMS), som var forældet og dermed indeholdte kendte sårbarheder. Der tillades også login til dette CMS via ukrypteret forbindelser (dette gør brud på fortroligheden muligt). FortConsult, Klar besked om it-sikkerhed Side 4

5 FortConsults anbefalinger For at kunne hæve sikkerhedsniveauet, anbefaler FortConsult specifikt: Omgående handling: Fjerne alle standard installations filer fra produktions servere, så der ikke gives detaljeret informationer eller utilsigtet adgang gennem applikationen Opdatere Oracle applikations server til seneste version, for at undgå øget angrebsflade pga. allerede kendte sårbarheder Opdatere Sitecore CMS til seneste version, for at undgå øget angrebsflade pga. allerede kendte sårbarheder Sikre at der ikke kan findes utilsigtet data via søgefukntionen på så der ikke utilsigtet gives følsomme informationer om systemet Sikre at alle login foretages over krypteret(https) forbindelser, så muligheden for evt. opsnapning af hacker på samme netværk fjernes Langsigtede handlinger: Opdatere patch management med Oracle applikations server, så denne altid sikre at køre seneste version og alle nye sårbarheder dermed bliver lukket med det samme Opdatere patch management med Content-Management-System, så denne altid sikre at køre seneste version og alle nye sårbarheder dermed bliver lukket med det samme Opdatere hardening procedure, så den også omfatter fjernelse af test filer og standard installations filer, så disse ikke igen bliver "glemt" på produktionsservere Afsnittet "Overview of potential vulnerabilities" giver en oversigt over alle punkter, som kræver handling. FortConsult, Klar besked om it-sikkerhed Side 5

6 Test scope De(t) inkluderede system(er) er blevet testet for de nedenstående trusselsniveauer, som ikke er streget over og grå. Niveau 1 - Tilfældige og elementære angreb Test for tilfældige og elementære angreb fra amatør hackere, virus og orme omfatter følgende: Sikkerhedstest med automatiserede værktøjer på både infrastruktur-, platform- og applikationsniveau Manuel verifikation og fjernelse af falske positive Niveau 2 - Målrettede angreb Test for Målrettede angreb fra professionelle hackere omfatter følgende: Sikkerhedstest med automatiserede værktøjer på både infrastruktur-, platform- og applikationsniveau (i webapplikationstest, er det kun sidstnævnte, som udføres) Manuel verifikation og fjernelse af falske positive Udnyttelse af såbarheder Check af falske negative Manuelle og kreative test Brugeroprettelse på web sites (hvis der er mulighed for at oprette brugere på web applikationen, vil vi gennemføre denne proces og checke funktionaliteten omkring dette. I niveau 2 testes ikke den applikation, man får adgang til efter man logger ind.) Niveau 3 - Målrettede angreb med insider viden Test for målrettede angreb med insider viden omfatter følgende: Sikkerhedstest med automatiserede værktøjer på både infrastruktur-, platform- og applikationsniveau (i webapplikationstest, er det kun sidstnævnte, som udføres) Manuel verifikation og fjernelse af falske positive Udnyttelse af såbarheder Check af falske negative Manuelle og kreative test Brugeroprettelse på web sites (hvis der er mulighed for at oprette brugere på web applikationen, vil vi gennemføre denne proces og checke funktionaliteten omkring dette. I niveau 2 testes ikke den applikation, man får adgang til efter man logger ind.) Plus én eller flere af de følgende punkter: Web applikation test med login Gennemførsel af købsproces Inspektion af firewall/router regelsæt Sourcekode review af applikationer FortConsult, Klar besked om it-sikkerhed Side 6

7 Nedenstående oversigt viser hvilket trusselsniveau hvert system er blevet testet på. indberetninger.uvm.dk ( ) Niveau 1 Niveau 2 Niveau 3 ( ) FortConsult, Klar besked om it-sikkerhed Side 7

8 FortConsults vurdering af test scopet Som nævnt i den overordnede konklusion, gælder sikkerhedsniveauet de systemer og applikationer, som har været en del af testen (scope). Testens formål Formålet med penetrationstesten var at fastslå sikkerhedsniveauet for: to udvalgte webapplikationer. Scope udtalelse Når man holder de testede systemer og formålet for testen sammen, mener FortConsult, at alle de systemer, som er nødvendige for at fastslå sikkerhedsniveauet, er inkluderet i testen. FortConsult, Klar besked om it-sikkerhed Side 8

9 Prioritering af sårbarheder Proces for hver sårbarhed 1. Tag stilling til om I er enige i FortConsults anbefalede prioritering. Basér jeres vurdering på hvad konsekvensen for jeres forretning er, ved at sårbarheden bliver udnyttet, og hvor kritiske de systemer er, som sårbarheden er fundet på. 2. Planlæg nødvendige actions. Se de anbefalede actions nedenunder og vurdér, om I er enige. Justér actions om nødvendigt. Critical priority Anbefalet action: Omgående rettelse Hvis systemet er i drift, bør det overvejes, om det skal suspenderes indtil sårbarheden er rettet. Gå straks i gang med at rette sårbarheden efter gældende regler i virksomheden. High priority Anbefalet action: Omgående vurdering Beslut om sårbarheden skal rettes omgående eller hvor lang tid det evt. kan vente. Sæt en deadline, hvis der ventes. Medium priority Anbefalet action: Rettes ved næste service vindue Rettelsen skrives op på planen over opgaverne i næste service vindue. Low priority Anbefalet action: Rettes eventuelt ved næste større opdatering Vurdér, om det er muligt og giver mening at rette sårbarheden. Rettelsen skrives op på planen over opgaverne for næste større opdatering. Informative noter Anbefalet action: Ingen Nedenunder finder I en beskrivelse af, hvordan FortConsult kommer frem til den anbefalede prioritet for hver sårbarhed. Prioriteten vurderes baseret på flg. kriterier: Kriterium 1: Sårbarhedens generelle konsekvens (bl.a. baseret på CVSS base score). Kriterium 2: Det trusselsniveau sårbarheden forventes udnyttet i: 1. Elementære angreb (orme og amatørhackere) Stor sandsynlighed for udnyttelse. 2. Målrettede angreb (dygtige hackere) Mindre sandsynlighed for udnyttelse. 3. Målrettede angreb med insider viden (dygtige hackere, medarbejdere, samarbejdspartnere) Lille sandsynlighed for udnyttelse. Kriterium 3: FortConsult's kundespecifikke vurdering af den mulige konsekvens ved at sårbarheden udnyttes. FortConsult, Klar besked om it-sikkerhed Side 9

10 Statistisk oversigt til sikkerhedsvurdering Statistik på testudførslen system(er) eller IP-adresse(r) testet potentiel(le) sårbarhed(er) fundet 12 unik(ke) sårbarhed(er) fundet Prioritetsfordeling FortConsult anbefaler en prioritering på hver sårbarhed, der er fundet. Se rapportens appendiks for at se hvordan FortConsult når frem til prioriteterne og hvilke actions vi anbefaler for hver prioritet. Fordelingen er som følgende: 0 Sårbarhed(er) med critical priority Sårbarhed(er) med high priority Sårbarhed(er) med medium priority Sårbarhed(er) med low priority 3 Informativ(e) note(r) Statistisk sammenligning Statistikken er baseret på de unikke sikkerhedstest, som FortConsult har udført i de nævnte segmenter de seneste 2 år. Segment Sikkerhedsniveau All segments (377 tests) Medium (4) Public Sector (34 tests) Medium (4) This test Medium (3) FortConsult, Klar besked om it-sikkerhed Side 10

11 Sårbarhedsindeks pr. host Dette er en indekseret liste over de testede systemer baseret på fundne sårbarheder. Sårbarhedernes prioriteringsniveau er indekseret på følgende måde: - Kritisk prioritet: Høj prioritet: Medium prioritet: 10 - Lav prioritet: 1 For eksempel vil en host med 1 kritisk-, 2 høj-, 3 medium- og 5 lav-prioritet sårbarheder få en indeks på (1x1000) + (2x100) + (3x10) + (5x1) = Segment: Internet Indeks indberetninger.uvm.dk, FortConsult, Klar besked om it-sikkerhed Side 11

12 Ikke-teknisk beskrivelse af sårbarheder med critical priority Der blev ikke fundet nogle sårbarheder med kritisk prioritet FortConsult, Klar besked om it-sikkerhed Side 12

13 Overview of potential vulnerabilities High priority Segment: Internet indberetninger.uvm.dk, Oracle application server version outdated ID: 2 - Page 19 Port: TCP 80 URL: CMS system not latest version ID: 1 - Page 17 Port: TCP 80 URL: Medium priority Segment: Internet indberetninger.uvm.dk, Sample, help or default installation files present on Web server ID: 3 - Page 20 Port: URL: Sample, help or default installation files present on Web server ID: 4 - Page 20 Port: TCP 80 URL: Sample, help or default installation files present on Web server ID: 5 - Page 21 Port: TCP 80 URL: Sample, help or default installation files present on Web server ID: 6 - Page 22 Port: TCP 80 URL: Sample, help or default installation files present on Web server ID: 7 - Page 23 Port: TCP 80 URL: Sample, help or default installation files present on Web server ID: 8 - Page 24 Port: TCP 443 URL: Sample, help or default installation files present on Web server ID: 9 - Page 24 Port: TCP 443 URL: Source code disclosure ID: 11 - Page 26 Port: TCP 80 URL: FortConsult, Klar besked om it-sikkerhed Side 13

14 indberetninger.uvm.dk, Source code disclosure ID: 12 - Page 26 Port: TCP 80 URL: Web server allows unencrypted authentication ID: 13 - Page 28 Port: TCP 80 URL: Web server allows unencrypted authentication ID: 14 - Page 28 Port: TCP 443 URL: Search function includes excessive information ID: 10 - Page 25 Port: TCP 443 URL: Web server allows unencrypted authentication ID: 15 - Page 29 Port: TCP 80 URL: Low priority Segment: Internet indberetninger.uvm.dk, HTTP TRACK and/or TRACE method enabled ID: 17 - Page 32 Port: TCP 80 URL: HTTP TRACK and/or TRACE method enabled ID: 18 - Page 32 Port: TCP 443 URL: Script on untested server ID: 19 - Page 32 Port: TCP 80 URL: Set-Cookie does not use HTTPOnly Keyword ID: 20 - Page 33 Port: TCP 80 URL: SSL Missing Secure Attribute in Encrypted Session Cookie ID: 21 - Page 34 Port: TCP 443 URL: AutoComplete Attribute Not Disabled for Password ID: 16 - Page 31 Port: TCP 80 URL: Unexpected services found ID: 22 - Page 35 Port: TCP 443 URL: FortConsult, Klar besked om it-sikkerhed Side 14

15 Informative notes Segment: Internet indberetninger.uvm.dk, addresses disclosed ID: 23 - Page 36 Port: TCP 443 URL: addresses disclosed ID: 24 - Page 36 Port: TCP 443 URL: addresses disclosed ID: 25 - Page 37 Port: TCP 80 URL: FortConsult, Klar besked om it-sikkerhed Side 15

16 Introduction to CVSS Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilites, so efforts can be prioritized. The score is based on a series of measurements (called metrics) based on expert assessment. For more information refer to: Base metrics 1. Is the vulnerability exploitable remotely? 2. How complex must an attack be to exploit the vulnerability? 3. Is authentication required to attack? 4. Does the vulnerabilty expose confidential data? 5. Can attacking the vulnerability damage the integrity of the system? 6. Does it impact availability of the system? Temporal metrics 1. Is there a functional exploit? 2. Does a fix, work-around etc. exist? 3. How certain is the vulnerability's existence. Environmental metrics 1. Potential to cause collateral damage. 2. How many systems (or how much of a system) does the vulnerability impact. NOTE: Currently FortConsult does not utilize the environmental metric. FortConsult, Klar besked om it-sikkerhed Side 16

17 Details of potential vulnerabilities High priority CMS system not latest version 1. General Description The CMS system used is not running the latest version released by the vendor. This version contain several vulnerabilities. 2. Corrective actions Update the CMS system to the latest version. Threat information Suggested priority: High priority CVSS Base Score: 10 CVSS Temporal Score: 8,3 Threat level: Targeted attacks (level 2) Vector: AV:N/AC:L/AU:N/C:C/I:C/A:C Vector: E:F/RL:OF/RC:C Other information CVE: Category: CVE Unknown Custom Web application Detailed information Host: on Internet Port: tcp 80 URL: ID: 1 FortConsult, Klar besked om it-sikkerhed Side 17

18 CMS system not latest version Installed version: (Released October 3, 2011) (fingerprintet via search function) Latest version: rev (Released November 12, 2012) Fixed vulnerabilities in release Sitecore CMS and DMS rev (6.6.0 Update-1). Link: V5/Sitecore CMS 6/ReleaseNotes/ChangeLog/Release History SC66.aspx Potential security vulnerabilities The Sitecore login page did not prevent search engines from indexing the content of the login page. This could allow people to identify solutions running Sitecore. To prevent this, the Sitecore login page now contains a meta tag to prevent robots from indexing the contents. (373127) Also mentioned later in this report Fixed vulnerabilities in release Sitecore CMS rev (6.5.0 Update-6) and DMS rev Link: V5/Sitecore CMS 6/ReleaseNotes/ChangeLog/Release History SC65.aspx Potential security vulnerabilities By using specially crafted requests, an unauthenticated user would be able to determine the existence of local files on the server if they knew the path to the files. The likelihood of this issue being exploited is however considered unlikely, as it requires a significant degree of technical skills and the issue did not appear to permit the retrieval of the contents of files on the server. (361214) The Upload Wizard that can be opened from the Install Wizard could be used to upload non-zip files to the /packages folder. The wizard now checks that files have a.zip extension. (366007) In the Engagement Automation Supervisor, the "Add from CSV File" wizard could be used to upload non- CSV files to the /temp folder. The wizard now checks that files have a.csv extension and will store the uploaded file under a random name in the /temp folder. (363051) A potential JavaScript injection vulnerability has been fixed in the Page Editor ribbon. (364151) A potential cross-site scripting vulnerability has been fixed in the Engagement Analytics report runner. (363059) Unauthenticated users could get access to see a number of configuration parameters for the Executive Dashboard if they knew the correct URLs. (363091) Unauthenticated users could get access to a number of applications and dialogs in Sitecore if they knew the URL of the applications. (363051) Fixed vulnerabilities in release Sitecore CMS rev (6.4.1 Update-6). Link: V5/Sitecore CMS 6/ReleaseNotes/ChangeLog/Release History SC64.aspx Potential security vulnerabilities Unauthenticated users could download unpublished media files from the Sitecore media library by appending a "sc_mode=preview" query string parameter to the media URL. This vulnerability could only be exploited if the Sitecore solution was connected to the "master" database and if outside users knew or were able to guess the URL to one or more media files. This issue has been fixed. (353347) A potential URL redirection vulnerability in the LoginUsers XAML control has been fixed. The control no longer allows redirects to external, possibly malicious, websites. (346109) Authenticated users that did not normally have sufficient permissions could create user accounts by opening the CreateNewUser.aspx directly in their browser. The created user accounts would however not have any role assignments, and could therefore not be used to log in to Sitecore or to escalate user permissions. (352997) In case of a username/password mismatch, the Change Password page would prefix the username with the domain name of the user account if the user name existed. This could potentially be used to enumerate user names and/or as part of a brute force attack on one or more accounts. The Change Password page will no longer change the text in the user name field in such cases. (352344) A potential cross-site scripting vulnerability has been fixed in the Set Password XAML control. (351452) A potential cross-site scripting vulnerability has been fixed in the Template Builder. (351093) A potential cross-site scripting vulnerability has been fixed in the Rich Text Editor. As described in the "Important Changes" section above, the Rich Text Editor is now configured to remove script tags from rich text field values before saving. (350967, , ) Oracle application server version outdated FortConsult, Klar besked om it-sikkerhed Side 18

19 Oracle application server version outdated 1. General Description The Oracle application server version is outdated. This version possibly contains various serious security problems and should not be used. See vulnerabilities for different versions here: Server.html 2. Corrective actions Upgrade the Oracle Application server to latest version. Threat information Suggested priority: High priority CVSS Base Score: 10 Vector: AV:N/AC:L/AU:N/C:C/I:C/A:C CVSS Temporal Score: 8,3 Vector: E:F/RL:OF/RC:C Threat level: Elementary/Coincidental attacks (level 1) Other information CVE: Category: CAN CAN CAN CAN Databases Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 2 Server fingerprintet as: Oracle-Application-Server-10g/ (Released in 2005) The following vulnerabilities is some of the publily known in the installed version, but because of many later releases it contains a lot more: FortConsult has not been able to obtain an wokring exploit. Oracle has released 29 Critical Patch Updates since the installed release date! FortConsult, Klar besked om it-sikkerhed Side 19

20 Medium priority Sample, help or default installation files present on Web server 1. General Description Sample, help or default installation files are found on the web server. These files often include functionality not intended for a production website such as excessive system information or programs which are not secure. Default installations and sample file are often vulnerable for buffer overflows, Cross-Site Scripting, SQL injection etc., due to lack of input validation. 2. Corrective actions Delete the sample files and ensure that a minimum security baseline has been applied to the system to ensure a basic level of hardening. On Microsoft IIS, make sure that the following is removed: iissamples, iisadmin, iishelp, printers On Apache, remove the directory called "manual" from the web root. Threat information Suggested priority: Medium priority CVSS Base Score: 6,4 Vector: AV:N/AC:L/AU:N/C:P/I:P/A:N CVSS Temporal Score: 5,6 Vector: E:H/RL:OF/RC:C Threat level: Elementary/Coincidental attacks (level 1) Other information CVE: Category: CVE Unknown Not categorized Detailed information Host: indberetninger.uvm.dk, on Internet Port: URL: ID: 3 See examples for for HTTP. Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 4 FortConsult, Klar besked om it-sikkerhed Side 20

21 Sample, help or default installation files present on Web server URL: ID: 5 FortConsult, Klar besked om it-sikkerhed Side 21

22 Sample, help or default installation files present on Web server URL: ID: 6 FortConsult, Klar besked om it-sikkerhed Side 22

23 Sample, help or default installation files present on Web server URL: ID: 7 FortConsult, Klar besked om it-sikkerhed Side 23

24 Sample, help or default installation files present on Web server Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 443 URL: ID: 8 See examples for for HTTP. URL: ID: 9 See examples for for HTTP. Search function includes excessive information 1. General Description A search function on the web site includes and returns excessive information not relevant to the web pages e.g. java classes, source code and product documentation. 2. Corrective actions Remove this type of files from the website itself or the search function. Threat information Suggested priority: Medium priority CVSS Base Score: 5 Vector: AV:N/AC:L/AU:N/C:P/I:N/A:N CVSS Temporal Score: 4,1 Vector: E:F/RL:OF/RC:C Threat level: Elementary/Coincidental attacks (level 1) Other information CVE: CVE Unknown FortConsult, Klar besked om it-sikkerhed Side 24

25 Search function includes excessive information Category: Custom Web application Detailed information Host: on Internet Port: tcp 443 URL: ID: 10 This in general vulnerability in the CMS, Sitecore has fixed this vulnerability in the release: Sitecore CMS and DMS rev (6.6.0 Update-1). Source code disclosure FortConsult, Klar besked om it-sikkerhed Side 25

26 Source code disclosure 1. General Description Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application. 2. Corrective actions Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening. Threat information Suggested priority: Medium priority CVSS Base Score: 5 Vector: AV:N/AC:L/AU:N/C:P/I:N/A:N CVSS Temporal Score: N/A Vector: N/A Threat level: Targeted attacks with insider knowledge (level 3) Other information CVE: Category: CVE Unknown Not categorized Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 11 URL: ID: 12 FortConsult, Klar besked om it-sikkerhed Side 26

27 Source code disclosure Web server allows unencrypted authentication 1. General Description Using clear text usernames/passwords to protect web resources and data gives a very minimal user authentication. The authentication information can be captured by anyone between the browser and the web server and misused. The availability to enter username and password encourages password guessing attacks and should be avoided whenever possible. 2. Corrective actions Use SSL and/or HTTPS to enhance the user authentication and provide better user protection. Threat information Suggested priority: Medium priority CVSS Base Score: 4,3 CVSS Temporal Score: 3,7 Threat level: Targeted attacks (level 2) Vector: AV:N/AC:M/AU:N/C:P/I:N/A:N Vector: E:ND/RL:OF/RC:C Other information CVE: CVE Unknown FortConsult, Klar besked om it-sikkerhed Side 27

28 Web server allows unencrypted authentication Category: Web server Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 13 Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 443 URL: ID: 14 FortConsult, Klar besked om it-sikkerhed Side 28

29 Web server allows unencrypted authentication From source code> <form name ="loginform" action=" method="post" AutoComplete="off"> <input name="site2pstoretoken" type="hidden" value =""> <input name="password" type="hidden" value =""> <table> Detailed information Host: on Internet Port: tcp 80 URL: ID: 15 FortConsult, Klar besked om it-sikkerhed Side 29

30 Web server allows unencrypted authentication FortConsult, Klar besked om it-sikkerhed Side 30

31 Low priority AutoComplete Attribute Not Disabled for Password 1. General Description The Web server allows form based authentication without disabling the AutoComplete feature for the password field. The passwords entered by one user could be stored by the browser and retrieved for another user using the browser. 2. Corrective actions Disable AutoComplete on your login forms by adding the autocomplete='off' attribute in the application's source code. The AutoComplete attribute should be disabled for both the user ID and password fields. Threat information Suggested priority: Low priority CVSS Base Score: N/A CVSS Temporal Score: N/A Threat level: Targeted attacks (level 2) Vector: N/A Vector: N/A Other information CVE: Category: CVE Unknown Custom Web application Detailed information Host: on Internet Port: tcp 80 URL: ID: 16 From source code: <input name="main_0$contentcontext_0$loginbox$password" type="password" id="main_0_contentcontext_0_loginbox_password" /> HTTP TRACK and/or TRACE method enabled 1. General Description TRACE is a HTTP method available in version 1.1 of HTTP. This method is usually available by default on HTTP servers. The purpose of this method is to echo client requests. Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. This method can be used to retrieve information sent by the client in the HTTP headers. As browsers do not support methods other than GET and POST, special techniques are required to exploit the vulnerability like the use of ActiveX. Note that this vulnerability depends on a browser behaving in a way it normally doesn't. Consequently, this is not considered a serious issue, while "normal" Cross-Site Scripting is a serious issue. 2. Corrective actions Disable these methods. For Apache, use the mod_rewrite module available from to deny TRACE use the following: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule.* - [F] For Microsoft IIS, use URL Scan for instance. This tool is available at Threat information FortConsult, Klar besked om it-sikkerhed Side 31

32 HTTP TRACK and/or TRACE method enabled Suggested priority: Low priority CVSS Base Score: 2,6 Vector: AV:N/AC:H/AU:N/C:P/I:N/A:N CVSS Temporal Score: 2,1 Vector: E:F/RL:OF/RC:C Threat level: Elementary/Coincidental attacks (level 1) Other information CVE: Category: CVE Web server Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 17 Request: TRACE / HTTP/1.0 Host: indberetninger.uvm.dk Cookie: ed77397a6697a543 Response: HTTP/ OK Content-Type: message/http Connection: Close Server: Oracle-Application-Server-10 Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 443 URL: ID: 18 Same as previous. Script on untested server 1. General Description When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user. If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application. 2. Corrective actions You should make sure that the script is run on a security tested server or optionally move it to your own server. Threat information Suggested priority: Low priority CVSS Base Score: N/A Vector: N/A CVSS Temporal Score: N/A Vector: N/A Threat level: Elementary/Coincidental attacks (level 1) Other information CVE: Category: CVE Unknown Not categorized Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: FortConsult, Klar besked om it-sikkerhed Side 32

33 Script on untested server ID: 19 The response dynamically includes the following script from another domain: Set-Cookie does not use HTTPOnly Keyword 1. General Description The web application does not utilize HTTP only cookies. This is a security feature introduced by Microsoft to decrease the risk of a successful cross-site scripting attack by not allowing cookies with the HTTP only attribute to be accessed via client-side scripts. Using the HTTPOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it). If the HTTPOnly flag is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party. If a browser does not support HTTPOnly and a website attempts to set an HTTPOnly cookie, the HTTPOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. More information: 2. Corrective actions Recommendations include adopting a development policy that includes the utilization of HTTP only cookies, and performing other actions such as ensuring proper filtration of user-supplied data, utilizing client-side validation of user supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed. More information: Threat information Suggested priority: Low priority CVSS Base Score: 4,3 CVSS Temporal Score: 3,6 Threat level: Targeted attacks (level 2) Vector: AV:N/AC:M/AU:N/C:N/I:P/A:N Vector: E:F/RL:OF/RC:C Other information CVE: Category: CVE Unknown Custom Web application Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 80 URL: ID: 20 The following cookies were issued by the application and do not have the HttpOnly flag set: ORA_WX_SESSION=B28BBABF9EA3A6BC62C4928C847176CA40AC600D-0#1-1#2; path=/ JSESSIONID= 8c4a7af67e c690fbb522104b72464f0f83c3c2c6da2c5f52be1c3807f.e34Oa30Mb3iSc40NbxeRb NiPchb0n6jAmljGr5XDqQLvpAe; path=/discoverer; secure disconsu=619f4a345bcfb37fa59891c0c0d e9b08cd0e0dc2d75de24149ee6deb2913c9fc6e ; expires=wed, 13-Nov :03:03 GMT; path=/discoverer The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. SSL Missing Secure Attribute in Encrypted Session Cookie FortConsult, Klar besked om it-sikkerhed Side 33

34 SSL Missing Secure Attribute in Encrypted Session Cookie 1. General Description It was detected that the tested web application set a cookie without the "secure" attribute, during an encrypted session. Since this cookie does not contain the "secure" attribute, it might also be sent to the site during an unencrypted session. Any information such as cookies, session tokens or user credentials that are sent to the server as clear text, may be stolen and used later for identity theft or user impersonation. In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site. More information: 2. Corrective actions Make sure that sensitive cookies, which are sent over an encrypted connection to the server, are set with the "secure" attribute. Threat information Suggested priority: Low priority CVSS Base Score: 4,3 CVSS Temporal Score: 3,6 Threat level: Targeted attacks (level 2) Vector: AV:N/AC:M/AU:N/C:P/I:N/A:N Vector: E:F/RL:OF/RC:C Other information CVE: Category: CVE Unknown Custom Web application Detailed information Host: indberetninger.uvm.dk, on Internet Port: tcp 443 URL: ID: 21 The following cookie was issued by the application and does not have the secure flag set: ORA_WX_SESSION=B28BBABF9EA3A6BC62C4928C847176CA40AC600D-0#1-1#2; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. Response: HTTP/ OK Cache-Control: no-store Content-Type: text/html Set-Cookie: ORA_WX_SESSION=B28BBABF9EA3A6BC62C4928C847176CA40AC600D-0#1-1#2; path=/ Unexpected services found 1. General Description Unexpected services were found on the host. A port scan has revealed services which were not expected in relation to the documented functions or services on the host, or a service was found which is not normally used on hosts connected to the Internet. An attacker could use the unexpected services to gain unauthorized access to the system. 2. Corrective actions Disable all services that are not absolutely necessary. Threat information Suggested priority: Low priority CVSS Base Score: N/A CVSS Temporal Score: N/A Threat level: N/A Vector: N/A Vector: N/A FortConsult, Klar besked om it-sikkerhed Side 34

35 Unexpected services found Other information CVE: Category: CVE Unknown General remote services Detailed information Host: on Internet Port: tcp 443 URL: ID: 22 Barracuda load balancer was accessable via this url. NB! Uni-C has during the test removed access to this. FortConsult, Klar besked om it-sikkerhed Side 35