diff --git a/docs/content/en/integrations/parsers/file/openvas_xml.md b/docs/content/en/integrations/parsers/file/openvas_xml.md
new file mode 100644
index 00000000000..c361a1c44b0
--- /dev/null
+++ b/docs/content/en/integrations/parsers/file/openvas_xml.md
@@ -0,0 +1,5 @@
+---
+title: "OpenVAS XML"
+toc_hide: true
+---
+Import Greenbone OpenVAS Scan in XML format. Export as XML Results on OpenVAS.
diff --git a/dojo/tools/openvas_xml/__init__.py b/dojo/tools/openvas_xml/__init__.py
new file mode 100644
index 00000000000..99e8e118c6a
--- /dev/null
+++ b/dojo/tools/openvas_xml/__init__.py
@@ -0,0 +1 @@
+__author__ = "manuel_sommer"
diff --git a/dojo/tools/openvas_xml/parser.py b/dojo/tools/openvas_xml/parser.py
new file mode 100755
index 00000000000..65449e8c812
--- /dev/null
+++ b/dojo/tools/openvas_xml/parser.py
@@ -0,0 +1,68 @@
+from xml.dom import NamespaceErr
+from defusedxml import ElementTree as ET
+from dojo.models import Finding
+
+
+class OpenVASXMLParser(object):
+ def get_scan_types(self):
+ return ["OpenVAS XML"]
+
+ def get_label_for_scan_types(self, scan_type):
+ return scan_type # no custom label for now
+
+ def get_description_for_scan_types(self, scan_type):
+ return "Import XML output of Greenbone OpenVAS XML report."
+
+ def convert_cvss_score(self, raw_value):
+ val = float(raw_value)
+ if val == 0.0:
+ return "Info"
+ elif val < 4.0:
+ return "Low"
+ elif val < 7.0:
+ return "Medium"
+ elif val < 9.0:
+ return "High"
+ else:
+ return "Critical"
+
+ def get_findings(self, file, test):
+ findings = []
+ tree = ET.parse(file)
+ root = tree.getroot()
+ if "report" not in root.tag:
+ raise NamespaceErr(
+ "This doesn't seem to be a valid Greenbone OpenVAS xml file."
+ )
+ report = root.find("report")
+ results = report.find("results")
+ for result in results:
+ for finding in result:
+ if finding.tag == "name":
+ title = finding.text
+ description = [f"**Name**: {finding.text}"]
+ if finding.tag == "host":
+ title = title + "_" + finding.text
+ description.append(f"**Host**: {finding.text}")
+ if finding.tag == "port":
+ title = title + "_" + finding.text
+ description.append(f"**Port**: {finding.text}")
+ if finding.tag == "nvt":
+ description.append(f"**NVT**: {finding.text}")
+ if finding.tag == "severity":
+ severity = self.convert_cvss_score(finding.text)
+ description.append(f"**Severity**: {finding.text}")
+ if finding.tag == "qod":
+ description.append(f"**QOD**: {finding.text}")
+ if finding.tag == "description":
+ description.append(f"**Description**: {finding.text}")
+
+ finding = Finding(
+ title=str(title),
+ description="\n".join(description),
+ severity=severity,
+ dynamic_finding=True,
+ static_finding=False
+ )
+ findings.append(finding)
+ return findings
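Review bot: In get_findings the per-result state (`title`, `description`, `severity`) is never reset between iterations of `for result in results:`, so a `<result>` without a `<name>` or `<severity>` child either raises UnboundLocalError on the first result or silently inherits the previous result's values, and `str(title)` turns a missing title into the literal text "None". Initialise them at the top of the outer loop, `title, description, severity = None, [], "Info"`, and skip results with `if title is None: continue` before building the Finding. `title = title + "_" + finding.text` also assumes `<name>` precedes `<host>`/`<port>` in document order and that `.text` is not None; composing the title from the collected fields after the inner loop would remove both assumptions. `report.find("results")` returning None (a report with no results element) makes the `for` raise TypeError instead of returning an empty list, so a guard like `if results is None: return findings` keeps the empty-report case clean. Reusing the loop variable `finding` for the Finding instance shadows the element it iterates and is worth renaming.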
diff --git a/unittests/scans/openvas_xml/many_vuln.xml b/unittests/scans/openvas_xml/many_vuln.xml
new file mode 100644
index 00000000000..855d3008cbe
--- /dev/null
+++ b/unittests/scans/openvas_xml/many_vuln.xml
@@ -0,0 +1,512 @@ +gpsmetasploitable2-scan2023-09-29T11:36:37.717132Z00metasploitable2-scanXML9.0descendingseverityapply_overrides=0 levels=hml rows=-1 min_qod=70 first=1 sort-reverse=severity notes=1 overrides=1nistNVD Vulnerability Severity RatingsNone0.00.0Low0.13.9Medium4.06.9High7.010.0Done1044000metasploitable2-scan0Target100.00Network Source Interfacesource_iface2023-09-26T10:50:34Z2023-09-26T10:50:34ZCoordinated Universal TimeUTC44512/tcp{v1}e2eec5b536a10.0High1524/tcp{v1}e2eec5b536a10.0High8787/tcp{v1}e2eec5b536a10.0Highgeneral/tcp{v1}e2eec5b536a10.0High80/tcp{v1}e2eec5b536a10.0High3632/tcp{v1}e2eec5b536a9.3High5900/tcp{v1}e2eec5b536a9.0High5432/tcp{v1}e2eec5b536a9.0High6667/tcp{v1}e2eec5b536a8.1High6697/tcp{v1}e2eec5b536a8.1High21/tcp{v1}e2eec5b536a7.5High80/tcp{v1}e2eec5b536a7.5High21/tcp{v1}e2eec5b536a7.5High2121/tcp{v1}e2eec5b536a7.5High80/tcp{v1}e2eec5b536a7.5High80/tcp{v1}e2eec5b536a7.5High22/tcp{v1}e2eec5b536a7.5High6200/tcp{v1}e2eec5b536a7.5High5432/tcp{v1}e2eec5b536a7.4High80/tcp{v1}e2eec5b536a6.8Medium21/tcp{v1}e2eec5b536a6.4Medium80/tcp{v1}e2eec5b536a6.1Medium80/tcp{v1}e2eec5b536a6.1Medium80/tcp{v1}e2eec5b536a6.0Medium445/tcp{v1}e2eec5b536a6.0Medium5432/tcp{v1}e2eec5b536a5.9Medium80/tcp{v1}e2eec5b536a5.8Medium22/tcp{v1}e2eec5b536a5.3Medium22/tcp{v1}e2eec5b536a5.3Medium5432/tcp{v1}e2eec5b536a5.0Medium80/tcp{v1}e2eec5b536a5.0Medium5432/tcp{v1}e2eec5b536a5.0Medium80/tcp{v1}e2eec5b536a5.0Medium80/tcp{v1}e2eec5b536a4.8Medium5900/tcp{v1}e2eec5b536a4.8Medium21/tcp{v1}e2eec5b536a4.8Medium2121/tcp{v1}e2eec5b536a4.8Medium5432/tcp{v1}e2eec5b536a4.3Medium80/tcp{v1}e2eec5b536a4.3Medium80/tcp{v1}e2eec5b536a4.3Medium22/tcp{v1}e2eec5b536a4.3Medium80/tcp{v1}e2eec5b536a4.3Medium5432/tcp{v1}e2eec5b536a4.05432/tcp{v1}e2eec5b536a4.0{v1}467e39e554agps2023-09-29T11:36:37.717168Z{v1}e2eec5b536a{v1}b6b9f466d63512/tcpnvtThe rexec service is runningUseless services10.0summary=This remote host is running a rexec service.|insight=rexec (remote execution client for an exec 
server) has the same + kind of functionality that rsh has: you can execute shell commands on a remote computer. + + The main difference is that rexec authenticate by reading the username and password *unencrypted* + from the socket.|qodType=remote_banner|solution=Disable the rexec service and use alternatives like SSH +instead.|solution_type=Mitigation|impact=|affected=High10.080remote_bannerThe rexec service was detected on the target system. +High5{v1}530765cf437gps2023-09-29T11:36:37.717208Z{v1}e2eec5b536a{v1}b6b9f466d631524/tcpnvtPossible Backdoor: IngreslockGain a shell remotely10.0summary=A backdoor is installed on the remote host.|insight=|qodType=remote_vul|solution=A whole cleanup of the infected system is recommended.|solution_type=Workaround|impact=Attackers can exploit this issue to execute arbitrary commands in the + context of the application. Successful attacks will compromise the affected isystem.|affected=High10.099remote_vulThe service is answering to an 'id;' command with the following response: uid=0(root) gid=0(root) +High5{v1}5f5c7518c92gps2023-09-29T11:36:37.717216Z{v1}e2eec5b536a{v1}b6b9f466d638787/tcpnvtDistributed Ruby (dRuby/DRb) Multiple Remote Code Execution VulnerabilitiesGain a shell remotely10.0summary=Systems using Distributed Ruby (dRuby/DRb), which is available in Ruby versions 1.6 +and later, may permit unauthorized systems to execute distributed commands.|insight=|qodType=remote_vul|solution=Administrators of environments that rely on Distributed Ruby should ensure that +appropriate controls are in place. 
Code-level controls may include: + +- Implementing taint on untrusted input + +- Setting $SAFE levels appropriately (>2 is recommended if untrusted hosts are allowed to submit Ruby commands, and >3 may be appropriate) + +- Including drb/acl.rb to set ACLEntry to restrict access to trusted hosts|solution_type=Mitigation|impact=By default, Distributed Ruby does not impose restrictions on allowed hosts or set the + $SAFE environment variable to prevent privileged activities. If other controls are not in place, especially if the + Distributed Ruby process runs with elevated privileges, an attacker could execute arbitrary system commands or Ruby + scripts on the Distributed Ruby server. An attacker may need to know only the URI of the listening Distributed Ruby + server to submit Ruby commands.|affected=High10.099remote_vulThe service is running in $SAFE >= 1 mode. However it is still possible to run arbitrary syscall commands on the remote host. Sending an invalid syscall the service returned the following response: + +Flo:Errno::ENOSYS:bt["3/usr/lib/ruby/1.8/drb/drb.rb:1555:in `syscall'"0/usr/lib/ruby/1.8/drb/drb.rb:1555:in `send'"4/usr/lib/ruby/1.8/drb/drb.rb:1555:in `__send__'"A/usr/lib/ruby/1.8/drb/drb.rb:1555:in `perform_without_block'"3/usr/lib/ruby/1.8/drb/drb.rb:1515:in `perform'"5/usr/lib/ruby/1.8/drb/drb.rb:1589:in `main_loop'"0/usr/lib/ruby/1.8/drb/drb.rb:1585:in `loop'"5/usr/lib/ruby/1.8/drb/drb.rb:1585:in `main_loop'"1/usr/lib/ruby/1.8/drb/drb.rb:1581:in `start'"5/usr/lib/ruby/1.8/drb/drb.rb:1581:in `main_loop'"//usr/lib/ruby/1.8/drb/drb.rb:1430:in `run'"1/usr/lib/ruby/1.8/drb/drb.rb:1427:in `start'"//usr/lib/ruby/1.8/drb/drb.rb:1427:in `run'"6/usr/lib/ruby/1.8/drb/drb.rb:1347:in `initialize'"//usr/lib/ruby/1.8/drb/drb.rb:1627:in `new'"9/usr/lib/ruby/1.8/drb/drb.rb:1627:in `start_service'"%/usr/sbin/druby_timeserver.rb:12:errnoi+:mesg"Function not implemented 
+High5{v1}8c49cb44d75gps2023-09-29T11:36:37.717246Z{v1}e2eec5b536a{v1}b6b9f466d63general/tcpnvtOperating System (OS) End of Life (EOL) DetectionGeneral10.0summary=The Operating System (OS) on the remote host has reached the End +of Life (EOL) and should not be used anymore.|insight=|qodType=remote_banner|solution=Upgrade the OS on the remote host to a version which is still +supported and receiving security updates by the vendor.|solution_type=Mitigation|impact=An EOL version of an OS is not receiving any security updates + from the vendor. Unfixed security vulnerabilities might be leveraged by an attacker to compromise + the security of this host.|affected=High10.080remote_bannerThe "Ubuntu" Operating System on the remote host has reached the end of life. + +CPE: cpe:/o:canonical:ubuntu_linux:8.04 +Installed version, +build or SP: 8.04 +EOL date: 2013-05-09 +EOL info: https://wiki.ubuntu.com/Releases +High5{v1}22a938294adgps2023-09-29T11:36:37.717262Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTWiki XSS and Command Execution VulnerabilitiesWeb application abuses10.0summary=TWiki is prone to Cross-Site Scripting (XSS) and Command Execution Vulnerabilities.|insight=The flaws are due to: + + - %URLPARAM{}% variable is not properly sanitized which lets attackers + conduct cross-site scripting attack. + + - %SEARCH{}% variable is not properly sanitised before being used in an + eval() call which lets the attackers execute perl code through eval + injection attack.|qodType=remote_banner|solution=Upgrade to version 4.2.4 or later.|solution_type=VendorFix|impact=Successful exploitation could allow execution of arbitrary script code or + commands. 
This could let attackers steal cookie-based authentication credentials or compromise the affected + application.|affected=TWiki, TWiki version prior to 4.2.4.High10.080remote_bannerInstalled version: 01.Feb.2003 +Fixed version: 4.2.4 + +High5{v1}9e2edd735b3gps2023-09-29T11:36:37.717281Z{v1}e2eec5b536a{v1}b6b9f466d633632/tcpnvtDistCC RCE Vulnerability (CVE-2004-2687)Gain a shell remotely9.3summary=DistCC is prone to a remote code execution (RCE) +vulnerability.|insight=DistCC 2.x, as used in XCode 1.5 and others, when not configured + to restrict access to the server port, allows remote attackers to execute arbitrary commands via + compilation jobs, which are executed by the server without authorization checks.|qodType=remote_vul|solution=Vendor updates are available. Please see the references for +more information. + +For more information about DistCC's security see the references.|solution_type=VendorFix|impact=DistCC by default trusts its clients completely that in turn + could allow a malicious client to execute arbitrary commands on the server.|affected=High9.399remote_vulIt was possible to execute the "id" command. + +Result: uid=1(daemon) gid=1(daemon) +High5{v1}0b02451a968gps2023-09-29T11:36:37.717494Z{v1}e2eec5b536a{v1}b6b9f466d635900/tcpnvtVNC Brute Force LoginBrute force attacks9.0summary=Try to log in with given passwords via VNC protocol.|insight=This script tries to authenticate to a VNC server with the + passwords set in the password preference. It will also test and report if no authentication / + password is required at all. + + Note: Some VNC servers have a blacklisting scheme that blocks IP addresses after five unsuccessful + connection attempts for a period of time. The script will abort the brute force attack if it + encounters that it gets blocked. + + Note as well that passwords can be max. 
8 characters long.|qodType=remote_active|solution=Change the password to something hard to guess or enable +password protection at all.|solution_type=Mitigation|impact=|affected=High9.095remote_activeIt was possible to connect to the VNC server with the password: password +High5{v1}e93a2434477gps2023-09-29T11:36:37.717503Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtPostgreSQL Default Credentials (PostgreSQL Protocol)Default Accounts9.0summary=It was possible to login into the remote PostgreSQL as user +postgres using weak credentials.|insight=|qodType=remote_vul|solution=Change the password as soon as possible.|solution_type=Mitigation|impact=|affected=High9.099remote_vulIt was possible to login as user postgres with password "postgres". + + +High5{v1}3723bfe0094gps2023-09-29T11:36:37.717511Z{v1}e2eec5b536a{v1}b6b9f466d636667/tcpnvtUnrealIRCd Authentication Spoofing VulnerabilityGeneral8.1summary=UnrealIRCd is prone to authentication spoofing vulnerability.|insight=The flaw exists due to an error in + the 'm_authenticate' function in 'modules/m_sasl.c' script.|qodType=remote_banner|solution=Upgrade to UnrealIRCd 3.2.10.7, +or 4.0.6, or later.|solution_type=VendorFix|impact=Successful exploitation of this vulnerability + will allows remote attackers to spoof certificate fingerprints and consequently + log in as another user.|affected=UnrealIRCd before 3.2.10.7 and + 4.x before 4.0.6.High8.180remote_bannerInstalled version: 127.0.0.1 +Fixed version: 127.0.0.1 + +High5{v1}3723bfe0094gps2023-09-29T11:36:37.717520Z{v1}e2eec5b536a{v1}b6b9f466d636697/tcpnvtUnrealIRCd Authentication Spoofing VulnerabilityGeneral8.1summary=UnrealIRCd is prone to authentication spoofing vulnerability.|insight=The flaw exists due to an error in + the 'm_authenticate' function in 'modules/m_sasl.c' script.|qodType=remote_banner|solution=Upgrade to UnrealIRCd 3.2.10.7, +or 4.0.6, or later.|solution_type=VendorFix|impact=Successful exploitation of this vulnerability + will allows remote attackers 
to spoof certificate fingerprints and consequently + log in as another user.|affected=UnrealIRCd before 3.2.10.7 and + 4.x before 4.0.6.High8.180remote_bannerInstalled version: 127.0.0.1 +Fixed version: 127.0.0.1 + +High5{v1}a358693375bgps2023-09-29T11:36:37.717529Z{v1}e2eec5b536a{v1}b6b9f466d6321/tcpnvtFTP Brute Force Logins ReportingBrute force attacks7.5summary=It was possible to login into the remote FTP server using +weak/known credentials.|insight=The following devices are / software is known to be affected: + + - CVE-2001-1594: Codonics printer FTP service as used in GE Healthcare eNTEGRA P&R + + - CVE-2013-7404: GE Healthcare Discovery NM 750b + + - CVE-2018-19063, CVE-2018-19064: Foscam C2 and Opticam i5 devices + + Note: As the VT 'FTP Brute Force Logins' (OID: 1.3.6.1.4.1.25623.1.0.108717) might run into a + timeout the actual reporting of this vulnerability takes place in this VT instead.|qodType=remote_active|solution=Change the password as soon as possible.|solution_type=Mitigation|impact=This issue may be exploited by a remote attacker to e.g. gain + access to sensitive information or modify system configuration.|affected=High7.595remote_activeIt was possible to login with the following credentials <User>:<Password> + +msfadmin:msfadmin +postgres:postgres +service:service +user:user +High5{v1}4ecebea5997gps2023-09-29T11:36:37.717538Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTest HTTP dangerous methodsWeb Servers7.5summary=Misconfigured web servers allows remote clients to perform +dangerous HTTP methods such as PUT and DELETE.|insight=|qodType=remote_vul|solution=Use access restrictions to these dangerous HTTP methods +or disable them completely.|solution_type=Mitigation|impact=- Enabled PUT method: This might allow an attacker to upload + and run arbitrary code on this web server. 
+ + - Enabled DELETE method: This might allow an attacker to delete additional files on this web + server.|affected=Web servers with enabled PUT and/or DELETE methods.High7.599remote_vulWe could upload the following files via the PUT method at this web server: + +http://127.0.0.1/dav/puttest1462543653.html + +We could delete the following files via the DELETE method at this web server: + +http://127.0.0.1/dav/puttest1462543653.html + + +High5{v1}dcc8491b116gps2023-09-29T11:36:37.717558Z{v1}e2eec5b536a{v1}b6b9f466d6321/tcpnvtvsftpd Compromised Source Packages Backdoor VulnerabilityGain a shell remotely7.5summary=vsftpd is prone to a backdoor vulnerability.|insight=|qodType=remote_vul|solution=The repaired package can be downloaded from +the referenced link. Please validate the package with its signature.|solution_type=VendorFix|impact=Attackers can exploit this issue to execute arbitrary commands in the + context of the application. Successful attacks will compromise the affected application.|affected=The vsftpd 2.3.4 source package is affected.High7.599remote_vulHigh5{v1}a358693375bgps2023-09-29T11:36:37.717575Z{v1}e2eec5b536a{v1}b6b9f466d632121/tcpnvtFTP Brute Force Logins ReportingBrute force attacks7.5summary=It was possible to login into the remote FTP server using +weak/known credentials.|insight=The following devices are / software is known to be affected: + + - CVE-2001-1594: Codonics printer FTP service as used in GE Healthcare eNTEGRA P&R + + - CVE-2013-7404: GE Healthcare Discovery NM 750b + + - CVE-2018-19063, CVE-2018-19064: Foscam C2 and Opticam i5 devices + + Note: As the VT 'FTP Brute Force Logins' (OID: 1.3.6.1.4.1.25623.1.0.108717) might run into a + timeout the actual reporting of this vulnerability takes place in this VT instead.|qodType=remote_active|solution=Change the password as soon as possible.|solution_type=Mitigation|impact=This issue may be exploited by a remote attacker to e.g. 
gain + access to sensitive information or modify system configuration.|affected=High7.595remote_activeIt was possible to login with the following credentials <User>:<Password> + +user:user +High5{v1}edca4d29119gps2023-09-29T11:36:37.717584Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtphpinfo() output ReportingWeb application abuses7.5summary=Many PHP installation tutorials instruct the user to create +a file called phpinfo.php or similar containing the phpinfo() statement. Such a file is often +left back in the webserver directory.|insight=|qodType=remote_banner|solution=Delete the listed files or restrict access to them.|solution_type=Workaround|impact=Some of the information that can be gathered from this file includes: + + The username of the user running the PHP process, if it is a sudo user, the IP address of the host, the web server + version, the system version (Unix, Linux, Windows, ...), and the root directory of the web server.|affected=High7.580remote_bannerThe following files are calling the function phpinfo() which disclose potentially sensitive information: + +http://127.0.0.1/mutillidae/phpinfo.php +http://127.0.0.1/phpinfo.php +High5{v1}28996b2da9agps2023-09-29T11:36:37.717594Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtPHP-CGI-based setups vulnerability when parsing query string parameters from php files.Web application abuses7.5summary=PHP is prone to an information-disclosure vulnerability.|insight=When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the + php-cgi receives a processed query string parameter as command line arguments which allows command-line + switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose + source code and obtain arbitrary code execution. 
+ + An example of the -s command, allowing an attacker to view the source code of index.php is below: + + http://example.com/index.php?-s|qodType=remote_active|solution=PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. +PHP is recommending that users upgrade to the latest version of PHP.|solution_type=VendorFix|impact=Exploiting this issue allows remote attackers to view the source code of files in the + context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code + on the affected computer. Other attacks are also possible.|affected=High7.595remote_activeBy doing the following HTTP POST request: + +"HTTP POST" body : <?php phpinfo();?> +URL : http://127.0.0.1/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E + +it was possible to execute the "<?php phpinfo();?>" command. 
+ +Result: <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head> +High5{v1}f209b933bd1gps2023-09-29T11:36:37.717604Z{v1}e2eec5b536a{v1}b6b9f466d6322/tcpnvtRiello NetMan 204 Default Credentials (SSH)Default Accounts7.5summary=The remote Riello NetMan 204 network card is using known default +credentials for the SSH login.|insight=|qodType=exploit|solution=Change the password of the affected account(s).|solution_type=Workaround|impact=This issue may be exploited by a remote attacker to gain access + to sensitive information or modify system configuration.|affected=High7.5100exploitIt was possible to login as user 'user' with password 'user' and to execute 'cat /etc/passwd'. Result: + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +libuuid:x:100:101::/var/lib/libuuid:/bin/sh +dhcp:x:101:102::/nonexistent:/bin/false +syslog:x:102:103::/home/syslog:/bin/false +klog:x:103:104::/home/klog:/bin/false +sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin +msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash +bind:x:105:113::/var/cache/bind:/bin/false +postfix:x:106:115::/var/spool/postfix:/bin/false +ftp:x:107:65534::/home/ftp:/bin/false +postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash +mysql:x:109:118:MySQL 
Server,,,:/var/lib/mysql:/bin/false +tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false +distccd:x:111:65534::/:/bin/false +user:x:1001:1001:just a user,111,,:/home/user:/bin/bash +service:x:1002:1002:,,,:/home/service:/bin/bash +telnetd:x:112:120::/nonexistent:/bin/false +proftpd:x:113:65534::/var/run/proftpd:/bin/false +statd:x:114:65534::/var/lib/nfs:/bin/false +High5{v1}dcc8491b116gps2023-09-29T11:36:37.717613Z{v1}e2eec5b536a{v1}b6b9f466d636200/tcpnvtvsftpd Compromised Source Packages Backdoor VulnerabilityGain a shell remotely7.5summary=vsftpd is prone to a backdoor vulnerability.|insight=|qodType=remote_vul|solution=The repaired package can be downloaded from +the referenced link. Please validate the package with its signature.|solution_type=VendorFix|impact=Attackers can exploit this issue to execute arbitrary commands in the + context of the application. Successful attacks will compromise the affected application.|affected=The vsftpd 2.3.4 source package is affected.High7.599remote_vulHigh5{v1}d803f61f444gps2023-09-29T11:36:37.717621Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: OpenSSL CCS Man in the Middle Security Bypass VulnerabilitySSL and TLS7.4summary=OpenSSL is prone to security-bypass vulnerability.|insight=OpenSSL does not properly restrict processing of ChangeCipherSpec + messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in + certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive + information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.|qodType=remote_analysis|solution=Updates are available. Please see the references for more information.|solution_type=VendorFix|impact=Successfully exploiting this issue may allow attackers to obtain + sensitive information by conducting a man-in-the-middle attack. 
This may lead to other attacks.|affected=OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h.High7.470remote_analysisHigh5{v1}e70046de17fgps2023-09-29T11:36:37.717637Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTWiki Cross-Site Request Forgery Vulnerability - Sep10Web application abuses6.8summary=TWiki is prone to a cross-site request forgery (CSRF) vulnerability.|insight=Attack can be done by tricking an authenticated TWiki user into visiting + a static HTML page on another side, where a Javascript enabled browser will send an HTTP POST request + to TWiki, which in turn will process the request as the TWiki user.|qodType=remote_banner|solution=Upgrade to TWiki version 4.3.2 or later.|solution_type=VendorFix|impact=Successful exploitation will allow attacker to gain administrative + privileges on the target application and can cause CSRF attack.|affected=TWiki version prior to 4.3.2Medium6.880remote_bannerInstalled version: 01.Feb.2003 +Fixed version: 4.3.2 + +Medium5{v1}944cfcaaf66gps2023-09-29T11:36:37.717645Z{v1}e2eec5b536a{v1}b6b9f466d6321/tcpnvtAnonymous FTP Login ReportingFTP6.4summary=Reports if the remote FTP Server allows anonymous logins.|insight=A host that provides an FTP service may additionally provide + Anonymous FTP access as well. Under this arrangement, users do not strictly need an account on the + host. Instead the user typically enters 'anonymous' or 'ftp' when prompted for username. Although + users are commonly asked to send their email address as their password, little to no verification + is actually performed on the supplied data. + + Remark: NIST don't see 'configuration issues' as software flaws so the referenced CVE has a + severity of 0.0. 
The severity of this VT has been raised by Greenbone to still report a + configuration issue on the target.|qodType=remote_banner|solution=If you do not want to share files, you should disable anonymous +logins.|solution_type=Mitigation|impact=Based on the files accessible via this anonymous FTP login and + the permissions of this account an attacker might be able to: + + - gain access to sensitive files + + - upload or delete files.|affected=Medium6.480remote_bannerIt was possible to login to the remote FTP service with the following anonymous account(s): + +anonymous:anonymous@example.com +ftp:anonymous@example.com + +Medium5{v1}cc1c4db6d4fgps2023-09-29T11:36:37.717654Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtjQuery < 1.9.0 XSS VulnerabilityWeb application abuses6.1summary=jQuery is prone to a cross-site scripting (XSS) +vulnerability.|insight=The jQuery(strInput) function does not differentiate selectors + from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was + HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility + when attempting to construct a malicious payload. 
In fixed versions, jQuery only deems the input + to be HTML if it explicitly starts with the '<' character, limiting exploitability only to + attackers who can control the beginning of a string, which is far less common.|qodType=remote_banner|solution=Update to version 1.9.0 or later.|solution_type=VendorFix|impact=|affected=jQuery prior to version 1.9.0.Medium6.180remote_bannerInstalled version: 1.3.2 +Fixed version: 1.9.0 +Installation +path / port: /mutillidae/javascript/ddsmoothmenu/jquery.min.js + +Detection info (see OID: 127.0.0.1.4.1.25127.0.0.1658 for more info): +- Identified file: http://127.0.0.1/mutillidae/javascript/ddsmoothmenu/jquery.min.js +- Referenced at: http://127.0.0.1/mutillidae/ +Medium5{v1}44d224b77c4gps2023-09-29T11:36:37.717662Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTWiki < 6.1.0 XSS VulnerabilityWeb application abuses6.1summary=bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter.|insight=|qodType=remote_banner|solution=Update to version 6.1.0 or later.|solution_type=VendorFix|impact=|affected=TWiki version 6.0.2 and probably prior.Medium6.180remote_bannerInstalled version: 01.Feb.2003 +Fixed version: 6.1.0 + +Medium5{v1}e70046de17fgps2023-09-29T11:36:37.717670Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTWiki Cross-Site Request Forgery VulnerabilityWeb application abuses6.0summary=TWiki is prone to a cross-site request forgery (CSRF) vulnerability.|insight=Remote authenticated user can create a specially crafted image tag that, + when viewed by the target user, will update pages on the target system with the privileges of the target user + via HTTP requests.|qodType=remote_banner|solution=Upgrade to version 4.3.1 or later.|solution_type=VendorFix|impact=Successful exploitation will allow attacker to gain administrative + privileges on the target application and can cause CSRF attack.|affected=TWiki version prior to 4.3.1Medium6.080remote_bannerInstalled version: 01.Feb.2003 +Fixed version: 4.3.1 + 
+Medium5{v1}71c655fd352gps2023-09-29T11:36:37.717677Z{v1}e2eec5b536a{v1}b6b9f466d63445/tcpnvtSamba MS-RPC Remote Shell Command Execution Vulnerability - Active CheckGain a shell remotely6.0summary=Samba is prone to a vulnerability that allows attackers to +execute arbitrary shell commands because the software fails to sanitize user-supplied input.|insight=|qodType=remote_vul|solution=Updates are available. Please see the referenced vendor advisory.|solution_type=VendorFix|impact=An attacker may leverage this issue to execute arbitrary shell + commands on an affected system with the privileges of the application.|affected=This issue affects Samba 3.0.0 through 3.0.25rc3.Medium6.099remote_vulMedium5{v1}e79b358813fgps2023-09-29T11:36:37.717686Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Deprecated SSLv2 and SSLv3 Protocol DetectionSSL and TLS5.9summary=It was possible to detect the usage of the deprecated SSLv2 +and/or SSLv3 protocol on this system.|insight=The SSLv2 and SSLv3 protocols contain known cryptographic + flaws like: + + - CVE-2014-3566: Padding Oracle On Downgraded Legacy Encryption (POODLE) + + - CVE-2016-0800: Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)|qodType=remote_app|solution=It is recommended to disable the deprecated SSLv2 and/or SSLv3 +protocols in favor of the TLSv1.2+ protocols. Please see the references for more information.|solution_type=Mitigation|impact=An attacker might be able to use the known cryptographic flaws to + eavesdrop the connection between clients and the service to get access to sensitive data + transferred within the secured connection. + + Furthermore newly uncovered vulnerabilities in this protocols won't receive security updates + anymore.|affected=All services providing an encrypted communication using the + SSLv2 and/or SSLv3 protocols.Medium5.998remote_appIn addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. 
Those supported ciphers can be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 127.0.0.1.4.1.25127.0.0.1067) VT. +Medium5{v1}75693259c28gps2023-09-29T11:36:37.717697Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtHTTP Debugging Methods (TRACE/TRACK) EnabledWeb Servers5.8summary=The remote web server supports the TRACE and/or TRACK +methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.|insight=It has been shown that web servers supporting this methods + are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in + conjunction with various weaknesses in browsers.|qodType=remote_vul|solution=Disable the TRACE and TRACK methods in your web server +configuration. + +Please see the manual of your web server or the references for more information.|solution_type=Mitigation|impact=An attacker may use this flaw to trick your legitimate web + users to give him their credentials.|affected=Web servers with enabled TRACE and/or TRACK methods.Medium5.899remote_vulThe web server has the following HTTP methods enabled: TRACE +Medium5{v1}316b754124fgps2023-09-29T11:36:37.717709Z{v1}e2eec5b536a{v1}b6b9f466d6322/tcpnvtWeak Key Exchange (KEX) Algorithm(s) Supported (SSH)General5.3summary=The remote SSH server is configured to allow / support weak key +exchange (KEX) algorithm(s).|insight=- 1024-bit MODP group / prime KEX algorithms: + + Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key + exchange. Practitioners believed this was safe as long as new key exchange messages were generated + for every connection. However, the first step in the number field sieve-the most efficient + algorithm for breaking a Diffie-Hellman connection-is dependent only on this prime. 
+ + A nation-state can break a 1024-bit prime.|qodType=remote_banner|solution=Disable the reported weak KEX algorithm(s) + +- 1024-bit MODP group / prime KEX algorithms: + +Alternatively use elliptic-curve Diffie-Hellmann in general, e.g. Curve 25519.|solution_type=Mitigation|impact=An attacker can quickly break individual connections.|affected=Medium5.380remote_bannerThe remote SSH server supports the following weak KEX algorithm(s): + +KEX algorithm | Reason +------------------------------------------------------------------------------------------- +diffie-hellman-group-exchange-sha1 | Using SHA-1 +diffie-hellman-group1-sha1 | Using Oakley Group 2 (a 1024-bit MODP group) and SHA-1 +Medium5{v1}79868c7d9b2gps2023-09-29T11:36:37.717720Z{v1}e2eec5b536a{v1}b6b9f466d6322/tcpnvtWeak Host Key Algorithm(s) (SSH)General5.3summary=The remote SSH server is configured to allow / support weak host +key algorithm(s).|insight=|qodType=remote_banner|solution=Disable the reported weak host key algorithm(s).|solution_type=Mitigation|impact=|affected=Medium5.380remote_bannerThe remote SSH server supports the following weak host key algorithm(s): + +host key algorithm | Description +----------------------------------------------------------------------------------------- +ssh-dss | Digital Signature Algorithm (DSA) / Digital Signature Standard (DSS) +Medium5{v1}e3e389ce2bagps2023-09-29T11:36:37.717728Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Report Weak Cipher SuitesSSL and TLS5.0summary=This routine reports all Weak SSL/TLS cipher suites accepted +by a service. + +NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port +25/tcp is reported. 
If too strong cipher suites are configured for this service the alternative +would be to fall back to an even more insecure cleartext communication.|insight=These rules are applied for the evaluation of the cryptographic + strength: + + - RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808) + + - Ciphers using 64 bit or less are considered to be vulnerable to brute force methods + and therefore considered as weak (CVE-2015-4000) + + - 1024 bit RSA authentication is considered to be insecure and therefore as weak + + - Any cipher considered to be secure for only the next 10 years is considered as medium + + - Any other cipher is considered as strong|qodType=remote_app|solution=The configuration of this services should be changed so +that it does not accept the listed weak cipher suites anymore. + +Please see the references for more resources supporting you with this task.|solution_type=Mitigation|impact=|affected=Medium5.098remote_app'Weak' cipher suites accepted by this service via the SSLv3 protocol: + +TLS_RSA_WITH_RC4_128_SHA + +'Weak' cipher suites accepted by this service via the TLSv1.0 protocol: + +TLS_RSA_WITH_RC4_128_SHA + + +Medium5{v1}66ec0c4c6a4gps2023-09-29T11:36:37.717749Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvt/doc directory browsableWeb application abuses5.0summary=The /doc directory is browsable. +/doc shows the content of the /usr/doc directory and therefore it shows which programs and - important! - the version of the installed programs.|insight=|qodType=remote_banner|solution=Use access restrictions for the /doc directory. 
+If you use Apache you might use this in your access.conf: + +<Directory /usr/doc> +AllowOverride None +order deny, allow +deny from all +allow from localhost +</Directory>|solution_type=Mitigation|impact=|affected=Medium5.080remote_bannerVulnerable URL: http://127.0.0.1/doc/ +Medium5{v1}fec842e796egps2023-09-29T11:36:37.717762Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Certificate ExpiredSSL and TLS5.0summary=The remote server's SSL/TLS certificate has already expired.|insight=This script checks expiry dates of certificates associated with + SSL/TLS-enabled services on the target and reports whether any have already expired.|qodType=remote_vul|solution=Replace the SSL/TLS certificate by a new one.|solution_type=Mitigation|impact=|affected=Medium5.099remote_vulThe certificate of the remote service expired on 2010-04-16 14:07:45. + +Certificate details: +fingerprint (SHA-1) | ED093088706603BFD5DC237399B498DA2D4D31C6 +fingerprint (SHA-256) | E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436DE813CC +issued by | 127.0.0.1127.0.0.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX +public key size (bits) | 1024 +serial | 00FAF93A4C7FB6B9CC +signature algorithm | sha1WithRSAEncryption +subject | 127.0.0.1127.0.0.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX +subject alternative names (SAN) | None +valid from | 2010-03-17 14:07:45 UTC +valid until | 2010-04-16 14:07:45 UTC +Medium5{v1}bccd1cd5b97gps2023-09-29T11:36:37.717769Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtawiki <= 20100125 Multiple LFI Vulnerabilities - Active CheckWeb application abuses5.0summary=awiki is prone to multiple local file include (LFI) +vulnerabilities because it 
fails to properly sanitize user-supplied input.|insight=|qodType=remote_vul|solution=No known solution was made available for at least one year +since the disclosure of this vulnerability. Likely none will be provided anymore. General +solution options are to upgrade to a newer release, disable respective features, remove the +product or replace the product by another one.|solution_type=WillNotFix|impact=An attacker can exploit this vulnerability to obtain potentially + sensitive information and execute arbitrary local scripts in the context of the webserver + process. This may allow the attacker to compromise the application and the host.|affected=awiki version 20100125 and prior.Medium5.099remote_vulVulnerable URL: http://127.0.0.1/mutillidae/index.php?page=/etc/passwd +Medium5{v1}68aaba31879gps2023-09-29T11:36:37.717783Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtCleartext Transmission of Sensitive Information via HTTPWeb application abuses4.8summary=The host / application transmits sensitive information (username, passwords) in +cleartext via HTTP.|insight=|qodType=remote_banner|solution=Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. 
+Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before +allowing to input sensitive data into the mentioned functions.|solution_type=Workaround|impact=An attacker could use this situation to compromise or eavesdrop on the + HTTP communication between the client and the server using a man-in-the-middle attack to get access to + sensitive data like usernames or passwords.|affected=Hosts / applications which doesn't enforce the transmission of sensitive data via an + encrypted SSL/TLS connection.Medium4.880remote_bannerThe following input fields were identified (URL:input name): + +http://127.0.0.1/dvwa/login.php:password +http://127.0.0.1/phpMyAdmin/:pma_password +http://127.0.0.1/phpMyAdmin/?D=A:pma_password +http://127.0.0.1/tikiwiki/tiki-install.php:pass +http://127.0.0.1/twiki/bin/view/TWiki/TWikiUserAuthentication:oldpassword +Medium5{v1}4406907af6bgps2023-09-29T11:36:37.717794Z{v1}e2eec5b536a{v1}b6b9f466d635900/tcpnvtVNC Server Unencrypted Data TransmissionGeneral4.8summary=The remote host is running a VNC server providing one or more insecure or +cryptographically weak Security Type(s) not intended for use on untrusted networks.|insight=|qodType=remote_analysis|solution=Run the session over an encrypted channel provided by IPsec [RFC4301] or SSH [RFC4254]. 
+Some VNC server vendors are also providing more secure Security Types within their products.|solution_type=Mitigation|impact=An attacker can uncover sensitive data by sniffing traffic to the + VNC server.|affected=Medium4.870remote_analysisThe VNC server provides the following insecure or cryptographically weak Security Type(s): + +2 (VNC authentication) +Medium5{v1}1fa3ebb87ecgps2023-09-29T11:36:37.717806Z{v1}e2eec5b536a{v1}b6b9f466d6321/tcpnvtFTP Unencrypted Cleartext LoginGeneral4.8summary=The remote host is running a FTP service that allows cleartext logins over +unencrypted connections.|insight=|qodType=remote_analysis|solution=Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see +the manual of the FTP service for more information.|solution_type=Mitigation|impact=An attacker can uncover login names and passwords by sniffing traffic to the + FTP service.|affected=Medium4.870remote_analysisThe remote FTP service accepts logins without a previous sent 'AUTH TLS' command. Response(s): + +Non-anonymous sessions: 331 Please specify the password. +Anonymous sessions: 331 Please specify the password. +Medium5{v1}1fa3ebb87ecgps2023-09-29T11:36:37.717816Z{v1}e2eec5b536a{v1}b6b9f466d632121/tcpnvtFTP Unencrypted Cleartext LoginGeneral4.8summary=The remote host is running a FTP service that allows cleartext logins over +unencrypted connections.|insight=|qodType=remote_analysis|solution=Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see +the manual of the FTP service for more information.|solution_type=Mitigation|impact=An attacker can uncover login names and passwords by sniffing traffic to the + FTP service.|affected=Medium4.870remote_analysisThe remote FTP service accepts logins without a previous sent 'AUTH TLS' command. 
Response(s): + +Non-anonymous sessions: 331 Password required for openvasvt +Anonymous sessions: 331 Password required for anonymous +Medium5{v1}e79b358813fgps2023-09-29T11:36:37.717825Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol DetectionSSL and TLS4.3summary=It was possible to detect the usage of the deprecated TLSv1.0 +and/or TLSv1.1 protocol on this system.|insight=The TLSv1.0 and TLSv1.1 protocols contain known cryptographic + flaws like: + + - CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST) + + - CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy + Encryption (FREAK)|qodType=remote_app|solution=It is recommended to disable the deprecated TLSv1.0 and/or +TLSv1.1 protocols in favor of the TLSv1.2+ protocols. Please see the references for more +information.|solution_type=Mitigation|impact=An attacker might be able to use the known cryptographic flaws + to eavesdrop the connection between clients and the service to get access to sensitive data + transferred within the secured connection. + + Furthermore newly uncovered vulnerabilities in this protocols won't receive security updates + anymore.|affected=All services providing an encrypted communication using the + TLSv1.0 and/or TLSv1.1 protocols.Medium4.398remote_appThe service is only providing the deprecated TLSv1.0 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 127.0.0.1.4.1.25127.0.0.1067) VT. 
+Medium5{v1}9c322581ba5gps2023-09-29T11:36:37.717836Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtphpMyAdmin 'error.php' Cross Site Scripting VulnerabilityWeb application abuses4.3summary=phpMyAdmin is prone to a cross-site scripting (XSS) vulnerability.|insight=The flaw is caused by input validation errors in the 'error.php' +script when processing crafted BBcode tags containing '@' characters, which +could allow attackers to inject arbitrary HTML code within the error page +and conduct phishing attacks.|qodType=remote_vul|solution=No known solution was made available for at least one year since the disclosure +of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer +release, disable respective features, remove the product or replace the product by another one.|solution_type=WillNotFix|impact=Successful exploitation will allow attackers to inject arbitrary +HTML code within the error page and conduct phishing attacks.|affected=phpMyAdmin version 3.3.8.1 and prior.Medium4.399remote_vulMedium5{v1}2b0831858b0gps2023-09-29T11:36:37.717847Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtjQuery < 1.6.3 XSS VulnerabilityWeb application abuses4.3summary=jQuery is prone to a cross-site scripting (XSS) +vulnerability.|insight=Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, + when using location.hash to select elements, allows remote attackers to inject arbitrary web + script or HTML via a crafted tag.|qodType=remote_banner|solution=Update to version 1.6.3 or later.|solution_type=VendorFix|impact=|affected=jQuery prior to version 1.6.3.Medium4.380remote_bannerInstalled version: 1.3.2 +Fixed version: 1.6.3 +Installation +path / port: /mutillidae/javascript/ddsmoothmenu/jquery.min.js + +Detection info (see OID: 127.0.0.1.4.1.25127.0.0.1658 for more info): +- Identified file: http://127.0.0.1/mutillidae/javascript/ddsmoothmenu/jquery.min.js +- Referenced at: http://127.0.0.1/mutillidae/ 
+Medium5{v1}55390940921gps2023-09-29T11:36:37.717855Z{v1}e2eec5b536a{v1}b6b9f466d6322/tcpnvtWeak Encryption Algorithm(s) Supported (SSH)General4.3summary=The remote SSH server is configured to allow / support weak +encryption algorithm(s).|insight=- The 'arcfour' cipher is the Arcfour stream cipher with 128-bit + keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour + (and RC4) has problems with weak keys, and should not be used anymore. + + - The 'none' algorithm specifies that no encryption is to be done. Note that this method provides + no confidentiality protection, and it is NOT RECOMMENDED to use it. + + - A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to + recover plaintext from a block of ciphertext.|qodType=remote_active|solution=Disable the reported weak encryption algorithm(s).|solution_type=Mitigation|impact=|affected=Medium4.395remote_activeThe remote SSH server supports the following weak client-to-server encryption algorithm(s): + +3des-cbc +aes128-cbc +aes192-cbc +aes256-cbc +arcfour +arcfour128 +arcfour256 +blowfish-cbc +cast128-cbc +rijndael-cbc@lysator.liu.se + + +The remote SSH server supports the following weak server-to-client encryption algorithm(s): + +3des-cbc +aes128-cbc +aes192-cbc +aes256-cbc +arcfour +arcfour128 +arcfour256 +blowfish-cbc +cast128-cbc +rijndael-cbc@lysator.liu.se +Medium5{v1}1fe916ed11dgps2023-09-29T11:36:37.717864Z{v1}e2eec5b536a{v1}b6b9f466d6380/tcpnvtTWiki 'organization' Cross-Site Scripting VulnerabilityWeb application abuses4.3summary=TWiki is prone to a cross-site scripting (XSS) vulnerability.|insight=The flaw is due to an improper validation of user-supplied input + to the 'organization' field when registering or editing a user, which allows attackers to execute + arbitrary HTML and script code in a user's browser session in the context of an affected site.|qodType=remote_analysis|solution=No known solution was made available for at 
least one year +since the disclosure of this vulnerability. Likely none will be provided anymore. General solution +options are to upgrade to a newer release, disable respective features, remove the product or +replace the product by another one.|solution_type=WillNotFix|impact=Successful exploitation will allow remote attackers to insert + arbitrary HTML and script code, which will be executed in a user's browser + session in the context of an affected site.|affected=TWiki version 5.1.1 and priorMedium4.370remote_analysisVulnerable URL: http://127.0.0.1/twiki/bin/view/Main/CccCcc +Medium5{v1}101c559718cgps2023-09-29T11:36:37.717875Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength VulnerabilitySSL and TLS4.0summary=The SSL/TLS service uses Diffie-Hellman groups with insufficient strength +(key size < 2048).|insight=The Diffie-Hellman group are some big numbers that are used as base for + the DH computations. They can be, and often are, fixed. The security of the final secret depends on the size + of these parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really + powerful attackers like governments.|qodType=remote_banner|solution=Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use +a 2048-bit or stronger Diffie-Hellman group (see the references). 
+ +For Apache Web Servers: +Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.|solution_type=Workaround|impact=An attacker might be able to decrypt the SSL/TLS communication offline.|affected=4.080remote_bannerServer Temporary Key Size: 1024 bits + +5{v1}fec842e796egps2023-09-29T11:36:37.717887Z{v1}e2eec5b536a{v1}b6b9f466d635432/tcpnvtSSL/TLS: Certificate Signed Using A Weak Signature AlgorithmSSL and TLS4.0summary=The remote service is using a SSL/TLS certificate in the certificate chain that has been signed using a +cryptographically weak hashing algorithm.|insight=The following hashing algorithms used for signing SSL/TLS certificates are considered cryptographically weak + and not secure enough for ongoing use: + + - Secure Hash Algorithm 1 (SHA-1) + + - Message Digest 5 (MD5) + + - Message Digest 4 (MD4) + + - Message Digest 2 (MD2) + + Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when visiting + web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates. + + NOTE: The script preference allows to set one or more custom SHA-1 fingerprints of CA certificates which are trusted by this routine. 
The fingerprints + needs to be passed comma-separated and case-insensitive: + + Fingerprint1 + + or + + fingerprint1, Fingerprint2|qodType=remote_banner|solution=Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing algorithm will need to obtain new +SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings.|solution_type=Mitigation|impact=|affected=4.080remote_bannerThe following certificates are part of the certificate chain but using insecure signature algorithms: + +Subject: 127.0.0.1127.0.0.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX +Signature Algorithm: sha1WithRSAEncryption + + +500000000000000000{v1}e2eec5b536a2023-09-26T10:50:34Z2023-09-26T13:04:00Z444201923002023-09-26T13:04:00Z \ No newline at end of file diff --git a/unittests/scans/openvas_xml/no_vuln.xml b/unittests/scans/openvas_xml/no_vuln.xml new file mode 100644 index 00000000000..7f0ea2e69c9 --- /dev/null +++ b/unittests/scans/openvas_xml/no_vuln.xml @@ -0,0 +1 @@ +gpsHP-scan2023-10-04T21:34:09.251181Z00HP-scanXML9.0descendingseverityapply_overrides=0 levels=hml rows=-1 min_qod=70 first=1 sort-reverse=severity notes=1 overrides=1nistNVD Vulnerability Severity RatingsNone0.00.0Low0.13.9Medium4.06.9High7.010.0Done000000HP-scan0Target100.00Network Source Interfacesource_iface2023-09-25T10:46:09Z2023-09-25T10:46:09ZCoordinated Universal TimeUTC0000000000000000002023-09-25T10:54:26Z \ No newline at end of file diff --git a/unittests/scans/openvas_xml/one_vuln.xml b/unittests/scans/openvas_xml/one_vuln.xml new file mode 100644 index 00000000000..7a22e01825c --- /dev/null +++ b/unittests/scans/openvas_xml/one_vuln.xml 
@@ -0,0 +1,34 @@ +gpsdc01-testlab-scan2023-10-04T21:40:07.211438Z00dc01-testlab-scanXML9.0descendingseverityapply_overrides=0 levels=hml rows=-1 min_qod=70 first=1 sort-reverse=severity notes=1 overrides=1nistNVD Vulnerability Severity RatingsNone0.00.0Low0.13.9Medium4.06.9High7.010.0Done101000dc01-testlab-scan0Target100.00Network Source Interfacesource_iface2023-09-28T14:48:02Z2023-09-28T14:48:02ZCoordinated Universal TimeUTC1general/tcp10.0.101.210.0HighMozilla Firefox Security Update (mfsa_2023-32_2023-36) - Windowsgps2023-10-04T21:40:07.211472Z10.0.101.2general/tcpnvtMozilla Firefox Security Update (mfsa_2023-32_2023-36) - WindowsGeneral10.0summary=Mozilla Firefox is prone to multiple vulnerabilities.|insight=Multiple flaws exist due to, + + - Memory corruption in IPC CanvasTranslator. + + - Memory corruption in IPC ColorPickerShownCallback. + + - Memory corruption in IPC FilePickerShownCallback. + + - Integer Overflow in RecordedSourceSurfaceCreation. + + - Memory corruption in JIT UpdateRegExpStatics. + + - Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception. + + - Persisted search terms were formatted as URLs. + + - Push notifications saved to disk unencrypted. + + - XLL file extensions were downloadable without warnings. + + - Browsing Context potentially not cleared when closing Private Window. + + - Memory safety bugs.|qodType=registry|solution=Upgrade to version 117 or later, +Please see the references for more information.|solution_type=VendorFix|impact=Successful exploitation will allow + attackers to run arbitrary code, cause denial of service and disclose + sensitive information on affected systems.|affected=Mozilla Firefox version before + 117 on Windows.High10.097registryInstalled version: 116.0.3 +Fixed version: 117 +Installation +path / port: C:\Program Files\Mozilla Firefox + +High5 + +0000000000000000010.0.101.22023-09-28T14:48:02Z2023-09-28T16:12:15Z11000002023-09-28T16:12:15Z \ No newline at end of file 
diff --git a/unittests/tools/test_openvas_xml_parser.py b/unittests/tools/test_openvas_xml_parser.py
new file mode 100644
index 00000000000..40004d6e0b2
--- /dev/null
+++ b/unittests/tools/test_openvas_xml_parser.py
@@ -0,0 +1,43 @@
+from ..dojo_test_case import DojoTestCase
+from dojo.tools.openvas_xml.parser import OpenVASXMLParser
+from dojo.models import Test, Engagement, Product
+
+
+class TestOpenVASUploadXMLParser(DojoTestCase):
+
+ def test_openvas_xml_no_vuln(self):
+ with open("unittests/scans/openvas_xml/no_vuln.xml") as f:
+ test = Test()
+ test.engagement = Engagement()
+ test.engagement.product = Product()
+ parser = OpenVASXMLParser()
+ findings = parser.get_findings(f, test)
+ self.assertEqual(0, len(findings))
+
+ def test_openvas_xml_one_vuln(self):
+ with open("unittests/scans/openvas_xml/one_vuln.xml") as f:
+ test = Test()
+ test.engagement = Engagement()
+ test.engagement.product = Product()
+ parser = OpenVASXMLParser()
+ findings = parser.get_findings(f, test)
+ for finding in findings:
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual(1, len(findings))
+ with self.subTest(i=0):
+ finding = findings[0]
+ self.assertEqual("Mozilla Firefox Security Update (mfsa_2023-32_2023-36) - Windows_10.0.101.2_general/tcp", finding.title)
+ self.assertEqual("Critical", finding.severity)
+
+ def test_openvas_xml_many_vuln(self):
+ with open("unittests/scans/openvas_xml/many_vuln.xml") as f:
+ test = Test()
+ test.engagement = Engagement()
+ test.engagement.product = Product()
+ parser = OpenVASXMLParser()
+ findings = parser.get_findings(f, test)
+ for finding in findings:
+ for endpoint in finding.unsaved_endpoints:
+ endpoint.clean()
+ self.assertEqual(44, len(findings))
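Review bot: The `endpoint.clean()` loops in test_openvas_xml_one_vuln and test_openvas_xml_many_vuln never execute an iteration, because the parser added in this commit only writes the `host` and `port` values into the finding title and description and, as far as its hunk shows, never populates `unsaved_endpoints`. Either drop the two loops or have the parser build an `Endpoint` from the `host` and `port` elements so that the `clean()` call validates something; as written, a reader of the test would assume endpoint extraction is covered when it is not. test_openvas_xml_many_vuln also only checks the count, so pinning one finding's title and severity (the fixture carries 5.x scores that convert_cvss_score should map to "Medium") would catch a regression in the severity mapping, and the one_vuln test could assert the generated description too. Opening the fixtures in binary mode, `open(path, "rb")`, would let ElementTree honour the XML declaration rather than the platform default text encoding.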