Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6, MileSCAN ParosPro Report
Report generated at 2011.09.24, Sat, at 04:44:11 CDT.
Companion reports: RHEL6 Linux report via Acunetix 7; report via Burp Suite Pro 1.4.1; RHEL6 target analysis; cPanel report for Windows Server.
Summary of Alerts
Host/IP | High | Medium | Low | Info |
Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6 ( port 8443 ) | 1 | 5 | 1 | 1 |
Alert Detail
High (Suspicious) | SQL Injection |
Description
| SQL injection may be possible. Parameters submitted by the user are incorporated into a SQL query for database processing. If the query is built by simple string concatenation, the meaning of the query can be changed by carefully crafting those parameters. Depending on the database type and the access rights of the application's database account, a tampered query can be used to retrieve sensitive information from the database or, on some platforms, execute arbitrary code. MS SQL Server and PostgreSQL, which accept multiple statements in one request, can be exploited further if the database account is powerful. Injection can occur through URL query strings, POST parameters or cookies; this check does not currently test cookies. The payloads listed below are boolean tests (1 AND 1=1 versus 1 OR 1=1) judged by comparing responses, which is why pages whose content changes between requests can produce false positives. Verify the finding manually as well, since some blind SQL injection points will not be discovered by this check. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/my-profile |
Parameter | POST parameter: contacts[contactsSection][companyName]=1 AND 1=1 |
Other information | The alert may be invalid if the return page contains random changing contents. If it is the case, you may need to perform the check manually for verification. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/my-profile |
Parameter | POST parameter: contacts[contactsSection][zip]=1 OR 1=1 |
Other information | The alert may be invalid if the return page contains random changing contents. If it is the case, you may need to perform the check manually for verification. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address/index |
Parameter | POST parameter: autoResponder[autoResponderSection][contentType]=text%2Fhtml" OR "1"="1 |
Other information | The alert may be invalid if the return page contains random changing contents. If it is the case, you may need to perform the check manually for verification. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address/index |
Parameter | POST parameter: autoResponder[autoResponderSection][forwardAddress]=1' OR '1'='1 |
Other information | The alert may be invalid if the return page contains random changing contents. If it is the case, you may need to perform the check manually for verification. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address/index |
Parameter | POST parameter: redirect[redirectSection][subscribers]=" OR "1"="1 |
Other information | The alert may be invalid if the return page contains random changing contents. If it is the case, you may need to perform the check manually for verification. |
Solution
| Do not trust client-side input even if there is client-side validation. In general: - If the input is numeric, type-check it before use. - If the application uses JDBC, use PreparedStatement or CallableStatement with parameters passed through '?' placeholders. - If the application uses ASP, use ADO Command objects with strong type checking and parameterized queries. - For a PHP application such as this control panel, use PDO or mysqli prepared statements with bound parameters. - If stored procedures or bind variables can be used, use them for passing parameters into the query, and do not concatenate strings into the query inside the stored procedure either. - Never build dynamic SQL by simple string concatenation. - Run the application with the minimum database privilege it needs. This does not eliminate SQL injection but limits its damage: if the application only needs to read one table, grant only that, and avoid 'sa' or 'db_owner' accounts. |
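The solution above is the scanner's generic text (JDBC/ASP). The following is an added example, not part of the ParosPro report and not Plesk's own code, that reproduces the concatenation pattern and its parameterised fix in Python with an in-memory SQLite table standing in for the contacts data. The table, its rows and the function names are constructed for the demonstration; the payloads are the ones the scanner submitted above (1 AND 1=1, 1 OR 1=1, 1' OR '1'='1). It shows why the boolean pair yields different row counts against concatenated SQL and no difference at all against a parameterised query.

```python
"""Vulnerable concatenation vs. parameterised queries, using the payloads from the finding.

Added example: the schema and data are constructed stand-ins, not Plesk's schema.
"""
import sqlite3


def make_demo_db():
    """In-memory stand-in for a contacts table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, company_name TEXT, zip TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (company_name, zip) VALUES (?, ?)",
        [("Acme", "10001"), ("Globex", "94105"), ("Initech", "78701")],
    )
    return conn


# --- vulnerable: query text built by string concatenation -------------------

def contacts_by_zip_vulnerable(conn, zip_code):
    # A quoted string parameter: the payload 1' OR '1'='1 closes the quote,
    # appends an always-true condition, and the trailing quote re-balances it.
    query = "SELECT id, company_name FROM contacts WHERE zip = '" + zip_code + "'"
    return conn.execute(query).fetchall()


def contact_by_id_vulnerable(conn, contact_id):
    # An unquoted numeric parameter: "1 OR 1=1" needs no quote to break out,
    # while "1 AND 1=1" leaves the result unchanged. Differing row counts for
    # that pair is exactly what the scanner's boolean check looks for.
    query = "SELECT id, company_name FROM contacts WHERE id = " + contact_id
    return conn.execute(query).fetchall()


# --- fixed: placeholders for strings, type check for numerics ----------------

def contacts_by_zip_safe(conn, zip_code):
    # The driver sends the value separately; the payload is just a literal
    # that matches no zip code.
    return conn.execute(
        "SELECT id, company_name FROM contacts WHERE zip = ?", (zip_code,)
    ).fetchall()


def contact_by_id_safe(conn, contact_id):
    # Numeric input is type-checked first, then still bound as a parameter.
    if not str(contact_id).isdigit():
        raise ValueError("contact id must be a non-negative integer")
    return conn.execute(
        "SELECT id, company_name FROM contacts WHERE id = ?", (int(contact_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(contacts_by_zip_vulnerable(db, "1' OR '1'='1"))  # every row
    print(contacts_by_zip_safe(db, "1' OR '1'='1"))        # []
    print(contact_by_id_vulnerable(db, "1 AND 1=1"))       # one row
    print(contact_by_id_vulnerable(db, "1 OR 1=1"))        # every row
```

When verifying the finding by hand, send the same true/false pair the scanner used and compare the responses after stripping anything that legitimately changes per request (timestamps, anti-CSRF tokens); a stable difference between the AND and OR variants is the signal, not the mere absence of an error.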
Reference
|
- The OWASP guide at http://www.owasp.org/documentation/guide
- http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
- http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
- For Oracle databases, refer to http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf |
Medium (Warning) | Joomla! Core Design Scriptegrator Local File Inclusion Vulnerability |
Description
| The Core Design Scriptegrator component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. Attackers can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process, which may allow them to compromise the application and the host; other attacks are also possible. This affects Core Design Scriptegrator 1.4.1; other versions may also be affected. Note that the URLs listed below are Plesk control-panel paths (/smb/...), not a Joomla! installation, so this match should be treated as a probable false positive until the response content has been checked manually. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address/edit/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address/edit/id/1/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/externals/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/scripts/components/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/scripts/components/forms/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/user/list/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/user/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/user/details/ |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/user/details/id/ |
Solution
| The vendor has released an update to address this issue. Update Core Design Scriptegrator to version 1.4.2 or above. |
Reference
|
http://www.securityfocus.com/bid/38296
|
Medium (Warning) | Secure page browser cache |
Description
| Pages served over HTTPS can be cached by the browser: no Cache-Control directive is set in the HTTP response headers or in the HTML head, so content could later be recovered from the browser's cache. Note that every URL listed below is a static JavaScript or CSS file served with a cache-busting timestamp in its query string (for example base.css?1297230722); caching those is intended and carries no data of its own. The finding matters for dynamic panel pages that return account data, which are not among the URLs listed here. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/javascript/jsw.js?1301570611 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/skins/default/css/common/base.css?1297230722 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/skins/default/css/common/btns.css?1297230722 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/skins/default/css/common/ie.css?1297230722 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/skins/default/css/customer/custom.css?1297230722 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/skins/default/css/customer/main.css?1297230722 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/externals/prototype.js?1301570628 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/scripts/admin-home.js?1301570628 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/scripts/smb.js?1301570628 |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/scripts/components/forms/emailaddress.js?1301570628 |
Solution
| Set the response headers 'Cache-Control: no-store, no-cache, must-revalidate' and 'Pragma: no-cache' (plus 'Expires: 0' for older clients) on responses that carry sensitive data. The HTML alternative, <META HTTP-EQUIV='Pragma' CONTENT='no-cache'> <META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>, is unreliable: browsers do not honour it consistently and it cannot apply to JavaScript or CSS responses. Note that 'no-cache' alone only forces revalidation before reuse; 'no-store' is the directive that keeps the response out of the cache altogether. |
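Added triage helper, not from the report: given a URL and its response headers, it decides whether a missing Cache-Control directive actually matters, separating versioned static assets like the ones listed above from dynamic panel pages, and distinguishing no-store from a bare no-cache. The sample responses and the hostname panel.example are constructed for the example.

```python
"""Triage the 'Secure page browser cache' finding: does the missing header matter?

Added example; the sample URLs/headers below are constructed, not captured from the scan.
"""
from urllib.parse import urlsplit

# Static assets of the kind the scanner listed (versioned by a query-string timestamp).
STATIC_EXTENSIONS = (".js", ".css", ".png", ".gif", ".jpg", ".ico", ".woff")


def _directives(cache_control):
    """Return the directive names in a Cache-Control value, lower-cased.

    'no-store, max-age=0' -> {'no-store', 'max-age'}
    """
    return {
        part.split("=", 1)[0].strip().lower()
        for part in cache_control.split(",")
        if part.strip()
    }


def is_static_asset(url):
    """True for versioned JS/CSS/image paths, where caching is expected."""
    return urlsplit(url).path.lower().endswith(STATIC_EXTENSIONS)


def assess_caching(url, headers):
    """Return (severity, reason) for one response.

    headers: response header name -> value; names are matched case-insensitively.
    severity is one of 'ok', 'info', 'medium'.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = _directives(lowered.get("cache-control", ""))
    if is_static_asset(url):
        # Versioned static files should be cacheable; no-store here only costs performance.
        return ("ok", "static asset, caching expected")
    if "no-store" in directives:
        return ("ok", "Cache-Control: no-store present")
    if "no-cache" in directives or "private" in directives:
        # no-cache forces revalidation but the entry may still be written to disk.
        return ("info", "revalidation required, but response may still be stored")
    return ("medium", "no Cache-Control on a dynamic panel page")


# Constructed sample responses (hostname panel.example is an assumption).
SAMPLE_RESPONSES = {
    "https://panel.example:8443/skins/default/css/common/base.css?1297230722": {
        "Content-Type": "text/css",
    },
    "https://panel.example:8443/smb/my-profile": {
        "Content-Type": "text/html; charset=UTF-8",
    },
    "https://panel.example:8443/smb/admin-home": {
        "Content-Type": "text/html; charset=UTF-8",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    },
}


def triage(responses=SAMPLE_RESPONSES):
    """Map each URL to its (severity, reason)."""
    return {url: assess_caching(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, (severity, reason) in triage().items():
        print(f"{severity:6} {url}  ({reason})")
```

Only the my-profile page comes out as medium here; the CSS file is accepted as a cacheable static asset and admin-home passes because it carries no-store.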
Reference
|
How to prevent caching in Internet Explorer:
- http://support.microsoft.com/default.aspx?kbid=234067
Note that a "Pragma: No-cache" tag may not prevent web pages from being cached:
- http://support.microsoft.com/default.aspx?kbid=222064 |
Medium (Warning) | Password Autocomplete in browser |
Description
| The AUTOCOMPLETE attribute is not disabled on the HTML FORM/INPUT elements that contain a password-type input, so the browser may store the passwords entered there and offer them again later. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/my-profile |
Other information | The html tags that allow password autocomplete: <input type="password" name="general[account][password]" id="general-account-password" value="" class="input-text" /> |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/my-profile |
Other information | The html tags that allow password autocomplete: <input type="password" name="general[account][passwordConfirmation]" id="general-account-passwordConfirmation" value="" class="input-text" /> |
Solution
| Set AUTOCOMPLETE='OFF' on the form, or on each individual password input, so the browser is not invited to store the credential. Treat this as defence in depth only: current browsers ignore autocomplete='off' on password fields and offer to save the password regardless, so the attribute does not by itself prevent credentials from being stored in the browser. |
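Added example, not from the report: a small html.parser-based audit that finds password inputs whose effective autocomplete setting (the input's own attribute or, failing that, the one on the enclosing form) is not 'off'. The sample markup is the two input elements quoted in the finding above, wrapped in a constructed form, next to a hardened variant with autocomplete='off' on the form.

```python
"""Audit password inputs for the autocomplete setting flagged in the finding above.

Added example; the surrounding <form> in the sample is constructed, only the
<input> elements are the ones quoted in the report.
"""
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Record every <input type="password"> with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self._form_stack = []  # autocomplete value of each currently open <form>
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # Attribute values may be None for bare attributes; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete", "").strip().lower())
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            own = a.get("autocomplete", "").strip().lower()
            inherited = self._form_stack[-1] if self._form_stack else ""
            effective = own or inherited
            self.fields.append({
                "name": a.get("name", ""),
                "autocomplete": effective,
                # The scanner's criterion: anything other than "off" leaves autocomplete enabled.
                # (Modern browsers ignore "off" on password fields anyway; see the Solution.)
                "allows_autocomplete": effective != "off",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit_password_fields(html):
    """Return one dict per password input found in the markup."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.fields


def flagged_names(html):
    """Names of the password inputs the scanner would report."""
    return [f["name"] for f in audit_password_fields(html) if f["allows_autocomplete"]]


# The <input> elements quoted in the finding, inside a constructed <form>.
REPORTED_FORM = """
<form method="post" action="/smb/my-profile">
<input type="password" name="general[account][password]" id="general-account-password" value="" class="input-text" />
<input type="password" name="general[account][passwordConfirmation]" id="general-account-passwordConfirmation" value="" class="input-text" />
</form>
"""

# Hardened variant: autocomplete="off" on the form is inherited by both inputs.
HARDENED_FORM = REPORTED_FORM.replace(
    '<form method="post"', '<form method="post" autocomplete="off"'
)

if __name__ == "__main__":
    print("reported form flags:", flagged_names(REPORTED_FORM))
    print("hardened form flags:", flagged_names(HARDENED_FORM))
```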
Reference
|
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp
|
Medium (Suspicious) | IBM WebSphere default files |
Description
| IBM WebSphere 4.0/5.0 example files appear to be present. The only match is /admin/logon.jsp on a host whose server banner is sw-cp-server (the Plesk control-panel web server), not WebSphere, so this is a path-name match: confirm from the actual response body that a WebSphere sample page is returned, rather than a Plesk page or a generic response for an unknown path, before reporting it. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/admin/logon.jsp |
Solution
| Remove example files. |
Reference
|
Nil
|
Medium (Suspicious) | BEA WebLogic example files |
Description
| BEA WebLogic Server 8.1 example files appear to be present. As with the WebSphere alert, the match is /admin/login.do on a Plesk host (server banner sw-cp-server), so confirm from the response body that a WebLogic sample page is actually served before reporting it. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/admin/login.do |
Solution
| Remove example files. |
Reference
|
Nil
|
Low (Warning) | Obsolete file |
Description
| Miscellaneous include, backup, unused or obsolete files may exist as indicated. If these files contain program source, information such as server logic or ODBC/JDBC user IDs and passwords may be revealed, since the web server may not process these extensions and will serve the raw file. The names below are the scanner's guesses derived from the discovered paths; confirm each by requesting it directly and checking that the response differs from the panel's default or error page. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/admin-home |
Other information | The obsolete files that may be on the server: admin-home.old, admin-home.bak, admin-home.inc |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/email-address |
Other information | The obsolete files that may be on the server: email-address.old, email-address.bak, email-address.inc |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/my-profile |
Other information | The obsolete files that may be on the server: my-profile.old, my-profile.bak, my-profile.inc |
Solution
| Remove backup, unused or obsolete files. For include files, carefully choose the suffix to prevent information disclosure. |
Reference
|
Nil
|
Informational (Warning) | Server banner disclosure |
Description
| Server banner found. |
URL | https://Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6:8443/smb/admin-home |
Other information | Server Banner: sw-cp-server |
Solution
| The banner observed here (sw-cp-server) carries no version number, so only the product family is disclosed; suppress or genericise the Server header where the control-panel web server's configuration allows it. |
Reference
|
Nil
|