After the scan from ScanAlert there are some issues that has to be fixed for me
to meet the Mandatory PCI Security Standard from Visa and MasterCard.
Description
Your Web server appears to support the TRACE and/or TRACK methods.
It has been shown that servers supporting these methods are subject to
cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing'.
General Solution
Block the TRACE, TRACK, or both methods in your Web server.
_______________________________________________
The remote host appears to have 10 or more open ports.
This is potentially very dangerous and typically indicates that there is no
firewall, or that the firewall has been mis-configured. Given the plethora of
attacks available against many different systems, it is imperative that a good
firewall policy be in place, as it will prevent most exploits from taking
place.
If a firewall is in place, review all open ports and the services running on
them to ensure they are valid. After verifying the ports, you can mark this
vulnerability as resolved.
# Linux:< /b>
# Depending on kernel configuration ipchains or iptables should be enabled and
port filtering configured to allow public access only to ports requiring it.
____________________________________________________
Description
The remote SSH daemon supports connections made using the version 1.33 and/or
1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be
supported.
General Solution
OpenSSH
Set the option 'Protocol' to '2'
To do this edit the sshd_config file, typically /etc/ssh/sshd_config
Add, uncomment, or change the Protocol to 2.
Restart sshd, typically /etc/rc.d/init.d/sshd restart
SSH.com
Set the option 'Ssh1Compatibility' to 'no'
SSH 1 should never be used in a production environment.
_______________________________________________________
Description
The remote name server appears to allow recursive queries.
This means it allows anyone to use it to resolve third parties names (such as
www.scanalert.com). If you are not an ISP you should not provide public DNS
resolution as this allows hackers to do cache poisoning attacks against this
nameserver.
Note: This may be a "false positive" for one of the following
reasons:
# We were unable to conclusively test for this vulnerability remotely, but
based on this device's fingerprint it is possible that it exists.
# When checking for a specific file or response we received a redirect or other
response that was inconclusive.
We suggest you manually check for its existence by confirming appropriate
patches are installed or file redirections, etc. are proper. Then mark this as
"Resolved" below if the vulnerability does not exist.
General Solution
Restrict recursive queries to only the hosts that should use this nameserver
(such as those of the LAN connected to it).
If you are using bind 8, you can do this by adding the following to your
named.conf file options section:
options {
/* other options in your config */
recursion no;
fetch-glue no;
};
If you are using another name server, consult its documentation.
_____________________________________________________
Description
Oracle Web Listener for NT makes use of various batch files as cgi scripts,
which are stored in the /ows-bin/ directory by default.
Any of these batch files can be used to run arbitrary commands on the server,
simply by appending '?&' and a command to the filename. The command will be
run at the SYSTEM level. The name of a batch file is not even neccessary, as it
will translate the '*' character and apply the appended string to every batch
file in the directory. Moreover, UNC paths can be used to cause the server to
download and execute remote code.
General Solution
Workaround:
Remove the ows-bin virtual directory or verify that there are no batch files in
the directory it points to.
_________________________________________________
Description
The remote DNS server answers to queries for third party domains which do not
have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been
resolved via this name server, and therefore which hosts have been recently
visited.
For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would be able
to use this attack to build a statistical model regarding company usage of
aforementioned financial institution. Of course, the attack can also be used to
find B2B partners, web-surfing patterns, external mail servers, and more...
For a much more detailed discussion of the potential risks of allowing DNS
cache information to be queried anonymously, see the links.
General Solution
Restrict access to your DNS server to local users and child servers.
____________________________________________________
Description
Perl, sh, csh, or other shell interpreters are installed in the cgi-bin
directory on a WWW site, which allows remote attackers to execute arbitrary
commands with the privileges of the HTTP server (usually root, or nobody).
General Solution
Perform one of the following:
Remove the mentioned script from your cgi-bin directory.
Check the script vendor's site for a patched version of the script.
Create an ACL rule to block public access to this url.
___________________________________________________
Description
This test attempts to identify the Operating System type and version by sending
modified ICMP requests using the techniques outlined in Ofir Arkin's paper 'ICMP
Usage In Scanning'.
An attacker may use this technique to try and identify the remote operating
system.
General Solution
Block ICMP requests.
No solution is required as this is a low level vulnerability.
______________________________________________________
Description
We were able to determine which versions of the SSH protocol the remote SSH
daemon supports.
This gives potential attackers additional information about the system they are
attacking.
