The Community Forums


Nikto Scan on WHM: Outdated software

Discussion in 'Security' started by sOliver, Nov 28, 2010.

  1. sOliver

    sOliver Active Member

    Hi,

    I did a few scans on some WHM servers and noticed that it lists quite a lot of vulnerabilities on a default install. The most important are that Apache and OpenSSL are out of date.

    Apache 2.2.15 has some vulnerabilities that allow attackers to crash a server.

    Is there any document or guide to update apache on WHM to httpd-2.2.3-43.el5.centos.3 ? I know it's not supported, just wondering.

    I also was wondering how it is possible that nikto finds software on a server like phpnuke, solaris, etc. although those files shouldn't even be accessible? Keep in mind, it was a default WHM installation.

    You all should run a nikto test, that tool finds some pretty interesting stuff on WHM servers.

    Thanks,
    Oliver
     
  2. syslint

    syslint Well-Known Member

    Hello,
    It is possible to upgrade Apache to 2.2.17 with EasyApache. You can also upgrade OpenSSL from source; if you are going to do so, make sure to also upgrade OpenSSH, BIND, curl, Apache, etc.

    A lot of packages need OpenSSL. I hope you are scanning for PCI DSS.
     
  3. JeffP.

    JeffP. Well-Known Member

    Hi Oliver,

    Apache 2.2.17 is currently available in EasyApache.

    In regards to OpenSSL, it may be that Nikto is looking only at the version number (such as 0.9.8e-12.el5_4.6) but not taking into consideration that some vendors backport patches without increasing the main version number. In other words, OpenSSL 0.9.8e-12.el5_4.6 in CentOS is not the same as 0.9.8e from openssl.org. You can see this by going here [openssl.org] and observing the date:

    Code:
    3341665 Feb 23 13:58:19 2007 openssl-0.9.8e.tar.gz (MD5) (SHA1) (PGP sign)
    while comparing with the last time OpenSSL was updated on your server:

    Code:
    # rpm -q --last openssl
    openssl-0.9.8e-12.el5_4.6                     Fri 01 Oct 2010 01:26:28 PM EDT
    
    You can also see which CVEs have been fixed in the OpenSSL package you have installed by using this command:

    Code:
    # rpm -q --changelog openssl | less

    Those are false positives. In other words, Nikto erroneously thinks that it has found phpnuke and other things that don't exist on a default installation of cPanel. This can be verified by doing the following:

    In one terminal, as root, log all TCP traffic on the loopback interface on port 80 to a file called nikto.scan:

    Code:
    # tcpdump -Annvvs 1500 -i lo port 80 >> nikto.scan
    Then, in another terminal as a regular user, run Nikto against localhost:

    Code:
    $ ./nikto.pl -host 127.0.0.1
    Note: when the scan finishes, hit ctrl+c to stop tcpdump from logging.

    In the terminal where Nikto was run, you may see a line like this:

    Code:
    + /search.php?searchfor=\"><script>alert('Vulnerable');</script>: Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
    If you search the nikto.scan log for this:

    Code:
    search.php?searchfor=
    you can see the request that Nikto sent:

    Code:
    GET /search.php?searchfor=\"><script>alert('Vulnerable');</script> HTTP/1.1
    User-Agent: Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:000798)
    Connection: Keep-Alive
    Host: localhost.localdomain
    
    and just below it you can see the reply:

    Code:
    HTTP/1.1 404 Not Found
    Date: Tue, 30 Nov 2010 05:07:01 GMT
    Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_jk/1.2.30
    Accept-Ranges: bytes
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    
    1
    
    
    1
    
    
    95
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
      <head>
        <title>
    
    (extra output intentionally omitted for brevity)
    
    

    Note the "404 Not Found" near the top of the response, indicating that the file "search.php" does not exist. Therefore the request is invalid. I'm not sure why Nikto flags this as an issue. If in doubt, just browse to the following URL:

    http://example.com/search.php?searchfor=\"><script>alert('Vulnerable');</script>

    Note: replace "example.com" with the hostname or IP address of your server.

    My server displays the following message:

    Code:
    Not Found
    
    The requested URL /search.php was not found on this server.
    
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_jk/1.2.30 Server at example.com Port 80
    
    This is also the case for the other php and asp files Nikto believes exist, such as:

    • /phpimageview.php
    • /myphpnuke/links.php
    • /modules.php
    • /members.asp
    • /forum_members.asp
     
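The manual check above (capture the request, read the status code, browse to the URL) can be scripted so that every path Nikto reports is re-requested and classed by what the server actually answers. The script below is an added example for this thread, not Nikto's or cPanel's code. The Nikto output lines it parses are constructed (the first path is the one quoted above, the descriptions of the others are placeholders, and /index.html is included only to exercise the "file really exists" branch), and the small HTTP server is a stand-in for Apache so the whole thing runs offline; pointing recheck() at a real host and port is the intended use. It also handles the one case where the status code cannot be trusted: a server that answers 200 for every path (a catch-all rewrite or misconfigured ErrorDocument), which it detects by fetching a random path first and comparing bodies.

```python
"""Re-check each path Nikto reports against the web server instead of
trusting the scanner's signature match.  Added example for this thread;
not Nikto's or cPanel's code.  FakeApache stands in for the real server
so the script runs offline; use recheck() against a real host/port."""
import http.client
import re
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of Nikto's "+ <path>: <description>" output lines.
# /search.php is the finding quoted in the thread; the other descriptions
# are placeholders; /index.html is served by the fake server on purpose.
NIKTO_OUTPUT = r"""
+ /search.php?searchfor=\"><script>alert('Vulnerable');</script>: Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS).
+ /phpimageview.php: (constructed description)
+ /myphpnuke/links.php: (constructed description)
+ /members.asp: (constructed description)
+ /index.html: (constructed description)
"""

# The path never contains whitespace, so take the shortest run of
# non-space characters that is followed by ": " (the XSS payload above
# contains no ": ", so the split lands after </script>).
FINDING_RE = re.compile(r"^\+ (/\S*?): ")

NOT_FOUND_BODY = (b"<html><head><title>404 Not Found</title></head>"
                  b"<body><h1>Not Found</h1><p>The requested URL was not"
                  b" found on this server.</p></body></html>")


class FakeApache(BaseHTTPRequestHandler):
    """Stand-in for the cPanel Apache: one real page, everything else missing."""
    served = {"/index.html"}
    missing_status = 404     # a "soft 404" server would send 200 here instead

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path in self.served:
            status, body = 200, b"<html><body>default web page</body></html>"
        else:
            status, body = self.missing_status, NOT_FOUND_BODY
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo output quiet
        pass


class SoftFakeApache(FakeApache):
    """Server that answers 200 for missing files (catch-all rewrite / ErrorDocument)."""
    missing_status = 200


def start_server(handler=FakeApache):
    srv = HTTPServer(("127.0.0.1", 0), handler)      # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def parse_findings(nikto_text):
    """Return the request paths from Nikto's '+ /path: description' lines."""
    return [m.group(1) for m in map(FINDING_RE.match, nikto_text.splitlines()) if m]


def fetch(host, port, path):
    """GET the path exactly as Nikto sent it (no re-encoding); return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def recheck(nikto_text, host, port):
    """Map each reported path to (status, verdict).

    404 means the file is not there.  If a random path does NOT get a 404
    the server is a soft-404 server, so fall back to comparing each body
    with the body returned for the random path."""
    base_status, base_body = fetch(host, port, "/" + secrets.token_hex(8) + ".php")
    soft_404 = base_status != 404
    results = {}
    for path in parse_findings(nikto_text):
        status, body = fetch(host, port, path)
        if status == 404 or (soft_404 and body == base_body):
            verdict = "false positive: no such file on the server"
        else:
            verdict = "needs review: server returned content for this path"
        results[path] = (status, verdict)
    return results


if __name__ == "__main__":
    srv = start_server()
    for path, (status, verdict) in recheck(NIKTO_OUTPUT, "127.0.0.1", srv.server_address[1]).items():
        print(f"{status} {verdict:58} {path}")
    srv.shutdown()
```

Against the fake server every path except /index.html comes back 404 and is marked a false positive, which is the result the thread reports for the default cPanel install. Against a soft-404 server the status codes are all 200, and only the body comparison with the random baseline path separates the missing files from the real one. When the error page embeds the requested URL (as the cPanel 404 page quoted above does), compare the bodies after stripping the path rather than byte for byte.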