From: Georgi L. <g....@we...> - 2005-10-08 09:41:08
Hey, all

Yesterday I did a thorough Nessus scan on a second box of mine, running Debian 3.0 with the latest updates and Webmin 1.230 (I installed some older version through apt-get first, then updated it through the Webmin interface). This is what Nessus found:

---
Vulnerability snet-sensor-mgmt (10000/tcp)

The remote web server crashes when it receives a too long URL.
It might be possible to make it execute arbitrary code through this flaw.

Solution : Contact your vendor for a patch
Risk factor : High
Solution : Upgrade your web server.
CVE : CVE-2000-0002, CVE-2000-0065, CAN-2001-1250, CAN-2003-0833
BID : 2979, 1423, 6994, 7067, 7280, 8726, 889
Nessus ID : 10320

---
Vulnerability snet-sensor-mgmt (10000/tcp)

The remote web server seems to be vulnerable to a format string attack on HTTP 1.0 header value.
An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Solution : upgrade your software or contact your vendor and inform him of this vulnerability
Risk factor : High
Nessus ID : 15642

---
Vulnerability snet-sensor-mgmt (10000/tcp)

The remote web server seems to be vulnerable to a format string attack on the URI.
An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Solution : upgrade your software or contact your vendor and inform him of this vulnerability
Risk factor : High
Nessus ID : 15640

---
Warning snet-sensor-mgmt (10000/tcp)

The remote host appears to be running a version of Apache 2.x which is older than 2.0.46

This version is vulnerable to various flaws :
- There is a denial of service vulnerability which may allow an attacker to disable basic authentication on this host
- There is a denial of service vulnerability in the mod_dav module which may allow an attacker to crash this service remotely

Solution : Upgrade to version 2.0.46
See also : http://www.apache.org/dist/httpd/CHANGES_2.0
Risk factor : Medium
CVE : CAN-2003-0245, CAN-2003-0189
BID : 7723, 7725
Other references : RHSA:RHSA-2003:186-01
Nessus ID : 11665
-----------------------------------------------

Can anyone confirm this?

Regards
Georgi Lipov
From: Craig W. <cra...@az...> - 2005-10-08 12:58:15
On Sat, 2005-10-08 at 11:40 +0200, Georgi Lipov wrote:
> Hey, all
>
> Yesterday I did a thorough nessus scan on a second box of mine, running
> Debian 3.0 with the latest updates and Webmin 1.230 (I installed some
> older version through apt-get first, then updated it through the webmin
> interface.) This is what nessus found:
>
> Can anyone confirm this?
----
According to IANA, the Webmin default port 10000 got registered to the people that make the NetApp filer.

http://www.iana.org/assignments/port-numbers

This isn't the same as Webmin, so Nessus isn't really identifying Webmin as running on port 10000 - which is made all the more obvious by its thinking that it is running Apache web server < 2.0.46 (which itself seems a little old unless it's RHEL 3 backported patches ad infinitum).

Not sure what you wish confirmed - that Nessus didn't identify Webmin? That it's running Apache web server 2.0.46 or greater (it's not running Apache web server at all)? Or that long URLs are gonna crash it (don't think so - Jamie?)

Craig

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From: Georgi L. <g....@we...> - 2005-10-08 17:24:38
On Sat, 2005-10-08 at 05:57 -0700, Craig White wrote:
> according to IANA the webmin default port 10000 got registered to the
> people that make the netapp filer.
>
> http://www.iana.org/assignments/port-numbers
>
> This isn't the same as Webmin so Nessus isn't really identifying
> Webmin as running on port 10000

Things probably would have been clearer if I had pasted the whole log (which I'm doing now - see below for the second half). Actually Nessus is identifying Webmin correctly as well as MiniServ, and it is also going a little further in trying to determine the type of service than just looking at a list of well known ports (using plugins for system fingerprinting, protocol analysis, etc.). So basically the fingerprinting plugin confuses miniserv's with Apache's behaviour, while the one looking at the Server header gets it right. However I don't think this influences the plugins that reported the vulnerabilities; the way I see it they run independently from the web server type/version.

On Sat, 2005-10-08 at 23:56 +1000, Jamie Cameron wrote:
> Hi Georgi,
> Nessus has always reported a bunch of incorrect vulnerabilities when scanning Webmin. To my understanding, it assumes that because Webmin does not respond with a normal HTTP error to certain requests that it uses to check for vulnerabilities, that those vulnerabilities exist.
>
> In reality, Webmin doesn't have any of the security problems that nessus reports - they are all only relevant to other programs.
>
> - Jamie
>

If you're sure about that, I guess it might be a good idea to drop the Nessus guys a mail, so they can look into the respective plugins.

Georgi

----------------------------------------------------------------------
Informational snet-sensor-mgmt (10000/tcp)

Nmap has identified this service as Webmin httpd
Nessus ID : 14259

---
Informational snet-sensor-mgmt (10000/tcp)

A SSLv2 server answered on this port
Nessus ID : 10330

---
Informational snet-sensor-mgmt (10000/tcp)

A web server is running on this port through SSL
Nessus ID : 10330

---
Informational snet-sensor-mgmt (10000/tcp)

The remote web server type is : MiniServ/0.01

Solution : We recommend that you configure (if possible) your web server to return a bogus Server header in order to not leak information.
Nessus ID : 10107

---
Informational snet-sensor-mgmt (10000/tcp)

Here is the SSLv2 server certificate:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Webmin Software, CN=*
        Validity
            Not Before: Jan  3 10:34:50 1998 GMT
            Not After : Oct  3 10:34:50 2007 GMT
        Subject: O=Webmin Software, CN=*
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d6:91:05:5e:d7:e8:35:94:6d:39:bc:28:18:e3:
                    1f:1e:02:00:75:52:40:29:9e:8b:c4:08:c2:bb:95:
                    3e:78:30:3a:41:21:b2:0c:df:21:3d:48:63:a8:f2:
                    63:74:0c:e9:ae:00:4a:5e:f1:a2:4a:32:e5:4e:10:
                    67:c1:3f:ab:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        14:2a:18:78:b9:56:70:29:69:bf:6b:12:73:bc:c8:72:1b:0c:
        47:70:ca:78:7f:ce:d5:9b:5f:11:ec:f3:91:aa:27:ad:ee:fc:
        1d:e6:15:c1:24:2f:ba:85:65:79:be:c0:e3:de:d3:15:c4:81:
        eb:e1:4e:37:a6:b3:a1:5a:8f:c9

Here is the list of available SSLv2 ciphers:
  RC4-MD5
  EXP-RC4-MD5
  RC2-CBC-MD5
  EXP-RC2-CBC-MD5
  DES-CBC-MD5
  DES-CBC3-MD5
  RC4-64-MD5

The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite

This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
Nessus ID : 10863

---
Informational snet-sensor-mgmt (10000/tcp)

The SSL certificate of the remote service is not valid before 980103103450Z!
Nessus ID : 15901
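The false-positive mechanism Jamie describes above (a plugin sends an oversized URL or a format-string probe and treats the absence of a normal HTTP error as evidence of a vulnerability) can be reproduced locally. The following is an added example written for this archive page; it is not Nessus plugin code and not Webmin's miniserv. It starts two constructed loopback HTTP servers: `polite_server` answers odd requests with a proper status line, while `abrupt_server` simply closes the connection without one, standing in for the behaviour attributed to miniserv. A naive "no status line means vulnerable" verdict flags the abrupt server; a more careful verdict that re-probes the service afterwards does not. The probe strings, server behaviours, port choice and verdict rules are all assumptions made for the illustration.

```python
# Added example: reproducing a scanner false positive on a server that drops
# odd requests without an HTTP status line. Servers, probes and verdict rules
# are constructed for illustration; this is neither Nessus nor Webmin code.
import re
import socket
import threading

LONG_URL = "/" + "A" * 4096          # stands in for a "too long URL" probe (assumption)
FORMAT_URL = "/%s%s%s%s%n%n%n%n"     # stands in for a format-string probe on the URI (assumption)
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")
OK = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
BAD = b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def _is_unusual(request):
    return len(request) > 1024 or "%n" in request


def polite_server(conn, request):
    """Constructed server: every request, however odd, gets a status line."""
    conn.sendall(BAD if _is_unusual(request) else OK)


def abrupt_server(conn, request):
    """Constructed server: odd requests are dropped with no status line at all."""
    if not _is_unusual(request):
        conn.sendall(OK)


def _read_request(conn):
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(65536)
        if not chunk:
            break
        data += chunk
    return data.decode("latin-1")


def start_server(handler):
    """Serve `handler` on an ephemeral loopback port; returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listening socket closed by run_checks()
                return
            with conn:               # closing here is what yields the "no answer"
                conn.settimeout(2)
                try:
                    handler(conn, _read_request(conn))
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv, port


def probe(port, path):
    """Send one HTTP/1.0 request and return whatever the server sent back."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: localhost\r\n\r\n".encode("ascii"))
        data = b""
        try:
            while chunk := s.recv(4096):
                data += chunk
        except OSError:              # timeout or reset both count as "no answer"
            pass
    return data.decode("latin-1")


def naive_verdict(response):
    """Assumed plugin-style heuristic: no normal HTTP status line => flagged."""
    return STATUS_LINE.match(response) is None


def cautious_verdict(port, response):
    """Flag only if the service also fails to answer a plain request afterwards."""
    if STATUS_LINE.match(response):
        return False
    follow_up = STATUS_LINE.match(probe(port, "/"))
    return follow_up is None or follow_up.group(1) != "200"


def run_checks(handler):
    """Return {probe_name: (naive_flagged, cautious_flagged)} for one server type."""
    srv, port = start_server(handler)
    try:
        results = {}
        for name, path in (("long_url", LONG_URL), ("format_string", FORMAT_URL)):
            response = probe(port, path)
            results[name] = (naive_verdict(response), cautious_verdict(port, response))
        return results
    finally:
        srv.close()


if __name__ == "__main__":
    for handler in (polite_server, abrupt_server):
        print(handler.__name__, run_checks(handler))
```

Against `abrupt_server` the naive verdict reports both probes as hits even though the service is still answering normal requests a moment later, which is the pattern the thread is describing; the cautious verdict stays quiet for both servers. When triaging a scanner report on a non-standard HTTP daemon such as miniserv, re-probing the service after the "crash" probe is the quickest way to tell a closed connection from an actual fault.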