Scan Report
June 17, 2025
Summary
This document reports on the results of an automatic security scan. All dates are displayed
using the timezone Coordinated Universal Time, which is abbreviated UTC. The
task was Immediate scan of IP 192.168.0.146. The scan started at Tue Jun 17 17:44:29
2025 UTC and ended at Tue Jun 17 17:56:40 2025 UTC. The report first summarises the
results found. Then, for each host, the report describes every issue found. Please consider
the advice given in each description, in order to rectify the issue.
Contents
1 Result Overview
2 Results per Host
2.1 192.168.0.146
2.1.1 High 80/tcp
2.1.2 Medium 80/tcp
2.1.3 Low general/tcp
2.1.4 Low general/icmp
2.1.5 Low 22/tcp
1 Result Overview
Host High Medium Low Log False Positive
192.168.0.146 1 2 3 0 0
Total: 1 1 2 3 0 0
Vendor security updates are not trusted.
Overrides are off. Even when a result has an override, this report uses the actual threat of the
result.
Information on overrides is included in the report.
Notes are included in the report.
This report might not show details of all issues that were found.
Issues with the threat level Log are not shown.
Issues with the threat level Debug are not shown.
Issues with the threat level False Positive are not shown.
Only results with a minimum QoD of 70 are shown.
This report contains all 6 results selected by the filtering described above. Before filtering there
were 111 results.
2 Results per Host
2.1 192.168.0.146
Host scan start Tue Jun 17 17:45:21 2025 UTC
Host scan end Tue Jun 17 17:56:34 2025 UTC
Service (Port) Threat Level
80/tcp High
80/tcp Medium
general/tcp Low
general/icmp Low
22/tcp Low
2.1.1 High 80/tcp
High (CVSS: 9.8)
NVT: Drupal Core Critical RCE Vulnerability (SA-CORE-2018-002) - Active Check
Summary
Drupal is prone to a critical remote code execution (RCE) vulnerability.
Quality of Detection (QoD): 98%
Vulnerability Detection Result
By doing the following subsequent requests:
Req 1: "HTTP POST" body : form_id=user_pass&_triggering_element_name=name
Req 1: URL : http://192.168.0.146/drupal/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=printf&name%5B%23markup%5D=ESbU7peosfjee9pa&name%5B%23typ
Req 2: "HTTP POST" body : form_build_id=form-Zu7IphQwM-wd2iAt_EZPA6FTxKn_vZmqxPYTUWV1CRU
Req 2: URL : http://192.168.0.146/drupal/?q=file%2Fajax%2Fname%2F%23value%2Fform-Zu7IphQwM-wd2iAt_EZPA6FTxKn_vZmqxPYTUWV1CRU
it was possible to execute the "printf" command to return the data "ESbU7peosfjee9pa".
Impact
Successful exploitation will allow remote attackers to execute arbitrary code and completely
compromise the site.
Solution:
Solution type: VendorFix
Update to version 7.58, 8.3.9, 8.4.6, 8.5.1 or later. Please see the referenced links for available
updates.
Affected Software/OS
Drupal core versions 6.x and prior, 7.x prior to 7.58, 8.2.x and prior, 8.3.x prior to 8.3.9, 8.4.x
prior to 8.4.6 and 8.5.x prior to 8.5.1.
Vulnerability Insight
The flaw exists within multiple subsystems of Drupal. This potentially allows attackers to
exploit multiple attack vectors on a Drupal site, which could result in the site being completely
compromised.
Vulnerability Detection Method
Sends a crafted HTTP POST request and checks the response.
Details: Drupal Core Critical RCE Vulnerability (SA-CORE-2018-002) - Active Check
OID:1.3.6.1.4.1.25623.1.0.108438
Version used: 2025-03-18T05:38:50Z
References
cve: CVE-2018-7600
url: https://www.drupal.org/psa-2018-001
url: https://www.drupal.org/sa-core-2018-002
url: https://www.drupal.org/project/drupal/releases/7.58
url: https://www.drupal.org/project/drupal/releases/8.3.9
url: https://www.drupal.org/project/drupal/releases/8.4.6
url: https://www.drupal.org/project/drupal/releases/8.5.1
url: https://research.checkpoint.com/uncovering-drupalgeddon-2/
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
cisa: Known Exploited Vulnerability (KEV) catalog
cert-bund: CB-K18/0548
dfn-cert: DFN-CERT-2019-0393
dfn-cert: DFN-CERT-2018-0594
2.1.2 Medium 80/tcp
Medium (CVSS: 5.0)
NVT: Sensitive File Disclosure (HTTP)
Summary
The script attempts to identify files containing sensitive data at the remote web server.
Quality of Detection (QoD): 70%
Vulnerability Detection Result
The following files containing sensitive information were identified:
Description: Microsoft IIS / ASP.NET Core Module web.config file accessible. This could contain sensitive information about the structure of the application / web server and shouldn't be accessible.
Match: <configuration>
<system.webServer>
Used regex: ^\s*<(configuration|system\.web(Server)?)>
Extra match 1: </system.webServer>
</configuration>
Used regex: ^\s*</(configuration|system\.web(Server)?)>
URL: http://192.168.0.146/drupal/web.config
Impact
Based on the information provided in these files an attacker might be able to gather additional
info and/or sensitive data like usernames and passwords.
Solution:
Solution type: Mitigation
The sensitive files shouldn't be accessible via a web server. Restrict access to them or remove them
completely.
Vulnerability Insight
Currently the script is checking for files like e.g.:
- Software (Blog, CMS) configuration or log files
- Web / application server configuration / password files (.htaccess, .htpasswd, web.config,
web.xml, ...)
- Cloud (e.g. AWS) configuration files
- Files containing API keys for services / providers
- Database backup files
- Editor / history files
- SSH or SSL/TLS Private Keys
- CVE-2017-16894: Laravel framework environment/.env files
Vulnerability Detection Method
Enumerate the remote web server and check if sensitive files are accessible.
Details: Sensitive File Disclosure (HTTP)
OID:1.3.6.1.4.1.25623.1.0.107305
Version used: 2025-03-25T05:38:56Z
References
cve: CVE-2017-16894
Medium (CVSS: 4.8)
NVT: Cleartext Transmission of Sensitive Information via HTTP
Summary
The host / application transmits sensitive information (username, passwords) in cleartext via
HTTP.
Quality of Detection (QoD): 80%
Vulnerability Detection Result
The following input fields were identified (URL:input name):
http://192.168.0.146/drupal/:pass
http://192.168.0.146/drupal/?D=A:pass
Impact
An attacker could use this situation to compromise or eavesdrop on the HTTP communication
between the client and the server using a man-in-the-middle attack to get access to sensitive data
like usernames or passwords.
Solution:
Solution type: Workaround
Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally
make sure the host / application is redirecting all users to the secured SSL/TLS connection
before allowing them to input sensitive data into the mentioned functions.
Affected Software/OS
Hosts / applications which don't enforce the transmission of sensitive data via an encrypted
SSL/TLS connection.
Vulnerability Detection Method
Evaluate previously collected information and check if the host / application is not enforcing the
transmission of sensitive data via an encrypted SSL/TLS connection.
The script is currently checking the following:
- HTTP Basic Authentication (Basic Auth)
- HTTP Forms (e.g. Login) with input field of type 'password'
Details: Cleartext Transmission of Sensitive Information via HTTP
OID:1.3.6.1.4.1.25623.1.0.108440
Version used: 2023-09-07T05:05:21Z
References
url: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
url: https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
url: https://cwe.mitre.org/data/definitions/319.html
2.1.3 Low general/tcp
Low (CVSS: 2.6)
NVT: TCP Timestamps Information Disclosure
Summary
The remote host implements TCP timestamps and therefore allows the uptime to be computed.
Quality of Detection (QoD): 80%
Vulnerability Detection Result
It was detected that the host implements RFC1323/RFC7323.
The following timestamps were retrieved with a delay of 1 second in-between:
Packet 1: 1818424
Packet 2: 1818690
Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Solution:
Solution type: Mitigation
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.
Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled.
The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options
when initiating TCP connections, but use them if the TCP peer that is initiating communication
includes them in their synchronize (SYN) segment.
See the references for more information.
Affected Software/OS
TCP implementations that implement RFC1323/RFC7323.
Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323/RFC7323.
Vulnerability Detection Method
Special IP packets are forged and sent with a little delay in between to the target IP. The
responses are searched for timestamps. If found, the timestamps are reported.
Details: TCP Timestamps Information Disclosure
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: 2023-12-15T16:10:08Z
References
url: https://datatracker.ietf.org/doc/html/rfc1323
url: https://datatracker.ietf.org/doc/html/rfc7323
url: https://web.archive.org/web/20151213072445/http://www.microsoft.com/en-us/download/details.aspx?id=9152
url: https://www.fortiguard.com/psirt/FG-IR-16-090
2.1.4 Low general/icmp
Low (CVSS: 2.1)
NVT: ICMP Timestamp Reply Information Disclosure
Summary
The remote host responded to an ICMP timestamp request.
Quality of Detection (QoD): 80%
Vulnerability Detection Result
The following response / ICMP packet has been received:
- ICMP Type: 14
- ICMP Code: 0
Impact
This information could theoretically be used to exploit weak time-based random number generators
in other services.
Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a firewall, and block ICMP packets passing through the firewall in
either direction (either completely or only for untrusted networks)
Vulnerability Insight
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists
of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp
and a transmit timestamp.
Vulnerability Detection Method
Sends an ICMP Timestamp (Type 13) request and checks if a Timestamp Reply (Type 14) is
received.
Details: ICMP Timestamp Reply Information Disclosure
OID:1.3.6.1.4.1.25623.1.0.103190
Version used: 2025-01-21T05:37:33Z
References
cve: CVE-1999-0524
url: https://datatracker.ietf.org/doc/html/rfc792
url: https://datatracker.ietf.org/doc/html/rfc2780
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658
2.1.5 Low 22/tcp
Low (CVSS: 2.6)
NVT: Weak MAC Algorithm(s) Supported (SSH)
Product detection result
cpe:/a:ietf:secure_shell_protocol
Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565)
Summary
The remote SSH server is configured to allow / support weak MAC algorithm(s).
Quality of Detection (QoD): 80%
Vulnerability Detection Result
The remote SSH server supports the following weak client-to-server MAC algorithm(s):
[email protected]
[email protected]
The remote SSH server supports the following weak server-to-client MAC algorithm(s):
[email protected]
[email protected]
Solution:
Solution type: Mitigation
Disable the reported weak MAC algorithm(s).
Vulnerability Detection Method
Checks the supported MAC algorithms (client-to-server and server-to-client) of the remote SSH
server.
Currently weak MAC algorithms are defined as the following:
- MD5 based algorithms
- 96-bit based algorithms
- 64-bit based algorithms
- 'none' algorithm
Details: Weak MAC Algorithm(s) Supported (SSH)
OID:1.3.6.1.4.1.25623.1.0.105610
Version used: 2024-06-14T05:05:48Z
Product Detection Result
Product: cpe:/a:ietf:secure_shell_protocol
Method: SSH Protocol Algorithms Supported
OID: 1.3.6.1.4.1.25623.1.0.105565
References
url: https://www.rfc-editor.org/rfc/rfc6668
url: https://www.rfc-editor.org/rfc/rfc4253#section-6.4
This file was automatically generated.