5 October, 2015
Developer Report
Scan information
Start time 05/10/2015 18:38:36
Finish time 05/10/2015 18:44:26
Scan time 5 minutes, 50 seconds
Profile Default
Server information
Responsive True
Server banner Apache/2.2.15 (CentOS)
Server OS Unix
Server technologies PHP
Threat level
Acunetix Threat Level 2
One or more medium-severity type vulnerabilities have been discovered by the scanner.
You should investigate each of these vulnerabilities to ensure they will not escalate to
more severe problems.
Alerts distribution
Knowledge base
Top 10 response times
The files listed below had the slowest response times measured during the crawling process. The average response time
for this site was 462,64 ms. These files could be targeted in denial of service attacks.
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: qtrans_cookie_test=qTranslate+Cookie+Test
Host: dreamhack.es
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
List of files with inputs
These files have at least one input (GET or POST).
- / - 1 inputs
Acunetix Website Audit 2
Alerts summary
Severity Medium
Type Configuration
Reported by module Scripting (Version_Check.script)
Description
A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache
HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild, and active use of this tool has been observed. The attack can be performed remotely, and
a modest number of requests can cause very significant memory and CPU usage on the server.
This alert was generated using only banner information. It may be a false positive.
Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).
Impact
Remote Denial of Service
Recommendation
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project
Web site.
References
CVE-2011-3192
Apache httpd Remote Denial of Service (memory exhaustion)
Apache HTTP Server 2.2.20 Released
Apache HTTPD Security ADVISORY
CVE-2011-3192
Affected items
Web Server
Details
Current version is: 2.2.15
Severity Medium
Type Configuration
Reported by module Scripting (Version_Check.script)
Description
This alert was generated using only banner information. It may be a false positive.
Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17
Impact
Denial of service attack
Recommendation
Upgrade PHP to the latest version.
References
CVE-2010-4645
PHP Homepage
PHP Hangs On Numeric Value 2.2250738585072011e-308
Affected items
Web Server
Details
Current version is: PHP/5.3.3
Severity Medium
Type Configuration
Reported by module Slow_HTTP_DOS
Description
Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be
completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is
very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources
busy, this creates a denial of service.
Impact
A single machine can take down another machine's web server with minimal bandwidth and side effects on unrelated
services and ports.
Recommendation
Consult Web references for information about protecting your web server against this type of attack.
References
Protect Apache Against Slowloris Attack
Slowloris DOS Mitigation Guide
Slowloris HTTP DoS
Affected items
Web Server
Details
Time difference between connections: 10000 ms
Severity Low
Type Informational
Reported by module Crawler
Description
This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection
for session cookies.
Impact
None
Recommendation
If possible, you should set the HTTPOnly flag for this cookie.
Affected items
/
Details
Cookie name: "qtrans_cookie_test"
Cookie domain: "dreamhack.es"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: qtrans_cookie_test=qTranslate+Cookie+Test
Host: dreamhack.es
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Severity Low
Type Informational
Reported by module Crawler
Description
This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the
cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies.
Impact
None
Recommendation
If possible, you should set the Secure flag for this cookie.
Affected items
/
Details
Cookie name: "qtrans_cookie_test"
Cookie domain: "dreamhack.es"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: qtrans_cookie_test=qTranslate+Cookie+Test
Host: dreamhack.es
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Severity Low
Type Validation
Reported by module Scripting (Track_Trace_Server_Methods.script)
Description
HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web
browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.
Impact
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and
authentication data.
Recommendation
Disable TRACE Method on the web server.
References
Cross-site tracing (XST)
US-CERT VU#867593
W3C - RFC 2616
Affected items
Web Server
Details
No details are available.
Request headers
TRACE /gBWMukdfI3 HTTP/1.1
Cookie: qtrans_cookie_test=qTranslate+Cookie+Test
Host: dreamhack.es
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Input scheme 1
Input name Input type
Host HTTP Header