ScanAlert - Report - Thane

Security Report - By Device
Fitness Quest, Inc.
30-MAR-2007 05:44
Confidential Information
The following report contains confidential information. Do not distribute, email, fax or transfer via any electric mechanism unless it has been approved
by your organization's security policy. All copies and backups of this document should be maintained on protected storage at all times. Do not share
any of the information contained within this report with anyone unless you confirm they are authorized to view the information.
Disclaimer
This, or any other, vulnerability audit cannot and does not guarantee security. ScanAlert makes no warranty or claim of any kind, whatsoever, about
the accuracy or usefulness of any information provided herein. By using this information you agree that ScanAlert shall be held harmless in any
event. ScanAlert makes this information available solely under its Terms of Service Agreement published at www.scanalert.com.

Executive Summary
This report was generated by the SDP compliant scanning vendor ScanAlert, under certificate number 3709-01-01 in the framework of the PCI
data security initiative and took into consideration security requirements as expressed in the MasterCard SDP Security Standard.
As a "Qualified Independent Scan Vendor" ScanAlert is accredited by Visa, MasterCard, American Express, Discover Card and JCB to perform
network security audits conforming to the Payment Card Industry (PCI) Data Security Standards.
To earn validation of PCI compliance, network devices being audited must pass tests that probe all of the known methods hackers use to access
private information, in addition to vulnerabilities that would allow malicious software (i.e. viruses and worms) to gain access to or disrupt the
network devices being tested.
NOTE: In order to demonstrate compliance with the PCI Data Security Standard a vulnerability scan must have been completed within the past
90 days with no vulnerabilities listed as URGENT, CRITICAL or HIGH (numerical severity ranking of 3 or higher) present on any device within
this report. Additionally, Visa and MasterCard regulations require that you configure your scanning to include all IP addresses, domain names,
DNS servers, load balancers, firewalls or external routers used by, or assigned to, your company, and that you configure any IDS/IPS to not
block access from the originating IP addresses of our scan servers.
ScanAlert's Certification of Regulatory Compliance
HACKER SAFE sites are tested and certified daily by ScanAlert to meet all U.S. Government requirements for remote vulnerability testing as set
forth by the National Infrastructure Protection Center (NIPC) and are accredited by the SANS Institute to meet the requirements of the SANS/FBI
"Top Twenty Internet Securities Vulnerabilities" test. They are also certified to meet the security scanning requirements of Visa USA's Cardholder
Information Security Program (CISP), Visa International's Account Information Security (AIS) program, MasterCard Internationals's Site Data
Protection (SDP) program, American Express' CID security program, the Discover Card Information Security and Compliance (DISC) program
within the framework of the Payment Card Industry (PCI) Data Security Standard.
Confidential - ScanAlert Security Audit Report
Page 2

Report Overview
Customer Name
Fitness Quest, Inc.
Date Generated 30-MAR-2007 05:44
Report Type
Security - By Device
Devices 5
Report Contents
Vulnerabilities By Severity
Vulnerabilities By Category
Device Overview
Services Detected
All Vulnerabilities Found
Device Detail
Appendix
Device Groups 0
Vulnerabilities 4
Vulnerabilities By Severity - All 5 Devices
Severity
0 Urgent
0 Critical
0 High
2 Medium
7 Low
Vulnerabilities By Category (Top 5) - All 5 Devices
Category
5 Other
4 Web Application
Services Detected - All 5 Devices
Port Protocol Service Devices
25 tcp smtp 1
443 tcp https 1
80 tcp http 1
Confidential - ScanAlert Security Audit Report
Page 3

All Vulnerabilities Found
Name Category Devices
WebApp Cross Site Scripting Web Application 1
Directory Scanner Web Application 1
ICMP TimeStamp Request Other 1
Inconclusive Network Scan Other 1
Confidential - ScanAlert Security Audit Report
Page 4

Device Overview
Name
Urgent Critical High Medium Low
Open Ports
63.109.13.1 0 0 0 0 1 0
63.109.13.3 0 0 0 0 0 0
63.109.13.5 0 0 0 0 1 0
ashe.fitnessquest.com 0 0 0 0 2 1
www.fitnessquest.com 0 0 0 2 3 2
Confidential - ScanAlert Security Audit Report
Page 5

Overview - 63.109.13.1
Last Audit Date
Urgent Critical High Medium Low
Total
29-MAR-2007 08:34 0 0 0 0 1 1
Open Ports - 63.109.13.1
Port Protocol Service Banner
None
Vulnerabilities - 63.109.13.1
None
Information Disclosures - 63.109.13.1
ICMP TimeStamp Request
Port First Detected Category
0 05-OCT-2006 14:34 Other
Protocol Fix Difficulty Impact
ICMP Medium Information Disclosure
Description
The remote host appears to answer to an ICMP timestamp request.
This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.
Solution
Filter out the ICMP timestamp requests (ICMP type 13), and the outgoing ICMP timestamp replies (ICMP type 14).
BlackICE firewall: This option is not available in all versions; see Links for details. The following lines can be added to the firewall.ini file
under the [MANUAL ICMP...] section:
REJECT, 13:0, ICMP TIMESTAMP, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
REJECT, 17:0, ICMP MASKREQ, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
Result
None
Links
BlackIce Admin Guide
BlackIce Block ICMP
Related
CVE CVE-1999-0524
Resolved Items - 63.109.13.1
Date 22-MAR-2007 12:43
Vulnerability
Resolved By
Incomplete Port Scan
John Pittinger
Port 0
Reason
The 63.109.13.1 is a router and will not be allowing port scans to be allowed. other than my DMZ port -80 443- 63.109.13.3 is
my PIX Device responsible for NAT xlation of my intranet devices. Neither device is a Web server. Thanks
Confidential - ScanAlert Security Audit Report
Page 6

Overview - 63.109.13.3
Last Audit Date
Urgent Critical High Medium Low
Total
29-MAR-2007 07:43 0 0 0 0 0 0
Open Ports - 63.109.13.3
Port Protocol Service Banner
None
Vulnerabilities - 63.109.13.3
None
Information Disclosures - 63.109.13.3
None
Resolved Items - 63.109.13.3
Date 22-MAR-2007 12:43
Vulnerability
Resolved By
Incomplete Port Scan
John Pittinger
Port 0
Reason
The 63.109.13.1 is a router and will not be allowing port scans to be allowed. other than my DMZ port -80 443- 63.109.13.3 is
my PIX Device responsible for NAT xlation of my intranet devices. Neither device is a Web server. Thanks
Confidential - ScanAlert Security Audit Report
Page 7

Overview - 63.109.13.5
Last Audit Date
Urgent Critical High Medium Low
Total
29-MAR-2007 15:42 0 0 0 0 1 1
Open Ports - 63.109.13.5
Port Protocol Service Banner
None
Vulnerabilities - 63.109.13.5
None
Information Disclosures - 63.109.13.5
ICMP TimeStamp Request
Port First Detected Category
0 26-JAN-2006 11:12 Other
Protocol Fix Difficulty Impact
ICMP Medium Information Disclosure
Description
The remote host appears to answer to an ICMP timestamp request.
This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.
Solution
Filter out the ICMP timestamp requests (ICMP type 13), and the outgoing ICMP timestamp replies (ICMP type 14).
BlackICE firewall: This option is not available in all versions; see Links for details. The following lines can be added to the firewall.ini file
under the [MANUAL ICMP...] section:
REJECT, 13:0, ICMP TIMESTAMP, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
REJECT, 17:0, ICMP MASKREQ, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
Result
None
Links
BlackIce Admin Guide
BlackIce Block ICMP
Related
CVE CVE-1999-0524
Resolved Items - 63.109.13.5
Date 05-OCT-2006 12:48
Vulnerability
Resolved By
Incomplete Port Scan
John Pittinger
Port 0
Reason
this is a router not allowing ports to be scanned.
Confidential - ScanAlert Security Audit Report
Page 8

Overview - ashe.fitnessquest.com
Last Audit Date
Urgent Critical High Medium Low
Total
29-MAR-2007 03:24 0 0 0 0 2 2
Open Ports - ashe.fitnessquest.com
Port Protocol Service Banner
25 tcp smtp
Vulnerabilities - ashe.fitnessquest.com
Information Disclosures - ashe.fitnessquest.com
Inconclusive Network Scan
Port First Detected Category
0 23-MAR-2007 18:29 Other
Protocol Fix Difficulty Impact
Other Medium Other
Description
This vulnerability is triggered when: The target has open ports > 0 and all ports have a null banner.
In practice, this will occur when the target is offline, there is a problem with network, or the scan engine has an internal problem.
Solution
If this device has no publicly available services or is IP restricted, this vulnerability can be manually resolved.
Otherwise, begin by rescanning the device. The issue may have been a temporary connectivity or communication error. If subsequent
scans are still inconclusive, ensure that all IDS/IPS devices are configured to accept scans from ScanAlert.
The list of ScanAlert's source IP address can be found here: http://www.scanalert.com/help/ScanIps.sa
If scans continue to be inconclusive, please contact customer support for additional help in troubleshooting.
Result
None
Links
None
Related
None
ICMP TimeStamp Request
Port First Detected Category
0 05-OCT-2006 14:25 Other
Protocol Fix Difficulty Impact
ICMP Medium Information Disclosure
Description
The remote host appears to answer to an ICMP timestamp request.
This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.
Solution
Filter out the ICMP timestamp requests (ICMP type 13), and the outgoing ICMP timestamp replies (ICMP type 14).
BlackICE firewall: This option is not available in all versions; see Links for details. The following lines can be added to the firewall.ini file
under the [MANUAL ICMP...] section:
REJECT, 13:0, ICMP TIMESTAMP, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
REJECT, 17:0, ICMP MASKREQ, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
Confidential - ScanAlert Security Audit Report
Page 9

Result
None
Links
BlackIce Admin Guide
BlackIce Block ICMP
Related
CVE CVE-1999-0524
Resolved Items - ashe.fitnessquest.com
None
Confidential - ScanAlert Security Audit Report
Page 10

Overview - www.fitnessquest.com
Last Audit Date
Urgent Critical High Medium Low
Total
29-MAR-2007 15:19 0 0 0 2 3 5
Open Ports - www.fitnessquest.com
Port Protocol Service Banner
80 tcp http http
443 tcp https https
Vulnerabilities - www.fitnessquest.com
Information Disclosures - www.fitnessquest.com
WebApp Cross Site Scripting
Port First Detected Category
443 27-MAR-2007 11:34 Web Application
Protocol Fix Difficulty Impact
HTTP Medium Cross Site Scripting (XSS)
Description
The remote web application appears to be vulnerable to cross site scripting (XSS).
The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is
vulnerable if it displays user-submitted content without checking for malicious script tags.
The target of cross-site scripting attacks is not the server itself, but the user files on the server, such as forms and other dynamic content. All
a malicious attacker needs to do is find a page that does not properly sanitize user input, but returns the scripting code verbatim to the
browser of a visitor to that website. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt
browser sessions.
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload
onto their computer via browser.
The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.
Solution
Ensure you turn the > and < into their HTML equivalents before sending it back to the browser.
Ensure that parameters and user input are stripped of HTML tags before using.
Remove : input = replace( input, ">", "" ) Remove ' : input = replace( input, "'", "" )
Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating
them to their encoded equivalents.
Result
Method POST Protocol https Port 443 Demo
Path /scripts/cgiip.exe/WService=fq/warranty.html
product=4319f684-0c89-4edc-9d8a-c56752eb905f
serial=
packageid=4319f684-0c89-4edc-9d8a-c56752eb905f
amonth=4319f684-0c89-4edc-9d8a-c56752eb905f
aday=4319f684-0c89-4edc-9d8a-c56752eb905f
ayear=4319f684-0c89-4edc-9d8a-c56752eb905f
firstname=4319f684-0c89-4edc-9d8a-c56752eb905f
lastname=4319f684-0c89-4edc-9d8a-c56752eb905f
address=4319f684-0c89-4edc-9d8a-c56752eb905f
city=4319f684-0c89-4edc-9d8a-c56752eb905f
state=4319f684-0c89-4edc-9d8a-c56752eb905f
zip=4319f684-0c89-4edc-9d8a-c56752eb905f
areacode=4319f684-0c89-4edc-9d8a-c56752eb905f
prefix=4319f684-0c89-4edc-9d8a-c56752eb905f
last4=4319f684-0c89-4edc-9d8a-c56752eb905f
email=4319f684-0c89-4edc-9d8a-c56752eb905f
sex=A
sex=B
married=A
married=B
Post
purchased=A
Confidential - ScanAlert Security Audit Report
Page 11

purchased=B
purchased=C
purchased=D
purchased=E
dobmonth=0
dobday=0
dobyear=0
education=4319f684-0c89-4edc-9d8a-c56752eb905f
goal=4319f684-0c89-4edc-9d8a-c56752eb905f
equip1=A
equip2=A
equip3=A
equip4=A
equip5=A
equip6=A
people=4319f684-0c89-4edc-9d8a-c56752eb905f
room=4319f684-0c89-4edc-9d8a-c56752eb905f
enter=SUBMIT
reset=CLEAR
Headers Content-Type=application%2Fx-www-form-urlencoded
Links
Top sites vulnerable to hackers
The Cross Site Scripting FAQ
An Oldie but Goodie: The Cross-Site Scripting Vulnerability
www.cgisecurity.com/articles/xss-faq.shtml
www.developer.com/lang/article.php/947041
www.vnunet.com/vnunet/news/2116667/top-sites-vulnerable-hackers
Apache: Cross Site Scripting Info
Apache: ???
The Cross-Site Scripting Vulnerability
Top sites vulnerable to hackers
Related
CERT CA-2000-02
WebApp Cross Site Scripting
Port First Detected Category
80 27-FEB-2007 09:33 Web Application
Protocol Fix Difficulty Impact
HTTP Medium Cross Site Scripting (XSS)
Description
The remote web application appears to be vulnerable to cross site scripting (XSS).
The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is
vulnerable if it displays user-submitted content without checking for malicious script tags.
The target of cross-site scripting attacks is not the server itself, but the user files on the server, such as forms and other dynamic content. All
a malicious attacker needs to do is find a page that does not properly sanitize user input, but returns the scripting code verbatim to the
browser of a visitor to that website. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt
browser sessions.
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload
onto their computer via browser.
The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.
Solution
Ensure you turn the > and < into their HTML equivalents before sending it back to the browser.
Ensure that parameters and user input are stripped of HTML tags before using.
Remove : input = replace( input, ">", "" ) Remove ' : input = replace( input, "'", "" )
Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating
them to their encoded equivalents.
Result
Method POST Protocol http Port 80 Demo
Path /scripts/cgiip.exe/WService=fq/warranty.html
product=4319f684-0c89-4edc-9d8a-c56752eb905f
serial=
packageid=80000002
amonth=x';
aday=x';
ayear=80000002
firstname=x';
lastname=x';
address=80000002
Confidential - ScanAlert Security Audit Report
Page 12

city=80000002
state=80000002
zip=80000002
areacode=x';
prefix=`80
last4=0
email=80000002
sex=A
sex=B
married=A
married=B
Post
purchased=A
purchased=B
purchased=C
purchased=D
purchased=E
dobmonth=0
dobday=0
dobyear=0
education=4319f684-0c89-4edc-9d8a-c56752eb905f
goal=4319f684-0c89-4edc-9d8a-c56752eb905f
equip1=A
equip2=A
equip3=A
equip4=A
equip5=A
equip6=A
people=4319f684-0c89-4edc-9d8a-c56752eb905f
room=4319f684-0c89-4edc-9d8a-c56752eb905f
enter=SUBMIT
reset=CLEAR
Headers Content-Type=application%2Fx-www-form-urlencoded
Links
Top sites vulnerable to hackers
The Cross Site Scripting FAQ
An Oldie but Goodie: The Cross-Site Scripting Vulnerability
www.cgisecurity.com/articles/xss-faq.shtml
www.developer.com/lang/article.php/947041
www.vnunet.com/vnunet/news/2116667/top-sites-vulnerable-hackers
Apache: Cross Site Scripting Info
Apache: ???
The Cross-Site Scripting Vulnerability
Top sites vulnerable to hackers
Related
CERT CA-2000-02
Directory Scanner
Port First Detected Category
80 22-OCT-2006 00:29 Web Application
Protocol Fix Difficulty Impact
HTTP Medium Information Disclosure
Description
During an audit common directories are looked for. This may result in non public Web pages being found.
Solution
Make sure that these directories are intented for the public.
Result
Method GET Protocol http Port 80 Demo
Path /images/
Links
None
Related
None
Directory Scanner
Port First Detected Category
443 22-OCT-2006 00:29 Web Application
Confidential - ScanAlert Security Audit Report
Page 13

Protocol Fix Difficulty Impact
HTTP Medium Information Disclosure
Description
During an audit common directories are looked for. This may result in non public Web pages being found.
Solution
Make sure that these directories are intented for the public.
Result
Method GET Protocol https Port 443 Demo
Path /images/
Links
None
Related
None
ICMP TimeStamp Request
Port First Detected Category
0 26-JAN-2006 20:11 Other
Protocol Fix Difficulty Impact
ICMP Medium Information Disclosure
Description
The remote host appears to answer to an ICMP timestamp request.
This allows an attacker to obtain date and local time information set on your machine. This information could be useful in finding a way to
circumvent your time based authentication protocols.
Solution
Filter out the ICMP timestamp requests (ICMP type 13), and the outgoing ICMP timestamp replies (ICMP type 14).
BlackICE firewall: This option is not available in all versions; see Links for details. The following lines can be added to the firewall.ini file
under the [MANUAL ICMP...] section:
REJECT, 13:0, ICMP TIMESTAMP, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
REJECT, 17:0, ICMP MASKREQ, 2001-10-15 00:01:00, PERPETUAL, 1000, MANUAL
Result
None
Links
BlackIce Admin Guide
BlackIce Block ICMP
Related
CVE CVE-1999-0524
Resolved Items - www.fitnessquest.com
None
Confidential - ScanAlert Security Audit Report
Page 14

Vulnerability Levels
Severity Level Description
Urgent
Critical
High
Medium
Low
Intruders can easily gain control of the device being tested, which can lead to the compromise of your entire network
security. Or hackers can use this device to access sensitive information from other devices in your network. Hackers
are often actively scanning for this type of vulnerability.
For example, vulnerabilities at this level may include full read and write access to files or databases, remote
execution of commands, gaining Administrator or Root level access, and the presence of Trojans or backdoors.
Intruders can possibly gain direct control of the device being tested, or there may be potential leakage of highly
sensitive information.
For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the
users hosted on the device.
Intruders may be able to gain access to specific information stored on the device being tested, including security
settings. This could result in potential misuse of, or unauthorized access to the device or information stored on it.
For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the
host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and
unauthorized use of services such as mail-relaying.
Intruders may be able to collect sensitive information from the host, such as the precise version of OS or software
installed or directory structure. While this level of vulnerability is not directly exploitable itself, with this information
intruders can more easily exploit possible vulnerabilities specific to software versions in use.
Intruders can collect general information about the device being tested (open ports, OS or software type, etc.).
Hackers may be able to use this information to find exploitable vulnerabilities.
Confidential - ScanAlert Security Audit Report
Page 15