Nessus Scan Report - Columbia University

More documents

Recommendations

Info

Synopsis:The remote FTP server has a cross-site request forgery vulnerability.Description:The version of FTP running on the remote host has a cross-site requestforgery vulnerability. Long file names are not processed properly,resulting in the execution of arbitrary commands. If a user is logged intothe FTP server via web browser, a remote attacker could exploit this bytricking them into requesting a maliciously crafted web page, resulting inthe execution of arbitrary FTP commands.Risk factor:MediumCVSS Base Score:4.3CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:NSee also:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0283.htmlSee also:http://securityreason.com/achievement_securityalert/84Solution:There is no known solution at this time.Plugin ID:47040BID:40320Other references:OSVDB:64869, Secunia:39856Anonymous FTP EnabledSynopsis:Anonymous logins are allowed on the remote FTP server.Description:This FTP service allows anonymous logins. Any remote user may connectand authenticate without providing a password or unique credentials.This allows a user to access any files made available on the FTP server.Risk factor:MediumCVSS Base Score:5.0CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:NSolution:Disable anonymous FTP if it is not required. Routinely check the FTP
server to ensure sensitive content is not available.Plugin output:The contents of the remote FTP root are : total 80 lrwxrwxrwx 1 0 1 7Dec 31 2009 bin -> usr/bin drwxr-xr-x 2 0 1 512 Jul 13 2004 dev drwxrxr-x2 0 1 512 Jul 13 2004 etc dr-xr-xr-x 21 anonymou 1 512 Jul 122004 pub drwxr-xr-x 5 0 1 512 Jul 12 2004 usrPlugin ID:10079CVE:CVE-1999-0497Other references:OSVDB:69Service DetectionAn FTP server is running on this port.Plugin ID:22964FTP Supports Clear Text AuthenticationSynopsis:Authentication credentials might be intercepted.Description:The remote FTP server allows the user's name and password to betransmitted in clear text, which may be intercepted by a network sniffer,or a man-in-the-middle attack.Risk factor:LowCVSS Base Score:2.6CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:NSolution:Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). Inthe latter case, configure the server such that control connections areencrypted.Plugin output:This FTP server does not support 'AUTH TLS'.Plugin ID:34324Other references:CWE:522, CWE:523FTP Server Detection
Page 1 and 2: List of hosts156.111.5.207156.111.5
Page 3 and 4: Synopsis:An ONC RPC service is runn
Page 5 and 6: Address: reidar@columbia.edu Issuer
Page 7 and 8: SNMP Request Network Interfaces Enu
Page 9 and 10: SUNWvldu SUNWaclg SUNWvolr SUNWgnom
Page 11 and 12: SUNWefcu SUNWerid SUNWcpdas SUNWeuo
Page 13 and 14: devel SUNWjws2 SUNWgnome-config-dev
Page 15 and 16: SUNWkbreg SUNWsbreg SUNWcupdatemgru
Page 17 and 18: Plugin output:Nessus has negotiated
Page 19: Synopsis:An ONC RPC service is runn
Page 23 and 24: Synopsis:A Telnet server is listeni
Page 25 and 26: Plugin output:Here is the banner fr
Page 27 and 28: Risk factor:NoneSolution:n/aPlugin
Page 29 and 30: NoneSolution:n/aPlugin output:The f
Page 31 and 32: NoneSolution:n/aPlugin output:The f
Page 33 and 34: Synopsis:An SMB server is running o
Page 35 and 36: The remote service is an X Window F
Page 37 and 38: Service DetectionA finger daemon is
Page 39: it is set up with stunnel to encryp

Nessus Scan Report - Columbia University

Create successful ePaper yourself

Delete template?

Save as template?