Tuesday, February 23, 2016

Local File Inclusion

Description:
During our testing, we noted that local files on the web server could be accessed through a Local File Inclusion (LFI) vulnerability.

Risk Level:
High

Implication:
A potential perpetrator could exploit the weakness in the web function in order to:
(a) View local files containing sensitive information such as passwords or database connection strings;
(b) View the source code of the web application; and
(c) Retrieve the local file structure.

Recommendation:
(a) Validate whether the value supplied as a query parameter matches the expected business logic, e.g. the parameter should accept only a filename containing no special characters; and
(b) Restrict access to local files and paths to a specific user.
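Recommendation (a) in code, as an added example that is not part of the original post: the "page" parameter is accepted only when it matches a strict filename allowlist, and the resolved path is then checked to stay inside the page directory as a second layer. The directory, the helper names and the sample inputs are assumptions.

```python
"""Hardened handling of a user-supplied "page" parameter (added example)."""
import os
import re
import tempfile
from typing import Optional

# Allowlist: a bare filename of letters, digits, '-' or '_' plus one of the
# expected extensions. '/', '\\', '..', '%' and NUL bytes never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(html|txt)$")


def resolve_page(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request is rejected.

    The vulnerable pattern this replaces is open(os.path.join(base_dir, requested))
    with no validation, which lets a value like '../../etc/passwd' leave base_dir.
    """
    if not SAFE_NAME.fullmatch(requested):
        return None
    base = os.path.realpath(base_dir)
    # Defence in depth: even an allowlisted name must resolve inside base_dir
    # (covers symlinks under the page directory that point elsewhere).
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Run constructed inputs against a temporary page directory (assumed layout)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "about.html"), "w") as f:
        f.write("<h1>about</h1>")
    inputs = ["about.html", "../../../../etc/passwd", "about.html%00.png",
              "/etc/passwd", "about.php", "config.html"]
    # True means the request would be served, False means it was rejected.
    return {i: resolve_page(tmp, i) is not None for i in inputs}
```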

Manual Verification:
During the verification we used Fimap, which you can find in Kali Linux. Let's talk a little about Fimap. Fimap is a Python tool that can be used to verify local and remote file inclusion (LFI and RFI) bugs in web applications.

Fimap can be found under Web Applications | Web Vulnerability Scanners | Fimap.

When you open Fimap, a terminal window opens displaying the home screen. Fimap has a few plugin options, which you can download using the following command:
fimap --install-plugins

To use Fimap, you need to know your target to scan. For example, we will target www.lifeofpentest.com.

To scan the www.lifeofpentest.com website, type the following command:
fimap -u 'http://www.lifeofpentest.com'

Fimap will attempt to identify any file inclusion vulnerabilities.

Wednesday, September 30, 2015

Vulnerability in HTTP.sys

https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

Hardening your HTTP response headers

https://scotthelme.co.uk/hardening-your-http-response-headers/

MS SQL - Revoke Stored Procedures

http://myitforum.com/myitforumwp/2011/11/02/sql-2005-security-revoke-execute-rights-for-public-on-potentially-unsafe-extended-stored-procedures/

Thursday, September 10, 2015

[Fix] X-Frame, Information Leakage

Click the link below.

https://scotthelme.co.uk/hardening-your-http-response-headers/

Wednesday, September 9, 2015

SSH Weak MAC Algorithms Supported

Description:
The affected host supports the use of MD5 or 96-bit MAC algorithms, both of which are considered weak and are associated with cryptographic flaws.

Risk Level:
Low

Implication:
An attacker could leverage this issue to decipher the encrypted data to obtain sensitive information.

Recommendation:
The affected host should be configured to disable the MD5 and 96-bit MAC algorithms.

Manual Verification:
ssh -m hmac-md5 ipaddr

SSH Server CBC Mode Ciphers Supported

Description:
The affected host supports the use of Cipher Block Chaining (CBC) mode ciphers, which are associated with cryptographic flaws.

Risk Level:
Low

Implication:
An attacker could leverage this issue to decipher the encrypted data to obtain sensitive information.

Recommendation:
The affected host should be configured to disable CBC mode ciphers and enable CTR or GCM mode ciphers instead.

Manual Verification:
nmap --script ssh2-enum-algos -p port ipaddr => lists the algorithms the server offers (key exchange, encryption, MAC, compression, etc.) together with the count of each