Vulnerability Scan Result
| Title: | 403 Forbidden |
| Description: | No description found |
22/tcp | ssh | OpenSSH 8.2p1 |
80/tcp | http | nginx |
443/tcp | https | nginx |
6000/tcp | http | nginx |
6001/tcp | http | nginx |
| Software / Version | Category |
|---|---|
| Alpine.js 3.12.0 | JavaScript frameworks |
| Bunny | CDN |
| Axios | JavaScript libraries |
| core-js 3.27.1 | JavaScript libraries |
| Livewire | Web frameworks, Miscellaneous |
| Laravel | Web frameworks |
| Matomo Analytics | Analytics |
| Open Graph | Miscellaneous |
| PHP 8.1.29 | Programming languages |
| SweetAlert2 11 | JavaScript libraries |
| PWA | Miscellaneous |
| Webpack | Miscellaneous |
| jsDelivr | CDN |
| Lodash 4.17.21 | JavaScript libraries |
| HSTS | Security |
| RSS | Miscellaneous |
Web Application Vulnerabilities
Evidence
| Risk Level | CVSS | CVE | Summary | Affected software |
|---|---|---|---|---|
| 9.8 | CVE-2024-11236 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | php 8.1.29 | |
| 4.8 | CVE-2024-11234 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. | php 8.1.29 | |
| 4.8 | CVE-2024-11233 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas. | php 8.1.29 |
Vulnerability description
We noticed known vulnerabilities in the target application based on the server responses. They are usually related to outdated systems and expose the affected applications to the risk of unauthorized access to confidential data and possibly denial of service attacks. Depending on the system distribution the affected software can be patched but displays the same version, requiring manual checking.
Recommendation
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest version.
Classification
| CWE | CWE-1026 |
| OWASP Top 10 - 2017 | A9 - Using Components with Known Vulnerabilities |
| OWASP Top 10 - 2021 | A6 - Vulnerable and Outdated Components |
Evidence
| URL | Cookie Name | Evidence |
|---|---|---|
| https://designer-bag-boutique.instantstores.cloud/livewire | freshstore_session | Set-Cookie: freshstore_session=eyJpdiI6IlQrMGJ6aXFVVDlEWi9iNUdvTjd3V3c9PSIsInZhbHVlIjoieU9KQW0vUk03QWhrVnMwYlZndzh0OTFpdStHclZ5TU1UaDIrSmNscDFBVDNhSkg0a1pqOE1hSVJFZ3JFSjJYTllRQXA2TW5WU3N1SVB2cG1iUW1oeWVqZy8zajhDS2JZZWpKMDdYTlJtb2J0b2tmRkFnSVJPcmUyUlZZNE9ja00iLCJtYWMiOiJiMTE1NTBkMDNkYWY0ZTVjY2UyMzEzOTNlYWM2NzlhNTI2YjViMTM0YWQ3MTIyODY5NmU3MTVjODcxMTUyNjNiIiwidGFnIjoiIn0%3D |
Vulnerability description
We found that a cookie has been set without the <code>Secure</code> flag, which means the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. The root cause for this usually revolves around misconfigurations in the code or server settings.
Recommendation
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
Classification
| CWE | CWE-614 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://designer-bag-boutique.instantstores.cloud/ | Response does not include the HTTP Content-Security-Policy security header or meta tag |
Vulnerability description
We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.
Recommendation
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Software / Version | Category |
|---|---|
| Alpine.js 3.12.0 | JavaScript frameworks |
| Bunny | CDN |
| Axios | JavaScript libraries |
| core-js 3.27.1 | JavaScript libraries |
| Livewire | Web frameworks, Miscellaneous |
| Laravel | Web frameworks |
| Matomo Analytics | Analytics |
| Open Graph | Miscellaneous |
| PHP 8.1.29 | Programming languages |
| SweetAlert2 11 | JavaScript libraries |
| PWA | Miscellaneous |
| Webpack | Miscellaneous |
| jsDelivr | CDN |
| Lodash 4.17.21 | JavaScript libraries |
| HSTS | Security |
| RSS | Miscellaneous |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
We found the robots.txt on the target server. This file instructs web crawlers what URLs and endpoints of the web application they can visit and crawl. Website administrators often misuse this file while attempting to hide some web pages from the users.
Recommendation
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
Website is accessible.
Vulnerability description
We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.
Recommendation
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Infrastructure Vulnerabilities
Evidence
| Risk level | CVSS | CVE | Summary | Exploit |
|---|---|---|---|---|
| 9.8 | CVE-2024-11236 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | N/A | |
| 4.8 | CVE-2024-11234 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. | N/A | |
| 4.8 | CVE-2024-11233 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas. | N/A |
Vulnerability description
Vulnerabilities found for PHP 8.1.29
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
Starting Nmap ( https://nmap.org ) at 2025-01-13 13:41 EET
Nmap scan report for designer-bag-boutique.instantstores.cloud (79.127.237.132)
Host is up (0.0017s latency).
rDNS record for 79.127.237.132: 79-127-237-132.bunnyinfra.net
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 (protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
Vulnerability description
We found that the SSH service with username/password authentication is publicly accessible. Network administrators often use remote administration protocols to control devices like switches, routers, and other essential systems. However, allowing these services to be accessible via the Internet can increase security risks, creating potential opportunities for attacks on the organization.
Recommendation
We recommend turning off SSH with username/password authentication access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the SSH service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, it is advisable to utilize SSH Public Key Authentication since it employs a key pair to verify the identity of a user or process.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| designer-bag-boutique.instantstores.cloud | A | IPv4 address | 143.244.38.136 |
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.
Vulnerability description
OS detection couldn't determine the operating system.
Evidence
| Software / Version | Category |
|---|---|
| PHP 8.1.29 | Programming languages |
| CFML | Programming languages |
| Laravel | Web frameworks |
| Adobe ColdFusion | Web frameworks |
| Alpine.js | JavaScript frameworks |
| SweetAlert2 11 | JavaScript libraries |
| jsDelivr | CDN |
| HSTS | Security |
| Bunny | CDN |
| Livewire | Web frameworks, Miscellaneous |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Evidence
| Software / Version | Category |
|---|---|
| Nginx | Web servers, Reverse proxies |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.