Vulnerability Scan Result

Target:

https://www.mylittlebloom.com/

Scanned target: https://www.mylittlebloom.com/

Submitted: January 13, 2025 from ST

Public scan

Scan mode: Passive (non-intrusive)

finished

Summary

high

Info

Low

Medium

High

Critical

Screenshot

Title:	OLXTOTO \| Toto Macau 4D Dan Bandar Toto Macau Bet 100 Perak
Description:	OLXTOTO adalah platform permainan yang menawarkan pengalaman menarik dengan Toto Macau 4D. Dengan taruhan minimal hanya 100 perak, pemain dapat menikmati berbagai pilihan taruhan yang menguntungkan. Keamanan dan kenyamanan transaksi menjadi prioritas utama, memastikan setiap pemain dapat bermain dengan tenang. Bergabunglah sekarang dan rasakan sensasi permainan Toto Macau yang mendebarkan.

IP Information

Open Ports

7/tcp	tcpwrapped
9/tcp	tcpwrapped
13/tcp	tcpwrapped
21/tcp	tcpwrapped
22/tcp	ssh	OpenSSH 7.4
23/tcp	tcpwrapped
25/tcp	tcpwrapped
26/tcp	tcpwrapped
37/tcp	tcpwrapped
53/tcp	tcpwrapped
79/tcp	tcpwrapped
80/tcp	http	CDN
81/tcp	tcpwrapped
88/tcp	tcpwrapped
106/tcp	tcpwrapped
110/tcp	tcpwrapped
111/tcp	tcpwrapped
113/tcp	tcpwrapped
119/tcp	tcpwrapped
135/tcp	tcpwrapped
139/tcp	tcpwrapped
143/tcp	tcpwrapped
144/tcp	tcpwrapped
179/tcp	tcpwrapped
199/tcp	tcpwrapped
389/tcp	tcpwrapped
427/tcp	tcpwrapped
443/tcp	https	CDN
444/tcp	tcpwrapped
445/tcp	tcpwrapped
465/tcp	tcpwrapped
513/tcp	tcpwrapped
514/tcp	tcpwrapped
515/tcp	tcpwrapped
543/tcp	tcpwrapped
544/tcp	tcpwrapped
548/tcp	tcpwrapped
554/tcp	tcpwrapped
587/tcp	tcpwrapped
631/tcp	tcpwrapped
646/tcp	tcpwrapped
873/tcp	tcpwrapped
990/tcp	tcpwrapped
993/tcp	tcpwrapped
995/tcp	tcpwrapped
1025/tcp	tcpwrapped
1026/tcp	tcpwrapped
1027/tcp	tcpwrapped
1028/tcp	tcpwrapped
1029/tcp	tcpwrapped
1110/tcp	tcpwrapped
1433/tcp	tcpwrapped
1720/tcp	tcpwrapped
1723/tcp	tcpwrapped
1755/tcp	tcpwrapped
1900/tcp	tcpwrapped
2000/tcp	tcpwrapped
2001/tcp	tcpwrapped
2049/tcp	tcpwrapped
2121/tcp	tcpwrapped
2717/tcp	tcpwrapped
3000/tcp	tcpwrapped
3128/tcp	tcpwrapped
3306/tcp	tcpwrapped
3389/tcp	tcpwrapped
3986/tcp	tcpwrapped
4444/tcp	tcpwrapped
4899/tcp	tcpwrapped
5000/tcp	tcpwrapped
5009/tcp	tcpwrapped
5051/tcp	tcpwrapped
5060/tcp	tcpwrapped
5101/tcp	tcpwrapped
5190/tcp	tcpwrapped
5357/tcp	tcpwrapped
5432/tcp	tcpwrapped
5631/tcp	tcpwrapped
5666/tcp	tcpwrapped
5800/tcp	tcpwrapped
5900/tcp	tcpwrapped
5985/tcp	tcpwrapped
5986/tcp	tcpwrapped
6000/tcp	tcpwrapped
6001/tcp	tcpwrapped
6646/tcp	tcpwrapped
7070/tcp	tcpwrapped
8000/tcp	tcpwrapped
8008/tcp	tcpwrapped
8009/tcp	tcpwrapped
8080/tcp	tcpwrapped
8081/tcp	tcpwrapped
8443/tcp	tcpwrapped
8888/tcp	tcpwrapped
9100/tcp	jetdirect
9999/tcp	tcpwrapped
10000/tcp	tcpwrapped
32768/tcp	tcpwrapped
49152/tcp	tcpwrapped
49153/tcp	tcpwrapped
49154/tcp	tcpwrapped

Web Technologies

Software / Version	Category
Google Analytics	Analytics

Web Application Vulnerabilities

Evidence

URL	Evidence
https://www.mylittlebloom.com/	Response headers do not include the HTTP Strict-Transport-Security header

Vulnerability description

We noticed that the target application lacks the HTTP Strict-Transport-Security header in its responses. This security header is crucial as it instructs browsers to only establish secure (HTTPS) connections with the web server and reject any HTTP connections.

Risk description

The risk is that lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation

The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows: `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]` The parameter `max-age` gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. A value below 7776000 is considered as too low by this scanner check. The flag `includeSubDomains` defines that the policy applies also for sub domains of the sender of the response.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://www.mylittlebloom.com/	Response does not include the HTTP Content-Security-Policy security header or meta tag

Vulnerability description

We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.

Risk description

The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

Recommendation

Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://www.mylittlebloom.com/	Response headers do not include the X-Content-Type-Options HTTP security header

Vulnerability description

We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.

Risk description

The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.

Recommendation

We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://www.mylittlebloom.com/howto	Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response.

Vulnerability description

We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.

Risk description

The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g. "https://www.google.com", the browser will send to Google the full originating URL in the `Referer` header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

Recommendation

The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

Software / Version	Category
Google Analytics	Analytics

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Risk description

The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL
https://www.mylittlebloom.com/robots.txt

Vulnerability description

We found the robots.txt on the target server. This file instructs web crawlers what URLs and endpoints of the web application they can visit and crawl. Website administrators often misuse this file while attempting to hide some web pages from the users.

Risk description

There is no particular security risk in having a robots.txt file. However, it's important to note that adding endpoints in it should not be considered a security measure, as this file can be directly accessed and read by anyone.

Recommendation

We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Infrastructure Vulnerabilities

Evidence

CVSS	CVE	Summary	Exploit
9.8	CVE-2023-38408	The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.	N/A
6.8	CVE-2020-15778	scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."	N/A
6.5	CVE-2023-51385	In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.	N/A
5.9	CVE-2023-48795	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.	N/A
5.8	CVE-2019-6111	An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).	EDB-ID:46193

Vulnerability description

Vulnerabilities found for Openssh 7.4

Recommendation

We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.

We managed to detect a publicly accessible SSH service.

Starting Nmap ( https://nmap.org ) at 2025-01-14 00:28 EET
Nmap scan report for www.mylittlebloom.com (23.167.152.118)
Host is up (0.0023s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|     gssapi-keyex
|     gssapi-with-mic
|_    password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.65 seconds

Vulnerability description

We found that the SSH service with username/password authentication is publicly accessible. Network administrators often use remote administration protocols to control devices like switches, routers, and other essential systems. However, allowing these services to be accessible via the Internet can increase security risks, creating potential opportunities for attacks on the organization.

Recommendation

We recommend turning off SSH with username/password authentication access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the SSH service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, it is advisable to utilize SSH Public Key Authentication since it employs a key pair to verify the identity of a user or process.

Evidence

Domain Queried	DNS Record Type	Description	Value
www.mylittlebloom.com	A	IPv4 address	23.167.152.118
www.mylittlebloom.com	CNAME	Canonical name	ngts.gtr-cloudflare.net

Recommendation

We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.