Vulnerability Scan Result

Target:

http://tamkeen.rehab/

Scanned target: http://tamkeen.rehab/

Submitted: January 13, 2025 from RS

Public scan

Scan mode: Passive (non-intrusive)

finished

Summary

high

Info

Low

Medium

High

Critical

Screenshot

Title:	مركز الخنينية للتمكين الوظيفي والإجتماعي
Description:

IP Information

IP address	162.240.174.154
Country	US
AS number	AS46606
Net name	Unified Layer

Open Ports

21/tcp	ftp	Pure-FTPd
22/tcp	ssh	OpenSSH 7.4
25/tcp	smtp
26/tcp	smtp	Exim smtpd 4.96.2
53/tcp	domain	PowerDNS Authoritative Server 4.9.1
80/tcp	http	Apache httpd
110/tcp	pop3	Dovecot pop3d
143/tcp	imap	Dovecot imapd
443/tcp	https	Apache httpd
465/tcp	smtp	Exim smtpd 4.96.2
587/tcp	smtp	Exim smtpd 4.96.2
993/tcp	imaps
995/tcp	pop3s

Web Technologies

Software / Version	Category
Animate.css	UI frameworks
CodeIgniter	Web frameworks
Font Awesome	Font scripts
Bootstrap	UI frameworks
jQuery	JavaScript libraries
Google Maps	Maps
prettyPhoto	JavaScript libraries
OWL Carousel	JavaScript libraries
PHP	Programming languages
WOW	JavaScript frameworks, Web frameworks, JavaScript graphics
YouTube	Video players

Web Application Vulnerabilities

Evidence

URL	Cookie Name	Evidence
http://tamkeen.rehab/	ci_session	The server responded with Set-Cookie header(s) that does not specify the HttpOnly flag: Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223cc96a4fefe87bd629b6d09fb5d88ea8%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22151.236.222.77%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A111%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F108.0.0.0+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1736769796%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22ar%22%3B%7D25ab90d25dbdfdb9a452c7b471d04f37

Vulnerability description

We found that a cookie has been set without the <code>HttpOnly</code> flag, which means it can be accessed by potentially malicious JavaScript code running inside the web page. The root cause for this usually revolves around misconfigurations in the code or server settings.

Recommendation

Ensure that the HttpOnly flag is set for all cookies.

Classification

CWE	CWE-1004
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Cookie Name	Evidence
http://tamkeen.rehab/	ci_session	Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223cc96a4fefe87bd629b6d09fb5d88ea8%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22151.236.222.77%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A111%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F108.0.0.0+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1736769796%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22ar%22%3B%7D25ab90d25dbdfdb9a452c7b471d04f37

Vulnerability description

We found that a cookie has been set without the <code>Secure</code> flag, which means the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. The root cause for this usually revolves around misconfigurations in the code or server settings.

Recommendation

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Classification

CWE	CWE-614
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Response URL	Evidence
http://tamkeen.rehab/	http://tamkeen.rehab/	Communication is made over unsecure, unencrypted HTTP.

Vulnerability description

We noticed that the communication between the web browser and the server is done using the HTTP protocol, which transmits data unencrypted over the network.

Recommendation

We recommend you to reconfigure the web server to use HTTPS - which encrypts the communication between the web browser and the server.

Classification

CWE	CWE-311
OWASP Top 10 - 2017	A3 - Sensitive Data Exposure
OWASP Top 10 - 2021	A4 - Insecure Design

Evidence

URL	Evidence
http://tamkeen.rehab/images/portfolio	Found output resembling directory listing.
http://tamkeen.rehab/images/team/	Found output resembling directory listing.
http://tamkeen.rehab/images/testimonial	Found output resembling directory listing.
http://tamkeen.rehab/img/	Found output resembling directory listing.
http://tamkeen.rehab/site/	Found output resembling directory listing.
http://tamkeen.rehab/site/js/	Found output resembling directory listing.

Vulnerability description

We noticed that the target application's web server is affected by a Directory Listing vulnerability in its URL structure. Directory listing is enabled due to misconfigured server settings, allowing attackers to view all files and subdirectories on the server.

Recommendation

We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive files at the mentioned URLs.

Classification

CWE	CWE-548
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A1 - Broken Access Control

Evidence

URL	Evidence
http://tamkeen.rehab/	Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response.

Vulnerability description

We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.

Recommendation

The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
http://tamkeen.rehab/	Response does not include the HTTP Content-Security-Policy security header or meta tag

Vulnerability description

We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.

Recommendation

Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
http://tamkeen.rehab/	Response headers do not include the X-Content-Type-Options HTTP security header

Vulnerability description

We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.

Recommendation

We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

Software / Version	Category
Animate.css	UI frameworks
CodeIgniter	Web frameworks
Font Awesome	Font scripts
Bootstrap	UI frameworks
jQuery	JavaScript libraries
Google Maps	Maps
prettyPhoto	JavaScript libraries
OWL Carousel	JavaScript libraries
PHP	Programming languages
WOW	JavaScript frameworks, Web frameworks, JavaScript graphics
YouTube	Video players

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL
Missing: http://tamkeen.rehab/.well-known/security.txt

Vulnerability description

We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.

Recommendation

We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Infrastructure Vulnerabilities

Evidence

CVSS	CVE	Summary	Exploit
9.8	CVE-2023-38408	The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.	N/A
6.8	CVE-2020-15778	scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."	N/A
6.5	CVE-2023-51385	In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.	N/A
5.9	CVE-2023-48795	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.	N/A
5.8	CVE-2019-6111	An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).	EDB-ID:46193

Vulnerability description

Vulnerabilities found for Openssh 7.4

Recommendation

We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.

We managed to detect a publicly accessible SSH service.

Starting Nmap ( https://nmap.org ) at 2025-01-13 14:08 EET
Nmap scan report for tamkeen.rehab (162.240.174.154)
Host is up (0.15s latency).
rDNS record for 162.240.174.154: 162-240-174-154.unifiedlayer.com

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|     gssapi-keyex
|     gssapi-with-mic
|_    password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.77 seconds

Vulnerability description

We found that the SSH service with username/password authentication is publicly accessible. Network administrators often use remote administration protocols to control devices like switches, routers, and other essential systems. However, allowing these services to be accessible via the Internet can increase security risks, creating potential opportunities for attacks on the organization.

Recommendation

We recommend turning off SSH with username/password authentication access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the SSH service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, it is advisable to utilize SSH Public Key Authentication since it employs a key pair to verify the identity of a user or process.

We managed to detect a publicly accessible File Transfer Protocol (FTP) service.

PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd

Vulnerability description

We found that the File Transfer Protocol (FTP) service is publicly accessible. The FTP enables client systems to connect to upload and download files. Nonetheless, FTP lacks encryption for the data exchanged between the server and the client, leaving all transferred data exposed in plaintext.

Recommendation

We recommend turning off FTP access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the FTP service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, utilizing SFTP (Secure File Transfer Protocol) is recommended as this protocol employs encryption to secure data transfers.

Evidence

Domain Queried	DNS Record Type	Description	Value
tamkeen.rehab	SPF	Sender Policy Framework	"v=spf1 a mx include:websitewelcome.com ~all"

Vulnerability description

We found that the Sender Policy Framework (SPF) record for the domain is configured with ~all (soft fail), which indicates that emails from unauthorized IP addresses are not explicitly denied. Instead, the recipient mail server is instructed to treat these messages with suspicion but may still accept them. This configuration may not provide enough protection against email spoofing and unauthorized email delivery, leaving the domain more vulnerable to impersonation attempts.

Recommendation

We recommend changing the SPF record's ~all (soft fail) directive to -all (hard fail). The -all setting tells recipient mail servers to reject emails from any IP addresses not listed in the SPF record, providing stronger protection against email spoofing. Ensure that all legitimate IP addresses and services that send emails on behalf of your domain are properly included in the SPF record before implementing this change.

Evidence

Domain Queried	DNS Record Type	Description	Value
tamkeen.rehab	TXT	Text record	"google-site-verification=0HN2juH6sWcYdlq40mdBGLh8t-rgsHnmBvMdGQz6pPY"

Vulnerability description

We found that the target server has no DMARC policy configured. A missing DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy means that the domain is not enforcing any DMARC policies to protect against email spoofing and phishing attacks. Without DMARC, even if SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) are configured, there is no mechanism to tell receiving email servers how to handle messages that fail authentication. This leaves the domain vulnerable to abuse, such as email spoofing and impersonation.

Recommendation

We recommend implementing a DMARC policy for your domain. Start by configuring a DMARC record with a policy of p=none, which will allow you to monitor email flows without impacting legitimate emails. This initial setup helps identify how emails from your domain are being processed by recipient servers. Once you’ve verified that legitimate emails are passing SPF and DKIM checks, you can gradually enforce stricter policies like p=quarantine or p=reject to protect against spoofing and phishing attacks. Additionally, include rua and ruf email addresses in the DMARC record to receive aggregate and forensic reports. These reports will provide valuable insights into authentication failures and help you detect any spoofing attempts.

Evidence

DKIM selector	Key type	Key size	Value
default	rsa	1422	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+dJCUHE9nlnuY9rEv2hSWuR2DAiOEN3QQ9nHpNYCV1Ul74da+hTxA+ePxw/RZrzuytpvWkx9qL7z4W0gfQZMYgmQ2DxdKiZ6rnxwZDXNMvDik6yl2I7RBLZomRe9H9sX/puDOgmhjJY8i38kkv2/Pkau2U8VFoQ/awke6e2ku+YVGhAJGc1Rkzie3Jt+yWas/" "idtURoscFvOM+NDt7Hl9hVMVcRJoDrTbyyvf5HZiRp2GHtN+s/zEYXbN5v1V2FeWLZp42lmZo98JWskv80xoD9GTEo/wwjoW51r+xmKAsVTXDY3/cf9K+983/uZT+no3NZFcYn4JZJH2hCMNy6pBwIDAQAB;"

Vulnerability description

We found that the DKIM record uses common selectors. The use of common DKIM selectors such as default, test, dkim, or mail may indicate a lack of proper customization or key management. Attackers often target domains using such selectors because they suggest that the domain is relying on default configurations, which could be less secure and easier to exploit. This can increase the risk of DKIM key exposure or misuse.

Recommendation

We recommend using unique, customized selectors for each DKIM key to make it more difficult for attackers to predict and target the domain's DKIM records. Regularly rotate selectors and associated keys to further strengthen the security of your domain's email authentication infrastructure.

Evidence

Domain Queried	DNS Record Type	Description	Value
tamkeen.rehab	A	IPv4 address	162.240.174.154
tamkeen.rehab	NS	Name server	ns1.moh4host.com
tamkeen.rehab	NS	Name server	ns2.moh4host.com
tamkeen.rehab	MX	Mail server	0 mail.tamkeen.rehab
tamkeen.rehab	SOA	Start of Authority	ns1.moh4host.com. root.server-605339.moh4host.com. 2024102102 3600 1800 1209600 86400
tamkeen.rehab	TXT	Text record	"google-site-verification=0HN2juH6sWcYdlq40mdBGLh8t-rgsHnmBvMdGQz6pPY"
tamkeen.rehab	SPF	Sender Policy Framework	"v=spf1 a mx include:websitewelcome.com ~all"

Recommendation

We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.

Operating System
Linux 5.1

Evidence

DKIM selector	Key type	Key size	Value
default	rsa	1422	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+dJCUHE9nlnuY9rEv2hSWuR2DAiOEN3QQ9nHpNYCV1Ul74da+hTxA+ePxw/RZrzuytpvWkx9qL7z4W0gfQZMYgmQ2DxdKiZ6rnxwZDXNMvDik6yl2I7RBLZomRe9H9sX/puDOgmhjJY8i38kkv2/Pkau2U8VFoQ/awke6e2ku+YVGhAJGc1Rkzie3Jt+yWas/" "idtURoscFvOM+NDt7Hl9hVMVcRJoDrTbyyvf5HZiRp2GHtN+s/zEYXbN5v1V2FeWLZp42lmZo98JWskv80xoD9GTEo/wwjoW51r+xmKAsVTXDY3/cf9K+983/uZT+no3NZFcYn4JZJH2hCMNy6pBwIDAQAB;"

Evidence

Software / Version	Category
PHP	Programming languages
Google Maps	Maps
WOW	JavaScript frameworks, Web frameworks, JavaScript graphics
YouTube	Video players
Bootstrap	UI frameworks
CodeIgniter	Web frameworks
Apache HTTP Server	Web servers
prettyPhoto	JavaScript libraries
OWL Carousel	JavaScript libraries
jQuery	JavaScript libraries

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

Evidence

Software / Version	Category
PHP	Programming languages
Google Maps	Maps
WOW	JavaScript frameworks, Web frameworks, JavaScript graphics
YouTube	Video players
Bootstrap	UI frameworks
CodeIgniter	Web frameworks
Apache HTTP Server	Web servers
prettyPhoto	JavaScript libraries
OWL Carousel	JavaScript libraries
jQuery	JavaScript libraries

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.