Vulnerability Scan Result
| Title: | Ghazal – Vos Courses À La Source |
| Description: | No description found |
| IP address | 84.32.84.81 |
| Country | LT  |
| AS number | AS47583 |
| Net name | Ripe NCC ASN Block |
80/tcp | http | hcdn |
443/tcp | https | hcdn |
| Software / Version | Category |
|---|---|
| Clipboard.js | JavaScript libraries |
| Contact Form 7 6.0.2 | WordPress plugins, Form builders |
| Elementor 3.26.3 | Page builders, WordPress plugins |
| jQuery Migrate 3.4.1 | JavaScript libraries |
| HTTP/3 | Miscellaneous |
| imagesLoaded 5.0.0 | JavaScript libraries |
| jQuery | JavaScript libraries |
| MySQL | Databases |
| PHP 8.2.15 | Programming languages |
| Underscore.js 1.13.7 | JavaScript libraries |
| Webpack | Miscellaneous |
| Module Federation | Miscellaneous |
| WooCommerce 9.5.1 | Ecommerce, WordPress plugins |
| Woodmart | WordPress themes |
| WordPress 6.7.1 | CMS, Blogs |
| Hostinger | Hosting |
| Hostinger CDN | CDN |
| Slider Revolution 6.6.20 | Widgets, Photo galleries |
| WhatsApp Business Chat | Live chat |
Web Application Vulnerabilities
Evidence
| Risk Level | CVSS | CVE | Summary | Affected software |
|---|---|---|---|---|
| 9.8 | CVE-2024-4577 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | php 8.2.15 | |
| 9.8 | CVE-2024-11236 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | php 8.2.15 | |
| 8.8 | CVE-2024-5585 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | php 8.2.15 | |
| 5.9 | CVE-2024-2408 | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability. | php 8.2.15 | |
| 5.3 | CVE-2024-5458 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. | php 8.2.15 |
Vulnerability description
We noticed known vulnerabilities in the target application based on the server responses. They are usually related to outdated systems and expose the affected applications to the risk of unauthorized access to confidential data and possibly denial of service attacks. Depending on the system distribution the affected software can be patched but displays the same version, requiring manual checking.
Recommendation
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest version.
Classification
| CWE | CWE-1026 |
| OWASP Top 10 - 2017 | A9 - Using Components with Known Vulnerabilities |
| OWASP Top 10 - 2021 | A6 - Vulnerable and Outdated Components |
Evidence
| URL | Evidence |
|---|---|
| https://ghazzal.ma/ | Response headers do not include the HTTP Strict-Transport-Security header |
Vulnerability description
We noticed that the target application lacks the HTTP Strict-Transport-Security header in its responses. This security header is crucial as it instructs browsers to only establish secure (HTTPS) connections with the web server and reject any HTTP connections.
Recommendation
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows: `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]` The parameter `max-age` gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. A value below 7776000 is considered as too low by this scanner check. The flag `includeSubDomains` defines that the policy applies also for sub domains of the sender of the response.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://ghazzal.ma/ | Response headers do not include the X-Content-Type-Options HTTP security header |
Vulnerability description
We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.
Recommendation
We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://ghazzal.ma/ | Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response. |
Vulnerability description
We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.
Recommendation
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://ghazzal.ma/ | Response headers include the HTTP Content-Security-Policy security header with the following security issues:`script-src: script-src directive is missing. default-src: The default-src directive should be set as a fall-back when other restrictions have not been specified. object-src: Missing object-src allows the injection of plugins which can execute JavaScript. We recommend setting it to 'none'. base-uri: Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain. We recommend setting it to 'none' or 'self'.` |
Vulnerability description
We noticed that the Content-Security-Policy (CSP) header configured for the web application includes unsafe directives. The CSP header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS) by restricting the sources from which content can be loaded or executed.
Recommendation
Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly define the sources from which scripts, styles, images or other resources can be loaded.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Software / Version | Category |
|---|---|
| Clipboard.js | JavaScript libraries |
| Contact Form 7 6.0.2 | WordPress plugins, Form builders |
| Elementor 3.26.3 | Page builders, WordPress plugins |
| jQuery Migrate 3.4.1 | JavaScript libraries |
| HTTP/3 | Miscellaneous |
| imagesLoaded 5.0.0 | JavaScript libraries |
| jQuery | JavaScript libraries |
| MySQL | Databases |
| PHP 8.2.15 | Programming languages |
| Underscore.js 1.13.7 | JavaScript libraries |
| Webpack | Miscellaneous |
| Module Federation | Miscellaneous |
| WooCommerce 9.5.1 | Ecommerce, WordPress plugins |
| Woodmart | WordPress themes |
| WordPress 6.7.1 | CMS, Blogs |
| Hostinger | Hosting |
| Hostinger CDN | CDN |
| Slider Revolution 6.6.20 | Widgets, Photo galleries |
| WhatsApp Business Chat | Live chat |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
Vulnerability description
We found the robots.txt on the target server. This file instructs web crawlers what URLs and endpoints of the web application they can visit and crawl. Website administrators often misuse this file while attempting to hide some web pages from the users.
Recommendation
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
Website is accessible.
Evidence
Vulnerability description
We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.
Recommendation
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Infrastructure Vulnerabilities
Evidence
| Risk level | CVSS | CVE | Summary | Exploit |
|---|---|---|---|---|
| 9.8 | CVE-2024-4577 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | N/A | |
| 9.8 | CVE-2024-11236 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | N/A | |
| 8.8 | CVE-2024-5585 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | N/A | |
| 5.9 | CVE-2024-2408 | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability. | N/A | |
| 5.3 | CVE-2024-5458 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. | N/A |
Vulnerability description
Vulnerabilities found for PHP 8.2.15
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| ghazzal.ma | SPF | Sender Policy Framework | "v=spf1 include:_spf.mail.hostinger.com ~all" |
Vulnerability description
We found that the Sender Policy Framework (SPF) record for the domain is configured with ~all (soft fail), which indicates that emails from unauthorized IP addresses are not explicitly denied. Instead, the recipient mail server is instructed to treat these messages with suspicion but may still accept them. This configuration may not provide enough protection against email spoofing and unauthorized email delivery, leaving the domain more vulnerable to impersonation attempts.
Recommendation
We recommend changing the SPF record's ~all (soft fail) directive to -all (hard fail). The -all setting tells recipient mail servers to reject emails from any IP addresses not listed in the SPF record, providing stronger protection against email spoofing. Ensure that all legitimate IP addresses and services that send emails on behalf of your domain are properly included in the SPF record before implementing this change.
Vulnerability description
We found that the target server has no DMARC policy configured. A missing DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy means that the domain is not enforcing any DMARC policies to protect against email spoofing and phishing attacks. Without DMARC, even if SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) are configured, there is no mechanism to tell receiving email servers how to handle messages that fail authentication. This leaves the domain vulnerable to abuse, such as email spoofing and impersonation.
Recommendation
We recommend implementing a DMARC policy for your domain. Start by configuring a DMARC record with a policy of p=none, which will allow you to monitor email flows without impacting legitimate emails. This initial setup helps identify how emails from your domain are being processed by recipient servers. Once you’ve verified that legitimate emails are passing SPF and DKIM checks, you can gradually enforce stricter policies like p=quarantine or p=reject to protect against spoofing and phishing attacks. Additionally, include rua and ruf email addresses in the DMARC record to receive aggregate and forensic reports. These reports will provide valuable insights into authentication failures and help you detect any spoofing attempts.
Vulnerability description
We found that no DKIM record was configured. When a DKIM (DomainKeys Identified Mail) record is not present for a domain, it means that outgoing emails from that domain are not cryptographically signed. DKIM is a critical component of email authentication, allowing recipients to verify that an email was genuinely sent from an authorized server and that the message has not been altered in transit. The absence of a DKIM record leaves the domain vulnerable to email spoofing and phishing attacks, as attackers can send fraudulent emails that appear to originate from the domain without any cryptographic verification.
Recommendation
We recommend implementing DKIM for your domain to enhance email security and protect your brand from email-based attacks. Generate a DKIM key pair (public and private keys), publish the public key in the DNS under the appropriate selector, and configure your email servers to sign outgoing messages using the private key. Ensure that the DKIM key length is at least 1024 bits to prevent cryptographic attacks. Regularly monitor DKIM signatures to ensure the system is functioning correctly and update keys periodically to maintain security.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| ghazzal.ma | A | IPv4 address | 185.77.97.52 |
| ghazzal.ma | NS | Name server | ns1.dns-parking.com |
| ghazzal.ma | NS | Name server | ns2.dns-parking.com |
| ghazzal.ma | MX | Mail server | 10 mx2.hostinger.com |
| ghazzal.ma | MX | Mail server | 5 mx1.hostinger.com |
| ghazzal.ma | SOA | Start of Authority | ns1.dns-parking.com. dns.hostinger.com. 2025011201 10000 2400 604800 600 |
| ghazzal.ma | AAAA | IPv6 address | 2a02:4780:84:bc96:ea6e:9ae8:a200:c510 |
| ghazzal.ma | SPF | Sender Policy Framework | "v=spf1 include:_spf.mail.hostinger.com ~all" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "digicert.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "globalsign.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "pki.goog" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "sectigo.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "letsencrypt.org" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "sectigo.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "letsencrypt.org" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "comodoca.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "digicert.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issuewild "globalsign.com" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "pki.goog" |
| ghazzal.ma | CAA | Certificate Authority Authorization | 0 issue "comodoca.com" |
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.
Vulnerability description
OS detection couldn't determine the operating system.
Recommendation
Vulnerability checks are skipped for ports that redirect to another port. We recommend scanning the redirected port directly.
Evidence
| Software / Version | Category |
|---|---|
| WordPress 6.7.1 | CMS, Blogs |
| Slider Revolution 6.6.19 | Widgets, Photo galleries |
| MySQL | Databases |
| PHP 8.2.15 | Programming languages |
| CFML | Programming languages |
| Google Maps | Maps |
| GeoServer | Maps |
| Contact Form 7 6.0.2 | WordPress plugins, Form builders |
| Adobe ColdFusion | Web frameworks |
| GSAP | JavaScript frameworks |
| Woodmart | WordPress themes |
| WooCommerce 9.5.1 | Ecommerce, WordPress plugins |
| Elementor 3.26.3 | Page builders, WordPress plugins |
| SuperPWA | WordPress plugins |
| imagesLoaded 5.0.0 | JavaScript libraries |
| Lodash 1.13.7 | JavaScript libraries |
| jQuery UI 1.13.3 | JavaScript libraries |
| jQuery Migrate 3.4.1 | JavaScript libraries |
| jQuery 3.7.1 | JavaScript libraries |
| core-js 3.32.0 | JavaScript libraries |
| WhatsApp Business Chat | Live chat |
| Priority Hints | Performance |
| Google Font API | Font scripts |
| Hostinger CDN | CDN |
| Hostinger | Hosting |
| Webpack | Miscellaneous |
| RSS | Miscellaneous |
| PWA | Miscellaneous |
| Module Federation | Miscellaneous |
| HTTP/3 | Miscellaneous |
| Clipboard.js | JavaScript libraries |
| Underscore.js 1.13.7 | JavaScript libraries |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.