Vulnerability Scan Result
| Title: | Metsel- en klussenbedrijf Tonnie Klaassen |
| Description: | No description found |
| IP address | 178.251.26.76 |
| Country | NL  |
| AS number | AS42093 |
| Net name | Interracks B.V |
21/tcp | ftp | Pure-FTPd |
22/tcp | ssh | OpenSSH 7.4 |
25/tcp | smtp | Exim smtpd 4.98 |
53/tcp | domain | ISC BIND 9.11.4-P2 |
80/tcp | http | Apache/2 |
110/tcp | pop3 | Dovecot DirectAdmin pop3d |
143/tcp | imap | Dovecot imapd |
443/tcp | https | Apache/2 |
465/tcp | smtp | Exim smtpd 4.98 |
587/tcp | smtp | Exim smtpd 4.98 |
993/tcp | imaps | |
995/tcp | pop3s |
| Software / Version | Category |
|---|---|
| UIKit | UI frameworks |
| Apache HTTP Server 2 | Web servers |
| PHP 8.3.11 | Programming languages |
Web Application Vulnerabilities
Evidence
| URL | Evidence |
|---|---|
| https://metsel-tegel-timmerbedrijf.nl/ | Response headers do not include the HTTP Strict-Transport-Security header |
Vulnerability description
We noticed that the target application lacks the HTTP Strict-Transport-Security header in its responses. This security header is crucial as it instructs browsers to only establish secure (HTTPS) connections with the web server and reject any HTTP connections.
Recommendation
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows: `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]` The parameter `max-age` gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. A value below 7776000 is considered as too low by this scanner check. The flag `includeSubDomains` defines that the policy applies also for sub domains of the sender of the response.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://metsel-tegel-timmerbedrijf.nl/ | Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response. |
Vulnerability description
We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.
Recommendation
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://metsel-tegel-timmerbedrijf.nl/ | Response does not include the HTTP Content-Security-Policy security header or meta tag |
Vulnerability description
We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.
Recommendation
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Software / Version | Category |
|---|---|
| UIKit | UI frameworks |
| Apache HTTP Server 2 | Web servers |
| PHP 8.3.11 | Programming languages |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
Vulnerability description
We found the robots.txt on the target server. This file instructs web crawlers what URLs and endpoints of the web application they can visit and crawl. Website administrators often misuse this file while attempting to hide some web pages from the users.
Recommendation
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
Website is accessible.
Vulnerability description
We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.
Recommendation
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Method | Summary |
|---|---|---|
| https://metsel-tegel-timmerbedrijf.nl/ | OPTIONS | We did a HTTP OPTIONS request. The server responded with a 405 status code and the header: `Allow: ` Request / Response |
Vulnerability description
We have noticed that the webserver responded with an Allow HTTP header when an OPTIONS HTTP request was sent. This method responds to requests by providing information about the methods available for the target resource.
Recommendation
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your webserver configuration.
Classification
| CWE | CWE-16 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Infrastructure Vulnerabilities
Evidence
| Risk level | CVSS | CVE | Summary | Exploit |
|---|---|---|---|---|
| 9.8 | CVE-2023-38408 | The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. | N/A | |
| 6.8 | CVE-2020-15778 | scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." | N/A | |
| 6.5 | CVE-2023-51385 | In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. | N/A | |
| 5.9 | CVE-2023-48795 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | N/A | |
| 5.8 | CVE-2019-6111 | An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). | EDB-ID:46193 |
Vulnerability description
Vulnerabilities found for Openssh 7.4
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
Evidence
| Risk level | CVSS | CVE | Summary | Exploit |
|---|---|---|---|---|
| 7.5 | CVE-2022-38177 | By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. | N/A | |
| 7.5 | CVE-2022-38178 | By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. | N/A | |
| 7.5 | CVE-2023-2828 | Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. | N/A | |
| 7.5 | CVE-2023-3341 | The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. | N/A | |
| 7.5 | CVE-2023-4408 | The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. | N/A |
Vulnerability description
Vulnerabilities found for Isc Bind 9.11.4-p2
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
Starting Nmap ( https://nmap.org ) at 2025-01-13 23:54 EET
Nmap scan report for metsel-tegel-timmerbedrijf.nl (178.251.26.76)
Host is up (0.018s latency).
rDNS record for 178.251.26.76: server1.flokkus.nl
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
| gssapi-with-mic
|_ password
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
Vulnerability description
We found that the SSH service with username/password authentication is publicly accessible. Network administrators often use remote administration protocols to control devices like switches, routers, and other essential systems. However, allowing these services to be accessible via the Internet can increase security risks, creating potential opportunities for attacks on the organization.
Recommendation
We recommend turning off SSH with username/password authentication access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the SSH service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, it is advisable to utilize SSH Public Key Authentication since it employs a key pair to verify the identity of a user or process.
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPdVulnerability description
We found that the File Transfer Protocol (FTP) service is publicly accessible. The FTP enables client systems to connect to upload and download files. Nonetheless, FTP lacks encryption for the data exchanged between the server and the client, leaving all transferred data exposed in plaintext.
Recommendation
We recommend turning off FTP access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the FTP service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, utilizing SFTP (Secure File Transfer Protocol) is recommended as this protocol employs encryption to secure data transfers.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| metsel-tegel-timmerbedrijf.nl | SPF | Sender Policy Framework | "v=spf1 a mx ip4:178.251.26.76 ~all" |
Vulnerability description
We found that the Sender Policy Framework (SPF) record for the domain is configured with ~all (soft fail), which indicates that emails from unauthorized IP addresses are not explicitly denied. Instead, the recipient mail server is instructed to treat these messages with suspicion but may still accept them. This configuration may not provide enough protection against email spoofing and unauthorized email delivery, leaving the domain more vulnerable to impersonation attempts.
Recommendation
We recommend changing the SPF record's ~all (soft fail) directive to -all (hard fail). The -all setting tells recipient mail servers to reject emails from any IP addresses not listed in the SPF record, providing stronger protection against email spoofing. Ensure that all legitimate IP addresses and services that send emails on behalf of your domain are properly included in the SPF record before implementing this change.
Vulnerability description
We found that the target server has no DMARC policy configured. A missing DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy means that the domain is not enforcing any DMARC policies to protect against email spoofing and phishing attacks. Without DMARC, even if SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) are configured, there is no mechanism to tell receiving email servers how to handle messages that fail authentication. This leaves the domain vulnerable to abuse, such as email spoofing and impersonation.
Recommendation
We recommend implementing a DMARC policy for your domain. Start by configuring a DMARC record with a policy of p=none, which will allow you to monitor email flows without impacting legitimate emails. This initial setup helps identify how emails from your domain are being processed by recipient servers. Once you’ve verified that legitimate emails are passing SPF and DKIM checks, you can gradually enforce stricter policies like p=quarantine or p=reject to protect against spoofing and phishing attacks. Additionally, include rua and ruf email addresses in the DMARC record to receive aggregate and forensic reports. These reports will provide valuable insights into authentication failures and help you detect any spoofing attempts.
Evidence
| DKIM selector | Key type | Key size | Value |
|---|---|---|---|
| x | rsa | 786 | "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Rj+qTYGk/qpYePICN+//mtes/aIKp80kjVBLBbVDAHenTDM3TGnzlLHO7ApWxETMs3WQPu6/0nqaW1yBljMosV" "PjByPgIibum7fgBtrJjV7xX0mqPrlS60LvF82hI1UpjHip6euQ5zZZox7Hu+ft+8G8OYaTm9W1ejV3rPPcLqGd6PRbi+2m8RxA7ufwBRD5S5WsVHwpmCX9fLmHLReSgZ9vZjfjsSz2VKkoutxL+CVY" "63CpabHb+tmkaNA0Zkyaslh7YS2tXSpU6pTnquAnnbgN5ZX8yiNhB4C5rU9+HLXt3zAp/hW4zpoMYTCtHcu4KHp7Bms4bynXb+xK+D99wIDAQAB" |
Vulnerability description
We found that the DKIM key length is under 1024-bit. When a DKIM (DomainKeys Identified Mail) key length is under 1024-bit, it is considered weak by modern cryptographic standards. Shorter key lengths, such as 512 or 768 bits, are vulnerable to brute-force attacks, where an attacker could potentially forge a valid DKIM signature for a domain. This undermines the entire purpose of DKIM, which is to authenticate email messages and prevent email spoofing by verifying that the message headers have not been tampered with. A DKIM key under 1024 bits significantly reduces the difficulty for attackers to break the signature.
Recommendation
We recommend using a DKIM key with a length of at least 1024 bits. Ideally, 2048-bit keys should be used, as they provide a higher level of security and are more resistant to brute-force attacks. Organizations should regularly audit their DKIM configurations and rotate cryptographic keys periodically to maintain security. In addition, any DKIM keys that are less than 1024 bits should be immediately replaced with stronger keys to prevent exploitation.
Recommendation
To mitigate the risks associated with end-of-life (EOL) software, it's crucial to take proactive steps. Start by identifying any EOL software currently in use within your organization. Once identified, prioritize upgrading or replacing these applications with supported versions that receive regular updates and security patches. This not only helps close security gaps but also ensures better compatibility with newer technologies, enhancing overall system efficiency and reliability.Additionally, develop a comprehensive software lifecycle management plan. This plan should include regular audits to identify upcoming EOL dates and a schedule for timely updates or replacements. Train your IT staff and users about the importance of keeping software up to date and the risks associated with using outdated versions. By maintaining a proactive approach to software management, you can significantly reduce security risks, ensure compliance with industry regulations, and protect your organization's reputation and customer trust.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| metsel-tegel-timmerbedrijf.nl | A | IPv4 address | 178.251.26.76 |
| metsel-tegel-timmerbedrijf.nl | NS | Name server | ns2.flokkus.nl |
| metsel-tegel-timmerbedrijf.nl | NS | Name server | ns1.flokkus.nl |
| metsel-tegel-timmerbedrijf.nl | MX | Mail server | 10 mail.metsel-tegel-timmerbedrijf.nl |
| metsel-tegel-timmerbedrijf.nl | SOA | Start of Authority | ns1.flokkus.nl. hostmaster.metsel-tegel-timmerbedrijf.nl. 2024100101 3600 3600 1209600 86400 |
| metsel-tegel-timmerbedrijf.nl | SPF | Sender Policy Framework | "v=spf1 a mx ip4:178.251.26.76 ~all" |
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.
Evidence
| Operating System |
|---|
| Linux 4.4 |
Vulnerability description
OS Detection
Recommendation
Vulnerability checks are skipped for ports that redirect to another port. We recommend scanning the redirected port directly.
Evidence
| DKIM selector | Key type | Key size | Value |
|---|---|---|---|
| x | rsa | 786 | "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Rj+qTYGk/qpYePICN+//mtes/aIKp80kjVBLBbVDAHenTDM3TGnzlLHO7ApWxETMs3WQPu6/0nqaW1yBljMosV" "PjByPgIibum7fgBtrJjV7xX0mqPrlS60LvF82hI1UpjHip6euQ5zZZox7Hu+ft+8G8OYaTm9W1ejV3rPPcLqGd6PRbi+2m8RxA7ufwBRD5S5WsVHwpmCX9fLmHLReSgZ9vZjfjsSz2VKkoutxL+CVY" "63CpabHb+tmkaNA0Zkyaslh7YS2tXSpU6pTnquAnnbgN5ZX8yiNhB4C5rU9+HLXt3zAp/hW4zpoMYTCtHcu4KHp7Bms4bynXb+xK+D99wIDAQAB" |
Evidence
| Software / Version | Category |
|---|---|
| PHP 8.3.11 | Programming languages |
| UIKit | UI frameworks |
| Apache HTTP Server 2 | Web servers |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.