### Issue Description
The researcher identified that the remote host is vulnerable to several denial-of-service vulnerabilities; however, due to the nature of these issues, the researcher did not attempt to produce a proof of concept. The finding is based on the outdated version of Apache running on the affected host.
Additionally, it was noted that the affected host displays the default SUSE Apache test page when visited over HTTP or HTTPS, as shown:
{F118343}
From the screenshot it can clearly be seen that the test page is displayed. It was noted that there are several publicly available exploits for the vulnerabilities in this version of Apache.
### Response
```
curl -I http://dolph2.booztx.com
HTTP/1.1 403 Forbidden
Date: Thu, 08 Sep 2016 15:18:14 GMT
Server: Apache/2.2.15 (SuSE)
Accept-Ranges: bytes
Content-Length: 4002
Connection: close
Content-Type: text/html; charset=UTF-8
```
From the response it can be seen that the version of Apache running on the server is 2.2.15 (SuSE), which on further inspection was found to be vulnerable to the following CVEs, based upon the version number:

| CVE ID | Risk Score |
|---|---|
| CVE-2013-5704 | 5.0 |
| CVE-2014-0118 | 4.3 |
| CVE-2014-0226 | 6.8 |
| CVE-2014-0231 | 5 |

From the CVEs in the table the following descriptions
These issues were deemed the highest risk of the CVEs that affect the installed version. If Boozt are interested, the consultant can provide a full list of CVEs that affect this version.
### Affected URLs
### Risk Breakdown
Risk: High
Difficulty to Exploit: Medium
Authentication: None
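### Recommended Fix
Update to the latest version of Apache for SUSE, which at the time of writing is 2.4. Additionally, the server should be hardened so that it does not disclose its version, as shown in the example below.
Open httpd.conf in an editor and change the following options:
```apache
# Requires mod_headers to be loaded
Header unset Server
# Do not append a server/version footer to server-generated pages
ServerSignature Off
# Reduce the Server response header to the product name only
ServerTokens Prod
```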
Also, the default index page should either be replaced with a blank page, or the permissions of the domain should be adapted so that it returns 404/403 pages. For more information, please see the Apache docs.
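
One way to confirm that the hardening above took effect is to classify the `Server` header of a response. This is an added example, not part of the original report; the function name, the verdict strings and the "after" sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the Server header of an HTTP response read on stdin.
# Prints: absent | product-only | discloses-detail
classify_server_header() {
    tr -d '\r' | awk '
        in_body { next }                    # ignore anything after the headers
        /^$/    { in_body = 1; next }       # blank line ends the header block
        !found && tolower($0) ~ /^server:/ {
            found = 1
            sub(/^[^:]*:[ \t]*/, "")        # keep only the header value
            # A digit after "/" is a version; "(" opens an OS/module comment.
            verdict = ($0 ~ /\/[0-9]/ || $0 ~ /\(/) ? "discloses-detail" : "product-only"
        }
        END { print (found ? verdict : "absent") }'
}

# Headers as shown in the report above.
sample_before() {
    printf '%s\r\n' 'HTTP/1.1 403 Forbidden' \
        'Date: Thu, 08 Sep 2016 15:18:14 GMT' \
        'Server: Apache/2.2.15 (SuSE)' \
        'Connection: close' ''
}

# Constructed sample: the same response once ServerTokens Prod is in effect.
sample_after() {
    printf '%s\r\n' 'HTTP/1.1 403 Forbidden' \
        'Date: Thu, 08 Sep 2016 15:18:14 GMT' \
        'Server: Apache' \
        'Connection: close' ''
}

echo "before: $(sample_before | classify_server_header)"
echo "after:  $(sample_after | classify_server_header)"
# Live check (host is a placeholder): curl -sI https://host.example/ | classify_server_header
```

A result of `discloses-detail` after the configuration change means the new directives are not being applied to the virtual host that answered the request.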