help with Nikto results...

From: Spaceman Spiff (stupendousman_at_calvin.com)
Date: 02/08/04


Date: Sun, 08 Feb 2004 10:34:40 -0500

Hi all,

I've been playing with Nikto and using it against my personal web
server. I get some results that I cannot find any information about in
my searching. Can anyone help give me an idea of what the /?Open line
indicates and help me understand why I'm seeing something for
MyWebServer when this is an apache web server. And one last thing, why
is there a hit for .htaccess/.htpasswd when I have those disabled in the
httpd.conf and there are no such files in any of my directory structure?
  The results of the scan are;

+ Server: Apache/1.3.29 (Unix) mod_perl/1.28 PHP/4.3.4
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt - contains 19 'disallow' entries which should be manually
viewed (added to mutation file lists) (GET).
+ Apache/1.3.29 appears to be outdated (current is at least
Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.
+ mod_perl/1.28 appears to be outdated (current is at least 1.99_10)
+ PHP/4.3.4 appears to be outdated (current is at least 4.3.4RC2)
+ /.htaccess - Contains authorization information (GET)
+ /.htpasswd - Contains authorization information (GET)
+ /phpBB2/includes/db.php - Some versions of db.php from phpBB2 allow
remote file inclusions. Verify the current version is running. See
http://www.securiteam.com/securitynews/5BP0F2A6KC.html for more info (GET)
+ /\"><img%20src=\"javascript:alert(document.domain)\"> - The IBM Web
Traffic Express Caching Proxy is vulnerable to Cross Site Scripting
(XSS). CA-2000-02. (GET)
+ /?Open - This displays a list of all databases on the server. ĘDisable
this capability via server options. (GET)
+
/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<font%20size=50>DEFACED<!--//--
- MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later
version. (GET)
+ /phpMyAdmin/ - This might be interesting... (GET)
+ 1987 items checked - 8 item(s) found on remote host(s)

Thanks



Relevant Pages

  • Re: The Myth of the secure Mac
    ... >>>Apple calls it 'Personal Web Server'. ... It's really just Apache 1.x. ... You click on 'Personal Web Sharing' or whatever ...
    (comp.sys.mac.advocacy)
  • Re: file size limit
    ... You may be exceeding their anti-spam quota regarding the maximum size of a message, like 10MB is as big as you can send. ... Have you asked the recipient if their mailbox quota will accommodate your 12MB e-mail? ... If the download is corrupted, and because the original back on the server usually gets deleted after the e-mail downloads the message, the recipient has to request the sender to resend another huge message and try it all over again. ... your personal web pages with your ISP, Yahoo Geocities personal web pages, Yahoo Briefcase, X-Drive, or some other freebie or paid online storage provider. ...
    (microsoft.public.outlook)
  • FP2000 Ext/ Win 98
    ... Recently my win 98 pc went through a windows update and it ... has corrupted my Personal Web Server. ... my test web on my pc, I am was receiving an "Unable to ... read congfiguration information for Microsoft Personal Web ...
    (microsoft.public.frontpage.extensions.windowsnt)
  • Re: Static IP Security
    ... win98 is not a very stable or secure web server, ... enough for a personal web page with only a little traffic where high ... www.microsoft.com/security for more recommendations. ...
    (comp.security.firewalls)
  • Re: Static IP Security
    ... win98 is not a very stable or secure web server, ... enough for a personal web page with only a little traffic where high ... www.microsoft.com/security for more recommendations. ...
    (comp.security.firewalls)