FutureQuest, Inc.
Security Scans Show Vulnerabilities
Posted on 14 October 2007 11:42 PM
Question:

I have run tests through Security Metrics and TrustKeeper and the results are showing some vulnerabilities. Will you please review the reports and address each item that was identified as a risk? Thanks!

Answer:

Thank you for sharing these reports with us. We have seen similar reports in the past and most of the concerns showing up on the reports are not relevant to our systems.

As for the specific items:

Helix Universal Server RTSP Buffer Overflow: Not applicable, as the vulnerable plugin (View Source) is not present on our servers. (Real Server 8 or Helix is not present on our servers. The Real G2 server we have in place is version 6.0.3.353.)

Microsoft RDS Method Exposure: Not applicable, as this bug only applies to servers running on Microsoft Windows.

newdsn.exe Detected: Not possible, as there is no newdsn.exe file on your server, nor would it (an MS Windows executable) be functional.

DB4Web directory traversal: Not possible, as we do not have any DB4Web software installed.

ndcgi.exe Detected: Not possible, as above.

DCE Service Ports Accessibility: We use port 1025 as a secondary port for SMTP service, not for DCE, and as such there is no access violation here.

printenv CGI Detected: We have been unable to find any such CGI in your account's cgi-bin. We have no idea why this is being reported, as it should not be possible.

CVS "Entries" File on Web Server: There are no globally available CVS/Entries files, nor did we find any such files in your account. We again cannot determine why this is being reported.

IIS FrontPage SHTML ISAPI DoS: Not applicable, as we do not run IIS nor FrontPage and as such are not vulnerable.

Apache htaccess Overflow: Not applicable. While I cannot verify if there is or isn't a bug in the htaccess program we are running, it is not setuid, and as such it is not possible for "a local user to gain the privilege level of the httpd process" as they claim. Also, at least one of the bug IDs listed for this is completely unrelated. We are running the 1.3.41 version of Apache.

ICMP Timestamping Response: This is a fairly low-impact vulnerability, as indicated, but we will consider disabling the specific timestamping ICMP service.

OpenSSH PAM Timing Attack: As the description states, this is only applicable to version 3.6.1p1 and earlier, and we are running version 5.0p1 (or later), and as such this is not applicable.

Robots.txt with Disallows: This is local to your account.

QMTP: Yes, we run QMTP services to allow suitably configured remote systems to send us mail more efficiently.

No CGI Scan Results: This seems to be indicating that their tool wasn't able to automatically scan for further CGI scripts due to the presence of customized error documents, something that could well be considered a security benefit.

Apache::ASP source.asp: No "source.asp" was to be found on the server, nor would it be executable normally as we do not run Apache::ASP.

OfficeScan Info Dump: We do not run OfficeScan, and we found no ofcscan.ini files on the server.

Apache Username Probing: We do not support ~username access.

SMTP Server Running on a Non Standard Port: SMTP is running on nonstandard ports 1025 and 587 by design for those clients whose ISPs block Port 25 (see http://service.FutureQuest.net/kba123 "Why can I receive email, but not send any?").

We hope the above information satisfactorily addresses the concerns presented by the reports.
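The answer above disposes of most findings by checking three things: whether the flagged file actually exists on the server, whether the program a local-escalation claim targets is setuid, and what service really answers on a port the scanner guessed at (1025 reported as DCE but serving SMTP). The script below is an added example of that triage, not FutureQuest's own tooling: it builds a constructed server root in a temporary directory, plants one real artifact (a CVS/Entries file) so one verdict comes back positive, uses a non-setuid placeholder file named "htaccess" as a stand-in for the program discussed, and classifies constructed service banners for ports 1025 and 22. The file names are the ones the reports name; the roots, banners and helper file are assumptions.

```python
"""Triage helper for web-host scanner findings (added example, not FutureQuest's code).

Given a server root, the file artifacts a scanner claims to have found, the
path of a program a report says could be abused for local escalation, and a
captured banner per port, produce one verdict per finding. All paths and the
sample banners are constructed for the demonstration.
"""
import os
import stat
import tempfile

# File artifacts the reports above flag, relative to the server/account root.
# The names come from the scanner items in the answer; the locations are assumed.
FLAGGED_FILES = [
    "cgi-bin/newdsn.exe",
    "cgi-bin/ndcgi.exe",
    "cgi-bin/printenv",
    "CVS/Entries",
    "source.asp",
    "ofcscan.ini",
]


def check_flagged_files(root):
    """Return {relative_path: exists} for each scanner-flagged artifact under root."""
    return {rel: os.path.exists(os.path.join(root, rel)) for rel in FLAGGED_FILES}


def is_setuid(path):
    """True only if path exists and carries the setuid bit (S_ISUID).

    A local-escalation claim against a program that is not setuid cannot hand a
    local user the httpd process's privileges, which is the reasoning the
    htaccess item above relies on.
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_ISUID)


def classify_banner(banner):
    """Classify a service greeting so a port-number guess (e.g. 'DCE on 1025')
    can be confirmed or refuted from what the listener actually says."""
    line = banner.strip().split("\n", 1)[0]
    if line.startswith("220 ") and "SMTP" in line.upper():
        return "smtp"
    if line.startswith("220 "):
        return "smtp-like"
    if line.startswith("SSH-"):
        return "ssh"
    return "unknown"


def triage(root, setuid_candidate, banner_by_port):
    """Build verdicts for file presence, setuid status and per-port services."""
    verdicts = {}
    for rel, present in check_flagged_files(root).items():
        verdicts[rel] = "present - investigate" if present else "absent - not applicable"
    verdicts["setuid:" + setuid_candidate] = (
        "setuid - local escalation claim plausible"
        if is_setuid(os.path.join(root, setuid_candidate))
        else "not setuid - escalation claim not applicable"
    )
    for port, banner in banner_by_port.items():
        verdicts["port:%d" % port] = classify_banner(banner)
    return verdicts


def demo():
    """Constructed server root: empty cgi-bin, a non-setuid 'htaccess' stand-in,
    and a CVS/Entries file planted deliberately so one finding is real."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cgi-bin"))
    os.makedirs(os.path.join(root, "CVS"))
    with open(os.path.join(root, "CVS", "Entries"), "w") as fh:
        fh.write("/index.html/1.1/Mon Oct  1 00:00:00 2007//\n")  # constructed
    helper = os.path.join(root, "htaccess")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")  # constructed stand-in program
    os.chmod(helper, 0o755)  # executable, but no setuid bit
    banners = {  # constructed greetings; hostnames are placeholders
        1025: "220 mail.example.invalid ESMTP\r\n",
        22: "SSH-2.0-OpenSSH_5.0\r\n",
    }
    return triage(root, "htaccess", banners)


if __name__ == "__main__":
    for item, verdict in sorted(demo().items()):
        print("%-24s %s" % (item, verdict))
```

Run it as-is to see the verdict table; on a real host, point triage() at the account's document root and feed it banners captured from the ports the report lists. Any "present" or "setuid" verdict is the item worth a closer look; everything else can be answered the way the reply above does.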