Saturday, June 4, 2011

Vulnerability in www.ixe.com.mx/portal/

Greetings, Free World.

Here are some possible vulnerabilities.

http://www.ixe.com.mx/portal/

[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: grep.collectCookies
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: grep.httpAuthDetect
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: grep.error500
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: discovery.serverHeader
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: discovery.allowedMethods
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: discovery.frontpage_version
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: grep.passwordProfiling
[Sat 04 Jun 2011 09:52:28 PM CDT] Auto-enabling plugin: grep.getMails
[Sat 04 Jun 2011 09:52:29 PM CDT] Auto-enabling plugin: grep.lang
[Sat 04 Jun 2011 09:52:38 PM CDT] The remote HTTP Server ommited the "server" header in it's response. This information was found in the request with id 16.
[Sat 04 Jun 2011 09:52:39 PM CDT] The URL: "http://www.ixe.com.mx/portal/" has the following DAV methods enabled:
[Sat 04 Jun 2011 09:52:39 PM CDT] - DELETE, GET, HEAD, INDEX, MKDIR, MOVE, OPTIONS, POST, PUT, RMDIR, TRACE
[Sat 04 Jun 2011 09:52:39 PM CDT] Starting formAuthBrute plugin execution.
[Sat 04 Jun 2011 09:52:39 PM CDT] https://www.ixe.com.mx/ixenet/app is a registration form.
[Sat 04 Jun 2011 09:52:39 PM CDT] Starting basicAuthBrute plugin execution.
[Sat 04 Jun 2011 09:52:39 PM CDT] Found 4 URLs and 5 different points of injection.
[Sat 04 Jun 2011 09:52:39 PM CDT] The list of URLs is:
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/document/doc_send.jsp
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp
[Sat 04 Jun 2011 09:52:39 PM CDT] - https://www.ixe.com.mx/ixenet/app
[Sat 04 Jun 2011 09:52:39 PM CDT] The list of fuzzable requests is:
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/ | Method: GET
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/document/doc_send.jsp | Method: POST | Parameters: (mailTo="", form_doc_version="", doc_title="", doc_resource="", form_id_document="", page="document/d...")
[Sat 04 Jun 2011 09:52:39 PM CDT] - http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp | Method: POST | Parameters: (id_category="0", doc_expand="false", id_content="0", no_reg_page="10", search_date="", no_page="1", module="todos", buscado="", dosearch="true")
[Sat 04 Jun 2011 09:52:39 PM CDT] - https://www.ixe.com.mx/ixenet/app | Method: POST | Parameters: (userField="", service="direct/1/P...", sp="S0", Form0="userField,...", $FormConditional="T", Image1="login", passwordField="")
[Sat 04 Jun 2011 09:52:39 PM CDT] - https://www.ixe.com.mx/ixenet/app | Method: POST | Parameters: (userField="", service="direct/1/P...", sp="S0", Form0="userField,...", $FormConditional="T", passwordField="")
[Sat 04 Jun 2011 09:52:40 PM CDT] The page language is: es
[Sat 04 Jun 2011 09:52:49 PM CDT] The web application sent a persistent cookie.
[Sat 04 Jun 2011 09:52:49 PM CDT] The following scripts allow an attacker to send POST data as query string data (this makes XSRF easier to exploit):
[Sat 04 Jun 2011 09:52:49 PM CDT] - The URL: http://www.ixe.com.mx/portal/document/doc_send.jsp is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.
[Sat 04 Jun 2011 09:54:44 PM CDT] This is the information about the SSL certificate used in the target site:
    - Digest (SHA-1): 51:A2:98:1E:30:3B:3D:9A:B6:CD:EA:89:BC:14:8A:A3:11:A4:B3:15
    - Digest (MD5): 5F:84:A1:B2:6C:99:04:49:09:B2:2F:A9:F1:57:86:CB
    - Serial#: 107111107664083977216497774107247421807
    - Version: 2
    - Expired: No
    - Subject:
    - Issuer:
    - PKey bits: 1024
    - PKey type: RSA (6)
    - Certificate dump:

[Sat 04 Jun 2011 09:58:46 PM CDT] The URL: http://www.ixe.com.mx/portal/document/doc_send.jsp is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.
[Sat 04 Jun 2011 09:58:46 PM CDT] An unidentified vulnerability was found at: "https://www.ixe.com.mx/ixenet/app", using HTTP method POST. The sent post-data was: "userField=John8212&service=direct/1/PortalLogin/form.form&sp=S0&Form0=userField%2CpasswordField%2C%24FormConditional%2C%24ImageSubmit&%24FormConditional=d'kc"z'gj'"%2A%2A5%2A(((%3B-%2A%60)&passwordField=FrAmE30.". The modified parameter was "$FormConditional". This vulnerability was found in the request with id 172.
[Sat 04 Jun 2011 09:58:46 PM CDT] An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp", using HTTP method POST. The sent post-data was: "...id_category=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 201.
[Sat 04 Jun 2011 09:58:46 PM CDT] An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp", using HTTP method POST. The sent post-data was: "...buscado=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 224.
[Sat 04 Jun 2011 09:58:46 PM CDT] An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...mailTo=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 232.
[Sat 04 Jun 2011 09:58:46 PM CDT] An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...form_doc_version=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 237.
[Sat 04 Jun 2011 09:58:46 PM CDT] The remote HTTP Server ommited the "server" header in it's response. This information was found in the request with id 16.
[Sat 04 Jun 2011 09:58:46 PM CDT] The URL "http://www.ixe.com.mx/portal/" has the following allowed methods, which include DAV methods: DELETE, GET, HEAD, INDEX, MKDIR, MOVE, OPTIONS, POST, PUT, RMDIR, TRACE. This information was found in the request with id 18.
[Sat 04 Jun 2011 09:58:46 PM CDT] The URL: "https://www.ixe.com.mx/ixenet/app" sent the cookie: "JSESSIONID=Kc2dNqvYnCkmBbtLKZ7x8mfHTQQQ1jHK2FXTprWVFYnJd92W0tT8!-2087253857; path=/". This information was found in the request with id 21.

xsrf:post_xsrf:
Cross Site request forgery vulnerability
The URL: http://www.ixe.com.mx/portal/document/doc_send.jsp is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.

generic:generic:

An unidentified vulnerability was found at: "https://www.ixe.com.mx/ixenet/app", using HTTP method POST. The sent post-data was: "userField=John8212&service=direct/1/PortalLogin/form.form&sp=S0&Form0=userField%2CpasswordField%2C%24FormConditional%2C%24ImageSubmit&%24FormConditional=d'kc"z'gj'"%2A%2A5%2A(((%3B-%2A%60)&passwordField=FrAmE30.". The modified parameter was "$FormConditional". This vulnerability was found in the request with id 172.

POST https://www.ixe.com.mx/ixenet/app HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

Form0=userField%2CpasswordField%2C%24FormConditional%2C%24ImageSubmit&userField=John8212&service=direct/1/PortalLogin/form.form&%24FormConditional=d'kc"z'gj'"%2A%2A5%2A(((%3B-%2A%60)&sp=S0&passwordField=FrAmE30.

An unidentified vulnerability was found at: "https://www.ixe.com.mx/ixenet/app", using HTTP method POST. The sent post-data was: "userField=John8212&service=direct/1/PortalLogin/form.form&sp=S0&Form0=userField%2CpasswordField%2C%24FormConditional%2C%24ImageSubmit&%24FormConditional=&passwordField=FrAmE30.". The modified parameter was "$FormConditional". This vulnerability was found in the request with id 174.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=w3af%40email.com&form_doc_version=&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp", using HTTP method POST. The sent post-data was: "...id_category=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 201.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=w3af%40email.com&form_doc_version=&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/index.jsp?page=modules/search/search_acc.jsp", using HTTP method POST. The sent post-data was: "...buscado=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 224.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=&form_doc_version=5672&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...mailTo=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 232.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=d'kc"z'gj'"%2A%2A5%2A(((%3B-%2A%60)&form_doc_version=5672&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...mailTo=...". This vulnerability was found in the request with id 234.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=&form_doc_version=5672&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...form_doc_version=d'kc"z'gj'"**5*(((;-*`)...". This vulnerability was found in the request with id 237.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=w3af%40email.com&form_doc_version=d'kc"z'gj'"%2A%2A5%2A(((%3B-%2A%60)&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

An unidentified vulnerability was found at: "http://www.ixe.com.mx/portal/document/doc_send.jsp", using HTTP method POST. The sent post-data was: "...form_doc_version=...". This vulnerability was found in the request with id 239.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=w3af%40email.com&form_doc_version=&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

sslCertificate: version:

The certificate is using an old version of SSL (2), which is insecure.

POST http://www.ixe.com.mx/portal/document/doc_send.jsp HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: www.ixe.com.mx
Cookie: path=/; FWPFSESSIONID=HrxnNqvNwtC5N2rzhQ12PJbSTXnr5tlnNTTyyXVw1pJXfvFT4yp2!-1184488609!80571002;
Content-type: application/x-www-form-urlencoded

mailTo=w3af%40email.com&form_doc_version=&doc_title=Hello+World&doc_resource=5672&form_id_document=3419&page=document/doc_send.jsp

There you have them.

Greetings, Free World.
