[ZendTo] Re: Security

Jules Jules at Zend.To
Fri Dec 9 11:00:56 GMT 2011 


On 09/12/2011 10:42, Joao Alexandre wrote:
> Hi Jules,
>
> All of our internet facing structure was evaluated/scanned for
> security problems and regarding ZendTo they found two issues. They
> don't seem to be related itself with ZendTo but maybe you can help us
> resolve or lead us to the solution:
>
> 1.
> Vulnerability details -
> Script ID    201167
> Name    Directory Browsing
> Port    443/TCP - http
> Risk factor    Medium risk
> CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)
> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> Family    http
> Product    HTTP
> Description    This service lists the contents of various directories.
> Information    Browsable directories:
> Location
> /js/
> /images/
> /icons/
> /css/
> Solution    Disable directory browsing
> History    First seen : 2011-12-09 08:02 - New finding
This one you can fix in your Apache configuration. Look for a line 
saying something like
     Options All Indexes FollowSymLinks MultiViews
and remove the word "Indexes" from it. (Basically just search all the 
Apache configuration files you can find for the word "Indexes" and 
remove it!)
Then restart Apache.
I have just applied this fix to the VMs I distribute.
>
> 2.
> Script ID    236788
> Name    SSL/TLS Cipher Suite Detect MD5
> Port    443/TCP - http
> Risk factor    Medium risk
> CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> Family    ssl
> Product    SSL
> Description    The MD5 Message-Digest Algorithm is not collision
> resistant, which makes it easier for context-
> dependent attackers to conduct spoofing attacks, as demonstrated by
> attacks on the use of MD5 in the
> signature algorithm of an X.509 certificate.
> Information     SSLv3 Cipher Suite  OpenSSL Cipher
> Name
> Algorithm Bits Bits Used Cipher Strength
> RSA_WITH_RC4_1
> 28_MD5
> RC4-MD5 128 128 medium
> TLSv1 Cipher Suite  OpenSSL Cipher
> Name
> Algorithm Bits Bits Used Cipher Strength
> RSA_WITH_RC4_1
> 28_MD5
> RC4-MD5 128 128 medium
> Solution    Reconfigure the service to disallow the listed cipher suites
> Reference    url - http://www.kb.cert.org/vuls/id/836068CVE    CVE-2004-2761
> History    First seen : 2011-12-09 08:02 - New finding
This is related to your https SSL certificate, and the encryption method 
it uses. Most certificate providers are switching away from MD5 to SHA-1 
so hopefully the next time you renew your certificate this problem 
should disappear.

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Houseman

More information about the ZendTo mailing list