[ZendTo] Re: Security

Joao Alexandre jalexandre1964 at gmail.com
Fri Dec 9 12:11:19 GMT 2011


Hi Jules,

Thank you very much.

I've already corrected the apache configuration.

Regards,

Joao


On Fri, Dec 9, 2011 at 11:00 AM, Jules <Jules at zend.to> wrote:
>
>
> On 09/12/2011 10:42, Joao Alexandre wrote:
>> Hi Jules,
>>
>> All of our internet-facing infrastructure was evaluated/scanned for
>> security problems, and regarding ZendTo they found two issues. They
>> don't seem to be related to ZendTo itself, but maybe you can help us
>> resolve them or point us to the solution:
>>
>> 1.
>> Vulnerability details -
>> Script ID    201167
>> Name    Directory Browsing
>> Port    443/TCP - http
>> Risk factor    Medium risk
>> CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)
>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
>> Family    http
>> Product    HTTP
>> Description    This service lists the contents of various directories.
>> Information    Browsable directories:
>> Location
>> /js/
>> /images/
>> /icons/
>> /css/
>> Solution    Disable directory browsing
>> History    First seen : 2011-12-09 08:02 - New finding
> This one you can fix in your Apache configuration. Look for a line
> saying something like
>     Options All Indexes FollowSymLinks MultiViews
> and remove the word "Indexes" from it. (Basically just search all the
> Apache configuration files you can find for the word "Indexes" and
> remove it!)
> Then restart Apache.
> I have just applied this fix to the VMs I distribute.
>>
>> 2.
>> Script ID    236788
>> Name    SSL/TLS Cipher Suite Detect MD5
>> Port    443/TCP - http
>> Risk factor    Medium risk
>> CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
>> Family    ssl
>> Product    SSL
>> Description    The MD5 Message-Digest Algorithm is not collision resistant,
>> which makes it easier for context-dependent attackers to conduct spoofing
>> attacks, as demonstrated by attacks on the use of MD5 in the signature
>> algorithm of an X.509 certificate.
>> Information    SSLv3 Cipher Suite      OpenSSL Cipher Name  Algorithm Bits  Bits Used  Cipher Strength
>>                RSA_WITH_RC4_128_MD5    RC4-MD5              128             128        medium
>>                TLSv1 Cipher Suite      OpenSSL Cipher Name  Algorithm Bits  Bits Used  Cipher Strength
>>                RSA_WITH_RC4_128_MD5    RC4-MD5              128             128        medium
>> Solution    Reconfigure the service to disallow the listed cipher suites
>> Reference    url - http://www.kb.cert.org/vuls/id/836068
>> CVE    CVE-2004-2761
>> History    First seen : 2011-12-09 08:02 - New finding
> This is related to your https SSL certificate, and the encryption method
> it uses. Most certificate providers are switching away from MD5 to SHA-1
> so hopefully the next time you renew your certificate this problem
> should disappear.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
> 'That is the land of lost content,
>  I see it shining plain,
>  The happy highways where I went,
>  And cannot come again.' - A.E. Housman
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
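The two settings behind the findings above, the Apache `Indexes` option and the RC4-MD5 cipher suite, as an added shell audit that is not part of ZendTo or of this thread. It assumes a directory of Apache `*.conf` files and builds its own constructed sample configs (`weak.conf`, `fixed.conf`) so it runs offline.

```shell
#!/bin/sh
# Added audit helper, not part of ZendTo or Apache: scans a directory of
# Apache *.conf files for the two settings behind the scan findings:
# directory listings (Options Indexes, or Options All, which includes
# Indexes) and an SSLCipherSuite that does not exclude RC4/MD5.

# Print one finding per line as "<file>:<line>: <reason>".
audit_apache_conf() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        # Flag "Options" lines that enable listings: All or Indexes, not "-Indexes".
        grep -n -i -E \
          '^[[:space:]]*Options[[:space:]].*([[:space:]]|\+)(All|Indexes)([[:space:]]|$)' "$f" |
          awk -F: -v f="$f" '{ print f ":" $1 ": directory listing enabled (Options)" }'
        # Heuristic: an SSLCipherSuite naming neither !RC4 nor !MD5 may still
        # offer RC4-MD5; check such lines by hand (e.g. "openssl ciphers -v").
        grep -n -i -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$f" |
          awk -F: -v f="$f" '{ l = tolower($0) }
               !(l ~ /!rc4/ && l ~ /!md5/) { print f ":" $1 ": cipher list does not exclude RC4/MD5" }'
    done
}

# Constructed sample configs: one with the weak settings, one corrected.
make_sample_conf() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
<Directory /var/www/>
    Options All Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
    cat > "$d/fixed.conf" <<'EOF'
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
</Directory>
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
EOF
    echo "$d"
}

# Stand-alone run: reports the two weak lines in weak.conf, nothing for fixed.conf.
audit_apache_conf "$(make_sample_conf)"
```

Note that `Options All` enables every option except MultiViews, Indexes included, so deleting only the word "Indexes" from a line that keeps "All" leaves listings on; `Options -Indexes` is the unambiguous form. Restart Apache after editing and re-run the scanner to confirm both findings are gone.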
