List of hosts
111.222.333.444 High Severity problem(s) found
[^] Back
111.222.333.444
Scan Time
Start time : Tue Jul 12 09:01:54 2011
End time : Tue Jul 12 09:04:23 2011

Number of vulnerabilities
Open ports : 16
High : 3
Medium : 5
Low : 26

Remote host information
Operating System : Xerox Printer
NetBIOS name :
DNS name :
[^] Back to 111.222.333.444

Port general (0/udp) [-/+]
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 111.222.333.443 to 111.222.333.444 : 111.222.333.443 111.222.333.444

Plugin ID:
10287
Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan : Nessus version : 4.2.2 (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107111935 Type of plugin feed : ProfessionalFeed (Direct) Scanner IP : 111.222.333.443 Port scanner(s) : snmp_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : enabled Web application tests : disabled Max hosts : 4 Max checks : 3 Recv timeout : 4 Backports : None Scan Start Date : 2011/7/12 9:01 Scan duration : 149 sec

Plugin ID:
19506
Device Type

Synopsis:
It is possible to guess the remote device type.

Description:
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
Remote device type : printer Confidence level : 100

Plugin ID:
54615
OS Identification

Synopsis:
It is possible to guess the remote operating system

Description:
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version

Risk factor:
None

Solution:
N/A

Plugin output:
Remote operating system : Xerox Printer Confidence Level : 100 Method : SNMP The remote host is running Xerox Printer

Plugin ID:
11936
Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified : 00:00:aa:bb:cc:dd : XEROX CORPORATION 00:00:aa:bb:cc:dd : XEROX CORPORATION

Plugin ID:
35716
Ping the remote host

Synopsis:
It was possible to identify the status of the remote host (alive or dead)

Description:
This plugin attempts to determine if the remote host is alive using one or more ping types : - An ARP ping, provided the host is on the local subnet and Nessus is running over ethernet. - An ICMP ping. - A TCP ping, in which the plugin sends to the remote host a packet with the flag SYN, and the host will reply with a RST or a SYN/ACK. - A UDP ping (DNS, RPC, NTP, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
The remote host is up The remote host replied to a TCP SYN packet sent to port 139 with a RST,ACK packet

Plugin ID:
10180
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
The difference between the local and remote clocks is 27172 seconds.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94, CWE:200

Port unknown (1024/udp) [-/+]

Port scol? (1200/udp) [-/+]

Port netbios-ns? (137/udp) [-/+]

Port snmp (161/udp) [-/+]
SNMP Agent Default Community Names

Synopsis:
The community names of the remote SNMP server can be guessed.

Description:
It is possible to obtain the default community names of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host or to change the configuration of the remote system (if the default community allow such modifications).

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.

Plugin output:
The remote SNMP server replies to the following default community strings : - private - public

Plugin ID:
10264

CVE:
CVE-1999-0186, CVE-1999-0254, CVE-1999-0516, CVE-1999-0517, CVE-2004-0311, CVE-2004-1474, CVE-2010-1574

BID:
177, 2112, 6825, 7081, 7212, 7317, 9681, 986, 10576, 11237, 41436

Other references:
OSVDB:209, OSVDB:3985, OSVDB:5770, OSVDB:8076, OSVDB:10206, OSVDB:11964, OSVDB:58147, OSVDB:66120, IAVA:2001-B-0001
SNMP Agent Default Community Name (public)

Synopsis:
The community name of the remote SNMP server can be guessed.

Description:
It is possible to obtain the default community name of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allow such modifications).

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.

Plugin output:
The remote SNMP server replies to the following default community string : public

Plugin ID:
41028

CVE:
CVE-1999-0517

BID:
2112

Other references:
OSVDB:209
SNMP Query Routing Information Disclosure

Synopsis:
The list of IP routes on the remote host can be obtained via SNMP.

Description:
It is possible to obtain the routing information on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.4.21 An attacker may use this information to gain more knowledge about the network topology.

Risk factor:
None

Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Plugin output:
127.0.0.1/255.255.255.255 111.222.333.128/255.255.255.128 111.222.333.192/255.255.255.255 111.222.333.255/255.255.255.255 169.254.0.0/255.255.0.0

Plugin ID:
34022
SNMP Query Installed Software Disclosure

Synopsis:
The list of software installed on the remote host can be obtained via SNMP.

Description:
It is possible to obtain the list of installed software on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.6.3.1.2 An attacker may use this information to gain more knowledge about the target host.

Risk factor:
None

Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Plugin output:
PhaserHD

Plugin ID:
19763
SNMP Request Network Interfaces Enumeration

Synopsis:
The list of network interfaces cards of the remote host can be obtained via SNMP.

Description:
It is possible to obtain the list of the network interfaces installed on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0 An attacker may use this information to gain more knowledge about the target host.

Risk factor:
None

Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Plugin output:
Interface 1 information : ifIndex : 1 ifDescr : Xerox Phaser 7750DN v(5.0.2/24.46.05.11.2005/3.9.0/5.66) Ethernet Interface 100 Mbps RRW330952 ifPhysAddress : 0000aabbccdd Interface 2 information : ifIndex : 2 ifDescr : Xerox Phaser 7750DN v(5.0.2/24.46.05.11.2005/3.9.0/5.66) Ethernet Interface 100 Mbps RRW330952 ifPhysAddress : 0000aabbccdd

Plugin ID:
10551
SNMP Query System Information Disclosure

Synopsis:
The System Information of the remote host can be obtained via SNMP.

Description:
It is possible to obtain the system information about the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.1.1. An attacker may use this information to gain more knowledge about the target host.

Risk factor:
None

Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Plugin output:
System information : sysDescr : Xerox Phaser 7750DN;PS 5.0.2,Net 24.46.05.11.2005,Eng 3.9.0,OS 5.66;SN SSX441063 sysObjectID : 1.3.6.1.4.1.253.8.62.1.19.5.3.2 sysUptime : 0d 10h 29m 29s sysContact : sysName : Zachary (Color) Phaser 7750 sysLocation : sysServices : 72

Plugin ID:
10800
SNMP Supported Protocols Detection

Synopsis:
This plugin reports all the protocol versions successfully negotiated with the remote SNMP agent.

Description:
Extend the SNMP settings data already gathered by testing for\ SNMP versions other than the highest negotiated.

Risk factor:
None

Solution:
n/a

Plugin output:
This host supports SNMP version SNMPv1.

Plugin ID:
40448
SNMP Protocol Version Detection

Synopsis:
This plugin reports the protocol version negotiated with the remote SNMP agent.

Description:
By sending an SNMP 'get-next-request', it is possible to determine the protocol version of the remote SNMP agent.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Plugin output:
Nessus has negotiated SNMP communications at SNMPv1.

Plugin ID:
35296
Nessus SNMP Scanner

Synopsis:
SNMP information is enumerated to learn about other open ports.

Description:
This plugin runs an SNMP scan against the remote machine to find open ports. See the section 'plugins options' to configure it

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus snmp scanner was able to retrieve the open port list with the community name: public It found 6 open TCP ports and 10 open UDP ports

Plugin ID:
14274

Port snmptrap? (162/udp) [-/+]

Port ssdp? (1900/udp) [-/+]

Port fjicl-tep-a? (1901/udp) [-/+]

Port ftp (21/tcp) [-/+]
FTP Privileged Port Bounce Scan

Synopsis:
The remote FTP server is vulnerable to a FTP server bounce attack.

Description:
It is possible to force the remote FTP server to connect to third parties using the PORT command. The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network.

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

See also:
http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html

See also:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0367.html

See also:
http://www.cert.org/advisories/CA-1997-27.html

Solution:
See the CERT advisory in the references for solutions and workarounds .

Plugin output:
The following command, telling the server to connect to 169.254.195.180 on port 10794: PORT 169,254,195,180,42,42 produced the following output: 200 PORT command successful.

Plugin ID:
10081

CVE:
CVE-1999-0017

BID:
126

Other references:
OSVDB:71
Multiple Vendor Embedded FTP Service Any Username Authentication Bypass

Synopsis:
A random username and password can be used to authenticate to the remote FTP server.

Description:
The FTP server running on the remote host can be accessed using a random username and password. Nessus has enabled some countermeasures to prevent other plugins from reporting vulnerabilities incorrectly because of this.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Contact the FTP server's documentation so that the service handles authentication requests properly.

Plugin ID:
10990

Other references:
OSVDB:813
Anonymous FTP Enabled

Synopsis:
Anonymous logins are allowed on the remote FTP server.

Description:
This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Plugin output:
The contents of the remote FTP root are : [.]

Plugin ID:
10079

CVE:
CVE-1999-0497

Other references:
OSVDB:69
FTP Server Detection

Synopsis:
An FTP server is listening on this port.

Description:
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Risk factor:
None

Solution:
N/A

Plugin output:
The remote FTP banner is : 220 FTP server ready.

Plugin ID:
10092
Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
An FTP server is running on this port.

Plugin ID:
22964

Port slp (427/tcp) [-/+]
SLP Server Detection (UDP)

Synopsis:
The remote server supports the Service Location Protocol.

Description:
The remote server understands Service Location Protocol (SLP), a protocol that allows network applications to discover the existence, location, and configuration of various services in an enterprise network environment. A server that understands SLP can either be a service agent (SA), which knows the location of various services, or a directory agent (DA), which acts as a central repository for service location information.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc2608.txt

Solution:
Limit incoming traffic to this port if desired.

Plugin output:
An SLP Service Agent is listening on this port. In addition, Nessus was able to learn that the agent knows about the following services : service:printer:ipp service:printer:lpr service:printer:raw-tcp

Plugin ID:
23778
SLP Server Detection (TCP)

Synopsis:
The remote server supports the Service Location Protocol.

Description:
The remote server understands Service Location Protocol (SLP), a protocol that allows network applications to discover the existence, location, and configuration of various services in an enterprise network environment. A server that understands SLP can either be a service agent (SA), which knows the location of various services, or a directory agent (DA), which acts as a central repository for service location information.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc2608.txt

Solution:
Limit incoming traffic to this port if desired.

Plugin output:
An SLP Service Agent is listening on this port. In addition, Nessus was able to learn that the agent knows about the following services : service:printer:ipp service:printer:lpr service:printer:raw-tcp

Plugin ID:
23777

Port lpd (515/tcp) [-/+]
Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
An LPD (Line Printer Daemon) server is running on this port.

Plugin ID:
22964

Port mdns (5353/udp) [-/+]
mDNS Detection

Synopsis:
It is possible to obtain information about the remote host.

Description:
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Filter incoming traffic to UDP port 5353 if desired.

Plugin output:
Nessus was able to extract the following information : - mDNS hostname : Zachary.local.

Plugin ID:
12218

Port www (631/tcp) [-/+]
Web Server Generic XSS

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Risk factor:
Medium

CVSS Base Score:4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross-site_scripting

Solution:
Contact the vendor for a patch or upgrade.

Plugin output:
The request string used to detect this flaw was : /<script>cross_site_scripting.nasl</script>.asp The output was : HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Server: Allegro-Software-RomPager/4.10 Connection: close <body> <h1>Object Not Found</h1> The requested URL '/<script>cross_site_scripting.nasl</script>.asp' was not found on the RomPager server.<p> Return to <A HREF="">last page</A><p>

Plugin ID:
10815

CVE:
CVE-2002-1700, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681

BID:
5011, 5305, 7344, 7353, 8037, 14473, 17408

Other references:
OSVDB:18525, OSVDB:24469, OSVDB:42314, OSVDB:4989, OSVDB:58976, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116
HTTP Methods Allowed (per directory)

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request : - HTTP methods HEAD POST PUT GET are allowed on : /

Plugin ID:
43111
HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Allegro-Software-RomPager/4.10

Plugin ID:
10107
Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964

Port www (80/tcp) [-/+]
Web Server Generic XSS

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Risk factor:
Medium

CVSS Base Score:4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross-site_scripting

Solution:
Contact the vendor for a patch or upgrade.

Plugin output:
The request string used to detect this flaw was : /<script>cross_site_scripting.nasl</script>.asp The output was : HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Server: Allegro-Software-RomPager/4.10 Connection: close <body> <h1>Object Not Found</h1> The requested URL '/<script>cross_site_scripting.nasl</script>.asp' was not found on the RomPager server.<p> Return to <A HREF="">last page</A><p>

Plugin ID:
10815

CVE:
CVE-2002-1700, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681

BID:
5011, 5305, 7344, 7353, 8037, 14473, 17408

Other references:
OSVDB:18525, OSVDB:24469, OSVDB:42314, OSVDB:4989, OSVDB:58976, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116
HTTP Methods Allowed (per directory)

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request : - HTTP methods HEAD POST PUT GET are allowed on : /

Plugin ID:
43111
HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Allegro-Software-RomPager/4.10

Plugin ID:
10107
Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964

Port jetdirect (9100/tcp) [-/+]
Printer Job Language (PJL) Detection

Synopsis:
The remote service uses the PJL (Printer Job Language) protocol.

Description:
The remote service answered to a HP PJL request. This is indicates the remote device is probably a printer running JetDirect. Through PJL, users can submit printing jobs, transfer files to or from the printers, change some settings, etc...

Risk factor:
None

See also:
http://www.maths.usyd.edu.au/u/psz/ps.html

See also:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpl04568

See also:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pdf

See also:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13207/bpl13207.pdf

Solution:
n/a

Plugin output:
The device INFO ID is: Xerox Phaser 7750DN

Plugin ID:
25037

Port bacula-dir? (9101/udp) [-/+]
[^] Back to 111.222.333.444