
Vulnerability Scans Remote Support 15.1. © 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC: 4/23/2015.

VULNERABILITY SCANS REMOTE SUPPORT 15.1

Table of Contents
About Vulnerability Scanning ........ 3
IBM Security AppScan Report ......... 4
Nexpose Scan Report ................. 15
QualysGuard PCI Scan Results ........ 29

CONTACT BOMGAR: info@bomgar.com | 866.205.3650 (US) | +44 (0) 1628 480 210 (UK/EMEA) | BOMGAR.COM

About Vulnerability Scanning

To ensure the security and value of our product, Bomgar incorporates vulnerability scanning in our software testing process. We are committed to addressing, with the utmost urgency, security vulnerabilities as they are detected by industry security professionals. We track the results of vulnerability scans performed prior to a software release and prioritize resolution based on the severity and criticality of any issues uncovered. Should a critical or high-risk vulnerability surface after a software release, a subsequent maintenance release addresses it. Updated maintenance versions are distributed to customers via the update manager within the Bomgar administrative interface. Where necessary, Bomgar Technical Support contacts customers directly with the special procedures to follow to obtain an updated maintenance version. Customers can rely on our commitment to address security issues at the earliest opportunity.

Note: The contents of this document comprise the latest scan results from IBM Security AppScan, Nexpose, and QualysGuard. All scans were performed against an installation of Bomgar 15.1.

Web Application Report

This report includes important security information about your web application.

The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.0.1, Rules: 1718. Scan started: 4/20/2015 9:00:24 AM.

Regulations
The Payment Card Industry Data Security Standard (PCI) Version 3.0

Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. "System components" include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
• Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).
• Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
• Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
• Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
• Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
• Any other component or device located within or connected to the CDE.

4/20/2015. 1.

Covered Entities
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.

Compliance Required By
PCI DSS version 3.0 has replaced PCI DSS v.2 and is effective as of January 1st 2014. The PCI DSS v.2 may be used for PCI DSS compliance until December 31, 2014.

Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

For more information on the PCI Data Security Standard, please visit: https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit http://www01.ibm.com/software/rational/offerings/websecurity/

Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at: https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Violated Section
Issues detected across 32 sections of the regulation. Each line gives the number of issues found for that section, followed by the section text.

[0 issues] Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
[0 issues] Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)
[0 issues] Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
[0 issues] Requirement 2.2.4 - Configure system security parameters to prevent misuse.
[0 issues] Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems.
[0 issues] Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
[0 issues] Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity's hosted environment and data.
[0 issues] Requirement 4 - Encrypt transmission of cardholder data across open, public networks.
[0 issues] Requirement 4.1 - Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: • The Internet • Wireless technologies, including 802.11 and Bluetooth • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) • General Packet Radio Service (GPRS) • Satellite communications.
[0 issues] Requirement 6 - Develop and maintain secure systems and applications.
[0 issues] Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
[0 issues] Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
[0 issues] Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices • Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.
[0 issues] Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
[0 issues] Requirement 6.4.4 - Removal of test data and accounts before production systems become active.
[0 issues] Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
[0 issues] Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
[0 issues] Requirement 6.5.2 - Buffer overflow.
[0 issues] Requirement 6.5.3 - Insecure cryptographic storage.
[0 issues] Requirement 6.5.4 - Insecure communications.
[0 issues] Requirement 6.5.5 - Improper error handling.
[0 issues] Requirement 6.5.7 - Cross site scripting (XSS).
[0 issues] Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
[0 issues] Requirement 6.5.9 - Cross site request forgery (CSRF).
[0 issues] Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
[0 issues] Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
[0 issues] Requirement 7 - Restrict access to data by business need-to-know.
[0 issues] Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
[0 issues] Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
[0 issues] Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric.
[0 issues] Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
[0 issues] Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Section Violation By Issue
0 unique issues detected across 32 sections of the regulation. The table (columns: URL, Entity, Issue Type, Sections) is empty.

Detailed Security Issues by Sections
The report repeats the 32 sections listed above; each section reports 0 issues.


(15) 15.1.1 Scan Report ­ Executive Summary. 15.1.1 ERS Scan Report - Executive Summary for Bomgar QA Audited on April 20, 2015. Page 1.

(16) 15.1.1 Scan Report ­ Executive Summary. Part 1. Scan Information Scan Customer Company:. ASV Company:. Date scan was completed: April 20, 2015. Scan expiration date: July 19, 2015. Part 2a. Asset and Vulnerabilities Compliance Overview.   * An exploit is regarded as "published" if it is available from Metasploit or listed in the Exploit Database. Actual remediation times may differ based on organizational workflows.. Part 2b. Component Compliance Summary 10.10.29.179. Part 3a. Vulnerabilities Noted for each IP Address 10.10.29.179 IP Address. Vulnerabilities Noted per IP address. 10.10.29.179 protocol: tcp port: 443. Undefined CVE, Failure to Restrict URL Access. Severity Level high. CVSS Score 10.0. Compliance Status. Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability False Positive noted by Jonathan:. Page 2.

(17) 15.1.1 Scan Report ­ Executive Summary instance: /login/session_policy/:id/import 10.10.29.179 protocol: tcp port: 443 instance: /login/login. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /login/group_policy/:id/import. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/util/loginAutoFocus.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 Undefined CVE, Failure to Restrict URL protocol: tcp Access port: 443 instance: /app/js/util/language_selector.js. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/util/ie_tags.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/util/es5_support.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/lib/split.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/lib/require.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/lib/es5-shim.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/js/admin/main.js. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. Page 3.

(18) 15.1.1 Scan Report ­ Executive Summary 10.10.29.179 protocol: tcp port: 443 instance: /app/img/loading-spinner.svg. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/img/globe.svg. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /app/img/bomgar_logo.svg. Undefined CVE, Failure to Restrict URL Access. high. 10.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /login/status. Undefined CVE, Missing HttpOnly Flag From Cookie. medium. 5.0. False Positive noted by Jonathan:. 10.10.29.179 Undefined CVE, Missing Secure Flag From protocol: tcp SSL Cookie port: 443 instance: /login/customer_notice/send/:id. medium. 5.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /login/status. Undefined CVE, Missing Secure Flag From SSL Cookie. medium. 5.0. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/instructions/customer. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/instructions/clickonce. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/instructions/applet. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/instructions/. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. Page 4.

(19) 15.1.1 Scan Report ­ Executive Summary port: 443 instance: /portal/check-rep/ 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/web.config. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/web-inf/. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/servlet/. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/readme.txt. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.swf. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.shtml. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.php3. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.old. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. Page 5.

(20) 15.1.1 Scan Report ­ Executive Summary 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.jsp. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.html. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.htm. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.chtml. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.cgi. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.cfm. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.bak. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443 instance: /portal/access-keyconfirmation/index.aspx. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. 10.10.29.179 protocol: tcp port: 443. Undefined CVE, Click Jacking. medium. 4.3. False Positive noted by Jonathan:. Page 6.

15.1.1 Scan Report - Executive Summary

Row continued from the preceding page: instance /portal/access-keyconfirmation/index.asp

Host | Protocol/Port | Instance | Vulnerability | Severity | CVSS | Notes
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.wml | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.shtml | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.jsp | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.html | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.htm | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.aspx | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/default.asp | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/adovbs.inc | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/adojavas.inc | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_txt/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_shm/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_script/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_pvt/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_log/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_cnf/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_bot/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/_vti_bin/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/Web.sitemap | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/WS_FTP.LOG | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/WEB-INF/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/Trace.axd | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/README.TXT | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/README | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/DEADJOE | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/%3f.jsp | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /portal/access-keyconfirmation/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /help | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /download_client_connector/ | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /download_client_connector | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/public.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/portal.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/mobile.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/lib/jquery.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/issue_form.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/ie9_public.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/common.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /content/access_key_input.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /check_access_key.ns | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /check_access_key | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/util/loginAutoFocus.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/util/language_selector.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/util/ie_tags.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/util/es5_support.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/lib/split.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/lib/require.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/lib/es5-shim.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/lib/angular/angularcsp.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/admin/misc/certificate_directive.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/js/admin/main.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/img/loading-spinner.svg | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/img/globe.svg | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/img/bomgar_logo.svg | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/css/private.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/css/login.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/css/ie8.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /app/css/common.css | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /api/start_session.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /api/start_session | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | /api/content/core.js | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | / | Undefined CVE, Click Jacking | medium | 4.3 | False Positive noted by Jonathan:
10.10.29.179 | tcp/443 | (no instance) | Undefined CVE, SHA-1-based Signature in TLS/SSL Server X.509 Certificate | low | 2.6 | False Positive noted by Jonathan:
10.10.29.179 | tcp/80 | HTTP | Undefined CVE, A running service was discovered | low | 0.0 |
10.10.29.179 | tcp/443 | HTTPS | Undefined CVE, A running service was discovered | low | 0.0 |

Part 3b. Special Notes by IP Address

NOTE 1 - Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.

NOTE 2 - Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and confirm it is either implemented securely per Appendix D or disabled/removed. Please consult your ASV if you have questions about this Special Note.

NOTE 3 - Note to scan customer: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, please 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Please consult your ASV if you have questions about this Special Note.

NOTE 4 - Note to customer: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS.

Web Application Scan Results 04/20/2015

Target Site: security2.bomgar.com
Port: 443
Starting URI: /login
Authentication: Not Attempted

Report Summary
Application Title: Bomgar
Site: security2.bomgar.com
Port: 443
Starting URI: /login
Authentication Title: Login
Company: Bomgar Corporation
User: Jonathan Conerly
Scan Type: On Demand
Scan Status: Finished
Scan Title: 15.1.1ERS
Scan Date: 04/20/2015 at 19:35:08
Reference: scan/1429558515.53761
Scanner Appliance: 64.39.105.90 (Scanner 7.13.41-1, Vulnerability Signatures 2.2.989-2)
Duration: 00:24:46

Detailed Results
74.112.243.110 (bci243-110.bcims.net,-) Ubuntu / Linux 3.x

Potential Vulnerabilities (2)

X-Frame-Options header is not set (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150081
Category: Web Application
Last Update: 04/12/2014
(CVSS Base Score, CVSS Temporal Score, CVE ID, Vendor Reference and Bugtraq ID were left blank in the report.)

THREAT: The X-Frame-Options header is not set, which may allow framing of the page. An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.

IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.

SOLUTION: Set the X-Frame-Options header. This header works with modern browsers and can be used to prevent framing of the page. Note that it must be an HTTP header; the setting is ignored if it is created as an "http-equiv" meta element within the page.

RESULT:
url: https://security2.bomgar.com/help?show_help=help_session_keys
variants: 2
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key?access_key_pretty=1&
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/download_client_connector
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

X-Frame-Options header is not set (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150081
Category: Web Application
Last Update: 04/12/2014
(CVSS Base Score, CVSS Temporal Score, CVE ID, Vendor Reference and Bugtraq ID were left blank in the report.)

THREAT: The X-Frame-Options header is not set, which may allow framing of the page. An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.

IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.

SOLUTION: Set the X-Frame-Options header. This header works with modern browsers and can be used to prevent framing of the page. Note that it must be an HTTP header; the setting is ignored if it is created as an "http-equiv" meta element within the page.

RESULT:
url: https://security2.bomgar.com/help?show_help=help_session_keys
variants: 2
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key?access_key_pretty=1&
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/

matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/download_client_connector
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
url: https://security2.bomgar.com/check_access_key
matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

Information Gathered (17)

Operating System Detected
VULNERABILITY DETAILS
Severity: 2
QID: 45017
Category: Information gathering
Last Update: 02/09/2005

THREAT: Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.

1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below. Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that of the firewall instead of the host being scanned.

2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB).

3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.

4) SNMP: The Simple Network Management Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains a Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.

IMPACT: Not applicable
SOLUTION: Not applicable
RESULT:
Operating System | Technique | ID
Ubuntu / Linux 3.x | TCP/IP Fingerprint | U5933:80

Connection Error Occurred During Web Application Scan (port 443/tcp)

VULNERABILITY DETAILS
Severity: 2
QID: 150018
Category: Web Application
Last Update: 05/15/2009

THREAT: Some requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application.
IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect.
SOLUTION: Investigate the root cause of the failure accessing the listed links.
RESULT:
Links that led to unexpected errors:
https://security2.bomgar.com/download_client_connector?issue_menu=1&customer_name=John&customer_company=John&customer_desc=John&=&custom_attributes=&download=1

Connection Error Occurred During Web Application Scan (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 2
QID: 150018
Category: Web Application
Last Update: 05/15/2009

THREAT: Some requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application.
IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect.
SOLUTION: Investigate the root cause of the failure accessing the listed links.
RESULT:
Links that led to unexpected errors:
https://security2.bomgar.com/download_client_connector?issue_menu=1&customer_name=John&customer_company=John&customer_desc=John&=&custom_attributes=&download=1

DNS Host Name
VULNERABILITY DETAILS
Severity: 1
QID: 6
Category: Information gathering

Last Update: 01/01/2000

THREAT: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
RESULT:
IP address | Host name
74.112.243.110 | bci243-110.bcims.net

Host Scan Time
VULNERABILITY DETAILS
Severity: 1
QID: 45038
Category: Information gathering
Last Update: 11/19/2004

THREAT: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.

The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
RESULT:
Scan duration: 1481 seconds
Start time: Mon, Apr 20 2015, 19:36:00 GMT
End time: Mon, Apr 20 2015, 20:00:41 GMT

Scan Diagnostics (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150021
Category: Web Application
Last Update: 01/16/2009

THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.

SOLUTION: No action is required.
RESULT:
Ineffective Session Protection: no tests enabled.
HSTS Analysis: no tests enabled.
Permanent Redirect HSTS Analysis: no tests enabled.
Collected 33 links overall.
Batch #0 Path manipulation: estimated time < 10 minutes (115 tests, 22 inputs)
Path manipulation: 115 vulnsigs tests, completed 938 requests, 18 seconds. Completed 938 requests of 2530 estimated requests (37.0751%). All tests completed.
WSEnumeration: no tests enabled.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs)
Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 7 seconds. Completed 92 requests of 92 estimated requests (100%). All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs)
Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 54 estimated requests (33.3333%). All tests completed.
Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs)
Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 22 estimated requests (100%). All tests completed.
Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests (66.6667%). All tests completed.
Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests (433.333%). All tests completed.
Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 81 estimated requests (22.2222%). All tests completed.
Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 45 seconds. Completed 81 requests of 81 estimated requests (100%). All tests completed.
Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 33 estimated requests (66.6667%). All tests completed.
Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 58 seconds. Completed 99 requests of 33 estimated requests (300%). All tests completed.
HTTP call manipulation: no tests enabled.
SSL Downgrade: no tests enabled.
Open Redirect: no tests enabled.
CSRF: no tests enabled.
Static Session ID: no tests enabled.
Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 19 inputs)
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 19 estimated requests (0%). All tests completed.
Batch #4 Cookie manipulation: estimated time < 10 minutes (33 tests, 2 inputs)
Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 180 requests, 21 seconds. Completed 180 requests of 990 estimated requests (18.1818%). XSS optimization removed 360 links. All tests completed.
Batch #4 Header manipulation: estimated time < 10 minutes (33 tests, 15 inputs)
Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 990 estimated requests (27.4747%). XSS optimization removed 360 links. All tests completed.
Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs)
Batch #4 shell shock detector: 1 vulnsigs tests, completed 16 requests, 3 seconds. Completed 16 requests of 15 estimated requests (106.667%). All tests completed.
Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 3 inputs)
Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 4 requests, 1 seconds. Completed 4 requests of 3 estimated requests (133.333%). All tests completed.
Cookies Without Consent: no tests enabled.
Batch #5 HTTP Time Bandit: estimated time < 1 minute (0 tests, 10 inputs)
Batch #5 HTTP Time Bandit: 0 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Total requests made: 2665
Average server response time: 0.37 seconds
Most recent links:
200 https://security2.bomgar.com/help?show_help=help_issues_menu
200 https://security2.bomgar.com/help?show_help=help_rep_list
200 https://security2.bomgar.com/help?show_help=help_session_keys
302 https://security2.bomgar.com/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/check_access_key?access_key_pretty=1&
302 https://security2.bomgar.com/login/login -FORMDATA- _token=icxUtEo8ur1OcxSEYOXnookg1HKK3oKToVJ21LaP&fake_password=password&username=John&password=password
200 https://security2.bomgar.com/download_client_connector -FORMDATA-

issue_menu=1&customer_name=John&customer_company=John&customer_desc=John&
200 https://security2.bomgar.com/login/login
Scan launched using PCI WAS stand-alone mode.

External Links Discovered (port 443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150010
Category: Web Application
Last Update: 10/19/2007

THREAT: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
RESULT:
Number of links: 2
http://www.bomgar.com/
http://www.bomgar.com/products

Scan Diagnostics (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150021
Category: Web Application
Last Update: 01/16/2009

THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
SOLUTION: No action is required.
RESULT:
Ineffective Session Protection: no tests enabled.
HSTS Analysis: no tests enabled.
Permanent Redirect HSTS Analysis: no tests enabled.
Collected 32 links overall.
Batch #0 Path manipulation: estimated time < 10 minutes (115 tests, 21 inputs)
Path manipulation: 115 vulnsigs tests, completed 913 requests, 18 seconds. Completed 913 requests of 2415 estimated requests (37.8054%). All tests completed.
WSEnumeration: no tests enabled.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs)
Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 92 estimated requests (100%). All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs)
Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 3 seconds. Completed 18 requests of 54 estimated requests (33.3333%). All tests completed.

Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs)
Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 22 estimated requests (100%). All tests completed.
Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests (66.6667%). All tests completed.
Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs)
Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests (433.333%). All tests completed.
Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 81 estimated requests (22.2222%). All tests completed.
Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs)
Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 43 seconds. Completed 81 requests of 81 estimated requests (100%). All tests completed.
Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 33 estimated requests (66.6667%). All tests completed.
Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs)
Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 59 seconds. Completed 99 requests of 33 estimated requests (300%). All tests completed.
HTTP call manipulation: no tests enabled.
SSL Downgrade: no tests enabled.
Open Redirect: no tests enabled.
CSRF: no tests enabled.
Static Session ID: no tests enabled.
Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 18 inputs)
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 18 estimated requests (0%). All tests completed.
Batch #4 Cookie manipulation: estimated time < 10 minutes (33 tests, 2 inputs)
Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 180 requests, 19 seconds. Completed 180 requests of 990 estimated requests (18.1818%). XSS optimization removed 360 links. All tests completed.
Batch #4 Header manipulation: estimated time < 10 minutes (33 tests, 15 inputs)
Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 990 estimated requests (27.4747%). XSS optimization removed 360 links. All tests completed.
Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs)
Batch #4 shell shock detector: 1 vulnsigs tests, completed 16 requests, 2 seconds. Completed 16 requests of 15 estimated requests (106.667%). All tests completed.
Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 3 inputs)
Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 4 requests, 2 seconds. Completed 4 requests of 3 estimated requests (133.333%). All tests completed.
Cookies Without Consent: no tests enabled.
Batch #5 HTTP Time Bandit: estimated time < 1 minute (0 tests, 10 inputs)
Batch #5 HTTP Time Bandit: 0 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Total requests made: 2640
Average server response time: 0.37 seconds
Most recent links:
200 https://security2.bomgar.com/help?show_help=help_issues_menu
200 https://security2.bomgar.com/help?show_help=help_rep_list
200 https://security2.bomgar.com/help?show_help=help_session_keys
302 https://security2.bomgar.com/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/login/login
200 https://security2.bomgar.com/check_access_key?access_key_pretty=1&
302 https://security2.bomgar.com/login/login -FORMDATA- _token=xKGjWXLhvE3YkRQZpfi4JptkorReeBywZ0dkwHVH&fake_password=password&username=John&password=password
200 https://security2.bomgar.com/download_client_connector -FORMDATA- issue_menu=1&customer_name=John&customer_company=John&customer_desc=John&
200 https://security2.bomgar.com/login/login
Scan launched using PCI WAS stand-alone mode.

External Links Discovered (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150010
Category: Web Application
Last Update: 10/19/2007

THREAT:

The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
RESULT:
Number of links: 2
http://www.bomgar.com/
http://www.bomgar.com/products

Cookies Collected (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150028
Category: Web Application
Last Update: 01/16/2009

THREAT: The cookies listed in the Results section were received from the web application during the crawl phase.
IMPACT: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
SOLUTION: Review cookie values to ensure that sensitive information such as passwords is not present within them.
RESULT:
Total cookies: 2
ns_sl=eyJpdiI6Inc4RFVYSmIxXC93UHE3NEpXNmlkU2t0R01WXC9xYmpcL2htdU5sVEFrV1Q2Mkk9IiwidmFsdWUiOiIwZmxcLzNpQTBHNEJDWEJ1VG95cFJkM1UrWk5LR1ByUkpMTmN1NDdLWWh1VHE1eWw2blZCa1pwcWlzWlBkdFMwbDlYNWJzelNNR3VnVXBOTGkzN0l2eGc9PSIsIm1hYyI6ImIzZDQzMGM0ZTYzNDkyOWI0MTNjZGU2MjUzYWU0NjExZjVkYjgwNzllYTdlZjFhYjY2ZGJjMjdjYzRjMmJmMTUifQ%3D%3D; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/login
ns_s=cfd99b939cb2a24663a29e3fd53ef4833487391f; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/help?show_help=help_rep_list

Links Crawled (security2.bomgar.com:443/tcp)
VULNERABILITY DETAILS
Severity: 1
QID: 150009
Category: Web Application
Last Update: 04/14/2015

THREAT: The list of unique links crawled and HTML forms submitted by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list and requests for the same link made as an anonymous and authenticated user.
RESULT:

Duration of crawl phase (seconds): 83.00
Number of links: 15 (This number excludes form requests and links re-requested during authentication.)
http://security2.bomgar.com/api
http://security2.bomgar.com/app
http://security2.bomgar.com/app/css
http://security2.bomgar.com/app/js
http://security2.bomgar.com/app/js/admin
http://security2.bomgar.com/app/js/util
https://security2.bomgar.com/
https://security2.bomgar.com/check_access_key
https://security2.bomgar.com/check_access_key?access_key_pretty=1&
https://security2.bomgar.com/download_client_connector
https://security2.bomgar.com/help?show_help=help_issues_menu
https://security2.bomgar.com/help?show_help=help_rep_list
https://security2.bomgar.com/help?show_help=help_session_keys
https://security2.bomgar.com/login
https://security2.bomgar.com/login/login

Web Application Authentication Not Attempted
security2.bomgar.com:443/tcp

VULNERABILITY DETAILS
Severity: 1
QID: 150006
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 10/19/2007

THREAT:
Web application authentication was enabled for the scan, but it was not performed for this particular host. The scan was not performed for the host because a login page was not discovered, or a login page was discovered that submits via HTTP and the credentials may only be submitted via HTTPS.

IMPACT:
Vulnerabilities that require authentication may not be detected.

SOLUTION:
To allow Web application authentication to this host, create an authentication record that includes this target's virtual host. If the Web application does not support HTTPS, then the option profile may not forbid transmission of credentials over non-encrypted (i.e. clear text) connections.

RESULT:
Application authentication was specified, but no login forms were discovered during the crawl.

Cookies Collected
port 443/tcp

VULNERABILITY DETAILS
Severity: 1
QID: 150028
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 01/16/2009

THREAT:
The cookies listed in the Results section were received from the web application during the crawl phase.

IMPACT:
Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.

SOLUTION:
Review cookie values to ensure that sensitive information, such as passwords, is not present within them.

RESULT:
Total cookies: 2
ns_sl=eyJpdiI6IlRUeDJrcUdBeHZKVGtzK3JtaG9mUmRwd3NscUhPNkVMdGNWTnBuN1pQazg9IiwidmFsdWUiOiJyTVBodmM0d0wxVlJPM21mQXBQUDUzOEM0eVhrVWdYR0JlVFwvdlBDRjlGaUFnYlh3VDZyaWpCTnhNQTQwdkU1MTFEQjFFTDI2Y3NFRFZ2eTlER1Fxd1E9PSIsIm1hYyI6ImMwZDY0YjVjYjI3MzE4NTFkNWZjNjc0ZTc0NjEyNjU5Yjc5YWE5ZWZkMjg2NDYwZDM3OWExM2Q0N2UwYmNjYmYifQ%3D%3D; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/login
ns_s=069c1a5966c24be92811aabcead42402c270ea4d; secure; HttpOnly; path=/
First set at URL: https://security2.bomgar.com/help?show_help=help_rep_list

Links Crawled
port 443/tcp

VULNERABILITY DETAILS
Severity: 1
QID: 150009
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 04/14/2015

THREAT:
The list of unique links crawled and HTML forms submitted by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list and requests for the same link made as an anonymous and authenticated user.

RESULT:
Duration of crawl phase (seconds): 84.00
Number of links: 16 (This number excludes form requests and links re-requested during authentication.)
http://security2.bomgar.com/api
http://security2.bomgar.com/app
http://security2.bomgar.com/app/css
http://security2.bomgar.com/app/js
http://security2.bomgar.com/app/js/admin
http://security2.bomgar.com/app/js/util
http://security2.bomgar.com/favicon.ico
https://security2.bomgar.com/
https://security2.bomgar.com/check_access_key
https://security2.bomgar.com/check_access_key?access_key_pretty=1&
https://security2.bomgar.com/download_client_connector
https://security2.bomgar.com/help?show_help=help_issues_menu
https://security2.bomgar.com/help?show_help=help_rep_list
https://security2.bomgar.com/help?show_help=help_session_keys
https://security2.bomgar.com/login
https://security2.bomgar.com/login/login

Web Application Authentication Not Attempted
port 443/tcp

VULNERABILITY DETAILS
Severity: 1
QID: 150006
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 10/19/2007

THREAT:
Web application authentication was enabled for the scan, but it was not performed for this particular host. The scan was not performed for the host because a login page was not discovered, or a login page was discovered that submits via HTTP and the credentials may only be submitted via HTTPS.

IMPACT:
Vulnerabilities that require authentication may not be detected.

SOLUTION:
To allow Web application authentication to this host, create an authentication record that includes this target's virtual host. If the Web application does not support HTTPS, then the option profile may not forbid transmission of credentials over non-encrypted (i.e. clear text) connections.

RESULT:
Application authentication was specified, but no login forms were discovered during the crawl.

Open TCP Services List

VULNERABILITY DETAILS
Severity: 1
QID: 82023
Category: TCP/IP
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 06/15/2009

THREAT:
The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.

The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).

IMPACT:
Unauthorized users can exploit this information to test vulnerabilities in each of the open services.

SOLUTION:
Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site.

RESULT:
Port   IANA Assigned Ports/Services   Description                  Service Detected   OS On Redirected Port
80     www                            World Wide Web HTTP          http
443    https                          http protocol over TLS/SSL   http over ssl

Host Names Found

VULNERABILITY DETAILS
Severity: 1
QID: 45039
Category: Information gathering
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 02/14/2005

THREAT:
The following host names were discovered for this computer using various methods such as DNS lookup, NetBIOS query, and SQL server name query.

RESULT:
Host Name              Source
bci243-110.bcims.net   FQDN

Appendices

Option Profile
Scan Mode: Crawl and test for vulnerabilities
Limit Scan to Starting URI: No
Max URIs to scan: 300
Form Submission: Both GET & POST Method
Header Injection: -
Blacklist URLs: -
Scanned TCP Ports: None
Scanned UDP Ports: None
Scan Dead Hosts: Off
Load Balancer Detection: Enabled
Password Brute Forcing: Standard
Vulnerability Detection: Partial
Windows Authentication: Disabled
SSH Authentication: Disabled
Oracle Authentication: Disabled
SNMP Authentication: Disabled
Perform 3-way Handshake: Off
Overall Performance: Custom
Hosts to Scan in Parallel-External Scanner: 1
Hosts to Scan in Parallel-Scanner Appliances: 1
Processes to Run in Parallel-Total: 10
Processes to Run in Parallel-HTTP: 5
Packet (Burst) Delay: Medium
Advanced Hosts Discovery: TCP Standard Scan, UDP Standard Scan, ICMP On
Ignore RST packets: Off
Ignore firewall-generated SYN-ACK packets: Off
Do not send ACK or SYN-ACK packets during host discovery: Off
