bt nikto # ./nikto.pl -h www.skilled.com.au
---------------------------------------------------------------------------
- Nikto 2.01/2.01 - cirt.net
+ Target IP: 144.140.33.197
+ Target Hostname: www.skilled.com.au
+ Target Port: 80
+ Start Time: 2008-03-17 21:14:09
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.0
- Retrieved X-Powered-By header: ASP.NET
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP method ('Public' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Microsoft-IIS/5.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ OSVDB-0: GET /servlet/com.unify.servletexec.UploadServlet : This servlet allows attackers to upload files to the server.
+ OSVDB-0: GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter : Allaire Coldfusion allows jsp source viewed through a vulnerable SSI call.
+ OSVDB-0: GET /servlet/SchedulerTransfer : PeopleSoft SchedulerTransfer servlet found, which may allow remote command execution. See http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999
+ OSVDB-0: GET /servlet/sunexamples.BBoardServlet : This default servlet lets attackers execute arbitrary commands.
+ OSVDB-0: GET /junk.aspx : ASP.net reveals its version in invalid .aspx error messages.
+ OSVDB-0: GET /servlet/SessionManager : IBM WebSphere reconfigure servlet (user=servlet, password=manager). All default code should be removed from servers.
+ OSVDB-0: GET /servlet/allaire.jrun.ssi.SSIFilter : Allaire Coldfusion allows jsp source viewed through a vulnerable SSI call, see MPSB01-12 http://www.macromedia.com/devnet/security/security_zone/mpsb01-12.html.
+ OSVDB-3092: GET /_vti_pvt/deptodoc.btr : FrontPage file found. This may contain useful information.
+ OSVDB-3092: GET /_vti_pvt/doctodep.btr : FrontPage file found. This may contain useful information.
+ OSVDB-473: GET /_vti_pvt/access.cnf : Contains HTTP server-specific access control information, remove or ACL if FrontPage is not being used.
+ OSVDB-473: GET /_vti_pvt/service.cnf : Contains meta-information about the web server, remove or ACL if FrontPage is not being used.
+ OSVDB-473: GET /_vti_pvt/services.cnf : Contains the list of subwebs, remove or ACL if FrontPage is not being used. May reveal server version if Admin has changed it.
+ OSVDB-473: GET /_vti_pvt/linkinfo.cnf : IIS file shows http links on and off site. Might show host trust relationships and other machines on network.
+ OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3233: GET /servlet/Counter : JRun default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/DateServlet : JRun default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/FingerServlet : JRun default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/HelloWorldServlet : JRun default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/SessionServlet : JRun or Netware WebSphere default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/SimpleServlet : JRun default servlet found (possibly Websphere). All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/SnoopServlet : JRun, Netware Java Servlet Gateway, or WebSphere default servlet found. All default code should be removed from servers.
+ OSVDB-3233: GET /servlet/AdminServlet : Netware Web Search Server (adminservlet) found. All default code should be removed from web servers.
+ OSVDB-3233: GET /servlet/gwmonitor : Netware Gateway monitor found. All default code should be removed from web servers.
+ OSVDB-3233: GET /servlet/PrintServlet : Novell Netware default servlet found. All default code should be removed from the system.
+ OSVDB-3233: GET /servlet/SearchServlet : Novell Netware default servlet found. All default code should be removed from the system.
+ OSVDB-3233: GET /servlet/ServletManager : Netware Java Servlet Gateway found. Default user id is servlet, default password is manager. All default code should be removed from Internet servers.
+ OSVDB-3233: GET /servlet/sq1cdsn : Novell Netware default servlet found. All default code should be removed from the system.
+ OSVDB-3233: GET /servlet/sqlcdsn : Netware SQL connector found. All default code should be removed from web servers.
+ OSVDB-3233: GET /servlet/webacc : Netware Enterprise and/or GroupWise web access found. All default code should be removed from Internet servers.
+ OSVDB-3233: GET /servlet/webpub : Netware Web Publisher found. All default code should be removed from web servers.
+ OSVDB-3233: GET /OA_HTML/jsp/fnd/fndhelp.jsp?dbc=/u01/oracle/prodappl/fnd/11.5.0/secure/dbprod2_prod.dbc : Oracle Applications help page found.
+ 4343 items checked: 38 item(s) reported on remote host
+ End Time: 2008-03-17 21:28:52 (883 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested