Penetration Test Result Summary - Web Site Vulnerabilities
addresses
• https://chengetedzai.co.zw/wp-load.php
• https://chengetedzai.co.zw/wp-links-opml.php
• https://chengetedzai.co.zw/wp-cron.php
• Etc.
Description
RISK
An attacker can reach critical functionality or conduct brute-force and
authentication-bypass attacks, which might give him unauthorized administrative access
and allow confidential data to be disclosed or modified.
RECOMMENDATIONS
All access to sensitive pages should be governed by an access list restricted to specific
users and IP addresses.
All server-side files (.php, .txt, .rules, .htaccess, etc.) should be unreachable from the web,
with the exception of .js, .css, .png, .jpeg, .ico and other client-side files and scripts.
The official website is hosted on a shared server with several other web applications.
RISKS
If any site on the server were compromised, it might ease attackers' access to the other
sites hosted on the same server, including the CDC website.
A malicious customer can purchase the same plan from a shared hosting provider
and use his site to gain access to other sites on the server.
CDC cannot control the hardening of the server or access to its configuration files.
RECOMMENDATION
Host the official website on a virtual private server.
OBSERVATION: Vulnerable PHP version
https://chengetedzai.co.zw
Description
According to its banner, the PHP version running on the remote host is affected by
numerous vulnerabilities, mainly related to remote code execution, denial of service, XSS, etc.
RISK
The currently installed version is affected by several vulnerabilities, such as denial of
service, cross-site request forgery, XSS, etc.
RECOMMENDATION
As per the vendor advisory, upgrade PHP to its latest stable version
(8.1.4 as of the 27th of March 2022).
https://chengetedzai.co.zw
• Client Portal:
o POST /client-portal/login
o POST /client-portal/register
o POST /client-portal/forgot
• Contact form
o POST /wp-json/contact-form-7/v1/contact-forms/5/feedback
• Request form
RISKS
A malicious attacker can launch a brute-force attack against the listed functionalities,
leading to:
- Denial of Service
RECOMMENDATION
Implement an anti-brute-force mechanism, such as CAPTCHA, and/or limit the number of
requests that can be sent.
OBSERVATION: User Enumeration
Functionalities:
• WordPress:
• Client Portal:
This weakness reveals the application's users, and the requests are never blocked: the
server's response shows whether or not a given user exists.
RISKS
A malicious unauthenticated attacker can identify valid user accounts without being
blocked, by enumerating candidate usernames. This is done by launching a brute-force
attack against the listed functionalities and observing which responses indicate an
existing user.
RECOMMENDATIONS
Return the same error response for existing and non-existing users on each listed functionality.
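The following Python module is an added illustration of the recommendation above; it is not code from the report or from the assessed site. It places the enumerable pattern (different messages for "unknown user" and "wrong password") beside the unified form, in which status, message and the amount of work done are identical whether or not the account exists. The credential store, the salt and the password are constructed for the demonstration; the forgot-password mail-out is replaced by a list.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed demonstration credential store (username -> PBKDF2 hash). Not real portal data.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"admin": _hash_password("correct horse battery staple")}

# Hash of a random value, used when the account does not exist so that the request
# performs the same amount of work (and takes about the same time) either way.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If an account with that name exists, a reset link has been sent."


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """The enumerable pattern: the message tells unknown users apart from wrong passwords."""
    if username not in USERS:
        return 401, "Unknown user."
    if not hmac.compare_digest(USERS[username], _hash_password(password)):
        return 401, "Wrong password."
    return 200, "Welcome."


def login(username: str, password: str) -> Tuple[int, str]:
    """Unified response: status, body and work done do not depend on whether the user exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash_password(password))
    if matches and username in USERS:
        return 200, "Welcome."
    return 401, GENERIC_LOGIN_ERROR


RESET_QUEUE = []  # stands in for the mail-sending side effect


def forgot_password_leaky(username: str) -> Tuple[int, str]:
    """The enumerable pattern for the reset flow: 404 for unknown names, 200 for known ones."""
    if username not in USERS:
        return 404, "Unknown user."
    RESET_QUEUE.append(username)
    return 200, "Reset link sent."


def forgot_password(username: str) -> Tuple[int, str]:
    """Same status and message either way; only the hidden side effect differs."""
    if username in USERS:
        RESET_QUEUE.append(username)
    return 200, GENERIC_RESET_MESSAGE
```

The dummy hash matters as much as the message: if the server only hashes the password when the account exists, response timing still distinguishes the two cases even though the text no longer does.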
• https://chengetedzai.co.zw/wp-login.php
• https://chengetedzai.co.zw/wp-login.php?action=lostpassword
Description
When a value is entered in a form field and the form is submitted, the browser saves it.
When the form is displayed again, the field is filled in automatically.
RISKS
An attacker with local access could obtain the clear-text username or other
parameters from the browser cache; these can be combined with other techniques
and used in future attacks (such as a brute-force attack or denial of service against
the user in question).
RECOMMENDATIONS
Autocomplete should be disabled on all such parameters. To disable autocomplete, you
may use markup similar to:
<input type="text" name="username" autocomplete="off">
https://chengetedzai.co.zw (95.111.227.164)
Traffic to the web gateway is not protected by a second layer of encryption, and HSTS
is not enforced.
RISKS
An attacker may be able to break the SSL/TLS encryption through a man-in-the-middle
attack and tamper with the data.
RECOMMENDATIONS
Enforce HSTS and/or encrypt all traffic with a second layer of encryption.
OBSERVATION: Weak SSL Protocol Versions and Weak Block-Size Cipher Suites
• 197.211.212.152:443 (chengetedzai.com)
It was noted that the server accepts connections over TLS v1.0 and TLS v1.1 with weak
ciphers (AES, CAMELLIA128) that are exposed to several known vulnerabilities. It is
recommended to disable these protocols and ciphers and to use TLS v1.2 / TLS v1.3 instead,
with strong ciphers only.
RISKS
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or
decrypt communications between the affected service and clients.
RECOMMENDATIONS
Disable TLS v1.0 and TLS v1.1 and restrict usage to TLS v1.2 instead.
Disable the AES, DES and RC4 cipher suites flagged above and use only high-strength
ciphers (AES combined with GCM).
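As an added example covering both the HSTS finding and the TLS protocol/cipher finding (it is not code from the report or the assessed server), the Python module below does two things. First, it audits a protocol/cipher inventory against the policy the recommendations describe (no TLS 1.0/1.1, AEAD suites only) and builds a real server-side `ssl.SSLContext` that satisfies it, so the same audit can be run against the hardened configuration. Second, it parses the `Strict-Transport-Security` header out of a response-header map to check that HSTS is actually enforced. The "observed" inventory is a constructed approximation of the state the report describes, and the one-year HSTS value and the minimum-age floor are assumed policy choices.

```python
import ssl
from typing import Dict, List, Optional

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed inventory approximating the finding: legacy protocol versions offered and
# CBC suites (AES, CAMELLIA) enabled. Cipher suites use their IANA names.
OBSERVED = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}


def findings(config: Dict[str, List[str]]) -> List[str]:
    """Policy check: flag legacy protocol versions and every non-AEAD cipher suite."""
    out = [f"legacy protocol enabled: {p}" for p in config["protocols"] if p in LEGACY_PROTOCOLS]
    out += [f"non-AEAD cipher suite enabled: {c}" for c in config["ciphers"]
            if not any(marker in c for marker in AEAD_MARKERS)]
    return out


def hardened_server_context() -> ssl.SSLContext:
    """Server context that only negotiates TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 clients are refused
    # TLS 1.2 suite selection; the TLS 1.3 suites are AEAD by definition and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def context_config(ctx: ssl.SSLContext) -> Dict[str, List[str]]:
    """Express a live context in the same shape as OBSERVED so findings() can audit it."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    enabled = [name for name, version in versions if ctx.minimum_version <= version]
    return {"protocols": enabled, "ciphers": [c["name"] for c in ctx.get_ciphers()]}


# Assumed policy: one year, applied to subdomains as well.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Parse max-age from Strict-Transport-Security; header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def hsts_enforced(headers: Dict[str, str], minimum_age: int = 15552000) -> bool:
    """True when the header is present with a max-age of at least the assumed 180-day floor."""
    age = hsts_max_age(headers)
    return age is not None and age >= minimum_age
```

`findings(context_config(hardened_server_context()))` returns an empty list, while the constructed inventory yields four findings (two legacy protocols, two CBC suites). The HSTS check deliberately treats `max-age=0` as not enforced, since that value instructs browsers to forget the policy.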
OBSERVATION: ROBOTS.TXT
95.111.227.164 (chengetedzai.co.zw)
The robots.txt file lists critical directories publicly, as shown below:
https://chengetedzai.co.zw/robots.txt
The robots file tells search engine robots and spiders which referenced links of the
website to crawl. It is important to note that if critical directories and paths are neither
accessible nor referenced inside the website, there is no need to include them in this
file.
RECOMMENDATIONS
Disallow all paths and whitelist only the paths that are needed.
The robots.txt file should be reviewed and fine-tuned in order to prevent a malicious user
from enumerating hidden pages.
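The Python snippet below is an added illustration of the "disallow all, whitelist what is needed" recommendation; it is not code from the report and the two robots.txt files in it are constructed, not the site's real file. It parses a robots.txt into directive/value pairs and reports two things a reviewer would look for: whether the file is deny-by-default (`Disallow: /`), and which `Disallow` entries name specific locations and therefore advertise them to anyone reading the file.

```python
from typing import List, Tuple

# Constructed file in the shape the observation describes: sensitive locations are listed
# one by one, so the file itself advertises them.
OBSERVED_ROBOTS = """\
User-agent: *
Disallow: /wp-login.php
Disallow: /wp-admin/
Disallow: /client-portal/
"""

# Constructed deny-by-default version: everything is disallowed and only the paths that
# should be crawled are named.
RECOMMENDED_ROBOTS = """\
User-agent: *
Disallow: /
Allow: /$
Allow: /wp-content/uploads/
Allow: /sitemap.xml
"""


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs; directives are lower-cased, comments and blanks dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, _, value = line.partition(":")
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def is_deny_by_default(rules: List[Tuple[str, str]]) -> bool:
    return ("disallow", "/") in rules


def advertised_paths(rules: List[Tuple[str, str]]) -> List[str]:
    """Disallow entries other than '/' (or empty) name specific locations and so leak them."""
    return [value for directive, value in rules if directive == "disallow" and value not in ("", "/")]


def audit(text: str) -> List[str]:
    """Human-readable review findings for one robots.txt."""
    rules = parse_rules(text)
    problems = []
    if not is_deny_by_default(rules):
        problems.append("not deny-by-default (no 'Disallow: /')")
    problems += [f"path advertised: {path}" for path in advertised_paths(rules)]
    return problems
```

Two caveats when applying this: `Allow` and the `$` end-of-path anchor are honoured by the major crawlers (and standardized in RFC 9309) but not by every bot, and robots.txt is advisory in any case. Keeping a location out of the file does not protect it; the access restrictions recommended elsewhere in this report do.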
https://chengetedzai.co.zw/wp-login.php
RECOMMENDATIONS
It is recommended to whitelist access to the administrative login page to authorized IPs
only.
Additionally, it is recommended to implement the following:
Implement a dynamic second-factor authentication.
Implement HSTS and/or a second layer of encryption.
Implement a rotating on screen virtual keyboard.
Include account lockout for brute force protection.
https://chengetedzai.co.zw/?rest_route=/wp/v2/
The screenshot below shows the administrator user of the WordPress Web application:
https://chengetedzai.co.zw.com/?rest_route=/wp/v2/users/
RISK
An attacker can take advantage of the disclosed username to launch a brute-force
attack on the login page and gain full (unauthorized) access to the WordPress CMS.
RECOMMENDATIONS
Hide or remove such directories and pages, and forbid access to them.
RECOMMENDATIONS
It is recommended to remove the CMS-related metadata from all pages and to block
access to the core PHP files.
Even though the installed WordPress is the latest stable release, it is recommended to
keep it updated with the relevant patches.
https://chengetedzai.co.zw/wp-load.php
It is important to note that many PHP core files of the WordPress CMS are directly accessible.
RECOMMENDATIONS
Restrict access to those files and/or redirect requests for them to a non-existent
page.
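The Python module below is an added example, not code from the report or from the assessed site, of the access policy that the recommendations in this report describe in three places: core PHP and other server-side files answering as if they did not exist (the "redirect to a non-existing page" advice above), the administrative login page reachable only from allow-listed addresses, and the REST user listing forbidden. It is written as a pure decision function (URL and client address in, HTTP status out) so the rules can be tested in isolation before being transcribed into the web server's configuration. The extension sets, the allow-listed network, the `robots.txt` and `index.php` exceptions, and the status codes are assumptions made for the example.

```python
import ipaddress
import posixpath
from typing import Iterable, Tuple
from urllib.parse import parse_qs, urlsplit

# Client-side files that must always be served (assumed set, extended from the report's list).
CLIENT_SIDE_EXTENSIONS = {".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff", ".woff2"}
# Server-side files the report says should be unreachable from the web.
SERVER_SIDE_EXTENSIONS = {".php", ".txt", ".rules"}
# Assumed exceptions: the front controller, and robots.txt (which crawlers need to fetch).
PUBLIC_SERVER_FILES = {"/index.php", "/robots.txt"}
ADMIN_LOGIN = "/wp-login.php"
USERS_ENDPOINT = "/wp/v2/users"


def _split(url: str) -> Tuple[str, dict]:
    parts = urlsplit(url)
    # Collapse "..", "." and repeated slashes so /wp-admin/../wp-load.php is judged as /wp-load.php.
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    return path, parse_qs(parts.query)


def decide(url: str, client_ip: str, admin_allowlist: Iterable[str]) -> int:
    """Status the edge should answer: 200 serve, 403 forbidden, 404 behave as if absent."""
    path, query = _split(url)
    name = posixpath.basename(path)
    ext = posixpath.splitext(name)[1].lower()

    # 1. REST user listing, reached as /wp-json/wp/v2/users or as ?rest_route=/wp/v2/users.
    rest_route = query.get("rest_route", [""])[0]
    if path.startswith("/wp-json" + USERS_ENDPOINT) or rest_route.startswith(USERS_ENDPOINT):
        return 404

    # 2. Administrative login page: allow-listed source networks only.
    if path == ADMIN_LOGIN:
        ip = ipaddress.ip_address(client_ip)
        return 200 if any(ip in ipaddress.ip_network(net) for net in admin_allowlist) else 403

    # 3. Client-side assets are always served.
    if ext in CLIENT_SIDE_EXTENSIONS:
        return 200

    # 4. Other server-side files (wp-load.php, wp-cron.php, .htaccess, ...) answer 404 unless public.
    if name.startswith(".ht") or ext in SERVER_SIDE_EXTENSIONS:
        return 200 if path in PUBLIC_SERVER_FILES else 404

    # 5. Extension-less routes (/client-portal/login, /wp-json/contact-form-7/...) reach the
    #    front controller, which applies its own authentication.
    return 200
```

Two points worth checking before deploying the equivalent rules: the contact-form endpoint under `/wp-json/contact-form-7/` stays reachable because only the `wp/v2/users` route is blocked, and hiding `wp-cron.php` from the web means scheduled tasks have to be triggered from the system scheduler instead (WordPress supports this through the `DISABLE_WP_CRON` constant plus a local cron entry).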
Similarly affected:
• Client Portal:
o POST /client-portal/login
o POST /client-portal/forgot
• Contact form:
o POST /wp-json/contact-form-7/v1/contact-forms/5/feedback
• Request form:
o POST /wp-json/ json/contact-form-7/v1/contact-forms/5/feedback
RECOMMENDATIONS
Implement an anti-brute-force mechanism, such as CAPTCHA, and/or limit the number
of requests that can be sent.
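The Python module below is an added example for the request-limiting recommendation given here and earlier in the report, and for the account-lockout recommendation in the WordPress login section; it is not code from the report or the assessed portal. It combines a sliding-window limit per source address with a consecutive-failure lockout per account, and shows the order in which a login handler should consult them. The thresholds, the `429`/`401` responses and the `FakeClock` used to exercise the timing are assumptions made for the example; the credential check is passed in as a callable.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Tuple

GENERIC_FAILURE = "Invalid username or password."


class BruteForceGuard:
    """Sliding-window request limit per source address plus consecutive-failure lockout per account."""

    def __init__(self, max_requests: int = 10, window: float = 60.0,
                 max_failures: int = 5, lockout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests, self.window = max_requests, window
        self.max_failures, self.lockout = max_failures, lockout
        self.clock = clock
        self._hits: Dict[str, deque] = defaultdict(deque)  # ip -> request timestamps in window
        self._failures: Dict[str, int] = defaultdict(int)  # account -> consecutive failures
        self._locked_until: Dict[str, float] = {}          # account -> unlock time

    def allow_request(self, client_ip: str) -> bool:
        now = self.clock()
        hits = self._hits[client_ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                                  # forget requests outside the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def account_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:                           # lockout expired: reset the counters
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> None:
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout

    def record_success(self, account: str) -> None:
        self._failures[account] = 0


def handle_login(guard: BruteForceGuard, client_ip: str, username: str, password: str,
                 check_credentials: Callable[[str, str], bool]) -> Tuple[int, str]:
    """Order matters: rate limit first, then lockout, then the (expensive) credential check."""
    if not guard.allow_request(client_ip):
        return 429, "Too many requests; try again later."
    if guard.account_locked(username):
        return 401, GENERIC_FAILURE  # same message as a bad password: no lockout oracle
    if check_credentials(username, password):
        guard.record_success(username)
        return 200, "Welcome."
    guard.record_failure(username)  # counted for unknown names too, so nothing reveals existence
    return 401, GENERIC_FAILURE


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Two design points follow from findings elsewhere in this report. A locked account answers with the same generic message as a wrong password, so the lockout state cannot be used to confirm that a username exists. And because a per-account lockout can be turned into a denial of service against that user (the browser-cache finding notes this risk), the per-address limit is applied first and the lockout is time-bounded rather than permanent.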
Forgot Password: Upon accessing the “Forgot Password” functionality, the response reveals
that the user exists as shown below:
Response for invalid User
Client Portal
4.10.2.1 Forgot password
Upon accessing the “Forgot Password” functionality, the response reveals that the user
exists as shown below:
jQuery
jQuery UI
RECOMMENDATIONS
It is recommended to upgrade the Bootstrap to its latest stable version.
It is important to note that the jQuery and jQuery UI are patched. However, it is
recommended to keep the software updated and patched.
WordPress
WordPress login page
RECOMMENDATION
As a best practice, it is recommended to disable the autocomplete option on all fields.