Task #14478: Security Vulnerability Notification
Status: closed (0% done)
Description
Hi!
An automated scan by the TUM IT Security team has discovered 14 vulnerabilities in your network (org:ASE).
If you have questions about the procedure or your scan results, please contact
it-sicherheit@tum.de
Please fix the reported issues as soon as you can.
Regards
ITO Systems Group
Report text of Greenbone Security Assistant:
############################################################
host: vmbhatotia165.in.tum.de, ip: 131.159.89.189, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T21:17:13Z - b9204534-7c7f-4786-94ce-df68891e889f - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: XSRF-TOKEN=eyJpdiI6Inh3Q1Q5Y3o2ZnQ5OUZGZ1pwVWU0Rnc9PSIsInZhbHVlIjoiWFM4M3BxaXA4Z0V1RzdoVUpJbWlwTlEwTjQyVHRFb1NVYXAyT1Fzc3NMMzBueVY4N2Ewd3k3OFJrZkNwMEV6T0Ywcm1YT0d4WEZ1Z1owWkhwLy9hbXhhYjhSOTJCNXB2cUpLUWZ4R0VCcDFwREpORkdsZVN4eExKVjgvS0FuYjMiLCJtYWMiOiIxZWJhMzYwMzJkNjA2NmMxZjJjMmM2ZTVkNzZhYzVkY2NkYTFlYTcxOWNjMjliNzhkMWExZmYxZmYxM2FhYTZhIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:03 GMT; Max-Age=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: vmbhatotia165.cs.tum.edu, ip: 131.159.89.189, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T21:17:13Z - 9d8c71b9-fa26-4f28-9a6d-ba5f0a84db81 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik15Tk1NSk40dFB4S095elBOVVlKY2c9PSIsInZhbHVlIjoiQ3JHWENoR0hCUm9OZUZxc0xLUWYrYURNd2NrYWZCZytWTnladGxvU0xpN2xlNWNmU2c3NW9iY3lxOGl6ekJjRHlTbEx0eGpKZm9sSXFtdk90V3lqeUU3dlorei82dXVVc3o3TFYvdzVDdzlYTTNxUm9kd1pEazBNRmdQcTh0RnYiLCJtYWMiOiI0MDExNzExZjcyOWZiNDRkNWQ5NWUwNTJkNDgwMjQ0ODdiNDFmZjFjYTUyZGYyOGJhOWU4YmFiNzc5MjE4NmIzIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:04 GMT; Max-Age=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T21:17:13Z - ca4eeebb-e5fb-46f2-a096-241c2eb67158 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjA5T2haTDZvcDdZeWY1T0N4Zy9ad2c9PSIsInZhbHVlIjoiVUovcWx6NWQveUh4dEw3WEdlKzJJS2VKeGZvQmd1cjVpNkt2OFhJVHlKT29YRTMvMStkS25QdkdyK243blk0eHRKdlJhd3cxT3JOQUNyTWFOV2Z5RVp2SHJ6djhuTE5ZaTYvajh5UlpuRHVQKzNvL2Q0Z1k5ZUJOWmhoRysrcmoiLCJtYWMiOiI1NDM1MWRhOTI3YWRkNzQyYmYzZWYzYmMwZDhlMmRmMGVmNzg0YjAyNDliOGI3NjFiMDM3ZTJmMGRmMWQyYThhIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:04 GMT; Max-Age=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -
- 5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
- 2024-07-15T21:26:09Z - 8d05d421-8aee-4633-951a-643a991de2ae - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:
Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root root@vmbhatotia124.in.tum.de 1656435832 +0200 clone: from git://git.moodle.org/moodle.git
1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root root@vmbhatotia124.in.tum.de 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE
cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root root@vmbhatotia124.in.tum.de 1675437321 +0100 pull: Fast-forward
a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root root@vmbhatotia124.in.tum.de 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE
cb6dc699b8ed9d29dcd9cd400fb96647a471e87a 9557a525696b2e7eeef49a95d3eacb7be374a71a root root@vmbhatotia124.in.tum.de 1720609520 +0200 checkout: moving from cb6dc699b8ed9d29dcd9cd400fb96647a471e87a to MOODLE_404_STABLE
9557a525696b2e7eeef49a95d3eacb7be374a71a 033858e2491fd79c54e511f3177eca2990877ee6 root root@vmbhatotia124.in.tum.de 1720610070 +0200 checkout: moving from MOODLE_404_STABLE to v4.1.2
033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 root root@vmbhatotia124.in.tum.de 1720610124 +0200 checkout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5
Used regex: ^[a-f0-9]{40} [a-f0-9]{40}
URL: https://vmbhatotia124.in.tum.de/.git/logs/HEAD
Match: [core]
[remote "origin"]
[branch "MOODLE_311_STABLE"]
[branch "MOODLE_400_STABLE"]
[branch "MOODLE_404_STABLE"]
Used regex: ^[(core|receive|(remote|branch) .+)]$
URL: https://vmbhatotia124.in.tum.de/.git/config
Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://vmbhatotia124.in.tum.de/.git/info/exclude
Match: DIRC
Used regex: ^DIRC
URL: https://vmbhatotia124.in.tum.de/.git/index
Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://vmbhatotia124.in.tum.de/.git/description
Match: ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle
ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle
20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle
fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle
cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle
91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle
572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle
c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle
6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle
9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle
cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle
928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle
e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle
97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle
54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle
aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle
382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle
0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle
3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle
375a1163378f4fd5af36aa633c08c0431c9ad74b not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle
92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle
45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle
ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle
9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle
22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle
940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle
3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle
49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle
1a1d59ef61d75f6e553feccbc8feb62bca7dcd9f not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle
b5f4e0ce3dde78633696f892a0844574d43af4d0 not-for-merge branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle
f9c5802f4ec72894f8722a9fe8dc3c2b917afd1a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle
34b34aed9c707d37202da7bb80603a87dac77f0e not-for-merge branch 'MOODLE_402_STABLE' of git://git.moodle.org/moodle
fd32ceac7ccb45ea3dace04ba0766f775756deda not-for-merge branch 'MOODLE_403_STABLE' of git://git.moodle.org/moodle
9557a525696b2e7eeef49a95d3eacb7be374a71a not-for-merge branch 'MOODLE_404_STABLE' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'main' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'master' of git://git.moodle.org/moodle
Used regex: ^[a-f0-9]{40}\s+(not-for-merge\s+)?branch
URL: https://vmbhatotia124.in.tum.de/.git/FETCH_HEAD
Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://vmbhatotia124.in.tum.de/.git/ORIG_HEAD
solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.
############################################################
host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T20:58:25Z - 1f788d95-1e7a-4ebe-bba5-5a42e3447260 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: MoodleSession=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -
- 5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
- 2024-07-15T21:27:40Z - 43fc543e-9965-45f6-9be7-1fd8a682b56e - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:
Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root root@vmbhatotia124.in.tum.de 1656435832 +0200 clone: from git://git.moodle.org/moodle.git
1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root root@vmbhatotia124.in.tum.de 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE
cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root root@vmbhatotia124.in.tum.de 1675437321 +0100 pull: Fast-forward
a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root root@vmbhatotia124.in.tum.de 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE
cb6dc699b8ed9d29dcd9cd400fb96647a471e87a 9557a525696b2e7eeef49a95d3eacb7be374a71a root root@vmbhatotia124.in.tum.de 1720609520 +0200 checkout: moving from cb6dc699b8ed9d29dcd9cd400fb96647a471e87a to MOODLE_404_STABLE
9557a525696b2e7eeef49a95d3eacb7be374a71a 033858e2491fd79c54e511f3177eca2990877ee6 root root@vmbhatotia124.in.tum.de 1720610070 +0200 checkout: moving from MOODLE_404_STABLE to v4.1.2
033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 root root@vmbhatotia124.in.tum.de 1720610124 +0200 checkout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5
Used regex: ^[a-f0-9]{40} [a-f0-9]{40}
URL: https://vmbhatotia124.cs.tum.edu/.git/logs/HEAD
Match: [core]
[remote "origin"]
[branch "MOODLE_311_STABLE"]
[branch "MOODLE_400_STABLE"]
[branch "MOODLE_404_STABLE"]
Used regex: ^[(core|receive|(remote|branch) .+)]$
URL: https://vmbhatotia124.cs.tum.edu/.git/config
Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://vmbhatotia124.cs.tum.edu/.git/info/exclude
Match: DIRC
Used regex: ^DIRC
URL: https://vmbhatotia124.cs.tum.edu/.git/index
Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://vmbhatotia124.cs.tum.edu/.git/description
Match: ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle
ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle
20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle
fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle
cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle
91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle
572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle
c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle
6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle
9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle
cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle
928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle
e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle
97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle
54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle
aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle
382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle
0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle
3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle
375a1163378f4fd5af36aa633c08c0431c9ad74b not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle
92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle
45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle
ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle
9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle
22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle
940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle
3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle
49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle
1a1d59ef61d75f6e553feccbc8feb62bca7dcd9f not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle
b5f4e0ce3dde78633696f892a0844574d43af4d0 not-for-merge branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle
f9c5802f4ec72894f8722a9fe8dc3c2b917afd1a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle
34b34aed9c707d37202da7bb80603a87dac77f0e not-for-merge branch 'MOODLE_402_STABLE' of git://git.moodle.org/moodle
fd32ceac7ccb45ea3dace04ba0766f775756deda not-for-merge branch 'MOODLE_403_STABLE' of git://git.moodle.org/moodle
9557a525696b2e7eeef49a95d3eacb7be374a71a not-for-merge branch 'MOODLE_404_STABLE' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'main' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'master' of git://git.moodle.org/moodle
Used regex: ^[a-f0-9]{40}\s+(not-for-merge\s+)?branch
URL: https://vmbhatotia124.cs.tum.edu/.git/FETCH_HEAD
Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://vmbhatotia124.cs.tum.edu/.git/ORIG_HEAD
solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.
############################################################
host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T20:58:25Z - daf1058b-2f50-442a-b606-7c8ee0783017 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: MoodleSession=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -
- 5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
- 2024-07-15T21:27:09Z - 439d3c96-876b-4afb-82d5-f2262c0f7068 - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:
Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root root@vmbhatotia124.in.tum.de 1656435832 +0200 clone: from git://git.moodle.org/moodle.git
1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root root@vmbhatotia124.in.tum.de 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE
cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root root@vmbhatotia124.in.tum.de 1675437321 +0100 pull: Fast-forward
a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root root@vmbhatotia124.in.tum.de 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE
cb6dc699b8ed9d29dcd9cd400fb96647a471e87a 9557a525696b2e7eeef49a95d3eacb7be374a71a root root@vmbhatotia124.in.tum.de 1720609520 +0200 checkout: moving from cb6dc699b8ed9d29dcd9cd400fb96647a471e87a to MOODLE_404_STABLE
9557a525696b2e7eeef49a95d3eacb7be374a71a 033858e2491fd79c54e511f3177eca2990877ee6 root root@vmbhatotia124.in.tum.de 1720610070 +0200 checkout: moving from MOODLE_404_STABLE to v4.1.2
033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 root root@vmbhatotia124.in.tum.de 1720610124 +0200 checkout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5
Used regex: ^[a-f0-9]{40} [a-f0-9]{40}
URL: https://moodle.ase.in.tum.de/.git/logs/HEAD
Match: [core]
[remote "origin"]
[branch "MOODLE_311_STABLE"]
[branch "MOODLE_400_STABLE"]
[branch "MOODLE_404_STABLE"]
Used regex: ^[(core|receive|(remote|branch) .+)]$
URL: https://moodle.ase.in.tum.de/.git/config
Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://moodle.ase.in.tum.de/.git/info/exclude
Match: DIRC
Used regex: ^DIRC
URL: https://moodle.ase.in.tum.de/.git/index
Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://moodle.ase.in.tum.de/.git/description
Match: ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle
ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle
20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle
fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle
cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle
91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle
572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle
c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle
6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle
9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle
cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle
928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle
e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle
97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle
54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle
aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle
382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle
0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle
3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle
375a1163378f4fd5af36aa633c08c0431c9ad74b not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle
92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle
45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle
ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle
9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle
22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle
940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle
3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle
49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle
1a1d59ef61d75f6e553feccbc8feb62bca7dcd9f not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle
b5f4e0ce3dde78633696f892a0844574d43af4d0 not-for-merge branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle
f9c5802f4ec72894f8722a9fe8dc3c2b917afd1a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle
34b34aed9c707d37202da7bb80603a87dac77f0e not-for-merge branch 'MOODLE_402_STABLE' of git://git.moodle.org/moodle
fd32ceac7ccb45ea3dace04ba0766f775756deda not-for-merge branch 'MOODLE_403_STABLE' of git://git.moodle.org/moodle
9557a525696b2e7eeef49a95d3eacb7be374a71a not-for-merge branch 'MOODLE_404_STABLE' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'main' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'master' of git://git.moodle.org/moodle
Used regex: ^[a-f0-9]{40}\s+(not-for-merge\s+)?branch
URL: https://moodle.ase.in.tum.de/.git/FETCH_HEAD
Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://moodle.ase.in.tum.de/.git/ORIG_HEAD
solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.
############################################################
host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -
- 5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
- 2024-07-15T20:58:25Z - 6fb18832-8acb-47ff-b160-07bbf21cafad - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):
Set-Cookie: MoodleSession=replaced; path=/; secure
is/are missing the "HttpOnly" cookie attribute.
solution (Mitigation):
- Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create an override for this result if there is none (this can't be checked automatically by this VT)
############################################################
host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, - port: -
- 5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
- 2024-07-15T21:26:40Z - f59d15da-1be6-46c6-8823-54c3225bf6d0 - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:
Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root root@vmbhatotia124.in.tum.de 1656435832 +0200 clone: from git://git.moodle.org/moodle.git
1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root root@vmbhatotia124.in.tum.de 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE
cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root root@vmbhatotia124.in.tum.de 1675437321 +0100 pull: Fast-forward
a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root root@vmbhatotia124.in.tum.de 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE
cb6dc699b8ed9d29dcd9cd400fb96647a471e87a 9557a525696b2e7eeef49a95d3eacb7be374a71a root root@vmbhatotia124.in.tum.de 1720609520 +0200 checkout: moving from cb6dc699b8ed9d29dcd9cd400fb96647a471e87a to MOODLE_404_STABLE
9557a525696b2e7eeef49a95d3eacb7be374a71a 033858e2491fd79c54e511f3177eca2990877ee6 root root@vmbhatotia124.in.tum.de 1720610070 +0200 checkout: moving from MOODLE_404_STABLE to v4.1.2
033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 root root@vmbhatotia124.in.tum.de 1720610124 +0200 checkout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5
Used regex: ^[a-f0-9]{40} [a-f0-9]{40}
URL: https://moodle.ase.cs.tum.edu/.git/logs/HEAD
Match: [core]
[remote "origin"]
[branch "MOODLE_311_STABLE"]
[branch "MOODLE_400_STABLE"]
[branch "MOODLE_404_STABLE"]
Used regex: ^[(core|receive|(remote|branch) .+)]$
URL: https://moodle.ase.cs.tum.edu/.git/config
Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://moodle.ase.cs.tum.edu/.git/info/exclude
Match: DIRC
Used regex: ^DIRC
URL: https://moodle.ase.cs.tum.edu/.git/index
Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://moodle.ase.cs.tum.edu/.git/description
Match: ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle
ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle
20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle
fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle
cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle
91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle
572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle
c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle
6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle
9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle
cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle
928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle
e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle
97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle
54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle
aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge bra...
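
Checking the cookie findings by hand, as an added example that is not part of the notification or of the Greenbone output: the script below parses Set-Cookie values the way the NVT does and reports which of HttpOnly and Secure are absent, with SameSite as an advisory. The sample headers are constructed in the shapes the report shows (values replaced); the URL-fetching helper is for live use against a host and is not needed to run the sample. For the MoodleSession cookie the fix is Moodle's 'cookiehttponly' setting (Site administration > Server > HTTP, or $CFG->cookiehttponly = true; in config.php). A cookie named XSRF-TOKEN is normally meant to be read by front-end JavaScript for the CSRF double-submit pattern, so adding HttpOnly there would break the application; that is the case the scanner's "create an override" item covers, and the assessment should confirm that cookie carries no session state.

```python
"""Added example: audit Set-Cookie headers for HttpOnly / Secure / SameSite."""
from __future__ import annotations

import urllib.request
from dataclasses import dataclass, field

REQUIRED = ("httponly", "secure")   # what the scanner's finding is about, plus Secure
RECOMMENDED = ("samesite",)         # not part of the finding, but worth reporting


@dataclass
class CookieAudit:
    name: str
    attrs: dict[str, str | bool] = field(default_factory=dict)  # lowercased attr -> value (True if bare)
    missing: list[str] = field(default_factory=list)
    advisory: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value: first segment is name=value, the rest are attributes."""
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    audit = CookieAudit(name=name, attrs=attrs)
    audit.missing = [a for a in REQUIRED if a not in attrs]
    audit.advisory = [a for a in RECOMMENDED if a not in attrs]
    return audit


def audit_set_cookies(values: list[str]) -> list[CookieAudit]:
    """Audit every Set-Cookie value of one response."""
    return [parse_set_cookie(v) for v in values]


def fetch_set_cookies(url: str, timeout: float = 10.0) -> list[str]:
    """Set-Cookie values of the final response for `url`.

    Redirect hops are followed, so a cookie set only on a 3xx hop is not seen;
    probe such URLs directly (e.g. the login page rather than the site root).
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples in the shapes the report shows (values replaced), plus a fixed one.
SAMPLE_HEADERS = [
    "XSRF-TOKEN=replaced; expires=Wed, 24 Jul 2024 04:35:03 GMT; Max-Age=600; path=/; secure",
    "MoodleSession=replaced; path=/; secure",
    "MoodleSession=replaced; path=/; secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    import sys
    # With a URL argument the live headers are audited, otherwise the samples.
    headers = fetch_set_cookies(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for a in audit_set_cookies(headers):
        status = "ok" if a.ok else "missing " + ", ".join(a.missing)
        note = f" (no {', '.join(a.advisory)})" if a.advisory else ""
        print(f"{a.name}: {status}{note}")
```

Attribute names are compared case-insensitively, as browsers do, so "HttpOnly", "httponly" and "HTTPONLY" all count. After setting cookiehttponly in Moodle, re-run the script against the login page and expect the MoodleSession line to read "ok".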
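
For the exposed .git findings, an added example that is not the scanner's code: the probe below requests the same seven paths the report lists and accepts each only if the body matches that file's format, so a server that answers every path with a 200 catch-all page is not reported. It also parses .git/logs/HEAD, because the reflog in the report tells an attacker the exact checked-out tag (v4.3.5) and turns a generic "Moodle" fingerprint into a precise one. The sample tree and the example base URL are constructed; the hashes and timestamps are the ones in the report, written in real reflog syntax (name, e-mail in angle brackets, tab, message), which the report's printout shows without the angle brackets. The config pattern is written with escaped brackets, which is what actually matches a line like "[core]"; the report prints it without the backslashes.

```python
"""Added example: detect an exposed .git directory and read what its reflog leaks."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Path -> pattern identifying that file, mirroring the checks listed in the report.
PROBES = {
    ".git/logs/HEAD": re.compile(rb"^[a-f0-9]{40} [a-f0-9]{40}", re.M),
    ".git/config": re.compile(rb"^\[(core|receive|(remote|branch) .+)\]$", re.M),
    ".git/info/exclude": re.compile(rb"^# git ls-files", re.M),
    ".git/index": re.compile(rb"^DIRC"),
    ".git/description": re.compile(rb"^Unnamed repository", re.M),
    ".git/FETCH_HEAD": re.compile(rb"^[a-f0-9]{40}\s+(not-for-merge\s+)?branch", re.M),
    ".git/ORIG_HEAD": re.compile(rb"^[a-f0-9]{40}$", re.M),
}

# Reflog line: <old> <new> <name> <<email>> <unix-ts> <tz>\t<message>
REFLOG_LINE = re.compile(rb"^[a-f0-9]{40} [a-f0-9]{40} .+? (\d+) [+-]\d{4}\t(.*)$", re.M)
CHECKOUT_TARGET = re.compile(r"moving from \S+ to (\S+)")


def fetch(url: str, timeout: float = 10.0) -> bytes | None:
    """GET `url`; return up to 64 KiB of body, or None on any HTTP/network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(65536)
    except (urllib.error.URLError, OSError):
        return None


def probe_git_exposure(base_url: str, fetch_fn=fetch) -> list[str]:
    """Return the .git paths under base_url that are served with plausible content."""
    base = base_url.rstrip("/") + "/"
    exposed = []
    for path, pattern in PROBES.items():
        body = fetch_fn(base + path)
        if body is not None and pattern.search(body):
            exposed.append(path)
    return exposed


def reflog_entries(body: bytes) -> list[dict]:
    """Parse .git/logs/HEAD into [{'date': 'YYYY-MM-DD' (UTC), 'action': str}, ...]."""
    entries = []
    for ts, message in REFLOG_LINE.findall(body):
        when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
        entries.append({"date": when.strftime("%Y-%m-%d"),
                        "action": message.decode("utf-8", "replace")})
    return entries


def checked_out_versions(entries: list[dict]) -> list[str]:
    """Branch/tag names revealed by 'checkout: moving from A to B' reflog lines."""
    targets = []
    for entry in entries:
        m = CHECKOUT_TARGET.search(entry["action"])
        if m:
            targets.append(m.group(1))
    return targets


# Constructed sample tree (hashes and timestamps from the report) so the demo runs offline.
SAMPLE_REFLOG = (
    b"0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a "
    b"root <root@vmbhatotia124.in.tum.de> 1656435832 +0200\tclone: from git://git.moodle.org/moodle.git\n"
    b"1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a "
    b"root <root@vmbhatotia124.in.tum.de> 1668180765 +0100\tcheckout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE\n"
    b"033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 "
    b"root <root@vmbhatotia124.in.tum.de> 1720610124 +0200\tcheckout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5\n"
)
SAMPLE_TREE = {
    ".git/logs/HEAD": SAMPLE_REFLOG,
    ".git/config": b'[core]\n\tbare = false\n[remote "origin"]\n\turl = git://git.moodle.org/moodle.git\n',
    ".git/index": b"DIRC\x00\x00\x00\x02\x00\x00\x00\x10",
    ".git/description": b"Unnamed repository; edit this file 'description' to name the repository.\n",
    ".git/ORIG_HEAD": b"cda2e481342ba0644f665ff8e91342abb009192a\n",
}


def fake_fetch(url: str) -> bytes | None:
    """Offline stand-in for fetch(): serve the sample tree, 'missing' for anything else."""
    return SAMPLE_TREE.get(url.split("/", 3)[3])


if __name__ == "__main__":
    print("exposed:", probe_git_exposure("https://moodle.example.test/", fake_fetch))
    entries = reflog_entries(SAMPLE_REFLOG)
    for e in entries:
        print(e["date"], e["action"])
    print("versions:", checked_out_versions(entries))
```

Run it live with probe_git_exposure("https://host/") and the default fetch. The mitigation is a deny rule at the web server, placed in the server-wide configuration rather than in one virtual host, because the report shows the same document root answering under four names (vmbhatotia124.in.tum.de, vmbhatotia124.cs.tum.edu, moodle.ase.in.tum.de, moodle.ase.cs.tum.edu): in Apache 2.4 a <DirectoryMatch "/\.git"> block with Require all denied, in nginx location ~ /\.git { deny all; }. After the change, re-run the probe for every name and expect an empty list; a 403 and a 404 both count as fixed, a 200 with a catch-all page does not need to be excluded because the content check already ignores it.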