Flymusic Penetration Testing Report V1.1 [614185]

CONFIDENTIAL
EVALUATION AND SECURITY REVIEW FOR FLYMUSIC

Report restrictions: This report contains confidential information about FlyMusic, its employees and its information systems.

Fly Music Penetration Testing Security Assessment
CONTENTS
1. Methodology
2. Vulnerability Classification
3. Vulnerabilities Discovered Overview
4. Executive Summary and Recommendations
5. Finding Details
6. Recommendations

1. METHODOLOGY

Our penetration testing methodology is described in the steps below:

1. Planning phase
   1. The scope and strategy of the assignment are determined.
   2. Existing security policies and standards are used to define the scope.
2. Discovery phase
   1. Collect as much information as possible about the system, including data in the system, user names and even passwords. This is also called fingerprinting.
   2. Scan and probe the ports.
   3. Check the system for vulnerabilities.
3. Attack phase (optional)
   1. Find exploits for the various vulnerabilities. The necessary privileges are required to exploit the system.
4. Reporting phase
   1. The report must contain detailed findings.
   2. The risks of the vulnerabilities found and their impact on the business.
   3. Recommendations and solutions, if any.

2. VULNERABILITY CLASSIFICATION

High Risk: The vulnerability represents a grave problem which requires immediate attention. It constitutes a major risk that can lead to serious security breaches, financial and image losses as well as prolonged service interruptions.

Medium Risk: Represents a moderate risk and requires remediation in a reasonable amount of time. The impact is limited, but insufficient security controls may lead to a more serious breach.

Low Risk: Low risk and priority, usually referring to routine operations. No major impact on security.

Informational: Represents an observation whose impact could not be determined for the moment, but which must be brought to the attention of the company.

3. VULNERABILITIES DISCOVERED OVERVIEW

Below is a summary of the findings discovered:

4. EXECUTIVE SUMMARY AND RECOMMENDATIONS

This by no means constitutes an exhaustive list of vulnerabilities or attack avenues, but it provides a good baseline for the vectors most external attackers would target.

Scope: The assessment focused on the FlyMusic public infrastructure. The attacker was modeled as a regular Internet user with no prior knowledge of the company. The only information provided was the website address fly-music.ro. The specific systems and subnets tested are indicated in the next section, "Target Systems". The findings in this report reflect the conditions found during the testing and do not necessarily reflect current conditions.

Target Systems: The following table lists all external IPs that were targeted during this assessment:

IP ADDRESSES
176.126.202.126

We identified the following websites/URLs:
• fly-music.ro
• blog.fly-music.ro
• muzikia.ro
• netmusic.ro
• fly-music.hu
• flysound.ro
• axinti.ro

Overview: During our penetration test we discovered several vulnerabilities, described in this report. We did not exploit the findings, but these vulnerabilities would have had a major impact on day-to-day activities had they been exploited by a malicious attacker. During the assessment we did not perform DDoS testing. An internal assessment was also not carried out. Furthermore, the findings in this report reflect the conditions found during our testing and do not necessarily reflect current conditions.

5. FINDING DETAILS

5.1 Clear text submission of password
Resource(s) affected: fly-music.ro, blog.fly-music.ro, muzikia.ro, netmusic.ro, fly-music.hu, flysound.ro
Description: The application allows user login without encryption (TLS). This means user credentials can be sniffed by an attacker who is suitably positioned on the network.
Recommendation: Use SSL/TLS on the entire website.

5.2 Password disclosure: insecure password reset action
Resource(s) affected: fly-music.ro, muzikia.ro, netmusic.ro, fly-music.hu
Description: When a user resets an account password, an email is sent. The email contains the password in clear text.
Recommendation: Force the user to change the password on the first login after a password reset.

5.3 Reset password link validity
Resource(s) affected: fly-music.ro, muzikia.ro, netmusic.ro, fly-music.hu
Description: When a user resets an account password, an email with a password reset link is sent. This link has no expiration date and can be reused several times.
Recommendation: Disable the password reset link after it is used or after a short period of time.

5.4 Weak password policy
Resource(s) affected: fly-music.ro, muzikia.ro, netmusic.ro, fly-music.hu
Description: The enforced password policy is very weak.
Recommendation: Enforce a strong password policy. Implement a two-factor authentication system.

5.5 cPanel administration interface publicly accessible
Resource(s) affected: 176.126.202.126, port 2083
Description: The cPanel interface is publicly available.
Recommendation: Restrict access to the interface from the Internet.

5.6 LightSpeed Webconsole publicly accessible – SOLVED
Resource(s) affected: 176.126.202.126, port 7080
Description: The LightSpeed Webconsole interface is publicly available.
Recommendation: Restrict access to the interface from the Internet.

5.7 WordPress administration page publicly accessible
Resource(s) affected: blog.fly-music.ro
Description: The WordPress administration interface is publicly available.
Recommendation: Restrict access to the interface from the Internet.
5.8 Brute-forcible login
Resource(s) affected: fly-music.ro, fly-music.hu, flysound.ro, muzikia.ro, netmusic.ro, blog.fly-music.ro
Description: There is no protection against automated login attempts. A large number of authentication attempts can be performed at a fast rate.
Recommendation: Limit the number of authentication attempts by:
• enforcing a strong password policy;
• using CAPTCHA functionality to limit automated login attempts;
• blocking IP addresses that perform many login attempts in a short amount of time;
• blocking accounts for a limited period of time.
Additional information: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
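As an added illustration of the throttling this recommendation describes (this is not code from the report or from the assessed sites), the following Python class counts failed logins per account and per source IP in a sliding window and applies a temporary block; the thresholds and window lengths are assumed values.

```python
"""Login throttling: per-account and per-source-IP limits (added example)."""
import time
from collections import defaultdict, deque

# Assumed policy values; tune them for the application.
MAX_FAILURES_PER_ACCOUNT = 5      # failures before the account is locked
MAX_FAILURES_PER_IP = 20          # failures before the source IP is blocked
WINDOW_SECONDS = 300              # sliding window in which failures are counted
LOCKOUT_SECONDS = 900             # length of a temporary block


class LoginThrottle:
    """Tracks failed logins in a sliding window and applies temporary blocks."""

    def __init__(self):
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._blocked_until = {}              # key -> time the block expires

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_blocked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(key)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(key, None)    # block expired: forget it
        return False

    def allow_attempt(self, username, ip, now=None):
        """False when either the account or the source IP is currently blocked."""
        now = time.time() if now is None else now
        return not (self.is_blocked("user:" + username.lower(), now)
                    or self.is_blocked("ip:" + ip, now))

    def record_failure(self, username, ip, now=None):
        """Count one failed login against both the account and the IP."""
        now = time.time() if now is None else now
        for key, limit in (("user:" + username.lower(), MAX_FAILURES_PER_ACCOUNT),
                           ("ip:" + ip, MAX_FAILURES_PER_IP)):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= limit:
                self._blocked_until[key] = now + LOCKOUT_SECONDS
                q.clear()

    def record_success(self, username, ip, now=None):
        """A successful login clears the account's failure history."""
        self._failures.pop("user:" + username.lower(), None)
```

The IP counter is kept across accounts so that one source spraying many usernames is blocked even though no single account reaches its limit.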
5.9 Brute force attack against WordPress XML-RPC
Resource(s) affected: http://blog.fly-music.ro/xmlrpc.php
Description: The main weaknesses associated with XML-RPC are:
• Brute force attacks: attackers try to log in to WordPress through xmlrpc.php with as many username/password combinations as they can enter.
• Denial of service attacks via pingback: attackers can send pingback requests through xmlrpc.php.
Recommendation: Restrict access to xmlrpc.php.

5.10 Outdated PrestaShop version
Resource(s) affected: fly-music.ro, fly-music.hu, flysound.ro, muzikia.ro, netmusic.ro
Description: We identified that the online shops above are running an outdated version of PrestaShop. PrestaShop version: 1.5.6.2
Recommendation: Update to the latest stable PrestaShop version.
5.11 Outdated software with multiple vulnerabilities
Resource(s) affected: 176.126.202.126
Description: During the penetration test we discovered that the server is running the following software versions:
• Linux 2.6.32
• BIND 9.8.2rc1
• Exim 4.89_1
The vulnerabilities for these software versions are listed below:
• BIND 9.8.2rc1: https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html
  - ISC BIND: A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs (CVE-2013-6230)
  - ISC BIND: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9 (CVE-2012-3817)
  - ISC BIND: A specially crafted Resource Record could cause named to terminate (CVE-2012-4244)
  - ISC BIND: Specially crafted DNS data can cause a lockup in named (CVE-2012-5166)
  - ISC BIND: BIND 9 servers using DNS64 can be crashed by a crafted query (CVE-2012-5688)
  - ISC BIND: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named (CVE-2013-2266)
  - ISC BIND: A specially crafted query can cause BIND to terminate abnormally (CVE-2013-4854)
  - ISC BIND: A Defect in Delegation Handling Can Be Exploited to Crash BIND (CVE-2014-8500)
  - ISC BIND: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure (CVE-2015-5477)
  - ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)
  - ISC BIND: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c (CVE-2015-5722)
  - ISC BIND: Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request (CVE-2016-2776)
  - ISC BIND: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ (CVE-2012-5689)
• Linux 2.6.32: https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/version_id-91578/Linux-Linux-Kernel-2.6.32.html
• Exim 4.89_1: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/version_id-216694/Exim-Exim-4.89.html
Recommendation: Upgrade the software versions.

5.12 Use of self-generated SSL certificates
Resource(s) affected: 176.126.202.126, port 7080
Description: While both self-signed SSL certificates and certificates signed by a trusted Certificate Authority offer encryption, they are not equal. The biggest problem with a self-signed certificate is the man-in-the-middle attack. Even if the user is 100% sure that he is on the correct site and completely trusts it (an email server in our case), someone could intercept the connection and present him with their own self-signed certificate. The user would think that he is using a secure connection to his email server, but he is really using a secure connection to an attacker's email server. The perpetrator could discover the user's login credentials and much other sensitive information. Users accustomed to ignoring warnings on internal sites may be inclined to ignore warnings on public sites as well, leaving them, and your organization, vulnerable to malware and other threats. A certificate signed by a trusted CA produces no browser warnings; instead the browser displays all the visual indicators that come with a working SSL certificate: the user sees the padlock and either a green HTTPS or a green address bar with the organization's name in it. These all indicate that the website is safe.
Recommendation: Purchase an SSL certificate or use Let's Encrypt.
5.13 Multiple SSL vulnerabilities
Resource(s) affected: 176.126.202.126
Description: Old SSL versions are in place. The above IP runs outdated SSL versions which are vulnerable to the issues detailed below:
• X.509 certificate subject CN does not match the entity name – port 993 – severe
• TLS/SSL server supports anonymous cipher suites with no key authentication – ports 993, 995 – severe
• TLS/SSL server supports DES and IDEA cipher suites – ports 993, 995 – severe
• TLS/SSL server is enabling the BEAST attack – ports 993, 005, 2078, 443, 2096, 465, 7080 – severe
• TLS/SSL birthday attacks on 64-bit block ciphers (SWEET32) – ports 993, 995, 443 – severe
• TLS/SSL server supports RC4 cipher algorithms (CVE-2013-2566) – ports 993, 995 – severe
• TLS server supports TLS version 1.0 – ports 993, 005, 2078, 443, 2096, 465, 7080, 587, 110 – severe
• TLS server supports TLS version 1.1 – ports 993, 005, 2078, 443, 2096, 465, 7080, 587, 110 – severe
• TLS/SSL server supports the use of static key ciphers – ports 993, 005, 2078, 443, 2096, 465, 7080 – severe
Recommendation: Disable support for encryption protocol versions that are known to be vulnerable. Update the systems. See more at: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
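An added example (not from the report) of checking a TLS server configuration for exactly the classes of weakness listed in this finding: anonymous suites, static RSA key exchange, RC4, the 64-bit block ciphers behind SWEET32, and a protocol floor below TLS 1.2. It works on OpenSSL's cipher description strings via Python's ssl module, and the sample descriptions are constructed, not captured from the assessed host.

```python
"""Audit TLS cipher suites for the weaknesses in finding 5.13 (added example)."""
import re
import ssl

# Patterns matched against OpenSSL's cipher description ("Kx=... Au=... Enc=...").
WEAK_RULES = (
    (r"Au=None", "anonymous cipher suite (no key authentication)"),
    (r"Kx=RSA\b", "static RSA key exchange (no forward secrecy)"),
    (r"Enc=RC4", "RC4 (CVE-2013-2566)"),
    (r"Enc=(3DES|DES)\b", "DES/3DES, 64-bit blocks (SWEET32)"),
    (r"Enc=IDEA", "IDEA, 64-bit blocks (SWEET32)"),
)


def audit_descriptions(descriptions):
    """Return (cipher_name, reason) pairs for every weak suite in the list."""
    findings = []
    for desc in descriptions:
        name = desc.split()[0]
        for pattern, reason in WEAK_RULES:
            if re.search(pattern, desc):
                findings.append((name, reason))
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext: its enabled suites plus the protocol floor."""
    findings = audit_descriptions(c["description"] for c in ctx.get_ciphers())
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("protocol", "TLS 1.0/1.1 still enabled (BEAST etc.)"))
    return findings


def hardened_server_context():
    """Server context allowing only TLS >= 1.2 and forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


# Constructed sample descriptions in OpenSSL's format (not from the target).
SAMPLE_DESCRIPTIONS = [
    "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1",
    "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1",
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
]

if __name__ == "__main__":
    for name, reason in audit_descriptions(SAMPLE_DESCRIPTIONS):
        print(name, "->", reason)
    print("hardened context findings:", audit_context(hardened_server_context()))
```

The same audit can be pointed at a live service by feeding it the suites a scanner reports; the mismatched certificate CN from the finding is a separate certificate check, not a cipher issue.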
5.14 POP3, IMAP and FTP credentials transmitted unencrypted
Resource(s) affected: 176.126.202.126
Description: During the pentest we discovered that the POP3, IMAP and FTP ports were open on 176.126.202.126. When a user retrieves messages using POP3 or IMAP, the client application passes the username and password to the server, which authenticates the user and sends back the messages. If the user is not using SSL/TLS, then the entire conversation, including the messages and credentials, is in plaintext, and anyone watching the network traffic can intercept the entire communication.
Recommendation: Disable POP3, IMAP and FTP plaintext authentication.
5.15 SMTP server VRFY vulnerability
Resource(s) affected: 176.126.202.126 – ports 25, 587
Description: The SMTP VRFY command allows an attacker to verify whether a system can deliver mail to a particular user. This command can be used to learn valid usernames on the targeted system.
Recommendation: Disable the SMTP server EXPN and VRFY commands.
5.16 Username enumeration for online shops
Resource(s) affected: fly-music.ro, fly-music.hu, flysound.ro, muzikia.ro, netmusic.ro
Description: The "create a new account" and "forgot password" pages allow enumeration of valid usernames. When a nonexistent username tries to log in, the server replies with information about whether the account exists. This allows an attacker to guess valid user accounts.
As a proof of concept, the following usernames were discovered:
• admin@fly-music.ro
• tiberiu.horvat@fly-music.ro
• florin@fly-music.ro
• contact@muzikia.ro
• comenzi@netmusic.ro
Recommendation: Use generic error messages that do not allow username guessing, such as "If the account is valid, a password reset was sent to the registered email address".
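An added example (not code from the report or the assessed shops) of a password reset flow that addresses findings 5.2, 5.3 and 5.16 together: the email carries a random single-use token rather than the password, the token expires and is stored only as a hash, and the response is the same whether or not the address is registered. The fifteen-minute lifetime, the example.invalid link and the send_email callable are assumptions.

```python
"""Password reset: expiring single-use token, generic response (added example)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumed validity window for a reset link
GENERIC_MESSAGE = ("If the account is valid, a password reset was sent to "
                   "the registered email address.")


def _digest(token):
    # Only the hash is stored, so a database leak does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, registered_emails, send_email):
        self._accounts = {e.lower() for e in registered_emails}
        self._send = send_email                  # callable(email, link); assumed
        self._pending = {}                       # token digest -> (email, expires_at)

    def request_reset(self, email, now=None):
        """Return the same message for known and unknown addresses (5.16)."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self._accounts:
            token = secrets.token_urlsafe(32)    # 256 random bits, unguessable
            self._pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
            # The mail carries only the link, never the password itself (5.2).
            self._send(email, "https://example.invalid/reset?token=" + token)
        return GENERIC_MESSAGE

    def redeem(self, token, now=None):
        """Consume a token; valid exactly once and only before expiry (5.3).

        Returns the account email on success so the caller can set the new
        password, or None if the token is unknown, already used or expired.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(token), None)   # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        # Invalidate any other outstanding tokens for the same account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        return email
```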
5.17 WordPress username disclosure
Resource(s) affected: http://blog.fly-music.ro
Description: We were able to obtain the login usernames:
• flyadmin
• alex-tomafly-music-ro
• marius-aluncaritefly-music-ro
• eduard-hincufly-music-ro
• florin-luchian
• tiberiu-horvat
• alin-vatavu
Recommendation: Secure WordPress so that it does not leak login usernames.
5.18 Outdated software: LiveZilla
Resource(s) affected: www.fly-music.ro/livesupport/index.php
Description: During the engagement we discovered that the LiveZilla version is 3.1.8.5. This version has numerous vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-10386/Livezilla.html
Recommendation: Upgrade the software version.
5.19 Cookie security
Resource(s) affected: http://www.fly-music.ro/, http://www.muzikia.ro/, http://www.netmusic.ro/, http://www.fly-music.hu/, http://www.flysound.ro/
Description: During the penetration test we discovered that cookies are not configured with both the "secure" and "httpOnly" flags. The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. Its purpose is to prevent cookies from being observed by unauthorized parties due to transmission of the cookie in clear text. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie.
Recommendation: Set cookies with the "secure" and "httpOnly" flags.
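An added example (not from the report) of the check behind this finding: it parses Set-Cookie header values and reports which cookies lack the Secure or HttpOnly attribute. The sample headers are constructed, not captured from the listed sites.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags (added example)."""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, set of lower-cased attribute names) for one header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; value-carrying ones keep only the name.
    attrs = {attr.split("=", 1)[0].strip().lower() for attr in parts[1:] if attr}
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Map each cookie name to the list of required flags it is missing."""
    missing = {}
    for value in set_cookie_headers:
        name, attrs = parse_set_cookie(value)
        absent = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if absent:
            missing[name] = absent
    return missing


# Constructed sample response headers (not captured from the assessed shops).
SAMPLE_HEADERS = [
    "PrestaShop-abc123=Zm9v; expires=Wed, 29 May 2019 08:50:10 GMT; path=/",
    "wordpress_logged_in_x=bar; path=/; HttpOnly",
    "session=ok; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "is missing:", ", ".join(flags))
```

The Secure flag only helps once the sites themselves are served over HTTPS (finding 5.1); a browser will not send a Secure cookie over plain HTTP at all.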
5.20 Information disclosure: default installation files
Resource(s) affected: http://www.fly-music.ro/README.md, http://www.muzikia.ro/README.md, http://www.netmusic.ro/README.md, http://www.fly-music.hu/README.md, http://www.flysound.ro/README.md, http://blog.fly-music.ro/readme.html
Description: Default installation files can give an attacker information about the target.
Recommendation: Remove default installation files.

5.21 Remove unused scripts
Resource(s) affected: http://fly-music.ro/track.php
Description: Unused scripts could offer attackers important information that could be used in different attacks.
Recommendation: Remove unused scripts.

5.22 Information disclosure: banner grabbing
Resource(s) affected: 176.126.202.126
Description: Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. An intruder can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. The following banners were observed:
220-extreme01.octosquid.com ESMTP Exim 4.89_1 #1 Tue, 08 May 2018 08:50:10 +0300
220–––- Welcome to Pure-FTPd [privsep] [TLS] –––-
Recommendation: Remove banners from all published ports.

5.23 Information leakage: LightSpeed fingerprint – SOLVED
Resource(s) affected: https://fly-music.ro:7080/docs/webconsole.html
Description: From default installation files we were able to discover the LightSpeed version.
Recommendation: Remove default installation files.

6. RECOMMENDATIONS

To protect against the vulnerabilities discovered, we recommend the following:
• Protect the internal network and the web applications with a Web Application Firewall, a Next Generation Firewall and an Intrusion Detection/Prevention System.
• Implement a secure cabled and wireless network in all physical locations.
• Keep all software up to date.
• Train employees regarding social engineering attacks.

For the first two we recommend an integrated solution from Fortinet. FortiWeb's web application firewalls provide advanced features that defend web applications from known and zero-day threats. Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your web-based applications. At the heart of FortiWeb is its behavior-based detection engine, which intelligently detects threats that stray from normal patterns and takes action to block attackers before they can do any damage. Fortinet WAF technology:
• maximizes the detection and catch rate for known and unknown threats;
• minimizes false alerts (false positives) and adapts to continually evolving web applications;
• ensures broader adoption through ease of use and minimal performance impact;
• protects the layers behind the web application (the web server itself, the technologies used to create the web applications, etc.). For example, PHP and Java have vulnerabilities, but these are not tools you can always update, as doing so could break the actual application.

FortiGate firewalls provide high performance, consolidated advanced security and granular visibility for broad protection across the entire digital attack surface. FortiGate enterprise firewalls reduce complexity and improve the overall security posture by providing full visibility into users, devices, applications and threats on the network, with the ability to apply advanced threat protection anywhere in the network. Fortinet Wi-Fi solutions can upgrade the security of the internal network. They integrate seamlessly with the FortiGate firewall to provide full protection for users.
