Scan report for "esasampoerna.com"

Membership level: Free member
Nikto scan (max 60 sec) (nikto -host esasampoerna.com -maxtime 60)
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          104.236.202.132
+ Target Hostname:    esasampoerna.com
+ Target Port:        80
+ Start Time:         2024-07-11 01:21:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.9.
+ Root page / redirects to: /eng/home/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.7 appears to be outdated (current is at least 2.4.58). Apache 2.2.34 is the EOL for the 2.x branch.
+ /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist.
+ /prd.i/pgen/: Has MS Merchant Server 1.0.
+ /cms/typo3conf/: This may contain sensitive TYPO3 files.
+ /site/typo3conf/: This may contain sensitive TYPO3 files.
+ /typo/typo3conf/: This may contain sensitive TYPO3 files.
+ /typo3/typo3conf/: This may contain sensitive TYPO3 files.
+ /webcart/carts/: This may allow attackers to read credit card data. Reconfigure to make this dir not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /webcart/config/: This may allow attackers to read credit card data. Reconfigure to make this dir not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /webcart/orders/: This may allow attackers to read credit card data. Reconfigure to make this dir not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /_vti_txt/_vti_cnf/: FrontPage directory found.
+ /level/16/exec/: CISCO HTTP service allows remote execution of commands. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0537
+ /com/novell/: Novell web server allows directory listing. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2106
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ /phpMyAdmin/changelog.php:X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /phpMyAdmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 0.
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /site/iissamples/: This might be interesting.
+ /adv/gm001-mc/: This might be interesting: has been seen in web logs from an unknown scanner.
+ /moregroupware/modules/webmail2/inc/: This might be interesting: has been seen in web logs from an unknown scanner.
+ /_private/_vti_cnf/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_bin/_vti_cnf/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_cnf/_vti_cnf/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_log/_vti_cnf/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /webapp/admin/_pages/_bc4jadmin/: Oracle JSP files. See: CWE-552
+ /_pages/_demo/: Oracle JSP file. See: CWE-552
+ /_pages/_webapp/_jsp/: Oracle JSP file. See: CWE-552
+ /_pages/_demo/_sql/: Oracle JSP file. See: CWE-552
+ /OA_HTML/_pages/: Oracle JSP file. See: CWE-552
+ /OA_HTML/META-INF/: Oracle Applications portal pages found.
+ /OA_JAVA/Oracle/: Oracle Applications portal pages found.
+ /OA_HTML/jsp/: Oracle Applications portal page found. See: CWE-552
+ /cehttp/property/: Sterling Commerce Connect Direct configuration files.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://cirt.net/public/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /v2/painel/: Admin login page/section found.
+ /wordpress/wp-admin/: Admin login page/section found.
+ /wordpress/wp-login/: Admin login page/section found.
+ /3rdparty/phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /3rdparty/phpmyadmin/: phpMyAdmin directory found.
+ /.tools/phpMyAdmin/current/: phpMyAdmin directory found.
+ /adfs/ls/?wa=wsignout1.0: Active Directory Federation Services sign out page found.
+ /adfs/ls/?wa=wsignin1.0&wtrealm=http://www.cirt.net/: Active Directory Federation Services sign in page found.
+ /adfs/services/trust/proxymexhttpget/: Active Directory Federation Services page found. See: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview
+ /FederationMetadata/2007-06/: Active Directory Federation Services page found. See: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview
+ /dyn/admin/: Admin page found; possibly Oracle ATG.
+ /manage/Logs/: Covertix SmartCipher Console Login and Web Service Log directory detected.
+ /_layouts/images/: FrontPage/Sharepointfile available.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ 7962 requests: 0 error(s) and 59 item(s) reported on remote host
+ End Time:           2024-07-11 01:21:34 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Color Scheme
Target
esasampoerna.com
Scan method
Nikto scan (max 60 sec)
Run command
nikto -host esasampoerna.com -maxtime 60
Scan time
31s
Quick report
Order full scan ($79/one time)
Scan date
11 Jul 2024 01:21
Copy scan report
Download report
Remove scan result
$
Some firewalls blocks Nikto. For get true positive results add nikto.online IP addresses (172.96.166.66-172.96.166.70 or CIDR 172.96.166.64/29) to the whitelist
[scan_method]
Visibility:
Scan method: