Our company website (www.acuigen.com) is currently using DNN version 08.00.00 (809). We host the site using IIS 8.5.
Recently we had a full external IP scan done using Nessus and it came back with some Low/Medium results for the website. As I don't have much knowledge of web development issues or how to fix them, it would be fantastic if some experts could have a look at these and give some support/solutions. I have access to the SuperUser account and I'm looking to re-mediate these issues ASAP.
1. CGI Generic HTML Injections (quick test)
Severity: 2 / Medium
The remote web server hosts CGI scripts that fail to adequately sanitize request
able to cause arbitrary HTML to be executed in a user's browser within the
security context of the affected site. The remote web server may be vulnerable
to IFRAME injections or cross-site scripting attacks : - IFRAME injections allow
'virtual defacement' that might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks. - XSS are extensively tested
by four other scripts. - Some applications (e.g. web forums) authorize a subset
of HTML without any ill effect. In this case, ignore this warning.
2. Nuked-Klan index.php Multiple Module Vulnerabilities
Severity: 2 /
Description: Nuked-klan 1.3b fails to sanitize
user-supplied input to several parameters before using them in the 'Team',
'News', and 'Liens' modules to display dynamic HTML. An attacker may leverage
these issues to launch cross-site scripting attacks against the affected host.
In addition to this, another flaw may allow an attacker to obtain the physical
path of the directory in which the application is installed.
3. phpCMS parser.php file Parameter XSS
Severity: 2 /
Description: The remote host runs phpCMS, a content
management system written in PHP. This version is vulnerable to cross-site
scripting due to a lack of sanitization of user-supplied data in parser.php
script. Successful exploitation of this issue may allow an attacker to execute
malicious script code on a vulnerable server.
4. Web Server HTTP Header Internal IP Disclosure (is this one to do with DNN? I can look into the IIS or Firewall settings if need be)
Severity: 1 /
Description: This may expose internal IP addresses that
are usually hidden or masked behind a Network Address Translation (NAT) Firewall
or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its
default configuration. This may also affect other web servers, web applications,
web proxies, load balancers and through a variety of misconfigurations related
If anyone has any solutions to the 4 numbered problems, then please reply to this thread or PM me directly.