After migrating my site to another cloud, I ran a few tests (again) and the results… are bad!
A few highlights of what I have found, including domain, server and software vulnerabilities.
https://pentest-tools.com/website-vulnerability-scanning/website-scanner#
Overall risk level: High
| Risk Level | CVSS | CVE | Summary | Exploit | Affected software |
|---|---|---|---|---|---|
| | 7.5 | CVE-2020-11984 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | N/A | http_server 2.4.38 |
| | 7.5 | CVE-2021-26691 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | N/A | http_server 2.4.38 |
| | 7.2 | CVE-2019-0211 | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. | N/A | http_server 2.4.38 |
| | 6.8 | CVE-2020-35452 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow | N/A | http_server 2.4.38 |
| | 6.4 | CVE-2019-10082 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. | N/A | http_server 2.4.38 |
Fix: update the Apache HTTP Server to a newer version.
Directory listing is enabled
Fix: add the following lines to the Apache configuration. In this case they go in the "/etc/apache2/sites-available/default-ssl.conf" file:
<Directory /{YOUR DIRECTORY}>
    # Options replaces the whole option list, so leaving out Indexes disables directory listing
    Options FollowSymLinks
</Directory>
Hide server information
Show only the minimum details about the server and the technologies used by the website.
Apache server setting: ServerTokens Prod, so the Server HTTP header reports only the product name and no version.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
Security headers: X-Frame-Options
"Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'."
One of these headers has to be set on every page; otherwise another site can embed the page in a frame and overlay it (clickjacking).
The domain lacks a DMARC policy.
Without it, anyone can send emails that appear to come from the domain.
Fix: publish a DMARC record (a DMARC generator can produce one).
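A small offline check for the four findings above, written as an added example (it is not the scanner's code and not part of the original post): it inspects a response's headers and body for a leaked Server version, missing clickjacking protection and an Apache directory listing, and the `_dmarc` TXT records for a missing or non-enforcing policy. The headers, body and TXT records below are constructed samples; fetching them from a live host is left to the caller.

```python
import re

# Added example, not from the original post or the scanner: offline checks for the
# findings discussed above. Inputs are passed in, so captured responses can be fed
# in directly; the samples under __main__ are constructed.

def check_headers(headers):
    """Findings derived from one HTTP response's headers (keys matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # ServerTokens Prod leaves the Server header as a bare product name; any digit
    # means a version string (the basis of the CVE matching above) is being leaked.
    if re.search(r"\d", h.get("server", "")):
        findings.append("server-version-disclosed")
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    # Either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive is
    # enough; neither present is exactly the scanner's clickjacking finding.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking-unprotected")
    return findings

def check_body_for_listing(body):
    """True if the body looks like Apache's autoindex page (directory listing enabled)."""
    return re.search(r"<title>\s*Index of /", body, re.IGNORECASE) is not None

def check_dmarc(txt_records):
    """txt_records: TXT strings found at _dmarc.<domain>. Returns a finding or None."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "dmarc-missing"
    tags = {}
    for tag in dmarc[0].split(";"):
        if "=" in tag:
            k, v = tag.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    # p=none only monitors; spoofed mail is still delivered.
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return "dmarc-policy-not-enforcing"
    return None

if __name__ == "__main__":
    # Constructed sample data resembling the pre-fix state described in the post.
    sample_headers = {"Server": "Apache/2.4.38 (Debian)", "Content-Type": "text/html"}
    sample_body = "<html><head><title>Index of /uploads</title></head><body></body></html>"
    sample_txt = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
    print("headers:", check_headers(sample_headers))
    print("listing:", check_body_for_listing(sample_body))
    print("dmarc:", check_dmarc(sample_txt))
```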