---
# ChopChop scan configuration (page metadata names the file chopchop.yml).
# NOTE(review): `insecure` presumably controls TLS certificate verification for the
# scanner's own requests — keep it false; only flip it deliberately for a target with
# a self-signed certificate, and never commit it as true. Confirm against the scanner docs.
insecure: false
# Each plugin is one request path (`endpoint`) plus a list of `checks`. A check reports
# when every constraint it declares holds: `status_code` (exact code), `headers`
# ("Name:value" strings as written below), `match` (body substrings — appears to be
# any-of, since a separate `all_match` key exists), `all_match` (every substring) and
# `no_match` (none of the substrings). Inferred from how the checks are written; verify
# against the scanner's documentation before relying on the semantics.
plugins:
# Keep this plugin first: the original author warns that moving it causes client
# timeouts. That warning is also embedded in the description string below, so it
# shows up in reports — keep only this comment if that is unwanted.
- endpoint: '/status.shtml'
  checks:
  - name: GENEREX UPS
    severity: "Medium"
    description: GENEREX UPS is accessible | don't move this rule to avoid client timeout
    remediation: Make sure that GENEREX UPS access is restricted & monitored
    match:
    - 'UPS Status:'
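# Checks run against the site root. Most are fingerprints (banner, title or asset
# strings); only a few assert an actual weakness. Review fixes: `name :` / `no_match :`
# key spacing, an unquoted severity that differed from the rest of the file, and the
# "maintened" typo in the IIS remediation text.
- endpoint: "/"
  checks:
  # NOTE(review): `no_match` pins a single asset version, so any GLPI release other
  # than 9.5.3 — including every newer one — is reported as vulnerable at High
  # severity. The pinned list must be maintained per release or this check yields
  # false positives on patched instances.
  - name: GLPI vulnerable version
    match:
    - '<title>GLPI - Authentification</title>'
    - 'title="Powered by Teclib and contributors" class="copyright">GLPI Copyright'
    no_match:
    - 'src="/public/lib/base.min.js?v=9.5.3"'
    remediation: Upgrade GLPI in latest version
    description: GLPI vulnerable version detected
    status_code: 200
    severity: "High"
  - name: PACS NGI GXD5
    match:
    - '<title>GXD5 Pacs Connexion utilisateur</title>'
    remediation: Make sure that PACS NGI GXD5 access is restricted & monitored
    description: PACS NGI GXD5 detected
    status_code: 200
    severity: "High"
  - name: AudioCodes SIP Gateway
    match:
    - 'AudioCodes'
    - '<H2>Web Login</H2>'
    remediation: Make sure that AudioCodes SIP Gateway access is restricted & monitored
    description: AudioCodes SIP Gateway detected
    severity: "Informational"
  # Server-banner fingerprints: a stripped or spoofed Server header defeats these.
  - name: HP Printer
    headers:
    - "Server:Virata-EmWeb/R6_2_1"
    remediation: Make sure that HP Printer access is restricted & monitored
    description: HP Printer is accessible
    status_code: 200
    severity: "Low"
  - name: Printer (Lexmark, Dell, Toshiba, Sindoh)
    headers:
    - "Server:Lexmark_Web_Server"
    remediation: Make sure that Printer access is restricted & monitored
    description: Printer (Lexmark, Dell, Toshiba, Sindoh) is accessible
    status_code: 200
    severity: "Low"
  # NOTE(review): IIS 7.0 is the Windows Server 2008 release and IIS 7.5 the 2008 R2
  # release; IIS 6.0 (the "Iis" check further down) is Server 2003. The "2003/2008"
  # wording in the two descriptions below is approximate.
  - name: Microsoft-IIS/7.0 - Windows Server 2003/2008
    headers:
    - "Server:Microsoft-IIS/7.0"
    remediation: Upgrade to maintained version
    description: Microsoft-IIS/7.0 - Windows Server 2003/2008
    severity: "Informational"
  - name: Microsoft-IIS/7.5 - Windows Server 2003/2008
    headers:
    - "Server:Microsoft-IIS/7.5"
    remediation: Upgrade to maintained version
    description: Microsoft-IIS/7.5 - Windows Server 2003/2008
    severity: "Informational"
  - name: GE ViewPoint
    match:
    - '<title>ViewPoint System Status'
    remediation: Make sure that GE ViewPoint System Status access is restricted & monitored
    description: GE ViewPoint System Status is accessible / sensitive information leaking
    status_code: 200
    severity: "Low"
  - name: Ascom IP-DECT Base Station
    match:
    - '<select product="Ascom IP-DECT Base Station"'
    remediation: Make sure that Ascom IP-DECT Base Station access is restricted & monitored
    description: Ascom IP-DECT Base Station is accessible
    status_code: 200
    severity: "Informational"
  - name: EMC Unisphere
    match:
    - 'Unisphere<br>'
    remediation: Make sure that EMC Unisphere access is restricted & monitored
    description: EMC Unisphere is accessible
    status_code: 200
    severity: "Low"
  - name: F-Secure Policy Manager Server
    match:
    - '<title>F-Secure Policy Manager Server</title>'
    remediation: Make sure that F-Secure Policy Manager Server access is monitored
    description: F-Secure Policy Manager Server is accessible
    status_code: 200
    severity: "Informational"
  - name: Apache2 Debian Default Page
    match:
    - '<title>Apache2 Debian Default Page: It works</title>'
    remediation: Remove the symbolic link from the Apache default configuration
    description: Detects the presence of a default Apache page
    severity: "Informational"
  - name: Cisco IOS
    headers:
    - "Server:cisco-IOS"
    remediation: Make sure that Cisco IOS access is restricted & monitored
    description: Cisco IOS is accessible
    severity: "Low"
  - name: Odin
    match:
    - '<h1 title="Operations Automation">'
    remediation: Make sure that Odin service automation access is restricted & monitored
    description: Odin service automation is accessible
    severity: "Informational"
  - name: Nordex Control
    headers:
    - "Server:Jetty/3.1.8 (Windows 2000 5.0 x86)"
    remediation: Make sure that Nordex Control access is restricted & monitored
    description: Nordex Control is accessible
    severity: "Low"
  - name: EIG GaugeTech Electricity Meter
    headers:
    - "Server:EIG Embedded Web Server"
    remediation: Make sure that EIG GaugeTech Electricity Meter access is restricted & monitored
    description: EIG GaugeTech Electricity Meter is accessible
    severity: "Low"
  - name: Weave Scope
    match:
    - '<title>Weave Scope</title>'
    remediation: Make sure that Weave Scope access is restricted & monitored
    description: Weave Scope is accessible
    severity: "Medium"
  - name: NETAVIS Observer
    match:
    - '<title>NETAVIS Observer'
    remediation: Make sure that NETAVIS Observer access is restricted & monitored
    description: NETAVIS Observer is accessible
    severity: "Informational"
  # Body substring plus the cache header Jenkins sends on its pages.
  - name: Jenkins
    match:
    - "hudson"
    headers:
    - "Cache-Control:no-cache,no-store,must-revalidate"
    remediation: Monitor access to your jenkins instance.
    description: Checks that the domain is not a Jenkins instance
    severity: "Informational"
  - name: BigIPServer
    headers:
    - "Set-Cookie:BIGipServer"
    remediation: Encrypt sticky cookie to avoid leaking internal IPs
    description: Detects the presence of unencrypted sticky cookies that allow to retrieve internal Ips
    severity: "Medium"
  # Dangling-DNS indicators: the "unclaimed resource" pages hosting providers serve.
  # A body match on the root is a lead, not proof — confirm the CNAME/ALIAS actually
  # points at an unclaimed resource before reporting. Severity was the file's only
  # unquoted value; quoted for consistency (no semantic change).
  - name: TakeOver
    match:
    - "There is no app configured at that hostname"
    - "NoSuchBucket"
    - "No Such Account"
    - "You're Almost There"
    - "a GitHub Pages site here"
    - "this shop is currently unavailable"
    - "There's nothing here"
    - "The site you were looking for couldn't be found"
    - "The request could not be satisfied"
    - "project not found"
    - "Your Cnamesettings"
    - "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it."
    - "Domain mapping upgrade for this domain not found"
    - "The feed has not been found"
    - "This UserVoice subdomain is currently available!"
    remediation: Delete the DNS record as soon as possible
    description: Detects the possibility of DNS Takeover
    severity: "High"
  - name: AsmxWebservices
    match:
    - ".asmx"
    remediation: Monitor that webservices are well monitored.
    description: Checks the presence of webservices in the page
    severity: "Informational"
  - name: Gitlab instance
    match:
    - "GitLab</title>"
    remediation: Make sure that access to Gitlab is properly monitored
    description: Checks if a Gitlab instance exists
    severity: "Low"
  - name: Apache2 Ubuntu Default Page
    match:
    - "Apache2 Ubuntu Default Page"
    remediation: Remove the symbolic link from the Apache default configuration
    description: Detects the presence of a default Apache page
    severity: "Informational"
  # NOTE(review): this only fingerprints Drupal — if `match` is any-of, the bare
  # "drupal" substring alone fires; no version is extracted despite the description.
  - name: Drupal CMS
    match:
    - "drupal"
    - '"sites/'
    - '"core/'
    remediation: Check that the version is the last one available on the vendor's website
    description: Get the Drupal version of the site
    severity: "Low"
  - name: Status Code 500
    status_code: 500
    remediation: Check that the server has not completely fallen into error
    description: Check return code 500
    severity: "Low"
  - name: Iis
    headers:
    - "Server:Microsoft-IIS/6.0"
    remediation: Patch the server as soon as possible
    description: Checks that the server is an IIS 6.0
    severity: "Informational"
  # Directory-listing heuristics; "Index of" also occurs in ordinary page text, so
  # expect some noise and confirm by eye.
  - name: Indexof
    match:
    - "Index of"
    remediation: Implementing rules at the application server level to prevent directory listing
    description: Checks that the domain root does not return a file/folder list
    severity: "Low"
  - name: IndexOf2
    match:
    - "<dir>"
    remediation: Implementing rules at the application server level to prevent directory listing
    description: Checks that the domain root does not return a file/folder list (simple encoding)
    severity: "Low"
  - name: MySQLError
    match:
    - 'You have an error in your SQL syntax'
    remediation: Do not display MySQL errors on web pages
    description: Checks that MySQL errors are not displayed
    severity: "Medium"
  - name: NginxDefaultPage
    match:
    - 'Welcome to nginx!'
    remediation: Delete symbolic link from Nginx default configuration
    description: Checks that the default Nginx site is not accessible
    severity: "Low"
  - name: Osticket
    match:
    - 'Helpdesk software - powered by osTicket'
    remediation: Check that the passwords used are robust
    description: Checks that the domain is not an OS Ticket instance
    severity: "Informational"
  # Raw `<?php` in a served body means source is being returned instead of executed.
  - name: PHP open code
    match:
    - '<?php'
    remediation: Delete unused code and check that PHP is correctly configured
    description: Checks for the presence of code not interpreted by PHP
    status_code: 200
    severity: "Medium"
  - name: PHP fopen function error
    match:
    - 'failed to open stream'
    remediation: Check that the application is running correctly
    description: Detects the presence of php errors via the fopen call
    severity: "Low"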
- endpoint: '/.git/config'
  checks:
  # Any of these INI section headers in a 200 body means repository metadata is being
  # served; from there the object store and any credentials embedded in remote URLs
  # may be recoverable.
  - name: Git exposed
    severity: "High"
    status_code: 200
    description: Checks that the GIT repository is accessible from the site
    remediation: Do not deploy .git folder on production servers
    match:
    - '[branch'
    - '[remote'
    - '[core]'
    - '[user]'
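- endpoint: "/crossdomain.xml"
  checks:
  # A wildcard `domain="*"` lets any Flash/Silverlight origin make credentialed
  # requests to this host. The pattern stops at the closing quote so it also catches
  # `domain="*"/>` and `domain="*" secure="false"/>`, which the previous
  # `domain="*" />` form missed; `domain="*.example.com"` still does not match.
  - name: wildcard
    match:
    - 'domain="*"'
    remediation: Delete wildcards from xml files
    description: Checks for the presence of a crossdomain.xml file with a wildcard for the domain
    severity: "High"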
- endpoint: '/manager/html'
  checks:
  # A 401 challenge is taken as proof that the Manager app is deployed: protected,
  # but reachable and therefore brute-forceable. An unauthenticated 200 on this
  # path would be a far worse finding and is not covered by this check.
  - name: tomcat manager
    severity: "Medium"
    status_code: 401
    description: Checks that under /manager/html the Tomcat administration interface is not accessible
    remediation: Disable this interface in production
- endpoint: '/.htpasswd'
  checks:
  # Heuristic for a raw user:hash file: a 200 body containing a colon and no HTML
  # tags. The `no_match` entries keep custom 200 error pages from triggering it.
  - name: .htpasswd not interpreted
    severity: "Medium"
    status_code: 200
    description: Checks for the presence of an .htpasswd file at the root of the domain
    remediation: Delete file and reset leaky passwords
    match:
    - ':'
    no_match:
    - '<a'
    - '</'
- endpoint: '/.htaccess'
  checks:
  - name: .htaccess not interpreted
    severity: "Low"
    status_code: 200
    description: Checks the presence of an .htaccess file at the root of the domain
    remediation: Check that no sensitive information is present on the .htaccess
    match:
    - 'RewriteRule'
- endpoint: '/idontexist'
  checks:
  # A verbose error page on a guaranteed-missing path reveals paths and handler details.
  - name: detailed 404 page
    severity: "Low"
    status_code: 404
    description: Detects the presence of the verbose mode when in error
    remediation: Delete the verbose mode on the whole application
    match:
    - 'Detailed Error Information'
- endpoint: '/cgi-bin/test/test.cgi'
  checks:
  # The page dumps CGI environment variables (HTTP_ACCEPT). NOTE(review): the
  # remediation attributes the file to Tomcat; confirm which server actually shipped it.
  - name: standard test.cgi page
    severity: "Low"
    status_code: 200
    description: Checks for the presence of a test.cgi file
    remediation: Delete the basic files of a Tomcat installation
    match:
    - 'HTTP_ACCEPT'
- endpoint: '/adminer.php'
  checks:
  # The match appears to be a French-locale page title; other locales may go undetected.
  - name: Adminer php file
    severity: "Low"
    description: Discovery of a PHP file to administer the database
    remediation: Check that only a person with a strong password can use this file
    match:
    - 'Authentification - Adminer'
- endpoint: '/login'
  checks:
  # NOTE(review): `<form action="/login" method="post">` is a generic markup pattern,
  # not specific to Apostrophe — expect this to fire on many unrelated login pages.
  - name: Login Page Apostrophe
    severity: "Informational"
    description: Detects the presence of a login page using the Apostrophe Framework (from Digital Factory)
    remediation: Check that the administration interfaces are well protected
    match:
    - '<form action="/login" method="post">'
  - name: Grafana
    severity: "Informational"
    description: Check access to Grafana administration
    remediation: Check that the passwords used are robust
    match:
    - 'isGrafanaAdmin'
- endpoint: '/user/login'
  checks:
  - name: eZ Publish Admin Panel
    severity: "Low"
    description: Check access to the eZ Publish administration
    remediation: Check that the passwords used are robust
    match:
    - 'Log in to the Administration Interface of eZ Publish'
- endpoint: '/fckeditor/editor/filemanager/browser/default/browser.html'
  checks:
  # An unauthenticated file-manager browser is an upload surface, hence High.
  - name: FckEditor
    severity: "High"
    description: Check access to a wysiwyg fckeditor
    remediation: Put authentication on this form
    match:
    - 'Resources Browser'
- endpoint: '/.idea/workspace.xml'
  checks:
  # IDE workspace files ship with the project tree when the whole checkout is deployed.
  - name: Idea WorkSpace
    severity: "High"
    description: Checks the access of some developer's settings
    remediation: Delete file
    match:
    - '<project'
- endpoint: '/install.php'
  checks:
  - name: Install Script PHP
    severity: "Low"
    description: Checks the presence of a PHP installation script
    remediation: Delete install.php file
    match:
    - 'To start over'
- endpoint: '/administrator'
  checks:
  - name: Joomla admin interface
    severity: "Informational"
    description: Check access to Joomla's administration interface
    remediation: Check that the passwords used are robust
    match:
    - 'action="/administrator/index.php"'
# Active probe: if the target treats this path as a redirect destination, the
# scanner ends up fetching example.com and matching that page's body. Detection
# therefore depends on the client following redirects, and a positive result means
# the scanner contacted a third-party host as a side effect.
- endpoint: '/https://example.com//'
  checks:
  - name: OpenRedirect
    severity: "Low"
    description: Detects the presence of Open Redirect type vulnerabilities
    remediation: Patch open redirect vulnerability
    match:
    - 'Example Domain'
- endpoint: '/phpinfo.php'
  checks:
  # phpinfo() output lists extensions, paths and environment — including any
  # secrets passed as environment variables.
  - name: PHPInfo
    severity: "Low"
    description: Checks that the phpinfo() function is accessible
    remediation: Disable phpinfo() in PHP.ini
    match:
    - 'phpinfo()'
- endpoint: '/phpmyadmin'
  checks:
  - name: PHPMyAdmin
    severity: "Low"
    status_code: 200
    description: Checks that under /phpmyadmin a PHPMyAdmin instance is not accessible
    remediation: Make sure that PHPMyAdmin access is monitored
    match:
    - '<title>phpMyAdmin'
- endpoint: '/server-status'
  checks:
  # mod_status exposes client IPs and request URIs in flight.
  - name: Server Status
    severity: "Low"
    description: Checks that under /server-status of Apache information is accessible
    remediation: Disable this feature in Apache
    match:
    - 'Waiting for Connection'
- endpoint: '/examples/jsp/snp/snoop.jsp'
  checks:
  - name: Snoop
    severity: "Informational"
    description: Detects the presence of snoop.jsp files (default files in a Tomcat install)
    remediation: Delete basic files of a Tomcat installation
    match:
    - 'Request Information'
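# Spring Boot health endpoints, under the current (/actuator/health) and legacy
# (/health) prefixes. Review fix: the two checks carried differently-capitalised
# names ("SPringbootActuator" vs "SpringbootActuator"); they now share one name so
# report output groups them together.
- endpoint: "/actuator/health"
  checks:
  - name: SpringbootActuator
    match:
    - '{"status"'
    headers:
    - "Content-Type:application/json"
    remediation: Disable this feature or protect access
    description: Checks that under /actuator/health information is not disclosed by Springboot
    severity: "Low"
    status_code: 200
- endpoint: "/health"
  checks:
  - name: SpringbootActuator
    match:
    - '{"status"'
    headers:
    - "Content-Type:application/json"
    remediation: Disable this feature or protect access
    description: Checks that under /health information is not disclosed by Springboot
    severity: "Low"
    status_code: 200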
- endpoint: '/.svn/wc.db'
  checks:
  # Detection is by Content-Type only: a server that labels unknown files as
  # octet-stream and returns 200 for this path is enough. A custom 200 "not found"
  # page would not carry that header, so the false-positive rate should be modest.
  - name: SVN db
    severity: "High"
    status_code: 200
    description: Checks if an SVN database is publicly accessible
    remediation: Do not deploy .svn on production servers
    headers:
    - 'Content-Type:application/octet-stream'
- endpoint: '/.svn/entries'
  checks:
  # NOTE(review): `.svn/entries` is a metadata file, not the database, but it reuses
  # the "SVN db" name and description above — fine for grouping, misleading in reports.
  - name: SVN db
    severity: "High"
    status_code: 200
    description: Checks if an SVN database is publicly accessible
    remediation: Do not deploy .svn on production servers
    headers:
    - 'Content-Type:application/octet-stream'
- endpoint: '/web.config'
  checks:
  # An exposed web.config may contain connection strings and machine keys.
  - name: Web Config
    severity: "Low"
    description: Checks that the web.config configuration file of the ASP.net server is not accessible
    remediation: Check that no sensitive information is present in the web.config
    match:
    - '<configuration>'
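# WordPress checks. Review fix: typos in report text ("an.htaccess", "Worpress").
- endpoint: "/wp-login.php"
  checks:
  # `all_match`: both the form action and the wp-core-ui body class must be present.
  - name: Wordpress Login Page
    all_match:
    - 'wp-login.php" method="post"'
    - '<body class="login login-action-login wp-core-ui'
    remediation: Set up an .htaccess to avoid exposing the admin interface unnecessarily
    description: Checks that under /wp-login the Wordpress connection interface is not accessible
    severity: "Informational"
- endpoint: "/wp-links-opml.php"
  checks:
  # The OPML export embeds the generator string, which carries the exact version.
  - name: WpLinksOpml
    match:
    - 'generator="WordPress'
    remediation: Be sure the wordpress uses the latest version
    description: Retrieves the Wordpress version of the site
    severity: "Informational"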
- endpoint: '/jmx-console/'
  checks:
  # The MainDeployer MBean in the index means deployments can be driven from the
  # console; reachable without authentication this is a direct code-execution path.
  - name: JMX Console
    severity: "Medium"
    description: JMX Console displays an index with all available services. Authentication can be bypassed by intruder.
    remediation: Alter configurations to deny external access.
    match:
    - 'service=MainDeployer'
# NOTE(review): this is not a passive fingerprint. The `..;` segment and
# fileRead.jsp actually read /config/bigip.license from the device, so a
# `{"output":` response confirms the traversal works. Run it only against systems
# you are authorised to test and expect it in the appliance's logs.
- endpoint: "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
  checks:
  - name: F5 BIG-IP - CVE-2020-5902
    severity: "High"
    status_code: 200
    description: Remote Code Execution on Administration Web interface TMUI.
    remediation: Apply patch - F5 K52145254
    match:
    - '{"output":'
- endpoint: '/tmui/login.jsp'
  checks:
  # Plain presence check for the management UI; severity is about exposure, not a CVE.
  - name: F5 BIG-IP - TMUI
    severity: "Low"
    description: Checks that under /tmui a F5 BIG-IP TMUI is not accessible
    remediation: Make sure that F5 BIG-IP - TMUI access is monitored
    match:
    - '<title>BIG-IP'
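# Trickbot payload-hosting indicators. Each path has an Apache variant (the file is
# served as image/png) and an Nginx variant (served as octet-stream). NOTE(review):
# these match on Content-Type alone, so any site that happens to serve a PNG at
# /images/imgpaper.png, /images/cursor.png or /images/redcar.png is reported at High
# severity — verify a hit by retrieving the file and checking its actual content
# before treating the host as compromised. Review fix: the Nginx variants now carry
# the same "Possible" prefix as their Apache twins and their descriptions.
- endpoint: "/images/imgpaper.png"
  checks:
  - name: Possible Trickbot Trojan Payload hosting imgpaper.png on Apache
    headers:
    - 'Content-Type:image/png'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/imgpaper.png
    status_code: 200
    severity: "High"
  - name: Possible Trickbot Trojan Payload hosting imgpaper.png on Nginx
    headers:
    - 'Content-Type:application/octet-stream'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/imgpaper.png
    status_code: 200
    severity: "High"
- endpoint: "/images/cursor.png"
  checks:
  - name: Possible Trickbot Trojan Payload hosting cursor.png on Apache
    headers:
    - 'Content-Type:image/png'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/cursor.png
    status_code: 200
    severity: "High"
  - name: Possible Trickbot Trojan Payload hosting cursor.png on Nginx
    headers:
    - 'Content-Type:application/octet-stream'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/cursor.png
    status_code: 200
    severity: "High"
- endpoint: "/images/redcar.png"
  checks:
  - name: Possible Trickbot Trojan Payload hosting redcar.png on Apache
    headers:
    - 'Content-Type:image/png'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/redcar.png
    status_code: 200
    severity: "High"
  - name: Possible Trickbot Trojan Payload hosting redcar.png on Nginx
    headers:
    - 'Content-Type:application/octet-stream'
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /images/redcar.png
    status_code: 200
    severity: "High"
# Here the heuristic is inverted: a 200 with Accept-Ranges that is *not* an HTML
# page. Sites whose 200 "not found" page omits a doctype/head will still trip it.
- endpoint: "/ico/VidT6cErs"
  checks:
  - name: Possible Trickbot Trojan Payload hosting VidT6cErs
    no_match:
    - '<!DOCTYPE html>'
    - '<head>'
    headers:
    - "Accept-Ranges:bytes"
    remediation: Make sure your system isn't compromised
    description: Possible Trickbot Trojan Payload hosting in /ico/VidT6cErs
    status_code: 200
    severity: "High"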
- endpoint: '/admin/libs/prettify-4-Mar-2013/prettify.css'
  checks:
  # Presence of a vendor-specific static asset; Content-Type is the only constraint,
  # so a 200 catch-all that serves CSS at any path would also match.
  - name: Stormshield SNS Web Admin Console
    severity: "Low"
    status_code: 200
    description: Stormshield SNS Web Admin Console is accessible
    remediation: Make sure that Stormshield SNS Web Admin Console access is restricted & monitored
    headers:
    - 'Content-Type:text/css'
- endpoint: '/auth'
  checks:
  - name: Stormshield Web Portal
    severity: "Informational"
    status_code: 200
    description: Stormshield Web Portal is accessible
    remediation: Make sure that Stormshield Web Portal access is restricted & monitored
    match:
    - '/data/flag-fr.jpg'
    - '/data/i_auth.png'
- endpoint: '/ui'
  checks:
  - name: VMware ESXi
    severity: "Low"
    status_code: 200
    description: VMware ESXi is accessible
    remediation: Make sure that VMware ESXi access is restricted & monitored
    match:
    - 'ng-app="esxUiApp"'
- endpoint: '/vsphere-client'
  checks:
  - name: VMware vCenter
    severity: "Low"
    status_code: 200
    description: VMware vCenter is accessible
    remediation: Make sure that VMware vCenter access is restricted & monitored
    match:
    - '<title>vSphere Web Client</title>'
- endpoint: '/eai/index.html'
  checks:
  - name: Enovacom Suite V2
    severity: "Low"
    status_code: 200
    description: EAI Enovacom Suite V2 is accessible
    remediation: Make sure that EAI Enovacom Suite V2 access is restricted & monitored
    match:
    - 'href="/eai/Ressources/Images/v2.ico"'
- endpoint: '/mailscanner/login.php'
  checks:
  - name: MailWatch
    severity: "Low"
    status_code: 200
    description: MailWatch is accessible
    remediation: Make sure that MailWatch access is monitored
    match:
    - '<title>MailWatch Login Page</title>'
- endpoint: '/fog/management/index.php'
  checks:
  - name: FOG Project
    severity: "Low"
    status_code: 200
    description: FOG Project is accessible
    remediation: Make sure that FOG Project access is monitored
    match:
    - '<title>Login</title>'
    - '<b>FOG</b> Project'
- endpoint: '/.well-known/security.txt'
  checks:
  # Positive finding: a published security.txt with a Contact line is good practice,
  # which is why the "remediation" congratulates rather than instructs.
  - name: Security.txt
    severity: "Informational"
    status_code: 200
    description: Detects the presence of Security.txt file
    remediation: Great ! A Security.txt file for contact is present
    match:
    - 'Contact'
- endpoint: '/XsEXPL'
  checks:
  - name: Xplore Web RIS
    severity: "Informational"
    description: Xplore Web RIS is accessible
    remediation: Make sure that Xplore Web RIS access is restricted & monitored
    match:
    - '<title>Xplore Exploitation</title>'
- endpoint: '/zimbraAdmin'
  checks:
  - name: Zimbra Administration
    severity: "Low"
    description: Zimbra Administration is accessible
    remediation: Make sure that Zimbra Administration access is restricted & monitored
    match:
    - 'Zimbra Collaboration Suite Web Client'
- endpoint: '/public/img/mongo-express-logo.png'
  checks:
  # Detected purely from the logo asset being served as image/png. The High severity
  # reflects what Mongo Express gives access to, not anything this check proves about
  # authentication — confirm the UI itself is reachable before reporting as such.
  - name: Mongo Express
    severity: "High"
    status_code: 200
    description: Mongo Express is accessible
    remediation: Make sure that Mongo Express access is restricted & monitored
    headers:
    - 'Content-Type:image/png'
- endpoint: '/login.html'
  checks:
  # Both the lighttpd banner and the page title must be present.
  - name: Polycom
    severity: "Informational"
    status_code: 200
    description: Polycom Video Conferencing is accessible
    remediation: Make sure that Polycom access is restricted & monitored
    headers:
    - 'Server:lighttpd'
    match:
    - '<title>Polycom Login</title>'
- endpoint: '/securityRealm/user/admin/search/index?q=a'
  checks:
  # What this actually proves is that the user search page is served to an
  # unauthenticated client (the access-control bypass of CVE-2018-1000861); it does
  # not execute anything. Read a hit as "unpatched, patch now", not as "exploited".
  - name: Jenkins CVE-2018-1000861 (RCE)
    severity: "High"
    description: Jenkins server is vulnerable to RCE CVE-2018-1000861
    remediation: Patch the server as soon as possible
    match:
    - 'Jenkins'
    - '<title>Search for'
    no_match:
    - 'HTTP ERROR 404 Not Found'
- endpoint: '/?MAIN=TOPACCESS'
  checks:
  # The title is matched inside an HTML comment, exactly as the device emits it.
  - name: TopAccess Toshiba MFP
    severity: "Low"
    status_code: 200
    description: TopAccess Toshiba MFP is accessible
    remediation: Make sure that TopAccess access is restricted & monitored
    match:
    - '<!--<title class="clsTitle1">TopAccess</title>-->'
- endpoint: '/ePrint/ePrintConfigDyn.xml'
  checks:
  # Same name as the Server-banner HP check on "/"; this one keys on a config XML.
  - name: HP Printer
    severity: "Low"
    status_code: 200
    description: HP Printer is accessible
    remediation: Make sure that HP Printer access is restricted & monitored
    headers:
    - 'Content-Type:text/xml'
- endpoint: '/config.html'
  checks:
  - name: Zebra Label Printer
    severity: "Low"
    status_code: 200
    description: Zebra Label Printer is accessible
    remediation: Make sure that Zebra Label Printer access is restricted & monitored
    match:
    - '<H1>Zebra Technologies'
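# SPIP login page. Review fix: `name :` / `no_match :` key spacing.
- endpoint: "/spip.php?page=login"
  checks:
  - name: SPIP admin interface
    match:
    - 'content="SPIP'
    remediation: Make sure that SPIP admin interface access is restricted & monitored
    description: SPIP admin interface is accessible
    status_code: 200
    severity: "Informational"
  # NOTE(review): an allow-list of four version strings — every SPIP instance whose
  # page does not carry one of them is reported as vulnerable at High severity,
  # including newer releases. Maintain the list per release or expect false positives.
  - name: SPIP vulnerable version
    match:
    - 'content="SPIP'
    no_match:
    - '3.2.4-1+deb10u3'
    - '3.2.8'
    - '3.1.14'
    - '3.1.4-4~deb9u3build0.18.04.1'
    remediation: Upgrade SPIP in latest version
    description: SPIP vulnerable version detected
    status_code: 200
    severity: "High"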
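# Printer and healthcare-application fingerprints. Review fix: `name :` key spacing
# on all three checks.
- endpoint: "/support/support.php"
  checks:
  # Requires both the (very common) Apache banner and the vendor string in the body.
  - name: Xerox Printer
    headers:
    - "Server:Apache"
    match:
    - 'Xerox Corporation'
    remediation: Make sure that Xerox Printer access is restricted & monitored
    description: Xerox Printer is accessible
    status_code: 200
    severity: "Low"
- endpoint: "/cgi-bin/dynamic/topbar.html"
  checks:
  - name: Lexmark Printer
    match:
    - '<span class="top_prodname">Lexmark'
    remediation: Make sure that Lexmark Printer access is restricted & monitored
    description: Lexmark Printer is accessible
    status_code: 200
    severity: "Low"
- endpoint: "/felia/user/signin?source="
  checks:
  # Patient-traceability application: exposure is the concern, hence the check.
  - name: Aklia Lisis - traçabilité patients
    match:
    - 'images/logos/logo-aklia-screen.png'
    - 'utilisateur</label>'
    - 'LISIS</title>'
    remediation: Make sure that Aklia Lisis access is restricted & monitored
    description: Aklia Lisis is accessible
    status_code: 200
    severity: "Low"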