Developer Report
Acunetix Security Audit
2023-05-07

Scan of glark.ru

Scan details

Scan information
Start time 2023-05-07T17:49:18.640305+03:00
Start url http://glark.ru/
Host glark.ru
Scan time 47 minutes, 22 seconds
Profile Full Scan
Server information Apache/2.4.54 (Debian)
Responsive True
Server OS Unix
Server technologies PHP
Application build 15.5.230326230

Threat level

Acunetix Threat Level 2

One or more medium-severity vulnerabilities were discovered by the scanner. Investigate each of them to make sure it cannot be chained into a more severe problem.

Alerts distribution

Total alerts found 26
High 0
Medium 3
Low 7
Informational 16

Alerts summary

Unencrypted connection

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score: 5.4
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVSS2 Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-319

Affected items    Variation
Web Server        1

User credentials are sent in clear text

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-523

Affected items    Variation
Web Server        1

Vulnerable JavaScript libraries

Classification
CVSS3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVSS2 Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-937

Affected items    Variation
Web Server        1

Clickjacking: CSP frame-ancestors missing

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CVSS2 Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021

Affected items    Variation
Web Server        1

Clickjacking: X-Frame-Options header

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CVSS2 Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021

Affected items    Variation
Web Server        1

Cookies with missing, inconsistent or contradictory properties

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-284

Affected items    Variation
Web Server        1

Cookies without HttpOnly flag set

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1004

Affected items    Variation
Web Server        1

Possible sensitive directories

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-200

Affected items    Variation
Web Server        1

Session token in URL

Classification
CVSS3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-200

Affected items    Variation
Web Server        2

Content Security Policy (CSP) not implemented

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021

Affected items    Variation
Web Server        1

Content Security Policy Misconfiguration

Classification
CWE CWE-16

Affected items    Variation
Web Server        5

Error page web server version disclosure

Classification
CVSS3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-200

Affected items    Variation
Web Server        1

No HTTP Redirection

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16

Affected items    Variation
Web Server        1

Outdated JavaScript libraries

Classification
CVSS3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-937

Affected items    Variation
Web Server        7

Permissions-Policy header not implemented

Classification
CVSS3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2 Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021

Affected items    Variation
Web Server        1

Alerts details

Unencrypted connection

Severity Medium
Reported by module /RPA/no_https.js

Description

This scan target was connected to over an unencrypted connection. A potential attacker can intercept and modify data sent and received from this site.

Impact

Possible information disclosure.

Recommendation

The site should send and receive data over a secure (HTTPS) connection.

Affected items

Verified vulnerability
Details
Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

User credentials are sent in clear text

Severity Medium
Reported by module /Crawler/12-Crawler_User_Credentials_Plain_Text.js

Description

User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Impact

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

Recommendation

Because user credentials are sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).

Affected items

Details
Forms with credentials sent in clear text:
  • http://glark.ru/phpmyadmin/
    Form name: login_form
    Form action: index.php
    Form method: POST
    Password input: pma_password
  • http://glark.ru/phpmyadmin/index.php
    Form name: login_form
    Form action: index.php
    Form method: POST
    Password input: pma_password
  • http://glark.ru/login.lm
    Form name: <empty>
    Form action: <empty>
    Form method: POST
    Password input: password
  • http://glark.ru/reg.lm
    Form name: <empty>
    Form action: <empty>
    Form method: POST
    Password input: password
  • http://glark.ru/phpmyadmin/ajax.php
    Form name: login_form
    Form action: index.php
    Form method: POST
    Password input: pma_password
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Vulnerable JavaScript libraries

Severity Medium
Reported by module /deepscan/javascript_library_audit_deepscan.js

Description

You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

Impact

Consult References for more information.

Recommendation

Upgrade to the latest version.

Affected items

Details
  • jQuery UI Datepicker 1.12.1
    • URL: http://glark.ru/phpmyadmin/
    • Detection method: The library's name and version were determined based on its dynamic behavior.
    • CVE-ID: CVE-2021-41182, CVE-2021-41183
    • Description: XSS in the 'altField' option of the Datepicker widget / XSS in '*Text' options of the Datepicker widget
    • References:
      • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
      • https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
      • https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Clickjacking: CSP frame-ancestors missing

Severity Low
Reported by module /httpdata/CSP_not_implemented.js

Description

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server did not return a frame-ancestors directive in the Content-Security-Policy header, which means that this website could be at risk of a clickjacking attack. The frame-ancestors directive tells the browser which origins, if any, may render the page inside a frame; browsers that support it ignore X-Frame-Options when both are present. Sites can use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Impact

The impact depends on the affected web application.

Recommendation

Configure your web server to include a CSP header with frame-ancestors directive and an X-Frame-Options header. Consult Web references for more information about the possible values for this header.

References

OWASP Clickjacking
CSP: frame-ancestors
The X-Frame-Options response header

Affected items

Details
Paths without CSP frame-ancestors:
  • http://glark.ru/phpmyadmin/

  • http://glark.ru/phpmyadmin/index.php

  • http://glark.ru/phpmyadmin/url.php

  • http://glark.ru/phpmyadmin/ajax.php

Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
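The following Python audit is an added example, not scanner output, that reproduces the decision behind this finding and the X-Frame-Options finding that follows: given a response's headers, it parses any Content-Security-Policy for a frame-ancestors directive, falls back to X-Frame-Options, and reports whether an untrusted origin can still frame the page. The sample header sets are constructed; the first one mirrors what the report shows for /phpmyadmin/ (no framing headers at all).

```python
"""Audit clickjacking protections in a set of HTTP response headers (added example)."""
from __future__ import annotations

from typing import Iterable

# Source expressions in frame-ancestors that still let any origin frame the
# page; a policy built from these is not a protection.
OPEN_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse one Content-Security-Policy header value into {directive: sources}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive. When a directive is repeated inside one policy the
    first occurrence wins, which is what browsers do.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_verdict(headers: Iterable[tuple[str, str]]) -> dict:
    """Decide whether the response can be framed by an untrusted origin.

    Returns {"mechanism": "csp" | "xfo" | "none", "protected": bool, "notes": [...]}.
    """
    xfo: str | None = None
    ancestor_lists: list[list[str]] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            xfo = value.strip().upper()
        elif lname == "content-security-policy":
            sources = parse_csp(value).get("frame-ancestors")
            if sources is not None:
                ancestor_lists.append([s.strip("'").lower() for s in sources])

    notes: list[str] = []
    if ancestor_lists:
        # Every CSP header is enforced independently: framing is allowed only if
        # all of them allow it, so one restrictive list is enough. An empty
        # source list means the same as 'none'.
        protected = any(not (set(lst) & OPEN_SOURCES) for lst in ancestor_lists)
        if xfo is not None:
            notes.append("frame-ancestors present: browsers that support it ignore "
                         "X-Frame-Options, which only matters for legacy browsers")
        return {"mechanism": "csp", "protected": protected, "notes": notes}

    if xfo in ("DENY", "SAMEORIGIN"):
        notes.append("only X-Frame-Options set; add frame-ancestors for per-origin control")
        return {"mechanism": "xfo", "protected": True, "notes": notes}
    if xfo is not None:
        reason = ("ALLOW-FROM is obsolete and ignored" if xfo.startswith("ALLOW-FROM")
                  else f"unrecognised value {xfo!r} is ignored")
        notes.append(f"X-Frame-Options {reason}; page is frameable")
        return {"mechanism": "xfo", "protected": False, "notes": notes}

    notes.append("neither CSP frame-ancestors nor X-Frame-Options present")
    return {"mechanism": "none", "protected": False, "notes": notes}


# Constructed samples (not captured from the scan).
AS_SCANNED = [          # what the report shows for /phpmyadmin/
    ("Server", "Apache/2.4.54 (Debian)"),
    ("Content-Type", "text/html; charset=utf-8"),
]
HARDENED = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
]
LEGACY_ONLY = [("X-Frame-Options", "ALLOW-FROM https://partner.example")]
WIDE_OPEN_CSP = [("Content-Security-Policy", "frame-ancestors *")]

if __name__ == "__main__":
    for label, hdrs in [("as scanned", AS_SCANNED), ("hardened", HARDENED),
                        ("legacy only", LEGACY_ONLY), ("open csp", WIDE_OPEN_CSP)]:
        print(f"{label:12} {framing_verdict(hdrs)}")
```

The audit treats a CSP with frame-ancestors as authoritative and X-Frame-Options as the fallback, which is the precedence browsers apply; it is deliberately strict about `ALLOW-FROM`, since current browsers drop the whole header when they see it.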

Clickjacking: X-Frame-Options header

Severity Low
Reported by module /httpdata/X_Frame_Options_not_implemented.js

Description

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into untrusted sites.

Impact

The impact depends on the affected web application.

Recommendation

Configure your web server to include an X-Frame-Options header and a CSP header with frame-ancestors directive. Consult Web references for more information about the possible values for this header.

References

The X-Frame-Options response header
Clickjacking
OWASP Clickjacking
Frame Buster Buster

Affected items

Details
Paths without secure XFO header:
  • http://glark.ru/

  • http://glark.ru/changelog.lm

  • http://glark.ru/index.php

  • http://glark.ru/core/

  • http://glark.ru/core/data/

  • http://glark.ru/contacts.lm

  • http://glark.ru/help.lm

  • http://glark.ru/login.lm

  • http://glark.ru/reg.lm

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_444444_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/index.html

  • http://glark.ru/phpmyadmin/doc/html/search.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_555555_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777620_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777777_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/bookmarks.html

  • http://glark.ru/phpmyadmin/doc/html/charts.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_cc0000_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_ffffff_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/config.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/

Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
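The Apache configuration below is an added example and not the site's own configuration. It collects the server-side fixes for the findings so far: the unencrypted connection and clear-text credentials (redirect to HTTPS plus HSTS), both clickjacking findings (frame-ancestors and X-Frame-Options), the missing Permissions-Policy, the session cookie attributes flagged later in the report, and the version string on error pages. It assumes Debian's Apache layout with mod_ssl, mod_headers and mod_php enabled, a certificate at the paths shown, and an administrative network range for phpMyAdmin; all of these are assumptions.

```apache
# Added example, not the live configuration. Assumes: a2enmod ssl headers,
# mod_php (with php-fpm the php_value lines belong in php.ini instead),
# certificate paths as shown, and 203.0.113.0/24 as the admin network.

<VirtualHost *:80>
    ServerName glark.ru
    # Port 80 does nothing except send every request to HTTPS
    # (fixes "Unencrypted connection" and "No HTTP Redirection").
    Redirect permanent / https://glark.ru/
</VirtualHost>

<VirtualHost *:443>
    ServerName glark.ru
    SSLEngine on
    # Assumed certificate paths.
    SSLCertificateFile /etc/letsencrypt/live/glark.ru/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/glark.ru/privkey.pem

    # HSTS is only honoured when received over HTTPS, so it lives here.
    # After the first visit the browser rewrites http:// to https:// itself,
    # which also covers the login forms on /login.lm and /phpmyadmin/.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Clickjacking: frame-ancestors is what current browsers enforce,
    # X-Frame-Options is kept for older ones. "always" makes mod_headers
    # add the headers on error responses as well.
    Header always set Content-Security-Policy "frame-ancestors 'none'"
    Header always set X-Frame-Options "DENY"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # PHP session cookie attributes: turns "PHPSESSID=...; path=/" into a
    # Secure, HttpOnly, SameSite=Lax cookie (session.cookie_samesite needs
    # PHP 7.3 or newer).
    php_value session.cookie_secure 1
    php_value session.cookie_httponly 1
    php_value session.cookie_samesite Lax

    # phpMyAdmin is an administrative tool; do not leave it reachable from
    # the whole Internet. Assumed admin range (RFC 5737 documentation prefix).
    <Location "/phpmyadmin/">
        Require ip 203.0.113.0/24
    </Location>
</VirtualHost>

# Error-page version disclosure: stop advertising "Apache/2.4.54 (Debian)".
ServerTokens Prod
ServerSignature Off
```

The CSP here carries only frame-ancestors, which is the part this report can justify; a full policy with script and style sources needs an inventory of what the pages load, which the scan output does not provide, and the "Content Security Policy Misconfiguration" item above should be re-run once one is in place. The cookies set by phpMyAdmin itself (phpMyAdmin, pma_lang) come from its own code, not from PHP's session settings, so they are addressed by upgrading phpMyAdmin rather than by this file.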

Cookies with missing, inconsistent or contradictory properties

Severity Low
Reported by module /RPA/Cookie_Validator.js

Description

At least one of the following cookie properties causes the cookie to be invalid or incompatible either with a different property of the same cookie or with the environment the cookie is being used in. Although this is not a vulnerability in itself, it will likely lead to unexpected behavior by the application, which in turn may cause secondary security issues.

Impact

Cookies will not be stored, or submitted, by web browsers.

Recommendation

Ensure that the cookies configuration complies with the applicable standards.

References

MDN | Set-Cookie
Securing cookies with cookie prefixes
Cookies: HTTP State Management Mechanism
SameSite Updates - The Chromium Projects
draft-west-first-party-cookies-07: Same-site Cookies

Affected items

Verified vulnerability
Details
List of cookies with missing, inconsistent or contradictory properties:
  • http://glark.ru/

    Cookie was set with:
    Set-Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; path=/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/

    Cookie was set with:
    Set-Cookie: phpMyAdmin=7fi9asgvdrnrvd7cu9ajdjpg2a; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/

    Cookie was set with:
    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/

    Cookie was set with:
    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/

    Cookie was set with:
    Set-Cookie: pma_lang=en; expires=Tue, 06-Jun-2023 14:52:37 GMT; Max-Age=2592000; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/

    Cookie was set with:
    Set-Cookie: phpMyAdmin=hiql1bl0qlb20san8jkvo366th; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=u4l8cs7b1jckimrafjc551db0o; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=4mte91ieijqi5o5vis43rtfssa; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=4pfhnolq4br0trg8ujt9du180d; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=nq6e8fdcbq3mt3qlpgiq04i2pa; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/js/messages.php

    Cookie was set with:
    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/js/messages.php

    Cookie was set with:
    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=dggco80plk4lhedcp5pblac0fr; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: pma_lang=sq; expires=Tue, 06-Jun-2023 14:56:35 GMT; Max-Age=2592000; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=r09e0grin74k8f4h94ds8kb6dm; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=ei0nc4fh25rclmgv8hcicv0quh; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=3sg3cvb31ep1se851tvuaahsj8; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=fhvbvavnal8qod92gsr494e1i3; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

  • http://glark.ru/phpmyadmin/index.php

    Cookie was set with:
    Set-Cookie: phpMyAdmin=csandkbc0loc2ec0b137bq63t4; path=/phpmyadmin/; HttpOnly

    This cookie has the following issues:
     - Cookie without SameSite attribute.
    When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either "Strict", "Lax", or "None".
    

Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Cookies without HttpOnly flag set

Severity Low
Reported by module /RPA/Cookie_Without_HttpOnly.js

Description

One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

Impact

Cookies can be accessed by client-side scripts.

Recommendation

If possible, you should set the HttpOnly flag for these cookies.

Affected items

Verified vulnerability
Details
Cookies without HttpOnly flag set:
  • http://glark.ru/

    Set-Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; path=/

  • http://glark.ru/phpmyadmin/

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/index.php

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/index.php

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/js/messages.php

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/js/messages.php

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/url.php

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/url.php

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/ajax.php

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/ajax.php

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/js/whitelist.php

    Set-Cookie: goto=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

  • http://glark.ru/phpmyadmin/js/whitelist.php

    Set-Cookie: back=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/phpmyadmin/

Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Possible sensitive directories

Severity Low
Reported by module /Scripts/PerFolder/Possible_Sensitive_Directories.script

Description

One or more possibly sensitive directories were found. These resources are not directly linked from the website. This check looks for common sensitive resources such as backup directories, database dumps, administration pages, and temporary directories. Each of these directories could help an attacker learn more about the target.

Impact

These directories may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation

Restrict access to these directories or remove them from the website.

References

Web Server Security and Database Server Security

Affected items

Details
Possible sensitive directories:
  • http://glark.ru/phpmyadmin
Request headers
GET /phpmyadmin/ HTTP/1.1
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Session token in URL

Severity Low
Reported by module /RPA/Session_Token_In_Url.js

Description

This application contains one or more pages with what appears to be a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.

Impact

Possible sensitive information disclosure.

Recommendation

The session should be maintained using cookies (or hidden input fields).

Affected items

Details
Pages with session token in URL:
  • http://glark.ru/phpmyadmin/index.php?db=1&lang=sq&table=1&token=3d675c5a507329586f7d59735e36242e (token)
  • http://glark.ru/phpmyadmin/index.php?db=1&lang=ar&table=1&token=3d675c5a507329586f7d59735e36242e (token)
  • http://glark.ru/phpmyadmin/index.php?db=1&lang=en&table=1&token=3d675c5a507329586f7d59735e36242e (token)
Request headers
GET /phpmyadmin/index.php?db=1&lang=sq&table=1&token=3d675c5a507329586f7d59735e36242e HTTP/1.1
Referer: http://glark.ru/phpmyadmin/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; phpMyAdmin=nq6e8fdcbq3mt3qlpgiq04i2pa; pma_lang=en
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
Pages with session token in URL:
  • http://glark.ru/phpmyadmin/index.php?db=1&lang=sq&table=1&token=635b354b2e396c79762a4d5038233677 (token)
  • http://glark.ru/phpmyadmin/index.php?db=1&lang=sq&table=1&token=237e355978216477642a4f765a732624 (token)
Request headers
GET /phpmyadmin/index.php?db=1&lang=sq&table=1&token=635b354b2e396c79762a4d5038233677 HTTP/1.1
Referer: http://glark.ru/phpmyadmin/index.php
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; phpMyAdmin=5bh38lppp9vb4sa9cia1f7r2lr; pma_lang=ar
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Content Security Policy (CSP) not implemented

Severity Informational
Reported by module /httpdata/CSP_not_implemented.js

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for all of the types of resources that your site uses. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP header could look like the following:

Content-Security-Policy:
    default-src 'self';
    script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

Impact

CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others.

Recommendation

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.

References

Content Security Policy (CSP)
Implementing Content Security Policy

Affected items

Details
Paths without CSP header:
  • http://glark.ru/

  • http://glark.ru/changelog.lm

  • http://glark.ru/index.php

  • http://glark.ru/core/

  • http://glark.ru/core/data/

  • http://glark.ru/contacts.lm

  • http://glark.ru/help.lm

  • http://glark.ru/login.lm

  • http://glark.ru/reg.lm

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_444444_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/index.html

  • http://glark.ru/phpmyadmin/doc/html/search.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_555555_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777620_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777777_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/bookmarks.html

  • http://glark.ru/phpmyadmin/doc/html/charts.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_cc0000_256x240.png"

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_ffffff_256x240.png"

  • http://glark.ru/phpmyadmin/doc/html/config.html

  • http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/

Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Content Security Policy Misconfiguration

Severity Informational
Reported by module /httpdata/content_security_policy.js

Description

Acunetix evaluated the scan target's Content Security Policies, checked for misconfigurations and potentially unintended side-effects of otherwise valid configurations, and offers the following suggestions on how to change existing policies for improved security and maximum compatibility.

Impact

Consult References for more information.

Recommendation

See alert details for available remediation advice.

References

Using Content Security Policy (CSP) to Secure Web Applications
The dangers of incorrect CSP implementations
Leverage Browser Security Features to Secure Your Website

Affected items

Verified vulnerability
Details
  • An Unsafe Content Security Policy (CSP) Directive in Use
    • First observed on: http://glark.ru/phpmyadmin/
    • CSP Value: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';
    • CSP Source: header
    • Summary: Acunetix detected that one of the following CSP directives is used: unsafe-eval, unsafe-inline. By using unsafe-eval, you allow the use of string evaluation functions like eval. By using unsafe-inline, you allow the execution of inline scripts, which almost defeats the purpose of CSP. When this is allowed, it is very easy to successfully exploit a Cross-site Scripting vulnerability on your website.
    • Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully.
    • Remediation: If possible remove unsafe-eval and unsafe-inline from your CSP directives.
    • References:
      • N/A
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Verified vulnerability
Details
  • default-src Used in Content Security Policy (CSP)
    • First observed on: http://glark.ru/phpmyadmin/
    • CSP Value: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';
    • CSP Source: header
    • Summary: Acunetix detected that you used default-src in a CSP directive. It is important to know that default-src cannot be used as a fallback for the following directives: base-uri, form-action, frame-ancestors, plugin-types, report-uri, sandbox
    • Impact: N/A
    • Remediation: N/A
    • References:
      • N/A
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Verified vulnerability
Details
  • Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive
    • First observed on: http://glark.ru/phpmyadmin/
    • CSP Value: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';
    • CSP Source: header
    • Summary: Acunetix detected that a wildcard was used in the domain portion of a CSP directive.
    • Impact: This means you trust all of the subdomains of this domain. If that is intended, there is no impact.
    • Remediation: If you trust all of the subdomains and this is necessary, then you do not need to take any action. However, if this is not the case, replace the wildcard with only the subdomains that you trust.
    • References:
      • N/A
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Verified vulnerability
Details
  • Multiple Content Security Policy (CSP) Implementation Detected
    • First observed on: http://glark.ru/phpmyadmin/
    • CSP Value: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';
    • CSP Source: header
    • Summary: Acunetix detected that multiple CSP declaration types were implemented in the page for backward compatibility.
    • Impact: Using multiple CSP implementations together might cause CSP directives to not work as intended.
    • Remediation: Remove these deprecated implementations: X-Content-Security-Policy, X-Webkit-CSP
    • References:
      • N/A
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Verified vulnerability
Details
  • data: Used in a Content Security Policy (CSP) Directive
    • First observed on: http://glark.ru/phpmyadmin/
    • CSP Value: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';
    • CSP Source: header
    • Summary: Acunetix detected the use of the data: scheme in a CSP directive.
    • Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully by using the data: scheme.
    • Remediation: Remove data: sources from your CSP directives.
    • References:
      • N/A
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Error page web server version disclosure

Severity Informational
Reported by module /Scripts/PerServer/Error_Page_Path_Disclosure.script

Description

Application errors or warning messages may disclose sensitive information about an application's internal workings to an attacker.

Acunetix found the web server version number and a list of modules enabled on the target server. Consult the 'Attack details' section for more information about the affected page.

Impact

Information about an application's internal workings disclosed in error messages may be used to escalate attacks.

Recommendation

Properly configure the web server not to disclose information about an application's internal workings to the user. Consult the 'Web references' section for more information.

References

Custom Error Responses (Apache HTTP Server)
server_tokens (Nginx)
Remove Unwanted HTTP Response Headers (Microsoft IIS)

Affected items

Details
Request headers
GET /NHu3FCq6N0 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

No HTTP Redirection

Severity Informational
Reported by module /target/http_redirections.js

Description

It was detected that your web application uses HTTP protocol, but doesn't automatically redirect users to HTTPS.

Impact

In some circumstances, it could be used for a man-in-the-middle (MitM) attack.

Recommendation

It's recommended to implement best practices of HTTP Redirection into your web application. Consult web references for more information.

References

HTTP Redirections

Affected items

Details
Request headers
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Outdated JavaScript libraries

Severity Informational
Reported by module /deepscan/javascript_library_audit_deepscan.js

Description

You are using an outdated version of one or more JavaScript libraries. A more recent version is available. Although your version was not found to be affected by any security vulnerabilities, it is recommended to keep libraries up to date.

Impact

Consult References for more information.

Recommendation

Upgrade to the latest version.

Affected items

Details
  • jQuery 3.5.1
    • URL: http://glark.ru/phpmyadmin/
    • Detection method: The library's name and version were determined based on its dynamic behavior.
    • References:
      • https://code.jquery.com/
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • jQuery UI Dialog 1.12.1
    • URL: http://glark.ru/phpmyadmin/
    • Detection method: The library's name and version were determined based on its dynamic behavior.
    • References:
      • https://jqueryui.com/download/
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • jQuery UI Tooltip 1.12.1
    • URL: http://glark.ru/phpmyadmin/
    • Detection method: The library's name and version were determined based on its dynamic behavior.
    • References:
      • https://jqueryui.com/download/
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • bootstrap.js 4.5.2
    • URL: http://glark.ru/phpmyadmin/
    • Detection method: The library's name and version were determined based on its dynamic behavior.
    • References:
      • https://github.com/twbs/bootstrap/releases
Request headers
GET /phpmyadmin/ HTTP/1.1
Referer: http://glark.ru/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • Underscore.js 1.9.1
    • URL: http://glark.ru/phpmyadmin/doc/html/_static/underscore.js
    • Detection method: The library's name and version were determined based on the file's contents.
    • References:
      • https://github.com/jashkenas/underscore/tags
Request headers
GET /phpmyadmin/doc/html/_static/underscore.js HTTP/1.1
Referer: http://glark.ru/phpmyadmin/doc/html/index.html
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; phpMyAdmin=1sqtki3n4uhu1mb2squ59p96jc; pma_lang=en
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • JavaScript Cookie 2.2.1
    • URL: http://glark.ru/phpmyadmin/js/vendor/js.cookie.js
    • Detection method: The library's name and version were determined based on the file's contents.
    • References:
      • https://github.com/js-cookie/js-cookie/releases
Request headers
GET /phpmyadmin/js/vendor/js.cookie.js HTTP/1.1
Referer: http://glark.ru/phpmyadmin/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; phpMyAdmin=m2den2pl709mfslhcgjiuk18pd; pma_lang=en
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive
Details
  • jQuery Migrate 3.1.0
    • URL: http://glark.ru/phpmyadmin/js/vendor/jquery/jquery-migrate.js
    • Detection method: The library's name and version were determined based on the file's syntax fingerprint.
    • References:
      • https://github.com/jquery/jquery-migrate/releases
Request headers
GET /phpmyadmin/js/vendor/jquery/jquery-migrate.js HTTP/1.1
Referer: http://glark.ru/phpmyadmin/
Cookie: PHPSESSID=1kdka0iohj6lmno6evg9ukqvla; phpMyAdmin=m2den2pl709mfslhcgjiuk18pd; pma_lang=en
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Permissions-Policy header not implemented

Severity Informational
Reported by module /httpdata/permissions_policy.js

Description

The Permissions-Policy header allows developers to selectively enable and disable use of various browser features and APIs.

Impact

Recommendation

References

Permissions-Policy / Feature-Policy (MDN)
Permissions Policy (W3C)

Affected items

Details
Locations without Permissions-Policy header:
  • http://glark.ru/
  • http://glark.ru/changelog.lm
  • http://glark.ru/index.php
  • http://glark.ru/apps/
  • http://glark.ru/core/
  • http://glark.ru/phpmyadmin/
  • http://glark.ru/phpmyadmin/index.php
  • http://glark.ru/core/data/
  • http://glark.ru/media/icons/dark/
  • http://glark.ru/media/images/
  • http://glark.ru/media/
  • http://glark.ru/media/css/dark/
  • http://glark.ru/media/icons/
  • http://glark.ru/contacts.lm
  • http://glark.ru/media/fonts/
  • http://glark.ru/help.lm
  • http://glark.ru/login.lm
  • http://glark.ru/media/css/
  • http://glark.ru/phpmyadmin/url.php
  • http://glark.ru/reg.lm
  • http://glark.ru/media/js/
Request headers
GET / HTTP/1.1
Referer: http://glark.ru/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: glark.ru
Connection: Keep-alive

Scanned items (coverage report)

http://glark.ru/
http://glark.ru/apps/
http://glark.ru/captcha.lm
http://glark.ru/changelog.lm
http://glark.ru/contacts.lm
http://glark.ru/core/
http://glark.ru/core/data/
http://glark.ru/db_routines.php
http://glark.ru/help.lm
http://glark.ru/index.php
http://glark.ru/login.lm
http://glark.ru/media/
http://glark.ru/media/css/
http://glark.ru/media/css/dark/
http://glark.ru/media/css/dark/style.css
http://glark.ru/media/fonts/
http://glark.ru/media/fonts/RussianRailGRegular.otf
http://glark.ru/media/icons/
http://glark.ru/media/icons/dark/
http://glark.ru/media/images/
http://glark.ru/media/js/
http://glark.ru/phpmyadmin/
http://glark.ru/phpmyadmin/ajax.php
http://glark.ru/phpmyadmin/doc/
http://glark.ru/phpmyadmin/doc/html/
http://glark.ru/phpmyadmin/doc/html/_images/
http://glark.ru/phpmyadmin/doc/html/_sources/
http://glark.ru/phpmyadmin/doc/html/_sources/bookmarks.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/charts.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/config.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/copyright.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/credits.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/developers.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/faq.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/glossary.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/import_export.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/index.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/intro.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/other.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/privileges.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/relations.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/require.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/security.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/settings.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/setup.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/themes.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/transformations.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/two_factor.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/user.rst.txt
http://glark.ru/phpmyadmin/doc/html/_sources/vendors.rst.txt
http://glark.ru/phpmyadmin/doc/html/_static/
http://glark.ru/phpmyadmin/doc/html/_static/basic.css
http://glark.ru/phpmyadmin/doc/html/_static/classic.css
http://glark.ru/phpmyadmin/doc/html/_static/doctools.js
http://glark.ru/phpmyadmin/doc/html/_static/documentation_options.js
http://glark.ru/phpmyadmin/doc/html/_static/jquery.js
http://glark.ru/phpmyadmin/doc/html/_static/language_data.js
http://glark.ru/phpmyadmin/doc/html/_static/pygments.css
http://glark.ru/phpmyadmin/doc/html/_static/searchtools.js
http://glark.ru/phpmyadmin/doc/html/_static/underscore.js
http://glark.ru/phpmyadmin/doc/html/bookmarks.html
http://glark.ru/phpmyadmin/doc/html/charts.html
http://glark.ru/phpmyadmin/doc/html/config.html
http://glark.ru/phpmyadmin/doc/html/copyright.html
http://glark.ru/phpmyadmin/doc/html/credits.html
http://glark.ru/phpmyadmin/doc/html/developers.html
http://glark.ru/phpmyadmin/doc/html/faq.html
http://glark.ru/phpmyadmin/doc/html/genindex.html
http://glark.ru/phpmyadmin/doc/html/glossary.html
http://glark.ru/phpmyadmin/doc/html/import_export.html
http://glark.ru/phpmyadmin/doc/html/index.html
http://glark.ru/phpmyadmin/doc/html/intro.html
http://glark.ru/phpmyadmin/doc/html/other.html
http://glark.ru/phpmyadmin/doc/html/privileges.html
http://glark.ru/phpmyadmin/doc/html/relations.html
http://glark.ru/phpmyadmin/doc/html/require.html
http://glark.ru/phpmyadmin/doc/html/search.html
http://glark.ru/phpmyadmin/doc/html/searchindex.js
http://glark.ru/phpmyadmin/doc/html/security.html
http://glark.ru/phpmyadmin/doc/html/settings.html
http://glark.ru/phpmyadmin/doc/html/setup.html
http://glark.ru/phpmyadmin/doc/html/themes.html
http://glark.ru/phpmyadmin/doc/html/transformations.html
http://glark.ru/phpmyadmin/doc/html/two_factor.html
http://glark.ru/phpmyadmin/doc/html/user.html
http://glark.ru/phpmyadmin/doc/html/vendors.html
http://glark.ru/phpmyadmin/index.php
http://glark.ru/phpmyadmin/js/
http://glark.ru/phpmyadmin/js/ajax.js
http://glark.ru/phpmyadmin/js/codemirror/
http://glark.ru/phpmyadmin/js/codemirror/addon/
http://glark.ru/phpmyadmin/js/codemirror/addon/lint/
http://glark.ru/phpmyadmin/js/codemirror/addon/lint/sql-lint.js
http://glark.ru/phpmyadmin/js/common.js
http://glark.ru/phpmyadmin/js/config.js
http://glark.ru/phpmyadmin/js/console.js
http://glark.ru/phpmyadmin/js/cross_framing_protection.js
http://glark.ru/phpmyadmin/js/database/
http://glark.ru/phpmyadmin/js/doclinks.js
http://glark.ru/phpmyadmin/js/drag_drop_import.js
http://glark.ru/phpmyadmin/js/error_report.js
http://glark.ru/phpmyadmin/js/functions.js
http://glark.ru/phpmyadmin/js/indexes.js
http://glark.ru/phpmyadmin/js/keyhandler.js
http://glark.ru/phpmyadmin/js/menu_resizer.js
http://glark.ru/phpmyadmin/js/messages.php
http://glark.ru/phpmyadmin/js/navigation.js
http://glark.ru/phpmyadmin/js/page_settings.js
http://glark.ru/phpmyadmin/js/rte.js
http://glark.ru/phpmyadmin/js/setup/
http://glark.ru/phpmyadmin/js/shortcuts_handler.js
http://glark.ru/phpmyadmin/js/vendor/
http://glark.ru/phpmyadmin/js/vendor/bootstrap/
http://glark.ru/phpmyadmin/js/vendor/bootstrap/bootstrap.bundle.min.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/hint/
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/hint/show-hint.css
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/hint/show-hint.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/hint/sql-hint.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/lint/
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/lint/lint.css
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/lint/lint.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/runmode/
http://glark.ru/phpmyadmin/js/vendor/codemirror/addon/runmode/runmode.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/lib/
http://glark.ru/phpmyadmin/js/vendor/codemirror/lib/codemirror.css
http://glark.ru/phpmyadmin/js/vendor/codemirror/lib/codemirror.js
http://glark.ru/phpmyadmin/js/vendor/codemirror/mode/
http://glark.ru/phpmyadmin/js/vendor/codemirror/mode/sql/
http://glark.ru/phpmyadmin/js/vendor/codemirror/mode/sql/sql.js
http://glark.ru/phpmyadmin/js/vendor/jquery/
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery-migrate.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery-ui-timepicker-addon.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery-ui.min.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.ba-hashchange-1.3.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.debounce-1.0.5.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.event.drag-2.2.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.min.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.mousewheel.js
http://glark.ru/phpmyadmin/js/vendor/jquery/jquery.validate.js
http://glark.ru/phpmyadmin/js/vendor/js.cookie.js
http://glark.ru/phpmyadmin/js/vendor/sprintf.js
http://glark.ru/phpmyadmin/js/vendor/tracekit.js
http://glark.ru/phpmyadmin/js/whitelist.php
http://glark.ru/phpmyadmin/sql/
http://glark.ru/phpmyadmin/themes/
http://glark.ru/phpmyadmin/themes/pmahomme/
http://glark.ru/phpmyadmin/themes/pmahomme/css/
http://glark.ru/phpmyadmin/themes/pmahomme/css/printview.css
http://glark.ru/phpmyadmin/themes/pmahomme/css/theme-rtl.css
http://glark.ru/phpmyadmin/themes/pmahomme/css/theme.css
http://glark.ru/phpmyadmin/themes/pmahomme/img/
http://glark.ru/phpmyadmin/themes/pmahomme/img/designer/
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_444444_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_555555_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777620_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_777777_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_cc0000_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/"images/ui-icons_ffffff_256x240.png"
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/images/
http://glark.ru/phpmyadmin/themes/pmahomme/jquery/jquery-ui.css
http://glark.ru/phpmyadmin/url.php
http://glark.ru/reg.lm
http://glark.ru/sql.php
http://glark.ru/tbl_indexes.php