Password Transmitted Over HTTP
Url http://www.heidymodel.com/amember_remote/index.php?v=-6&url=/members/&referer=
Form target action
Classification
PCI 2.0 6.5.4 PCI 1.2 6.5.9 OWASP A9 CWE 319 CAPEC 65 WASC 04
Vulnerability Details
Netsparker identified that password data is sent over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Cookie Not Marked As HttpOnly
Url http://www.heidymodel.com/amember_remote/index.php?v=-6&url=/members/&referer=
Identified Cookie PHPSESSID
Classification
CWE 16 CAPEC 107 WASC 15
Vulnerability Details
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.
Impact
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Auto Complete Enabled
Url http://www.heidymodel.com/amember_remote/index.php?v=-6&url=/members/&referer=
Identified Field Name amember_remote_login
Classification
CWE 16 WASC 15
Vulnerability Details
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".
Impact
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers such as those in cyber cafes or airport terminals.

PHP Version Disclosure
Certainty
Url http://www.heidymodel.com/
Extracted Version 5.2.9
Classification
PCI 1.2 6.5.6 OWASP A6 CWE 16 CAPEC 170 WASC 45
Vulnerability Details
Netsparker identified that the target web server is disclosing the PHP version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

[Possible] Internal Path Leakage (*nix)
Certainty
Url http://www.heidymodel.com/amember_remote/index.php?v=-6&url=/members/&referer=3
Identified Internal Path(s) /proc/self/fd/2\0.php
Parameter Name amember_remote_login
Parameter Type Post
Attack Pattern ../../../../../../../../../../proc/self/fd/2.php
Classification
PCI 1.2 6.5.6 CWE 200 CAPEC 118 WASC 13
Vulnerability Details
Netsparker identified an internal path in the document.
Impact
There is no direct impact; however, this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.

[Possible] Internal Path Leakage (*nix)
Certainty
Url http://www.heidymodel.com/amember_remote/
Identified Internal Path(s) /proc/self/fd/2\0.php
Parameter Name amember_remote_login
Parameter Type Post
Attack Pattern ../../../../../../../../../../proc/self/fd/2.php
Classification
PCI 1.2 6.5.6 CWE 200 CAPEC 118 WASC 13
Vulnerability Details
Netsparker identified an internal path in the document.
Impact
There is no direct impact; however, this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.