Greetings!
I did a basic scan of the trentahost website and found some vulnerabilities that could be exploited, possibly gaining root access, among other serious threats. I would like to know if you will allow me to do a deep scan, and whether you want the list of what I already got in that 15 minutes of basic scanning. All I want to do is help you make your company's security better, and in return I would accept a humble and fair contribution.
@Leao
As I haven't got any reply from support or from Freezia after reporting some vulnerabilities on @TrentaHost,
I'll post some of the vulnerabilities I've found on their website so they'll pay attention. I'm not posting the most important vulnerabilities, but I'll show a bit of their bad security.
#XML-RPC
https://trentahost.com/xmlrpc.php
This one could be exploited to do remote command/code injection/execution, and more.
https://www.exploit-db.com/exploits/1078/
https://www.exploit-db.com/exploits/1083/
XML-RPC uses the PHP XML parser. It is vulnerable to XML entity expansion attacks and other XML payload attacks. These cause CPU and memory exhaustion and push the website's database to its maximum number of open connections. The site may become unavailable or unresponsive (a denial of service occurs).
There's also a way to gain root access by exploiting this vulnerability.
https://null-byte.wonderhowto.com/ho...l-rpc-0174864/
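As an added example (my code, not from the post, from WordPress or from any linked page), here is a defensive pre-check in Python that a reverse proxy or request filter could apply to xmlrpc.php bodies: it rejects any DTD or ENTITY declaration (a legitimate XML-RPC call never carries one), caps body size and element count so entity-expansion and element-flood payloads are dropped before they cost CPU or memory, and checks that the root element is methodCall. The caps and the sample bodies are my own assumptions and constructed inputs.

```python
import re
import xml.parsers.expat

MAX_BODY_BYTES = 64 * 1024   # assumption: ample for any real methodCall
MAX_ELEMENTS = 2000          # assumption: caps element-flood payloads

# DOCTYPE / ENTITY declarations are what entity-expansion and XXE payloads need;
# XML-RPC never uses a DTD, so their mere presence is grounds for rejection.
_DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedRequest(Exception):
    pass


def check_xmlrpc_body(body: bytes) -> tuple:
    """Return (ok, reason); ok=False means answer HTTP 400 and skip the PHP handler."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size cap"
    if _DTD_RE.search(body):
        return False, "DTD or ENTITY declaration present"

    seen = {"root": None, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(*_args):       # belt and braces: expat still saw an entity decl
        raise RejectedRequest("entity declaration")

    def on_external_entity(*_args):   # never fetch external entities; 0 aborts the parse
        return 0

    def on_start(name, _attrs):
        if seen["root"] is None:
            seen["root"] = name
        seen["elements"] += 1
        if seen["elements"] > MAX_ELEMENTS:
            raise RejectedRequest("too many elements")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except RejectedRequest as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    if seen["root"] != "methodCall":
        return False, "root element is not methodCall"
    return True, "ok"


# Constructed sample bodies: a normal call and one carrying a DTD with an entity.
GOOD_BODY = b"<?xml version='1.0'?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
BAD_BODY = b"<?xml version='1.0'?><!DOCTYPE m [<!ENTITY e 'x'>]><methodCall><methodName>&e;</methodName></methodCall>"
```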
Service Info: Host: main.trentahost.com; OS: Red Hat Enterprise Linux 6; CPE: cpe:/o:redhat:enterprise_linux:6
WordPress version 4.8.2
Code:
PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           Pure-FTPd
25/tcp   filtered smtp
53/tcp   open     domain        ISC BIND 9.8.2rc1
80/tcp   open     http          LiteSpeed httpd
110/tcp  open     pop3          Dovecot pop3d
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap          Dovecot imapd
443/tcp  open     ssl/http      LiteSpeed httpd
445/tcp  filtered microsoft-ds
465/tcp  open     ssl/smtp      Exim smtpd 4.89
587/tcp  open     smtp          Exim smtpd 4.89
993/tcp  open     ssl/imap      Dovecot imapd
995/tcp  open     ssl/pop3      Dovecot pop3d
[!] Upload directory has directory listing enabled: https://trentahost.com/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://trentahost.com/wp-includes/
WordPress Login: https://trentahost.com/wp-admin/
Code:
[+] Interesting header: LINK: <https://trentahost.com/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <https://trentahost.com/>; rel=shortlink
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: SET-COOKIE: wfvt_4132048724=59e3afb77bd76; expires=Sun, 15-Oct-2017 19:27:59 GMT; Max-Age=1800; path=/; secure; httponly
[+] Interesting header: X-POWERED-BY: PHP/5.6.28
[+] XML-RPC Interface available under: https://trentahost.com/xmlrpc.php
[!] Upload directory has directory listing enabled: https://trentahost.com/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://trentahost.com/wp-includes/
[+] WordPress version 4.8.2 (Released on 2017-09-19) identified from advanced fingerprinting
[!] 1 vulnerability identified from the version number
[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    Reference: https://exploitbox.io/vuln/WordPress...2017-8295.html
    Reference: http://blog.dewhurstsecurity.com/201...dvisories.html
    Reference: https://core.trac.wordpress.org/ticket/25239
    Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2017-8295
[+] WordPress theme in use: infographer - v1.5
[+] Name: infographer - v1.5
 | Location: https://trentahost.com/wp-content/themes/infographer/
 | Style URL: https://trentahost.com/wp-content/th...pher/style.css
 | Theme Name: Infographer
 | Theme URI: http://demo.qodeinteractive.com/infographer/
 | Description: Infographer Theme
 | Author: Qode Interactive
 | Author URI: http://www.qodeinteractive.com/
[+] Enumerating plugins from passive detection ...
 | 7 plugins found:
[+] Name: advanced-iframe - v7.5
 | Last updated: 2017-10-02T21:34:00.000Z
 | Location: https://trentahost.com/wp-content/pl...vanced-iframe/
 | Readme: https://trentahost.com/wp-content/pl...ame/readme.txt
[!] The version is out of date, the latest version is 7.5.1
[+] Name: css3_web_pricing_tables_grids
 | Location: https://trentahost.com/wp-content/pl..._tables_grids/
 | Readme: https://trentahost.com/wp-content/pl...ids/readme.txt
[!] Directory listing is enabled: https://trentahost.com/wp-content/pl..._tables_grids/
[+] Name: foobar
 | Location: https://trentahost.com/wp-content/plugins/foobar/
 | Readme: https://trentahost.com/wp-content/pl...bar/readme.txt
[!] Directory listing is enabled: https://trentahost.com/wp-content/plugins/foobar/
[+] Name: interactive-world-maps
 | Location: https://trentahost.com/wp-content/pl...ve-world-maps/
[!] Directory listing is enabled: https://trentahost.com/wp-content/pl...ve-world-maps/
[+] Name: livicons-shortcodes
 | Location: https://trentahost.com/wp-content/pl...ns-shortcodes/
[+] Name: logos-showcase
 | Location: https://trentahost.com/wp-content/pl...ogos-showcase/
[!] Directory listing is enabled: https://trentahost.com/wp-content/pl...ogos-showcase/
[+] Name: revslider
 | Location: https://trentahost.com/wp-content/plugins/revslider/
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: WordPress Slider Revolution Local File Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/7540
    Reference: http://blog.sucuri.net/2014/09/slide...exploited.html
    Reference: http://packetstormsecurity.com/files/129761/
    Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2015-1579
    Reference: https://www.exploit-db.com/exploits/34511/
    Reference: https://www.exploit-db.com/exploits/36039/
[i] Fixed in: 4.1.5
[!] Title: WordPress Slider Revolution Shell Upload
    Reference: https://wpvulndb.com/vulnerabilities/7954
    Reference: https://whatisgon.wordpress.com/2014...vulnerability/
    Reference: https://www.rapid7.com/db/modules/ex...upload_execute
    Reference: https://www.exploit-db.com/exploits/35385/
[i] Fixed in: 3.0.96
MailMan: http://trentahost.com/mailman/listinfo - exploit: https://www.exploit-db.com/exploits/28570/ (there's a lot more that could be done with Mailman)