MLM bug in router

- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          202.67.9.166
+ Target Hostname:    flexterkita.com
+ Target Port:        80
+ Start Time:        2009-05-22 11:16:56
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.8
- Root page / redirects to: ./?pg=home
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.8
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8e-fips-rhel5 appears to be outdated (current is at least 0.9.8i) (may depend on server version)
+ mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082.
+ OSVDB-637: GET /~root - Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-0: GET /cgi-sys/formmail.pl : Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ OSVDB-0: GET /cgi-sys/guestbook.cgi : May allow attackers to execute commands as the web daemon.
+ OSVDB-0: GET /cgi-sys/Count.cgi : This may allow attackers to execute arbitrary commands on the server
+ OSVDB-3233: GET /mailman/listinfo : Mailman was found on the server.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /cgi-sys/entropysearch.cgi : Default CGI, often with a hosting manager of some sort. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: GET /cgi-sys/FormMail-clone.cgi : Default CGI, often with a hosting manager of some sort. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: GET /cgi-sys/mchat.cgi : Default CGI, often with a hosting manager of some sort. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: GET /cgi-sys/scgiwrap : Default CGI, often with a hosting manager of some sort. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: GET /img-sys/ : Default image directory should not allow directory listing.
+ OSVDB-3092: GET /java-sys/ : Default Java directory should not allow directory listing.
+ Default account found for 'Bandmin' at /bandwidth/index.cgi (ID '1502', PW '1502'). X-Micro WLAN 11b router
- Successfully authenticated to realm "Bandmin".

+ Default account found for 'Bandmin' at /bandwidth/index.cgi (ID '1502', PW '1502'). X-Micro WLAN 11b router
- Successfully authenticated to realm "Bandmin".  <<<<  router user name+password << cari yang mana user, yang mana password