Evaluation of Web Server Security Vulnerabilities at LPSE Palembang City (original title: Evaluasi Celah Keamanan Web Server pada LPSE Kota Palembang)
As information technology spreads through society, information systems are built to let the public access and search for information through websites. The Electronic Procurement Service (LPSE) of Palembang is a unit established to run the system for government procurement of goods and services electronically. So that companies and providers can take part in procurement without having to visit the LPSE office, LPSE provides a website that can be reached from anywhere. LPSE Palembang operates its own web server for this website, so the security of that server has to be considered; web servers are frequent targets for attackers. This study tests the security of the web server to determine whether it is secure against such attacks. The research uses penetration testing with several applications. The results reveal several vulnerabilities, and recommendations are given.
💡 Research Summary
The paper assesses the security of the web server that hosts the Electronic Procurement Service (LPSE) of Palembang, Indonesia. Because public e‑procurement platforms are attractive targets, the authors set out to determine whether the server is adequately protected against common attacks. The methodology follows a standard penetration‑testing lifecycle: (1) information gathering with WHOIS, DNS queries and Nmap to identify the server's IP address, operating system, open ports and service versions; (2) automated vulnerability scanning with OpenVAS, Nikto and OWASP ZAP to detect known CVEs and web‑application flaws; (3) manual verification and exploitation with Metasploit and custom scripts to confirm that the high‑risk findings are actually exploitable; and (4) risk rating with CVSS v3.1 scores, followed by recommendations.

The scans show the server running Apache 2.4.29, PHP 7.2 and MySQL 5.6, all of them outdated and missing recent security patches. OpenVAS flags critical issues including CVE‑2019‑0211, a local privilege escalation in Apache httpd 2.4.17 through 2.4.38 that lets code running inside a worker process gain root, and a PHP deserialization (unserialize) flaw that allows remote code execution. Nikto reports exposed server version banners and a directory‑indexing misconfiguration. ZAP finds insufficient input validation leading to SQL injection, an insecure file‑upload handler vulnerable to directory traversal, and an unprotected "/admin/" directory reachable without authentication. Exploitation succeeds in obtaining a remote shell through the PHP unserialize flaw, confirming that the weaknesses are not merely theoretical; a web shell of this kind is also exactly the foothold CVE‑2019‑0211 requires, since that bug only escalates privileges for code already executing inside Apache. The average CVSS score of 8.2 places the system in the high‑risk category and calls for immediate remediation.
The authors propose concrete countermeasures: regular patch management for the operating system and every component of the web stack; parameterized queries (or an ORM that uses them) as the primary defence against SQL injection, with strict input validation as a second layer; hardening of file‑upload handling with whitelist validation of the file type; multi‑factor authentication and IP‑based access controls for administrative interfaces; enforcement of HTTPS with HSTS, CSP and other security headers; and a continuous security‑testing and log‑monitoring programme. The study concludes that the LPSE Palembang web server harbours multiple critical vulnerabilities that jeopardize the confidentiality, integrity and availability of the e‑procurement service, and that prompt adoption of the recommended safeguards is needed both to protect public procurement and to serve as a model for securing similar government web platforms.
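The two application‑level findings above (SQL injection through string‑built queries, and a file‑upload handler that trusts the client‑supplied path) and their corresponding fixes (parameterized queries, whitelist validation with a server‑chosen filename) are shown below as an added example. It is not code from the paper or from the LPSE site: the real stack is PHP/MySQL, so Python with an in‑memory SQLite database stands in for it, and the user table, sample accounts, allowed file types and the `uploads` directory are all constructed assumptions.

```python
# Added example (not from the paper): vulnerable pattern beside its fix for the
# two web-application findings in the summary. Schema, accounts, file types and
# the upload directory are constructed assumptions, not the real LPSE setup.
import os
import secrets
import sqlite3
from pathlib import Path

UPLOAD_DIR = Path("uploads")  # assumed upload location (relative, so it runs anywhere)

# ---------- constructed sample data ----------
def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL user table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; real code stores a salted hash.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret", "admin"), ("vendor01", "pass1", "provider")])
    return conn

# ---------- finding 1: SQL injection ----------
def login_vulnerable(conn, username: str, password: str):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username: str, password: str):
    """Parameterized query: values travel separately from the statement, so a
    quote or comment marker in the input can never change the query structure."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# ---------- finding 2: file upload / directory traversal ----------
# Allowed extension -> leading bytes the content must start with (constructed list).
ALLOWED = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def upload_path_vulnerable(upload_dir: Path, client_filename: str) -> Path:
    """Trusts the client-supplied name, so '../' escapes the upload directory."""
    return upload_dir / client_filename

def upload_path_hardened(upload_dir: Path, client_filename: str, content: bytes) -> Path:
    """Whitelist the extension, check the bytes match it, and never reuse the
    client name: the stored name is random, so neither '../' nor a
    'shell.php.jpg'-style double extension survives."""
    # 1. Keep only the last path component, tolerating Windows separators.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("invalid filename")
    # 2. Whitelist the final extension (case-insensitive).
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    # 3. The content must look like the claimed type.
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # 4. Random server-side name carrying only the validated extension.
    final = (upload_dir / (secrets.token_hex(16) + ext)).resolve()
    # 5. Belt and braces: the resolved path must still sit inside upload_dir.
    if final.parent != upload_dir.resolve():
        raise ValueError("path escapes upload directory")
    return final

def upload_rejected(client_filename: str, content: bytes) -> bool:
    """True when the hardened handler refuses the upload."""
    try:
        upload_path_hardened(UPLOAD_DIR, client_filename, content)
        return False
    except ValueError:
        return True

def demo():
    conn = make_db()
    bypass = "admin' -- "  # closes the quote; '-- ' (with space) comments out the rest in SQLite and MySQL
    print("vulnerable login    :", login_vulnerable(conn, bypass, "wrong"))
    print("parameterized login :", login_parameterized(conn, bypass, "wrong"))
    print("vulnerable path     :", upload_path_vulnerable(UPLOAD_DIR, "../../etc/cron.d/job"))
    for name, body in [("report.pdf", b"%PDF-1.4 ..."), ("shell.php", b"<?php"),
                       ("../../etc/passwd", b"root:x:0:0"),
                       ("shell.php.jpg", b"<?php system($_GET['c']);")]:
        verdict = "rejected" if upload_rejected(name, body) else "stored under random name"
        print(f"hardened upload     : {name!r:28} -> {verdict}")

if __name__ == "__main__":
    demo()
```

The injected username returns the admin role from the string‑built query and nothing from the parameterized one; the hardened upload handler accepts only the well‑formed PDF, and because it discards the client's filename entirely it does not need to guess every traversal or double‑extension trick an attacker might try.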