roller-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anil Gangolli <a...@busybuddha.org>
Subject Re: security issue
Date Fri, 09 Sep 2011 15:34:38 GMT

It is not clear from these messages what the complaint is.   The 
messages seem to be about having detected a version of Websphere 
Application Server with a known security issue.   They do not seem 
related to Roller.  You should ask your auditors for clarification.

Also, at the end of these messages, there is a snippet of JSP code that 
may have been exposed because you have edited the index.jsp and 
introduced a syntax issue.

--a.


On 9/8/11 3:31 PM, Joe Faith wrote:
> Hi
>
>
> I'm using roller version 4.0.1 on tomcat 5.5.30 to run the blog on a small
> ecommerce site. We have been security scanned for PCI (credit card)
> accreditation, and this exposed the following issue. I'm not sure what the
> problem is here, or what the fix might be. Would upgrading to roller 5.0
> help (I've been putting this off!)
>
>
> Any help would be gratefully received.
>
>
> thanks
>
> Joe
>
> fundraisingskills.co.uk
>
>
> --
>
>
>
> we will need an explanation for the 200 OK.
>
> GET /news/index.jsp HTTP/1.0
> Host: n0nex1st
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Last-Modified: Tue, 06 Sep 2011 10:37:00 GMT
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 139127
> Date: Wed, 07 Sep 2011 19:21:43 GMT
> Connection: close
>
> vulnerability report:
>
>
>
> TCP
>
> 443
>
> https
>
> *5*
>
> Description: WebSphere JSP source disclosure in web document root
> 62-233-100-162.easydservers.com62.233.100 .162Linux 2.6.18 Sep 05 20:45:46
> 2011newSeverity: Area of Concern CVE:
> CVE-2005-1112<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1112>
>   5.01423new11Impact: Multiple vulnerabilities could allow a malicious user
> to crash the server, or obtain unauthorized access, or obtain sensitive
> information. Background: IBM WebSphere is e-business infrastructure
> software. One component of the WebSphere product line, WebSphere Application
> Server (WAS) is a Java-based environment for building e-business
> applications. Resolution WebSphere Application Server 7.0.x should be
> [http://www-01.ibm.com/support/docview.w
> ss?uid=swg27014463<http://www-01.ibm.com/support/docview.wss?uid=swg27014463>]
> upgraded to 7.0.0.15 or higher. WebSphere Application Server 6.1.x should be
> [http://www-01.ibm.com/support/docview.w
> ss?uid=swg27007951<http://www-01.ibm.com/support/docview.wss?uid=swg27007951>]
> upgraded to version 6.1.0.37 or higher. WebSphere Application Server 6.0.x
> should be [http://www-01.ibm.com/support/docview.w
> ss?uid=swg27006876<http://www-01.ibm.com/support/docview.wss?uid=swg27006876>]
> upgraded to version 6.0.2.43 or higher. WebSphere Application Server 5.1.x
> should be [http://www-1.ibm.com/support/docview.ws
> s?uid=swg27006879<http://www-1.ibm.com/support/docview.wss?uid=swg27006879>]
> upgraded to a version higher than 5.1.1.19. WebSphere Application Server 5.0
> through 5.0.2.10 should be upgraded to version 5.0.2.11. Install
> [http://www-1.ibm.com/support/docview.ws
> s?rs=180&context=SSEQTP&q=PQ62144&uid=swg2
> 4001610<http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610>]
> PQ62144 (supersedes PQ62249) for WebSphere 4.0.3 to remove the buffer
> overflow vulnerability, and move JSP files outside the document root of the
> web server. Install [http://www-1.ibm.com/support/docview.ws
> s?rs=180&context=SSEQTP&q=PQ81278&uid=swg2
> 4005943<http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943>]
> PQ81278 for WebSphere 5.0 through 5.0.2.1 to remove the XML Attribute
> Parsing Denial of Service vulnerability. Vulnerability Details: Service:
> https Sent: GET  /news/index.jsp HTTP/1.0 Host: n0nex1st Received:
> ?href="http://www.facebook.com/share.php
> ?u=<%=<http://www.facebook.com/share.php?u=%3C%25=>  request.getRequestURL()
> %>"
> [Hide]
>


Mime
View raw message