roller-user mailing list archives

From Joe Faith <joedotfa...@gmail.com>
Subject security issue
Date Thu, 08 Sep 2011 22:31:33 GMT
Hi

I'm using roller version 4.0.1 on tomcat 5.5.30 to run the blog on a small
ecommerce site. We have been security scanned for PCI (credit card)
accreditation, and this exposed the following issue. I'm not sure what the
problem is here, or what the fix might be. Would upgrading to roller 5.0
help? (I've been putting this off!)

Any help would be gratefully received.

thanks

Joe

fundraisingskills.co.uk

--

We will need an explanation for the 200 OK.

GET /news/index.jsp HTTP/1.0
Host: n0nex1st

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 06 Sep 2011 10:37:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 139127
Date: Wed, 07 Sep 2011 19:21:43 GMT
Connection: close

vulnerability report:

TCP 443 https *5*

Description: WebSphere JSP source disclosure in web document root
Host: 62-233-100-162.easydservers.com (62.233.100.162), Linux 2.6.18
Sep 05 20:45:46 2011  new
Severity: Area of Concern
CVE: CVE-2005-1112 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1112>
5.01423new11

Impact: Multiple vulnerabilities could allow a malicious user to crash the
server, or obtain unauthorized access, or obtain sensitive information.

Background: IBM WebSphere is e-business infrastructure software. One
component of the WebSphere product line, WebSphere Application Server (WAS),
is a Java-based environment for building e-business applications.

Resolution: WebSphere Application Server 7.0.x should be upgraded to 7.0.0.15
or higher [http://www-01.ibm.com/support/docview.wss?uid=swg27014463].
WebSphere Application Server 6.1.x should be upgraded to version 6.1.0.37 or
higher [http://www-01.ibm.com/support/docview.wss?uid=swg27007951].
WebSphere Application Server 6.0.x should be upgraded to version 6.0.2.43 or
higher [http://www-01.ibm.com/support/docview.wss?uid=swg27006876].
WebSphere Application Server 5.1.x should be upgraded to a version higher
than 5.1.1.19 [http://www-1.ibm.com/support/docview.wss?uid=swg27006879].
WebSphere Application Server 5.0 through 5.0.2.10 should be upgraded to
version 5.0.2.11. Install PQ62144 (supersedes PQ62249) for WebSphere 4.0.3
to remove the buffer overflow vulnerability
[http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610],
and move JSP files outside the document root of the web server. Install
PQ81278 for WebSphere 5.0 through 5.0.2.1 to remove the XML Attribute
Parsing Denial of Service vulnerability
[http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943].

Vulnerability Details:
Service: https
Sent: GET /news/index.jsp HTTP/1.0
      Host: n0nex1st
Received: href="http://www.facebook.com/share.php?u=<%= request.getRequestURL() %>"
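The evidence line in the report shows a JSP expression, `<%= request.getRequestURL() %>`, delivered to the client as literal text, which is what the scanner classifies as source disclosure. As an added example (not from the original message, Roller or the scanner), here is a Python check that scans a captured response body for unrendered JSP tags and ignores HTML-escaped copies; the two sample bodies are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of a body like the one the scanner received: the JSP
# expression reached the client verbatim instead of being evaluated.
SAMPLE_LEAKED_BODY = """<html><body>
<a href="http://www.facebook.com/share.php?u=<%= request.getRequestURL() %>">Share</a>
<%@ page import="java.util.Date" %>
<% String who = "visitor"; %>
</body></html>"""

# Constructed sample of the same page correctly rendered by the container.
# The HTML-escaped copy inside <code> is display text, not leaked source.
SAMPLE_RENDERED_BODY = """<html><body>
<a href="http://www.facebook.com/share.php?u=http://example.test/news/index.jsp">Share</a>
<code>&lt;%= request.getRequestURL() %&gt;</code>
</body></html>"""

# JSP expression (<%= %>), declaration (<%! %>), directive (<%@ %>) and
# scriptlet (<% %>) tags. None of these should ever appear literally in a
# response the container has served.
JSP_TAG = re.compile(r"<%[=!@]?\s*(.*?)\s*%>", re.DOTALL)

@dataclass
class Finding:
    kind: str     # "expression", "declaration", "directive" or "scriptlet"
    snippet: str  # the unrendered code that reached the client

def find_unrendered_jsp(body: str) -> list[Finding]:
    """Return every JSP tag that survived into a response body, in order.
    Escaped forms (&lt;% ... %&gt;) contain no '<%' and are not matched."""
    kinds = {"=": "expression", "!": "declaration", "@": "directive"}
    findings = []
    for m in JSP_TAG.finditer(body):
        marker = m.group(0)[2]  # character right after '<%'
        findings.append(Finding(kinds.get(marker, "scriptlet"), m.group(1)))
    return findings

def assess(status: int, body: str) -> str:
    """Classify a captured response. A 200 whose body still carries JSP tags
    is the source disclosure the report describes; a 200 without them is a
    normally rendered page; anything else was not served as a page."""
    leaks = find_unrendered_jsp(body)
    if status == 200 and leaks:
        return f"source-disclosure ({len(leaks)} unrendered JSP tag(s))"
    if status == 200:
        return "rendered"
    return f"not-served ({status})"
```

Run `assess(200, SAMPLE_LEAKED_BODY)` against a saved copy of your own response body to reproduce the classification the scanner made.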
