tomcat-users mailing list archives

From Wade Chandler <hwadechandler-apa...@yahoo.com>
Subject Re: PHP Security Vulnerability???
Date Sun, 16 Sep 2007 14:08:33 GMT
--- "Arend P. van der Veen" <apvanderveen@acm.org> wrote:
...
> >>>>
> >> Hi,
> >>
> >> This turned out to be a false positive.
> >>
> >> I use /cgi-bin as a url-pattern for a servlet mapping:
> >>
> >>      <servlet-mapping>
> >>          <servlet-name>ProxyServlet</servlet-name>
> >>          <url-pattern>/cgi-bin/*</url-pattern>
> >>      </servlet-mapping>
> >>
> >> I essentially was sending references to cgi-bin to apache listening on
> >> the loopback.  I also set a security-constraint for this url-pattern.
> >> Finally, I set the login-conf to form based authentication.  When Nessus
> >> tried to access URL such as /cgi-bin/phpinfo.pgp it returned an http
> >> error of 200 even though it did not exist.  Not sure why.  But Nessus
> >> assumed that the 200 meant that it existed.  When I switched the login
> >> configuration to basic authentication the problem went away.  This had
> >> something to do with form based authentication.
> >>
> >> I finally found a fix by simply changing the URL binding from
> >> cgi-bin to xyz.  Now with form based authentication everything works.
> >>
> >> Thanks,
> >> Arend
> >>
...
> Hi Martin,
> 
> I can supply you a couple of things:
> 
> 1.  Tomcat access logs showing the Nessus attack that generated the problem.
> 2.  A detailed description of my configuration that generated the error 
> and what I did to fix it.
> 3.  A sample app that generates the problem.
> 4.  All of the above.
> 
> Please let me know what you want and I will forward it to you.
> 
> Thanks,
> Arend
> 

I meant to write before, and it slipped my mind. The reason this occurs with form based
authentication is because form based authentication is a pure server side thing. It doesn't
tell the client...oh hey, by the way, I'm going to need you to authenticate. Instead it sends
back an actual web page which happens to ask the user to login. So, the scanner tried to hit
the URL it thought would have phpinfo (anything else under that path should give the same
results), and it did in fact get returned a valid HTML page, yet not anything related to
phpinfo. This sounds like a bug in the scanner though as it should analyze the return and not
whether something was just returned or not. Someone might have their server set up to return
a page which explains this is not available if on an external NIC port and if on an internal
one to return the actual phpinfo.

Wade


==================
Wade Chandler
Software Engineer and Developer

Netbeans Community and Dream Team Member:
http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam

Check out Netbeans at:
http://www.netbeans.org

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
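The false positive described in this thread comes down to a status-only check: a FORM login-config answers an unauthenticated probe with a 200 and the container's login page, while a BASIC login-config answers with a 401 challenge. The following is an added example for triaging such findings, written for this archive page and not code from either poster or from Tomcat or Nessus. The four HTTP responses are constructed samples; the `j_security_check` form action is the one the Servlet specification defines for FORM authentication, and the body markers used to recognise real phpinfo output (`phpinfo()`, `PHP Version`) are assumptions about what that page contains.

```python
"""Triage of a scanner's 'file exists' finding: status-only vs body-aware.

Added example for the thread above; not from the original posts.  The
sample responses are constructed, not captured traffic.  j_security_check
is the Servlet spec's FORM login action; the phpinfo markers are assumed.
"""
import re

# --- constructed sample responses as (status, headers, body) ---------------
# What a Tomcat FORM login-config returns for an unauthenticated request:
# a 200 carrying the login page, which is what fooled the scanner.
FORM_LOGIN_200 = (
    200,
    {"Content-Type": "text/html"},
    '<html><body><form method="POST" action="j_security_check">'
    '<input name="j_username"><input name="j_password" type="password">'
    "</form></body></html>",
)
# What a BASIC login-config returns: a 401 challenge, which scanners read
# as "protected" rather than "present".
BASIC_401 = (
    401,
    {"WWW-Authenticate": 'Basic realm="Protected"', "Content-Type": "text/html"},
    "<html><body>Unauthorized</body></html>",
)
# An actual phpinfo page (version string is a constructed placeholder).
REAL_PHPINFO_200 = (
    200,
    {"Content-Type": "text/html"},
    "<html><head><title>phpinfo()</title></head><body>"
    "<h1>PHP Version 0.0.0-placeholder</h1></body></html>",
)
NOT_FOUND_404 = (404, {"Content-Type": "text/html"}, "<html><body>Not Found</body></html>")

# Markers used by the body-aware check (assumptions, see lead-in).
FORM_LOGIN_RE = re.compile(r'action="[^"]*j_security_check"', re.I)
PHPINFO_RE = re.compile(r"phpinfo\(\)|PHP Version", re.I)


def naive_exists(status, headers, body):
    """The check the scanner in the thread effectively ran: any 200 means 'found'."""
    return status == 200


def classify(status, headers, body):
    """Body-aware triage of a probe response.

    Returns one of:
      'auth-required-basic'  401 with a WWW-Authenticate challenge
      'auth-required-form'   200 carrying the container's FORM login page
      'found'                200 whose body actually looks like phpinfo output
      'not-found'            404
      'other'                anything else; needs a human look
    """
    if status == 401 and "WWW-Authenticate" in headers:
        return "auth-required-basic"
    if status == 404:
        return "not-found"
    if status == 200:
        if FORM_LOGIN_RE.search(body):
            return "auth-required-form"
        if PHPINFO_RE.search(body):
            return "found"
    return "other"


def is_false_positive(response):
    """True when the status-only check fires but the body shows no phpinfo."""
    return naive_exists(*response) and classify(*response) != "found"


def triage(name, response):
    """(name, naive verdict, body-aware verdict, false-positive?) for one probe."""
    return name, naive_exists(*response), classify(*response), is_false_positive(response)


if __name__ == "__main__":
    for name, resp in [("form-login", FORM_LOGIN_200), ("basic", BASIC_401),
                       ("phpinfo", REAL_PHPINFO_200), ("missing", NOT_FOUND_404)]:
        print(triage(name, resp))
```

Run stand-alone, the script shows the form-login sample flagged as present by the status-only check and as a login page by the body-aware one, which is the whole discrepancy Wade describes: a FORM-protected path is indistinguishable from a hit unless the response body is inspected, while the BASIC 401 is unambiguous from the status line alone.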

