tomcat-users mailing list archives

From "Arend P. van der Veen" <apvanderv...@att.net>
Subject Re: PHP Security Vulnerability???
Date Sat, 15 Sep 2007 03:14:24 GMT
Joseph Millet wrote:
> You must have got a phpinfo() page running somewhere ....
> You can grep your www directory for that one ...
> 
> JJ
> 
> On 9/12/07, Arend P. van der Veen <apvanderveen@att.net> wrote:
>> Wade Chandler wrote:
>>> Does it give you any paths to this PHP application? I haven't seen
>>> anything like it from scanners on my server.
>>>
>>> Wade
>>>
>>> --- "Arend P. van der Veen" <apvanderveen@att.net> wrote:
>>>
>>>> Hi,
>>>>
>>>> I recently setup a server using Tomcat 5.5 on FreeBSD 6.2.  I thought I
>>>> had everything locked down.
>>>>
>>>> I ran a Nessus scan and found a strange vulnerability. It states:
>>>> The remote web server contains a PHP application that is affected by
>>>> multiple vulnerabilities.
>>>>
>>>> I am not using PHP.  Has anyone else seen this?
>>>>
>>>> Thanks,
>>>> Arend
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>
>>>
>>>
>> Hi Wade,
>>
>> I have Tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
>> (https) and use ipfw to forward from ports 80 and 443 respectively. Could
>> this be part of my problem? I am wondering if this is some kind of false
>> positive. Following is an excerpt from the Nessus scan report:
>>
>> ******************************************************************
>> Synopsis :
>>
>> The remote web server contains a PHP application that is affected by
>> multiple vulnerabilities.
>>
>> Description :
>>
>> The remote host is running phpSysInfo, a PHP application that parses
>> the /proc entries on Linux/Unix systems and displays them in HTML.
>>
>> The installed version of phpSysInfo on the remote host has a design
>> flaw in its globalization layer such that the script's variables can
>> be overwritten independent of PHP's 'register_globals' setting. By
>> exploiting this issue, an attacker may be able to read arbitrary files
>> on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
>> even execute arbitrary PHP code, both subject to the privileges of the
>> web server user id.
>>
>> In addition, the application fails to sanitize user-supplied input
>> before using it in dynamically-generated pages, which can be used to
>> conduct cross-site scripting and HTTP response splitting attacks.
>>
>> See also :
>>
>> http://www.hardened-php.net/advisory_222005.81.html
>>
>> Solution :
>>
>> Upgrade to phpSysInfo 2.4.1 or later.
>>
>> Risk factor :
>>
>> Low / CVSS Base Score : 2.3
>> (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
>> CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
>> BID : 7286, 15396, 15414
>> Nessus ID : 20215
>> ***********************************************************************
>>
>> Thanks,
>> Arend
>>
>>
>>
> 

Hi,

This turned out to be a false positive.

I use /cgi-bin as a url-pattern for a servlet mapping:

     <servlet-mapping>
         <servlet-name>ProxyServlet</servlet-name>
         <url-pattern>/cgi-bin/*</url-pattern>
     </servlet-mapping>

I essentially was sending references to cgi-bin to Apache listening on
the loopback. I also set a security-constraint for this url-pattern.
Finally, I set the login-config to form based authentication. When Nessus
tried to access a URL such as /cgi-bin/phpinfo.php it returned an HTTP
error of 200 even though it did not exist. Not sure why. But Nessus
assumed that the 200 meant that it existed. When I switched the login
configuration to basic authentication the problem went away. This had
something to do with form based authentication.

I finally found that simply changing the URL binding from cgi-bin to xyz
was enough. Now with form based authentication everything works.

Thanks,
Arend



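The false positive above has a general shape: a servlet container configured for FORM authentication answers any request for a URL under a protected url-pattern with the login page and a 200 status, so a scanner that equates 200 with "file present" reports phantom PHP scripts. The following is an added example, not code from the thread or from Nessus, of how to triage such a finding: fetch the flagged URL and a random canary path under the same prefix that cannot exist, then compare the two responses. It assumes the Servlet-spec form-login action `j_security_check` as the marker for a login page and the prefix `/cgi-bin` from the post; the sample responses at the bottom are constructed so the script runs offline.

```python
"""Triage a scanner 'resource exists' finding behind a FORM-auth servlet mapping.

If a flagged URL and a canary URL that cannot exist both come back with the
same status and an identical body (or both look like a form-login page),
the server is not distinguishing them and the finding is a false positive.
"""
import hashlib
import re
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urljoin

# Servlet-spec form-login target; a page posting here is the container's login form.
LOGIN_ACTION_RE = re.compile(r'action="?[^"\s>]*j_security_check', re.IGNORECASE)


@dataclass
class Response:
    status: int
    body: str


def canary_path(prefix: str) -> str:
    """Random path under the protected prefix, e.g. /cgi-bin/zz-<16 hex chars>."""
    return f"{prefix.rstrip('/')}/zz-{secrets.token_hex(8)}"


def looks_like_login_form(body: str) -> bool:
    """True when the body contains a form that submits to j_security_check."""
    return LOGIN_ACTION_RE.search(body) is not None


def classify(flagged: Response, canary: Response) -> str:
    """Compare the flagged response with the canary response.

    Returns one of:
      'false-positive:form-login'      both are the container's login page
      'false-positive:identical-body'  same status and byte-identical body
      'likely-real'                    the server treats the two URLs differently
    """
    if flagged.status != canary.status:
        return "likely-real"
    if looks_like_login_form(flagged.body) and looks_like_login_form(canary.body):
        return "false-positive:form-login"
    digest = lambda s: hashlib.sha256(s.encode("utf-8", "replace")).hexdigest()
    if digest(flagged.body) == digest(canary.body):
        return "false-positive:identical-body"
    return "likely-real"


def fetch(base_url: str, path: str, timeout: float = 10.0) -> Response:
    """GET base_url + path, returning status and body even for 4xx/5xx."""
    req = urllib.request.Request(urljoin(base_url, path),
                                 headers={"User-Agent": "finding-triage/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read().decode("utf-8", "replace"))


def triage(base_url: str, flagged_path: str, prefix: str) -> str:
    """Live check: fetch the flagged URL and a canary under the same prefix."""
    return classify(fetch(base_url, flagged_path),
                    fetch(base_url, canary_path(prefix)))


# Constructed sample responses (not captured from any real host).
SAMPLE_LOGIN_PAGE = (
    '<html><body><form method="POST" action="j_security_check">'
    '<input name="j_username"><input name="j_password"></form></body></html>'
)
SAMPLE_PHPSYSINFO = "<html><body><h1>phpSysInfo</h1><pre>Linux ...</pre></body></html>"
SAMPLE_NOT_FOUND = "<html><body>HTTP Status 404</body></html>"

if __name__ == "__main__":
    # The thread's situation: every /cgi-bin/* request gets the login page with 200.
    print(classify(Response(200, SAMPLE_LOGIN_PAGE), Response(200, SAMPLE_LOGIN_PAGE)))
    # A host that actually serves the application and 404s the canary.
    print(classify(Response(200, SAMPLE_PHPSYSINFO), Response(404, SAMPLE_NOT_FOUND)))
```

Run `triage("http://127.0.0.1:8080/", "/cgi-bin/phpinfo.php", "/cgi-bin")` against a test instance to apply the live check; the canary uses a fresh random suffix on each call so a cached or static catch-all page is compared on equal terms with the flagged URL.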