tomcat-users mailing list archives

From "Arend P. van der Veen" <apvanderv...@acm.org>
Subject Re: PHP Security Vulnerability???
Date Sun, 16 Sep 2007 13:25:26 GMT
Martin Gainty wrote:
> Good Evening Arend
> 
> Do you have data on this 'magic_quotes_gpc'  vulnerability
> Thanks for the headsup--
> 
> Martin--
> ----- Original Message -----
> From: "Arend P. van der Veen" <apvanderveen@att.net>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Friday, September 14, 2007 11:14 PM
> Subject: Re: PHP Security Vulnerability???
> 
> 
>> Joseph Millet wrote:
>>> you've must have got a phpinfo() page running somewhere ....
>>> you can grep your www directory for that one ...
>>>
>>> JJ
>>>
>>> On 9/12/07, Arend P. van der Veen <apvanderveen@att.net> wrote:
>>>> Wade Chandler wrote:
>>>>> Does it give you any paths to this PHP application? I haven't seen
>>>> anything like it from scanners
>>>>> on my server.
>>>>>
>>>>> Wade
>>>>>
>>>>> --- "Arend P. van der Veen" <apvanderveen@att.net> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I recently set up a server using Tomcat 5.5 on FreeBSD 6.2.  I thought I
>>>>>> had everything locked down.
>>>>>>
>>>>>> I ran a Nessus scan and found a strange vulnerability.  It states:
>>>>>> The remote web server contains a PHP application that is affected by
>>>>>> multiple vulnerabilities.
>>>>>>
>>>>>> I am not using PHP.  Has anyone else seen this?
>>>>>>
>>>>>> Thanks,
>>>>>> Arend
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>> Hi Wade,
>>>>
>>>> I have tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
>>>> (https) and use ipfw to forward from port 80 and 443 respectively.  Could
>>>> this be part of my problem?  I am wondering if this is some kind of false
>>>> positive.  Following is an excerpt from the Nessus Scan Report:
>>>>
>>>> ******************************************************************
>>>> Synopsis :
>>>>
>>>> The remote web server contains a PHP application that is affected by
>>>> multiple vulnerabilities.
>>>>
>>>> Description :
>>>>
>>>> The remote host is running phpSysInfo, a PHP application that parses
>>>> the /proc entries on Linux/Unix systems and displays them in HTML.
>>>>
>>>> The installed version of phpSysInfo on the remote host has a design
>>>> flaw in its globalization layer such that the script's variables can
>>>> be overwritten independent of PHP's 'register_globals' setting. By
>>>> exploiting this issue, an attacker may be able to read arbitrary files
>>>> on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
>>>> even execute arbitrary PHP code, both subject to the privileges of the
>>>> web server user id.
>>>>
>>>> In addition, the application fails to sanitize user-supplied input
>>>> before using it in dynamically-generated pages, which can be used to
>>>> conduct cross-site scripting and HTTP response splitting attacks.
>>>>
>>>> See also :
>>>>
>>>> http://www.hardened-php.net/advisory_222005.81.html
>>>>
>>>> Solution :
>>>>
>>>> Upgrade to phpSysInfo 2.4.1 or later.
>>>>
>>>> Risk factor :
>>>>
>>>> Low / CVSS Base Score : 2.3
>>>> (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
>>>> CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
>>>> BID : 7286, 15396, 15414
>>>> Nessus ID : 20215
>>>> ***********************************************************************
>>>>
>>>> Thanks,
>>>> Arend
>>>>
>>>>
>>>>
>> Hi,
>>
>> This turned out to be a false positive.
>>
>> I use /cgi-bin as a url-pattern for a servlet mapping:
>>
>>      <servlet-mapping>
>>          <servlet-name>ProxyServlet</servlet-name>
>>          <url-pattern>/cgi-bin/*</url-pattern>
>>      </servlet-mapping>
>>
>> I essentially was sending references to cgi-bin to apache listening on
>> the loopback.  I also set a security-constraint for this url-pattern.
>> Finally, I set the login-config to form based authentication.  When Nessus
>> tried to access a URL such as /cgi-bin/phpinfo.php it returned an HTTP
>> status of 200 even though the file did not exist.  Not sure why.  But Nessus
>> assumed that the 200 meant that it existed.  When I switched the login
>> configuration to basic authentication the problem went away.  This had
>> something to do with form based authentication.
>>
>> I finally found that simply changing the URL binding from cgi-bin to xyz
>> also works.  Now with form based authentication everything works.
>>
>> Thanks,
>> Arend
>>
>>
>>
> 
> 
> 
> 
Hi Martin,

I can supply you a couple of things:

1.  Tomcat access logs showing the Nessus attack that generated the problem.
2.  A detailed description of my configuration that generated the error 
and what I did to fix it.
3.  A sample app that generates the problem.
4.  All of the above.

Please let me know what you want and I will forward it to you.

Thanks,
Arend
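The false positive Arend describes in the quoted message, modelled as an added example (this is not code from the thread and not Tomcat code). A container that evaluates security constraints before resolving the requested resource will, under FORM authentication, answer any unauthenticated request below the protected url-pattern by serving the login page with status 200, whether or not the resource exists; a scanner that treats 200 as "file exists" then reports /cgi-bin/phpinfo.php and friends. BASIC authentication challenges with 401 instead, which is why switching the login-config made the finding disappear, and moving the mapping from /cgi-bin/* to /xyz/* simply takes the scanner's probe paths out of the protected area. The second check below is what a scanner should do: fetch a random canary path in the same directory and discount a 200 whose status and body are identical to the canary's. The container model, the path names and the login form are constructed for this example.

```python
"""Model of why a FORM-protected Tomcat url-pattern fools a naive
file-existence probe, with the baseline check that avoids it.
Added example; the container below is a stand-in, not Tomcat."""
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed stand-in for the login page a FORM-authenticated webapp serves.
LOGIN_FORM = '<form method="POST" action="j_security_check">login</form>'


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: '/cgi-bin/*' matches '/cgi-bin' and anything
    below it; any other pattern is an exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def make_container(auth_method: str,
                   protected: Iterable[str] = ("/cgi-bin/*",),
                   existing: Iterable[str] = ("/index.html",)
                   ) -> Callable[[str], Response]:
    """Return a fetch(path) function modelling an UNAUTHENTICATED request to
    a container that applies its security-constraint before it looks up the
    resource. 'existing' is the constructed set of real, unprotected files."""
    patterns = tuple(protected)
    files = frozenset(existing)

    def fetch(path: str) -> Response:
        if any(url_pattern_matches(p, path) for p in patterns):
            if auth_method == "FORM":
                # FORM auth forwards to the login page: 200 + form, never 404,
                # regardless of whether the requested resource exists.
                return Response(200, LOGIN_FORM)
            # BASIC auth issues a challenge instead.
            return Response(401, "Unauthorized")
        if path in files:
            return Response(200, "<html>real content for " + path + "</html>")
        return Response(404, "Not Found")

    return fetch


def naive_exists(fetch: Callable[[str], Response], path: str) -> bool:
    """The check that produced the false positive: 200 means it exists."""
    return fetch(path).status == 200


def exists_with_baseline(fetch: Callable[[str], Response], path: str) -> bool:
    """Discount a 200 that is indistinguishable from a 200 for a path that
    cannot exist in the same directory (login page, catch-all, soft-404)."""
    target = fetch(path)
    if target.status != 200:
        return False
    directory, _, _ = path.rpartition("/")
    canary = f"{directory}/{secrets.token_hex(8)}.php"  # random, cannot exist
    baseline = fetch(canary)
    same_as_canary = (baseline.status == target.status
                      and baseline.body == target.body)
    return not same_as_canary


if __name__ == "__main__":
    target = "/cgi-bin/phpinfo.php"
    for label, fetch in (("FORM", make_container("FORM")),
                         ("BASIC", make_container("BASIC")),
                         ("FORM, mapped to /xyz/*",
                          make_container("FORM", protected=("/xyz/*",)))):
        print(f"{label:24} naive={naive_exists(fetch, target)!s:5} "
              f"baseline={exists_with_baseline(fetch, target)}")
```

Running it prints one line per configuration: only the FORM-protected /cgi-bin/* case makes the naive check report phpinfo.php as present, and the baseline comparison rejects it because the canary gets the identical login page.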



