tomcat-users mailing list archives

From "Arend P. van der Veen" <>
Subject Re: PHP Security Vulnerability???
Date Mon, 17 Sep 2007 11:43:36 GMT
Wade Chandler wrote:
> --- "Arend P. van der Veen" <> wrote:
> ...
>>>> Hi,
>>>> This turned out to be a false positive.
>>>> I use /cgi-bin as a url-pattern for a servlet mapping:
>>>>      <servlet-mapping>
>>>>          <servlet-name>ProxyServlet</servlet-name>
>>>>          <url-pattern>/cgi-bin/*</url-pattern>
>>>>      </servlet-mapping>
>>>> I was essentially sending references to cgi-bin to Apache listening on
>>>> the loopback.  I also set a security-constraint for this url-pattern.
>>>> Finally, I set the login-config to form based authentication.  When Nessus
>>>> tried to access URLs such as /cgi-bin/phpinfo.php it returned an HTTP code
>>>> of 200 even though the file did not exist.  Not sure why.  But Nessus
>>>> assumed that the 200 meant that it existed.  When I switched the login
>>>> configuration to basic authentication the problem went away.  This had
>>>> something to do with form based authentication.
>>>> I finally found that it was enough to simply change the URL binding from
>>>> cgi-bin to xyz.  Now with form based authentication everything works.
>>>> Thanks,
>>>> Arend
> ...
>> Hi Martin,
>> I can supply you a couple of things:
>> 1.  Tomcat access logs showing the Nessus attack that generated the problem.
>> 2.  A detailed description of my configuration that generated the error 
>> and what I did to fix it.
>> 3.  A sample app that generates the problem.
>> 4.  All of the above.
>> Please let me know what you want and I will forward it to you.
>> Thanks,
>> Arend
> I meant to write before, and it slipped my mind. The reason this occurs with form based
> authentication is because form based authentication is a pure server side thing. It doesn't
> tell the client... oh hey, by the way, I'm going to need you to authenticate. Instead it sends
> back an actual web page which happens to ask the user to login. So, the scanner tried to hit
> the URL it thought would have phpinfo (anything else under that path should give the same
> results), and it did in fact get returned a valid HTML page, yet not anything related to
> phpinfo. This sounds like a bug in the scanner though, as it should analyze the return and
> not whether something was just returned or not. Someone might have their server set up to
> return a page which explains this is not available if on an external NIC port, and if on an
> internal one to return the actual phpinfo.
> Wade
> ==================
> Wade Chandler
> Software Engineer and Developer
> Netbeans Community and Dream Team Member:
This matches what I see.  Can I relay some of this information to Nessus 
in a bug report? Thanks for your help.
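The behaviour described in this thread, reproduced as an added example (this is not code from the thread, from Tomcat or from Nessus). The servers are simulated in-process with constructed responses: under a FORM-authenticated security constraint every unauthenticated request below /cgi-bin/* gets a 200 carrying the login page, under BASIC it gets a 401. `naive_check` does what the scanner appears to have done (treat 200 as "exists"); `classify` shows the check Wade asks for, deciding from the body, recognising the Tomcat login form by its `j_security_check` action, and probing a random sibling name to spot a catch-all page such as the "not available externally" notice he mentions. The phpinfo fingerprints and the verdict names are my own choices.

```python
"""Why Tomcat FORM authentication tripped a status-code-only scanner check.

Added example, not code from the mailing-list thread. The HTTP exchanges are
simulated in-process (constructed responses) to reproduce the behaviour the
thread describes: with FORM auth, every unauthenticated request under the
constrained url-pattern (/cgi-bin/* in the thread) is answered with 200 and the
login page, whether or not the requested resource exists; with BASIC auth the
same request gets a 401.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable

PROTECTED_PREFIX = "/cgi-bin/"   # the url-pattern from the thread, minus the '*'

# Constructed stand-in for a Tomcat FORM login page; j_security_check,
# j_username and j_password are the Servlet-spec form action/field names.
LOGIN_PAGE = (
    "<html><body><form method='POST' action='j_security_check'>"
    "<input name='j_username'><input name='j_password' type='password'>"
    "<input type='submit'></form></body></html>"
)

# Strings that genuine phpinfo() output contains (chosen for this example).
PHPINFO_MARKERS = re.compile(r"phpinfo\(\)|PHP Version|PHP License", re.IGNORECASE)


@dataclass
class Response:
    status: int
    body: str


Fetcher = Callable[[str], Response]


# --- simulated servers (constructed) ----------------------------------------

def tomcat_form_auth(path: str) -> Response:
    """Security constraint on /cgi-bin/* with <auth-method>FORM</auth-method>."""
    if path.startswith(PROTECTED_PREFIX):
        return Response(200, LOGIN_PAGE)      # login page, whatever was asked for
    return Response(404, "<html>not found</html>")


def tomcat_basic_auth(path: str) -> Response:
    """Same constraint with <auth-method>BASIC</auth-method>."""
    if path.startswith(PROTECTED_PREFIX):
        return Response(401, "")              # a challenge, not a page
    return Response(404, "<html>not found</html>")


def exposed_phpinfo(path: str) -> Response:
    """A host that really does serve phpinfo.php."""
    if path == "/cgi-bin/phpinfo.php":
        return Response(200, "<title>phpinfo()</title><h1>PHP Version 5.2.4</h1>")
    return Response(404, "<html>not found</html>")


def external_notice(path: str) -> Response:
    """Wade's scenario: an explanatory page for every /cgi-bin/ URL on the outside."""
    if path.startswith(PROTECTED_PREFIX):
        return Response(200, "<html>This service is not available from outside.</html>")
    return Response(404, "<html>not found</html>")


# --- scanner logic ----------------------------------------------------------

def naive_check(fetch: Fetcher, path: str = "/cgi-bin/phpinfo.php") -> bool:
    """What the scanner in the thread appears to do: 200 means the file exists."""
    return fetch(path).status == 200


def classify(fetch: Fetcher, path: str = "/cgi-bin/phpinfo.php") -> str:
    """Content-aware version: decide from the body, not from the status alone."""
    resp = fetch(path)
    if resp.status != 200:
        return "not-found"                    # 401/403/404/...: nothing to report
    if PHPINFO_MARKERS.search(resp.body):
        return "present"                      # body really looks like phpinfo output
    if "j_security_check" in resp.body:
        return "login-wall"                   # Tomcat FORM login page, not the target
    # Soft-404 / catch-all detection: request a name that cannot exist in the
    # same directory and see whether the server hands back the identical page.
    directory = path.rsplit("/", 1)[0]
    probe = fetch(f"{directory}/{secrets.token_hex(8)}.php")
    if probe.status == 200 and probe.body == resp.body:
        return "catch-all"                    # every name under here gets this page
    return "other-200"                        # a distinct page, but not phpinfo


if __name__ == "__main__":
    servers = [("FORM auth", tomcat_form_auth), ("BASIC auth", tomcat_basic_auth),
               ("exposed", exposed_phpinfo), ("external notice", external_notice)]
    for name, server in servers:
        print(f"{name:16} naive={naive_check(server)!s:5} content-aware={classify(server)}")
```

Run as a script it prints one line per simulated server: the FORM-auth host is flagged by `naive_check` but classified as `login-wall`, the BASIC-auth host is not flagged by either, the genuinely exposed host is `present`, and the external-notice host is `catch-all`. Switching the constraint to BASIC, as Arend did, makes the false positive disappear only because the scanner's status test happens to see a 401; the body-based check is what actually separates a login page from phpinfo output.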