tomcat-users mailing list archives

From "Arend P. van der Veen" <apvanderv...@acm.org>
Subject Re: PHP Security Vulnerability???
Date Mon, 17 Sep 2007 11:43:36 GMT
Wade Chandler wrote:
> --- "Arend P. van der Veen" <apvanderveen@acm.org> wrote:
> ...
>>>> Hi,
>>>>
>>>> This turned out to be a false positive.
>>>>
>>>> I use /cgi-bin as a url-pattern for a servlet mapping:
>>>>
>>>>      <servlet-mapping>
>>>>          <servlet-name>ProxyServlet</servlet-name>
>>>>          <url-pattern>/cgi-bin/*</url-pattern>
>>>>      </servlet-mapping>
>>>>
>>>> I essentially was sending references to cgi-bin to apache listening on
>>>> the loopback.  I also set a security-constraint for this url-pattern.
>>>> Finally, I set the login-conf to form based authentication.  When Nessus
>>>> tried to access a URL such as /cgi-bin/phpinfo.pgp it returned an http
>>>> error of 200 even though it did not exist.  Not sure why.  But Nessus
>>>> assumed that the 200 meant that it existed.  When I switched the login
>>>> configuration to basic authentication the problem went away.  This had
>>>> something to do with form based authentication.
>>>>
>>>> I finally found that I could simply change the URL binding from
>>>> cgi-bin to xyz.  Now with form based authentication everything works.
>>>>
>>>> Thanks,
>>>> Arend
>>>>
> ...
>> Hi Martin,
>>
>> I can supply you a couple of things:
>>
>> 1.  Tomcat access logs showing the Nessus attack that generated the problem.
>> 2.  A detailed description of my configuration that generated the error 
>> and what I did to fix it.
>> 3.  A sample app that generates the problem.
>> 4.  All of the above.
>>
>> Please let me know what you want and I will forward it to you.
>>
>> Thanks,
>> Arend
>>
> 
> I meant to write before, and it slipped my mind. The reason this occurs with form based
> authentication is because form based authentication is a pure server side thing. It doesn't tell
> the client...oh hey, by the way, I'm going to need you to authenticate. Instead it sends back an
> actual web page which happens to ask the user to login. So, the scanner tried to hit the URL it
> thought would have phpinfo (anything else under that path should give the same results), and it
> did in fact get returned a valid HTML page, yet not anything related to phpinfo. This sounds like
> a bug in the scanner though as it should analyze the return and not whether something was just
> returned or not. Someone might have their server set up to return a page which explains this is not
> available if on an external NIC port and if on an internal one to return the actual phpinfo.
> 
> Wade
> 
> 
> ==================
> Wade Chandler
> Software Engineer and Developer
> 
> Netbeans Community and Dream Team Member:
> http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam
> 
> Check out Netbeans at:
> http://www.netbeans.org
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
This matches what I see.  Can I relay some of this information to Nessus 
in a bug report? Thanks for your help.

Arend
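As an added example (not code from this thread, from Tomcat or from Nessus), a small Python model of the behaviour Wade describes: a security-constraint with FORM login answers any unauthenticated request under /cgi-bin/* with 200 plus a login page, so a status-only check reports the resource as present, while a check that compares the reply with a canary request under the same prefix and inspects the body does not. The container model, the login page and the "phpinfo()" marker are constructed assumptions; the j_security_check action is the standard servlet FORM-login target.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Constructed stand-in for the HTML page FORM authentication sends back.
LOGIN_PAGE = ('<html><body><form method="post" action="j_security_check">'
              '<input name="j_username"><input name="j_password"></form></body></html>')


def container(path, login_method, existing):
    """Toy model of the setup in the thread: everything under /cgi-bin/* sits
    behind a security-constraint. FORM auth replies to any unauthenticated
    request with 200 + login page whether or not the resource exists; BASIC
    auth replies with a 401 challenge instead. Other paths are served normally."""
    if path.startswith("/cgi-bin/"):
        if login_method == "FORM":
            return Response(200, LOGIN_PAGE, {"Content-Type": "text/html"})
        return Response(401, "", {"WWW-Authenticate": 'Basic realm="app"'})
    if path in existing:
        return Response(200, "<html><body>phpinfo()</body></html>")
    return Response(404, "<html>Not Found</html>")


def status_only_exists(fetch, path):
    """The inference the scanner made: a 200 means the resource exists."""
    return fetch(path).status == 200


def content_aware_exists(fetch, path, marker):
    """Fetch the target and a random canary sibling under the same prefix. A 200
    whose body equals the canary's (login page, soft-404) or that is recognisably
    a container login form is not evidence that the resource exists; only a
    body carrying the expected marker counts."""
    target = fetch(path)
    if target.status != 200:
        return False
    prefix = path.rsplit("/", 1)[0]
    canary = fetch(f"{prefix}/{secrets.token_hex(8)}.php")
    if canary.status == 200 and canary.body == target.body:
        return False  # same page for a nonexistent sibling: intercepted or soft-404
    if 'action="j_security_check"' in target.body:
        return False  # a FORM-login page, not the requested resource
    return marker in target.body
```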
