tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Gainty" <mgai...@hotmail.com>
Subject Re: PHP Security Vulnerability???
Date Sat, 16 Sep 2000 02:10:14 GMT
Good Evening Aren

Do you have data on this 'magic_quotes_gpc'  vulnerability
Thanks for the headsup--

Martin--
----- Original Message -----
From: "Arend P. van der Veen" <apvanderveen@att.net>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, September 14, 2007 11:14 PM
Subject: Re: PHP Security Vulnerability???


> Joseph Millet wrote:
> > you've must have got a phpinfo() page running somewhere ....
> > you can grep your www directory for that one ...
> >
> > JJ
> >
> > On 9/12/07, Arend P. van der Veen <apvanderveen@att.net> wrote:
> >> Wade Chandler wrote:
> >>> Does it give you any paths to this PHP application? I haven't seen
> >> anything like it from scanners
> >>> on my server.
> >>>
> >>> Wade
> >>>
> >>> --- "Arend P. van der Veen" <apvanderveen@att.net> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I recently setup a server using Tomcat 5.5 on FreeBSD 6.2.  I thought
I
> >>>> had everything locked down.
> >>>>
> >>>> I run a nessus scan and found a strange Vulnerability.  It says that
> >> states:
> >>>> The remote web server contains a PHP application that is affected by
> >>>> multiple vulnerabilities.
> >>>>
> >>>> I am not using PHP.  Has anyone else seen this?
> >>>>
> >>>> Thanks,
> >>>> Arend
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To start a new topic, e-mail: users@tomcat.apache.org
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To start a new topic, e-mail: users@tomcat.apache.org
> >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >> Hi Wade,
> >>
> >> I have tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
> >> (https) and use ipfw to forward from port 80 and 443 respectively.
Could
> >> this part of my problem?  I am wondering if this is some kind of false
> >> positive.  Following is an excerpt from the Nessus Scan Report:
> >>
> >> ******************************************************************
> >> Synopsis :
> >>
> >> The remote web server contains a PHP application that is affected by
> >> multiple vulnerabilities.
> >>
> >> Description :
> >>
> >> The remote host is running phpSysInfo, a PHP application that parses
> >> the /proc entries on Linux/Unix systems and displays them in HTML.
> >>
> >> The installed version of phpSysInfo on the remote host has a design
> >> flaw in its globalization layer such that the script's variables can
> >> be overwritten independent of PHP's 'register_globals' setting. By
> >> exploiting this issue, an attacker may be able to read arbitrary files
> >> on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
> >> even execute arbitrary PHP code, both subject to the privileges of the
> >> web server user id.
> >>
> >> In addition, the application fails to sanitize user-supplied input
> >> before using it in dynamically-generated pages, which can be used to
> >> conduct cross-site scripting and HTTP response splitting attacks.
> >>
> >> See also :
> >>
> >> http://www.hardened-php.net/advisory_222005.81.html
> >>
> >> Solution :
> >>
> >> Upgrade to phpSysInfo 2.4.1 or later.
> >>
> >> Risk factor :
> >>
> >> Low / CVSS Base Score : 2.3
> >> (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
> >> CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
> >> BID : 7286, 15396, 15414
> >> Nessus ID : 20215
> >> ***********************************************************************
> >>
> >> Thanks,
> >> Arens
> >>
> >> ---------------------------------------------------------------------
> >> To start a new topic, e-mail: users@tomcat.apache.org
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
> Hi,
>
> This turned out to be a false positive.
>
> I use /cgi-bin as a url-pattern for a servlet mapping:
>
>      <servlet-mapping>
>          <servlet-name>ProxyServlet</servlet-name>
>          <url-pattern>/cgi-bin/*</url-pattern>
>      </servlet-mapping>
>
> I essentially was sending references to cgi-bin to apache listening on
> the loopback.  I also set a security-constraint for this url-pattern.
> Finally, I set the login-conf to form based authentication.  When Nessus
> tried to access URL such s /cgi-bin/phpinfo.pgp it returned an http
> error of 200 even though it did not exist.  Not sure why.  But Nessus
> assumed that the 200 meant that it existed.  When I switched the login
> configuration to basic authentication the problem went away.  This had
> something to do with form based authentication.
>
> A finally found that if a simply changing the URL binding to from
> cgi-bin to xyz.  Now with form based authentication everything works.
>
> Thanks,
> Arend
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message