From: "Arend P. van der Veen"
To: Tomcat Users List <users@tomcat.apache.org>
Date: Sun, 16 Sep 2007 09:25:26 -0400
Subject: Re: PHP Security Vulnerability???
Message-ID: <46ED2EC6.6060905@acm.org>
Martin Gainty wrote:
> Good Evening Arend
>
> Do you have data on this 'magic_quotes_gpc' vulnerability
> Thanks for the heads-up--
>
> Martin--
> ----- Original Message -----
> From: "Arend P. van der Veen"
> To: "Tomcat Users List"
> Sent: Friday, September 14, 2007 11:14 PM
> Subject: Re: PHP Security Vulnerability???
>
>> Joseph Millet wrote:
>>> you must have got a phpinfo() page running somewhere ....
>>> you can grep your www directory for that one ...
>>>
>>> JJ
>>>
>>> On 9/12/07, Arend P. van der Veen wrote:
>>>> Wade Chandler wrote:
>>>>> Does it give you any paths to this PHP application? I haven't seen
>>>>> anything like it from scanners on my server.
>>>>>
>>>>> Wade
>>>>>
>>>>> --- "Arend P. van der Veen" wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I recently set up a server using Tomcat 5.5 on FreeBSD 6.2. I thought I
>>>>>> had everything locked down.
>>>>>>
>>>>>> I ran a Nessus scan and found a strange vulnerability. It states:
>>>>>> The remote web server contains a PHP application that is affected by
>>>>>> multiple vulnerabilities.
>>>>>>
>>>>>> I am not using PHP. Has anyone else seen this?
>>>>>>
>>>>>> Thanks,
>>>>>> Arend
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>> Hi Wade,
>>>>
>>>> I have tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
>>>> (https) and use ipfw to forward from port 80 and 443 respectively. Could
>>>> this be part of my problem? I am wondering if this is some kind of false
>>>> positive. Following is an excerpt from the Nessus Scan Report:
>>>>
>>>> ******************************************************************
>>>> Synopsis :
>>>>
>>>> The remote web server contains a PHP application that is affected by
>>>> multiple vulnerabilities.
>>>>
>>>> Description :
>>>>
>>>> The remote host is running phpSysInfo, a PHP application that parses
>>>> the /proc entries on Linux/Unix systems and displays them in HTML.
>>>>
>>>> The installed version of phpSysInfo on the remote host has a design
>>>> flaw in its globalization layer such that the script's variables can
>>>> be overwritten independent of PHP's 'register_globals' setting. By
>>>> exploiting this issue, an attacker may be able to read arbitrary files
>>>> on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
>>>> even execute arbitrary PHP code, both subject to the privileges of the
>>>> web server user id.
>>>>
>>>> In addition, the application fails to sanitize user-supplied input
>>>> before using it in dynamically-generated pages, which can be used to
>>>> conduct cross-site scripting and HTTP response splitting attacks.
>>>>
>>>> See also :
>>>>
>>>> http://www.hardened-php.net/advisory_222005.81.html
>>>>
>>>> Solution :
>>>>
>>>> Upgrade to phpSysInfo 2.4.1 or later.
>>>>
>>>> Risk factor :
>>>>
>>>> Low / CVSS Base Score : 2.3
>>>> (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
>>>> CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
>>>> BID : 7286, 15396, 15414
>>>> Nessus ID : 20215
>>>> ***********************************************************************
>>>>
>>>> Thanks,
>>>> Arend
>>>>
>> Hi,
>>
>> This turned out to be a false positive.
>>
>> I use /cgi-bin as a url-pattern for a servlet mapping:
>>
>>   <servlet-mapping>
>>     <servlet-name>ProxyServlet</servlet-name>
>>     <url-pattern>/cgi-bin/*</url-pattern>
>>   </servlet-mapping>
>>
>> I essentially was sending references to cgi-bin to apache listening on
>> the loopback. I also set a security-constraint for this url-pattern.
>> Finally, I set the login-config to form based authentication. When Nessus
>> tried to access a URL such as /cgi-bin/phpinfo.php it returned an http
>> status of 200 even though it did not exist. Not sure why. But Nessus
>> assumed that the 200 meant that it existed. When I switched the login
>> configuration to basic authentication the problem went away. This had
>> something to do with form based authentication.
>>
>> I finally found a fix: simply change the URL binding from
>> cgi-bin to xyz. Now with form based authentication everything works.
>>
>> Thanks,
>> Arend
>>
>
>
Hi Martin,

I can supply you a couple of things:

1. Tomcat access logs showing the Nessus attack that generated the problem.
2. A detailed description of my configuration that generated the error and what I did to fix it.
3. A sample app that generates the problem.
4. All of the above.

Please let me know what you want and I will forward it to you.

Thanks,
Arend
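The false positive Arend describes above has a simple mechanism: a `<security-constraint>` with FORM login answers every unauthenticated request under the constrained pattern by serving the login page, and that page comes back as HTTP 200 rather than the 401 that BASIC login produces. A scanner that treats "200" as "the file exists" therefore sees `/cgi-bin/phpinfo.php`, and every other PHP path it probes, as present. The following Python is an added example, not code from the poster, Nessus or the Tomcat project. `fake_tomcat`, `Response` and the path names are constructed stand-ins for the thread's setup; the only real identifier is `j_security_check`, the servlet-spec action URL that a FORM login page posts to. The canary-path check generalises beyond this thread to any prefix that answers everything identically (soft 404s, reverse-proxy default pages), which is the check a defender wants before escalating a scanner hit.

```python
"""Added example: why a FORM-protected prefix turns a status-code-only scanner
into a false-positive generator, and a triage check for such hits."""
import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-in for the thread's container (not real Tomcat code).
# Everything under /cgi-bin/ sits behind a <security-constraint>. With FORM
# login an unauthenticated request is answered with the login page and 200;
# with BASIC login it gets a 401. No PHP file exists behind the constraint.
def fake_tomcat(path: str, auth_method: str = "FORM") -> Response:
    if path.startswith("/cgi-bin/"):
        if auth_method == "FORM":
            return Response(200, "<html><form method='POST' action='j_security_check'>"
                                 "<input name='j_username'><input name='j_password'>"
                                 "</form></html>")
        return Response(401, "")
    if path == "/index.html":
        return Response(200, "<html>welcome</html>")
    return Response(404, "<html>HTTP Status 404 - " + path + "</html>")


def naive_exists(fetch: Callable[[str], Response], path: str) -> bool:
    """The heuristic the scanner appears to have applied: 200 means the file is there."""
    return fetch(path).status == 200


def looks_like_form_login(body: str) -> bool:
    """A servlet-spec FORM login page posts to j_security_check; seeing it in a
    200 body means we were shown the login page, not the resource we asked for."""
    return "j_security_check" in body


def is_catch_all(fetch: Callable[[str], Response], path: str) -> bool:
    """Fetch a random sibling that cannot exist. If it is answered identically,
    the prefix answers everything the same way (login page, soft 404, proxy
    default), so the probe's 200 says nothing about whether the file exists."""
    prefix = path.rsplit("/", 1)[0] + "/"
    canary = prefix + secrets.token_hex(8) + ".does-not-exist"
    probe, control = fetch(path), fetch(canary)
    return probe.status == control.status and probe.body == control.body


def triage(fetch: Callable[[str], Response], path: str) -> str:
    """Classify a scanner hit before treating it as a real finding."""
    resp = fetch(path)
    if resp.status != 200:
        return "not-present-or-denied"
    if is_catch_all(fetch, path):
        return "catch-all-login-page" if looks_like_form_login(resp.body) else "catch-all"
    return "likely-present"


if __name__ == "__main__":
    for auth in ("FORM", "BASIC"):
        fetch = lambda p, a=auth: fake_tomcat(p, a)
        print(auth, "naive:", naive_exists(fetch, "/cgi-bin/phpinfo.php"),
              "triage:", triage(fetch, "/cgi-bin/phpinfo.php"))
```

Run stand-alone, the FORM case shows the naive check reporting `phpinfo.php` as present while `triage` labels it a catch-all login page; the BASIC case answers 401 and is never counted as present, which matches the behaviour change Arend observed when he switched login methods. Against a live host, replace `fake_tomcat` with a function that performs the HTTP request and returns a `Response`.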