Hi,
On Tue, Sep 15, 2020 at 8:20 AM Pratik Shrestha wrote:
> Hi Guys,
>
> Just wanted to know if anyone found an idea on fixing it or a workaround.
>
Did you find what is the expected behavior by Qualys?
>
> Thanks
>
> Pratik.
>
> On Fri, Aug 28, 2020 at 10:46 AM Pratik Shrestha
> wrote:
>
Hi Guys,
Just wanted to know if anyone found an idea on fixing it or a workaround.
Thanks
Pratik.
On Fri, Aug 28, 2020 at 10:46 AM Pratik Shrestha
wrote:
> Hi Chris
>
>
>
>
> *This wasn't the case for httpd for many years. I don't know what it does
> these days, but it used to reply with a nic
Hi Chris
*This wasn't the case for httpd for many years. I don't know what it does
these days, but it used to reply with a nice "400 Bad Request" error just
like Tomcat is doing. The difference is that httpd has rich configuration
options to allow you to override that behavior.*
Correct. By defa
Merka,
On 8/27/20 06:32, Phoenix, Merka wrote:
> I think what the Qualys scan is trying to flag is that the server
> (Tomcat) is listening for both secured and unsecured traffic on
> the _same_ TCP port when the server should be listening for just
>
On 27/08/2020 11:32, Phoenix, Merka wrote:
> The error message returned by the Tomcat service, while certainly helpful to
> the remote client, is returning more information than it should (from a
> security-viewpoint).
What, exactly, are the security concerns here? Your comment suggests
there
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, 27 August, 2020 00:42
To: users@tomcat.apache.org
Subject: Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys
... (from earlier in this thread)
> On Wed, Aug 26, 2020 at 7:53 AM Pra
Mark,
Sorry for Top-posting.
I’m still wondering what is causing this Qualys finding.
I remember times when you got only garbage when you connected with http to
https. Probably Qualys was fine with that.
Now you get a nice 400 message that helps the user understand his mistake and
Qualys jump
On 27/08/2020 06:31, Terence M. Bandoian wrote:
> On 8/26/2020 11:27 PM, Pratik Shrestha wrote:
>> For me, there are two options for the fix which I am not able to make
>> them
>> work.
>>
>> 1. Either show 'ERR_EMPTY_RESP' like old Tomcat version 7 used to
>> show. As
>> far as I know, with To
-Original Message-
From: Christopher Schultz
Sent: Wednesday, August 26, 2020 2:56 PM
To: users@tomcat.apache.org
Subject: Re: Tomca
Original Message-
> From: Christopher Schultz
> Sent: Wednesday, August 26, 2020 2:56 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat v9 - Insecure transport vulnerability reported by
> Qualys
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
>
.
-Original Message-
From: Christopher Schultz
Sent: Wednesday, August 26, 2020 2:56 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys
Mark,
On 8/26/20 13:59, Mark Thomas wrote:
> On 26
Mark,
On 8/26/20 13:59, Mark Thomas wrote:
> On 26/08/2020 17:50, Christopher Schultz wrote:
>> On 8/26/20 05:27, Mark Thomas wrote:
>>> On 26/08/2020 08:14, Martin Grigorov wrote:
Hi,
On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha
>
Jon,
On 8/26/20 14:01, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Did Qualys include a QID with their report?
No, but the OP did include this:
"
Insecure transport
Group: Information Disclosure
CWE CWE-319
OWASP A3 Sensitive Data Exposure
WAS
v9 - Insecure transport vulnerability reported by Qualys
On 26/08/2020 17:50, Christopher Schultz wrote:
> On 8/26/20 05:27, Mark Thomas wrote:
>> On 26/08/2020 08:14, Martin Grigorov wrote:
>>> Hi,
>>>
>>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha
On 26/08/2020 17:50, Christopher Schultz wrote:
> On 8/26/20 05:27, Mark Thomas wrote:
>> On 26/08/2020 08:14, Martin Grigorov wrote:
>>> Hi,
>>>
>>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha
>>> wrote:
>>>
Thanks for reply,
Hi Peter - it complains on port 8443 which belongs t
Mark,
On 8/26/20 05:27, Mark Thomas wrote:
> On 26/08/2020 08:14, Martin Grigorov wrote:
>> Hi,
>>
>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha
>> wrote:
>>
>>> Thanks for reply,
>>>
>>> Hi Peter - it complains on port 8443 which belongs to T
On 26/08/2020 08:14, Martin Grigorov wrote:
> Hi,
>
> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha wrote:
>
>> Thanks for reply,
>>
>> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>>
>> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this security
>> vulnerability i
Hi,
On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha wrote:
> Thanks for reply,
>
> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>
> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this security
> vulnerability is given to us by Qualys scan. It tries to post plain HTTP
Pratik,
> On 26.08.2020 at 06:52, Pratik Shrestha wrote:
>
> Thanks for reply,
>
> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>
> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this security
> vulnerability is given to us by Qualys scan. It tries to post plain
Thanks for reply,
Hi Peter - it complains on port 8443 which belongs to Tomcat.
Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this security
vulnerability is given to us by Qualys scan. It tries to post plain HTTP
request on HTTPS port and then gets error message "Bad Request. This
com
On 25/08/2020 11:14, Pratik Shrestha wrote:
> Hi all,
>
> Tomcat version: 9.0.37
>
> Our website is running on Tomcat. We did Qualys vulnerability scan on our
> site. Scan shows below vulnerability.
>
> Insecure transport
> Group: Information Disclosure
> CWE CWE-319
> OWASP A3 Sensitive Data Ex
Pratik,
> On 25.08.2020 at 12:14, Pratik Shrestha wrote:
>
> Hi all,
>
> Tomcat version: 9.0.37
>
> Our website is running on Tomcat. We did Qualys vulnerability scan on our
> site. Scan shows below vulnerability.
>
> Insecure transport
> Group: Information Disclosure
> CWE CWE-319
> OWASP A
Hi all,
Tomcat version: 9.0.37
Our website is running on Tomcat. We did Qualys vulnerability scan on our
site. Scan shows below vulnerability.
Insecure transport
Group: Information Disclosure
CWE CWE-319
OWASP A3 Sensitive Data Exposure
WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
Please