Whoa... Just had my nightly report on the server, and thank God it was
running TC40b7 when I had a Nessus run :)
I got a TON of reports on CGIs installed on the system, and freaked out:
AAAHHH, someone broke into my server... UNTIL I saw a .exe CGI...
What, is it a UNIX or a WINDOWS box? Hmmm... There's something wrong here.
What do I find out? That Tomcat simply sets the "200 OK" status regardless
of whether the CGI exists or not! :) And so, PATCH! :)
(Amy, please review and commit!)
Pier
(BTW, wouldn't it be wise to disable CGI execution in the default
configuration? I don't know, after hearing about people running Tomcat as
root, I feel we really should!)
Index: CGIServlet.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets
/CGIServlet.java,v
retrieving revision 1.4
diff -c -3 -r1.4 CGIServlet.java
*** CGIServlet.java 2001/08/14 18:50:10 1.4
--- CGIServlet.java 2001/08/18 08:37:07
***************
*** 632,637 ****
--- 632,638 ----
if (cgiEnv.isValid()) {
out.println(cgiEnv.toString());
} else {
+ res.setStatus(404);
out.println("<H3>");
out.println("CGI script not found or not specified.");
out.println("</H3>");
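Review bot: the added `res.setStatus(404);` hard-codes the status where the servlet API already provides `HttpServletResponse.SC_NOT_FOUND`; use the constant. It also only takes effect if nothing has been written to the response before the `if (cgiEnv.isValid())` branch: a status set after the response is committed is silently ignored, so please confirm this is the first output in that code path. If the container's error page is acceptable here, `res.sendError(HttpServletResponse.SC_NOT_FOUND, "CGI script not found or not specified.");` would set the status and the body in one call and let the three hand-written `<H3>` println lines go.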
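The message above explains the scanner side of the problem: a CGI check that trusts "200 OK" alone is fooled by a server that answers 200 for scripts that do not exist, which is exactly why the Nessus run reported every CGI it knows about. The code below is an added example, not Pier's code and not part of Tomcat: it contrasts a naive status-only probe with one that first requests a path that cannot exist (a random "canary") and treats a 200 that matches the canary's response as a soft 404. The two fake servers, the CGI names and the response bodies are constructed for the example; the always-200 server mimics the behaviour described in the message, the other mimics the patched servlet.

```python
"""Soft-404 calibration for CGI existence probes (added example).

Constructed offline stand-ins for two servers: one that returns 404 for a
missing CGI, and one that, like the unpatched CGIServlet described above,
answers 200 no matter what. A scanner that only looks at the status code
reports every probe as a hit against the second server; the calibrated
probe first asks for a path that cannot exist and uses that answer as the
server's "not found" fingerprint.
"""
import secrets
from typing import Callable, List, Tuple

Response = Tuple[int, str]            # (HTTP status, response body)
Fetcher = Callable[[str], Response]   # stands in for an HTTP GET

# Constructed: the CGIs that "exist" on the fake servers.
EXISTING_CGIS = {"/cgi-bin/printenv", "/cgi-bin/test-cgi"}
MISSING_BODY = "<H3>CGI script not found or not specified.</H3>"


def honest_server(path: str) -> Response:
    """Constructed server that reports a missing CGI with 404."""
    if path in EXISTING_CGIS:
        return 200, "<PRE>PATH=/usr/bin</PRE>"
    return 404, MISSING_BODY


def always_200_server(path: str) -> Response:
    """Constructed server that, like the unpatched servlet, always says 200."""
    if path in EXISTING_CGIS:
        return 200, "<PRE>PATH=/usr/bin</PRE>"
    return 200, MISSING_BODY


def naive_probe(fetch: Fetcher, path: str) -> bool:
    """Status-only check: the logic that produces the false positives."""
    status, _ = fetch(path)
    return status == 200


def calibrated_probe(fetch: Fetcher, path: str) -> bool:
    """Request a random, non-existent path first and compare against it.

    A 200 whose body is identical to the canary's body is the server's
    "missing script" page, not evidence that the probed CGI exists.
    """
    canary = "/cgi-bin/" + secrets.token_hex(8)   # assumed to never exist
    miss_status, miss_body = fetch(canary)
    status, body = fetch(path)
    if status != 200:
        return False
    if miss_status == 200 and body == miss_body:
        return False                              # soft 404
    return True


# Constructed probe list in the spirit of a CGI scanner's dictionary.
PROBES = ["/cgi-bin/printenv", "/cgi-bin/test-cgi",
          "/cgi-bin/phf", "/scripts/cmd.exe"]


def scan(fetch: Fetcher, probe: Callable[[Fetcher, str], bool]) -> List[str]:
    """Return the sorted list of probes the given strategy reports as present."""
    return sorted(p for p in PROBES if probe(fetch, p))


if __name__ == "__main__":
    print("naive vs always-200:     ", scan(always_200_server, naive_probe))
    print("calibrated vs always-200:", scan(always_200_server, calibrated_probe))
    print("calibrated vs honest:    ", scan(honest_server, calibrated_probe))
```

Exact body equality is enough for the constructed servers; real scanners compare the canary and probe responses with a similarity threshold, because many "not found" pages echo the requested path. The server-side fix in the patch above (a real 404) removes the need for this calibration, which is the point of the message.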