Thanks Mark. Got clarified

On Thu, Nov 22, 2018 at 10:50 PM Mark Thomas <[email protected]> wrote:

> On November 22, 2018 4:19:40 PM UTC, GNK G <[email protected]> wrote:
> >Hello Team,
> >
> >According to the below link, we can check the vulnerability using
> >"status" worker
> >
> >https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
> >
> >I am able to simulate the issue using the above method.
> >
> >But it is specific only to "status" worker.
> >
> >Does that mean, the issue is only specific to "status" worker, if we
> >don't use it, is it not vulnerable.
>
> No. The vulnerability is not specific to the status worker.
>
> >I am trying the same method in other URL (by appending ;) in our
> >server, it is always going for authentication. So can I assume, it
> >does not affect other part in our server.
>
> No. Whether or not you are vulnerable will depend on multiple factors.
>
> If you are applying access controls in httpd to a subset of the URLs
> served by Tomcat or if Tomcat serves only a subset of the URLs accessible
> through httpd then you are probably vulnerable.
>
> Mark
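A log-review sketch for the condition described in the reply above, added here as an example that is not part of the thread or of mod_jk: it flags requests whose path falls under an httpd-protected prefix only once `;` path parameters are removed, so the httpd access control would not have matched the path as sent. The `PROTECTED` prefixes, the log lines and the simplified matching model (httpd compares the path as sent, the backend drops `;...` from each segment) are assumptions constructed for illustration.

```python
import re

# Hypothetical prefixes that carry <Location> access controls in httpd.
PROTECTED = ["/jkstatus", "/admin"]

# Request line and status inside an Apache combined-format log entry.
REQ = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2018:16:20:01 +0000] "GET /jkstatus HTTP/1.1" 401 381',
    '192.0.2.10 - - [22/Nov/2018:16:20:05 +0000] "GET /jkstatus; HTTP/1.1" 200 4211',
    '192.0.2.11 - - [22/Nov/2018:16:21:40 +0000] "GET /shop/cart;jsessionid=A1B2 HTTP/1.1" 200 912',
    '192.0.2.12 - - [22/Nov/2018:16:22:13 +0000] "GET /admin/users; HTTP/1.1" 401 381',
    '192.0.2.13 - - [22/Nov/2018:16:23:00 +0000] "GET /admin; HTTP/1.1" 200 1520',
]

def strip_path_params(path):
    """Drop ';...' from every path segment (assumed backend behaviour)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def under(prefix, path):
    """Prefix match on a segment boundary (assumed front-end behaviour)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def suspicious(line):
    """Return (prefix, path_as_sent, status) if the access control would be skipped."""
    m = REQ.search(line)
    if not m:
        return None
    raw = m.group(1).split("?", 1)[0]      # ignore the query string
    normalized = strip_path_params(raw)
    for prefix in PROTECTED:
        # Protected after normalisation, but not matched as sent.
        if under(prefix, normalized) and not under(prefix, raw):
            return (prefix, raw, int(m.group(2)))
    return None

def findings(lines):
    """Collect every flagged request from an iterable of log lines."""
    return [hit for hit in map(suspicious, lines) if hit]

if __name__ == "__main__":
    for prefix, path, status in findings(SAMPLE_LOG):
        print(f"review: {path!r} reaches {prefix!r} without matching it (status {status})")
```

A flagged request answered with a 2xx status is the case to investigate; ordinary `;jsessionid=` URLs outside the protected prefixes, or ones that still match the prefix as sent, are not reported.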
