Good Evening Arend

Do you have data on this 'magic_quotes_gpc' vulnerability?

Thanks for the heads-up--
Martin--

----- Original Message -----
From: "Arend P. van der Veen" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, September 14, 2007 11:14 PM
Subject: Re: PHP Security Vulnerability???

> Joseph Millet wrote:
> > you must have got a phpinfo() page running somewhere ....
> > you can grep your www directory for that one ...
> >
> > JJ
> >
> > On 9/12/07, Arend P. van der Veen <[EMAIL PROTECTED]> wrote:
> >> Wade Chandler wrote:
> >>> Does it give you any paths to this PHP application? I haven't seen anything like it from scanners
> >>> on my server.
> >>>
> >>> Wade
> >>>
> >>> --- "Arend P. van der Veen" <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I recently set up a server using Tomcat 5.5 on FreeBSD 6.2. I thought I
> >>>> had everything locked down.
> >>>>
> >>>> I ran a nessus scan and found a strange vulnerability. It states:
> >>>>
> >>>> The remote web server contains a PHP application that is affected by
> >>>> multiple vulnerabilities.
> >>>>
> >>>> I am not using PHP. Has anyone else seen this?
> >>>>
> >>>> Thanks,
> >>>> Arend
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To start a new topic, e-mail: users@tomcat.apache.org
> >>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>> For additional commands, e-mail: [EMAIL PROTECTED]
> >>>
> >> Hi Wade,
> >>
> >> I have tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
> >> (https) and use ipfw to forward from port 80 and 443 respectively. Could
> >> this be part of my problem? I am wondering if this is some kind of false
> >> positive. Following is an excerpt from the Nessus Scan Report:
> >>
> >> ******************************************************************
> >> Synopsis :
> >>
> >> The remote web server contains a PHP application that is affected by
> >> multiple vulnerabilities.
> >>
> >> Description :
> >>
> >> The remote host is running phpSysInfo, a PHP application that parses
> >> the /proc entries on Linux/Unix systems and displays them in HTML.
> >>
> >> The installed version of phpSysInfo on the remote host has a design
> >> flaw in its globalization layer such that the script's variables can
> >> be overwritten independent of PHP's 'register_globals' setting. By
> >> exploiting this issue, an attacker may be able to read arbitrary files
> >> on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
> >> even execute arbitrary PHP code, both subject to the privileges of the
> >> web server user id.
> >>
> >> In addition, the application fails to sanitize user-supplied input
> >> before using it in dynamically-generated pages, which can be used to
> >> conduct cross-site scripting and HTTP response splitting attacks.
> >>
> >> See also :
> >>
> >> http://www.hardened-php.net/advisory_222005.81.html
> >>
> >> Solution :
> >>
> >> Upgrade to phpSysInfo 2.4.1 or later.
> >>
> >> Risk factor :
> >>
> >> Low / CVSS Base Score : 2.3
> >> (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
> >> CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
> >> BID : 7286, 15396, 15414
> >> Nessus ID : 20215
> >> ***********************************************************************
> >>
> >> Thanks,
> >> Arend
> >
>
> Hi,
>
> This turned out to be a false positive.
>
> I use /cgi-bin as a url-pattern for a servlet mapping:
>
> <servlet-mapping>
>   <servlet-name>ProxyServlet</servlet-name>
>   <url-pattern>/cgi-bin/*</url-pattern>
> </servlet-mapping>
>
> I essentially was sending references to cgi-bin to apache listening on
> the loopback. I also set a security-constraint for this url-pattern.
> Finally, I set the login-conf to form based authentication. When Nessus
> tried to access a URL such as /cgi-bin/phpinfo.pgp it returned an http
> error of 200 even though it did not exist. Not sure why. But Nessus
> assumed that the 200 meant that it existed. When I switched the login
> configuration to basic authentication the problem went away. This had
> something to do with form based authentication.
>
> I finally found that simply changing the URL binding from
> cgi-bin to xyz fixes it. Now with form based authentication everything works.
>
> Thanks,
> Arend
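
The false positive described in the thread (a scanner taking HTTP 200 as proof that a guessed file exists, while the server answers 200 for every URL under /cgi-bin/) can be confirmed with a control request for a name that cannot exist. The following is an added example, not part of the original thread; the stub server, its login page and all function names are constructed for illustration and only imitate the behaviour reported above.

```python
import http.client
import http.server
import threading
import uuid

LOGIN_PAGE = b"<html><form method='post'>login</form></html>"  # constructed

class StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: any GET under /cgi-bin/ returns the login form with 200."""
    def do_GET(self):
        if self.path.startswith("/cgi-bin/"):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(LOGIN_PAGE)
        else:
            self.send_error(404)

def fetch(port, path):  # returns (status, body) from the local stub
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def classify_finding(port, prefix, reported):
    """Compare the reported file with a random control name under the same prefix."""
    control = prefix + uuid.uuid4().hex  # a name that cannot exist on the server
    c_status, c_body = fetch(port, control)
    r_status, r_body = fetch(port, prefix + reported)
    if r_status != 200:
        return "not present"
    if c_status == 200 and c_body == r_body:
        return "likely false positive: prefix answers 200 for any path"
    return "needs review: 200 only for the reported path"

def run_demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return [classify_finding(srv.server_port, p, "phpinfo.pgp")
                for p in ("/cgi-bin/", "/other/")]
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Against a real host the same comparison applies to the path the scanner reported: identical 200 responses for the reported name and the random control name mean the finding rests on the status code alone.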