--- "Arend P. van der Veen" <[EMAIL PROTECTED]> wrote:
...
> >> Hi,
> >>
> >> This turned out to be a false positive.
> >>
> >> I use /cgi-bin as a url-pattern for a servlet mapping:
> >>
> >> <servlet-mapping>
> >>   <servlet-name>ProxyServlet</servlet-name>
> >>   <url-pattern>/cgi-bin/*</url-pattern>
> >> </servlet-mapping>
> >>
> >> I essentially was sending references to cgi-bin to apache listening on
> >> the loopback. I also set a security-constraint for this url-pattern.
> >> Finally, I set the login-conf to form based authentication. When Nessus
> >> tried to access a URL such as /cgi-bin/phpinfo.php it returned an http
> >> error of 200 even though it did not exist. Not sure why. But Nessus
> >> assumed that the 200 meant that it existed. When I switched the login
> >> configuration to basic authentication the problem went away. This had
> >> something to do with form based authentication.
> >>
> >> I finally found that simply changing the URL binding from
> >> cgi-bin to xyz works. Now with form based authentication everything works.
> >>
> >> Thanks,
> >> Arend
> >> ...
>
> Hi Martin,
>
> I can supply you a couple of things:
>
> 1. Tomcat access logs showing the Nessus attack that generated the problem.
> 2. A detailed description of my configuration that generated the error
>    and what I did to fix it.
> 3. A sample app that generates the problem.
> 4. All of the above.
>
> Please let me know what you want and I will forward it to you.
>
> Thanks,
> Arend
>
I meant to write before, and it slipped my mind. The reason this occurs with form based authentication is because form based authentication is a pure server side thing. It doesn't tell the client...oh hey, by the way, I'm going to need you to authenticate. Instead it sends back an actual web page which happens to ask the user to login. So, the scanner tried to hit the URL it thought would have phpinfo (anything else under that path should give the same results), and it did in fact get returned a valid HTML page, yet not anything related to phpinfo.

This sounds like a bug in the scanner though as it should analyze the return and not whether something was just returned or not. Someone might have their server set up to return a page which explains this is not available if on an external NIC port and if on an internal one to return the actual phpinfo.

Wade

==================
Wade Chandler
Software Engineer and Developer
Netbeans Community and Dream Team Member:
http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam
Check out Netbeans at:
http://www.netbeans.org
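The check Wade describes (look at what came back, not just that a 200 came back) can be done when triaging scanner output. The following is an added example, not code from the thread or from Tomcat or Nessus: it recognises a Servlet-spec form login page by its standard `j_security_check` action and `j_username`/`j_password` fields, and compares a probe response against a baseline fetched for a path that is known not to exist. The `classify` function, the sample HTML and the "soft-404" label are all constructed for this illustration.

```python
from html.parser import HTMLParser

# Servlet-spec form authentication (Tomcat included) posts the login form
# to j_security_check with j_username / j_password. A login page served
# for every URL under a security-constraint betrays itself by these names.
FORM_AUTH_ACTION = "j_security_check"
FORM_AUTH_FIELDS = ("j_username", "j_password")

class _FormScanner(HTMLParser):
    """Collects <form action> values and <input name> values from HTML."""
    def __init__(self):
        super().__init__()
        self.actions, self.inputs = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])

def is_form_login_page(body: str) -> bool:
    """True if the HTML body is a Servlet form-auth login page."""
    p = _FormScanner()
    p.feed(body)
    return (any(x.endswith(FORM_AUTH_ACTION) for x in p.actions)
            and all(f in p.inputs for f in FORM_AUTH_FIELDS))

def classify(status: int, body: str, baseline: str) -> str:
    """Judge a probe result. `baseline` is the body returned for a path
    that is certain not to exist (hypothetical: /cgi-bin/<random>)."""
    if status != 200:
        return "absent"
    if is_form_login_page(body):
        return "login-wall"   # an auth challenge; says nothing about the file
    if body.strip() == baseline.strip():
        return "soft-404"     # same page as for a bogus path, so not a hit
    return "found"

# Constructed sample responses (not taken from the original thread).
LOGIN_PAGE = """<html><body><form method="post" action="j_security_check">
<input name="j_username"><input name="j_password" type="password">
<input type="submit"></form></body></html>"""
PHPINFO_PAGE = "<html><body><h1>PHP Version 5.2.0</h1></body></html>"

if __name__ == "__main__":
    # The thread's case: 200 for /cgi-bin/phpinfo.php, but the body is the login form.
    print(classify(200, LOGIN_PAGE, LOGIN_PAGE))    # login-wall
    print(classify(200, PHPINFO_PAGE, LOGIN_PAGE))  # found
```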