----- Original Message ----
From: Arend P. van der Veen <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Monday, September 17, 2007 7:43:36 AM
Subject: Re: PHP Security Vulnerability???
Wade Chandler wrote:
> --- "Arend P. van der Veen" <[EMAIL PROTECTED]> wrote:
> ...
>>>> Hi,
>>>>
>>>> This turned out to be a false positive.
>>>>
>>>> I use /cgi-bin as a url-pattern for a servlet mapping:
>>>>
>>>> <servlet-mapping>
>>>>   <servlet-name>ProxyServlet</servlet-name>
>>>>   <url-pattern>/cgi-bin/*</url-pattern>
>>>> </servlet-mapping>
>>>>
>>>> I essentially was sending references to cgi-bin to apache listening on
>>>> the loopback. I also set a security-constraint for this url-pattern.
>>>> Finally, I set the login-conf to form based authentication. When Nessus
>>>> tried to access a URL such as /cgi-bin/phpinfo.pgp it returned an http
>>>> error of 200 even though it did not exist. Not sure why. But Nessus
>>>> assumed that the 200 meant that it existed. When I switched the login
>>>> configuration to basic authentication the problem went away. This had
>>>> something to do with form based authentication.
>>>>
>>>> I finally found that simply changing the URL binding from cgi-bin to
>>>> xyz fixes it. Now with form based authentication everything works.
>>>>
>>>> Thanks,
>>>> Arend
>>>>
> ...
>> Hi Martin,
>>
>> I can supply you a couple of things:
>>
>> 1. Tomcat access logs showing the Nessus attack that generated the problem.
>> 2. A detailed description of my configuration that generated the error
>>    and what I did to fix it.
>> 3. A sample app that generates the problem.
>> 4. All of the above.
>>
>> Please let me know what you want and I will forward it to you.
>>
>> Thanks,
>> Arend
>>
>
> I meant to write before, and it slipped my mind. The reason this occurs with
> form based authentication is because form based authentication is a pure
> server side thing. It doesn't tell the client...oh hey, by the way, I'm going
> to need you to authenticate. Instead it sends back an actual web page which
> happens to ask the user to login.
> So, the scanner tried to hit the URL it thought would have phpinfo (anything
> else under that path should give the same results), and it did in fact get
> returned a valid HTML page, yet not anything related to phpinfo. This sounds
> like a bug in the scanner though, as it should analyze the return and not
> whether something was just returned or not. Someone might have their server
> set up to return a page which explains this is not available if on an
> external NIC port and if on an internal one to return the actual phpinfo.
>
> Wade
>
>
> ==================
> Wade Chandler
> Software Engineer and Developer
>
> Netbeans Community and Dream Team Member:
> http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam
>
> Check out Netbeans at:
> http://www.netbeans.org
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> This matches what I see. Can I relay some of this information to Nessus
> in a bug report? Thanks for your help.

Absolutely, I believe anything from a public mailing list is free for all ;-)

Wade
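The false positive discussed in this thread, as an added example that is not code from the thread, from Tomcat or from Nessus: a small Python classifier that judges a scanner probe by status code and body together, so a Tomcat FORM login page (the j_security_check form) returned with HTTP 200 is recorded as "no evidence the resource exists" rather than as a hit, while a BASIC challenge (401) and a genuine hit are kept apart. The sample responses, the `evidence` string and the verdict names are all constructed for the demonstration.

```python
# Added example (not from the thread): triage scanner hits by status AND body.
# Tomcat FORM login answers a protected URL with 200 plus an HTML login page,
# so "200 == resource exists" is wrong; BASIC auth answers 401 instead.

# Markers of Tomcat's container-managed FORM login page (j_security_check).
LOGIN_FORM_MARKERS = ("j_security_check", "j_username", "j_password")


def classify_probe(status, headers, body, evidence):
    """Classify one probe response.

    evidence: text the real resource would contain (assumption: the caller
    knows what a genuine hit looks like, e.g. the phpinfo() page title).
    Returns: absent | auth_required | login_page | present | unconfirmed
    """
    lowered_headers = {k.lower() for k in headers}
    lowered_body = body.lower()
    if status == 404:
        return "absent"
    if status == 401 and "www-authenticate" in lowered_headers:
        return "auth_required"      # BASIC/DIGEST challenge, nothing served
    if status == 200 and any(m in lowered_body for m in LOGIN_FORM_MARKERS):
        return "login_page"         # the 200 the scanner misread as a hit
    if status == 200 and evidence.lower() in lowered_body:
        return "present"            # body really carries the resource
    return "unconfirmed"            # other 2xx/3xx/5xx: needs a human look


# Constructed sample responses modelling the cases in the thread.
SAMPLES = {
    "form_auth": (200, {"Content-Type": "text/html"},
                  "<html><form method='POST' action='j_security_check'>"
                  "<input name='j_username'><input name='j_password'>"
                  "</form></html>"),
    "basic_auth": (401, {"WWW-Authenticate": 'Basic realm="cgi"'},
                   "<html>Unauthorized</html>"),
    "real_hit": (200, {"Content-Type": "text/html"},
                 "<html><title>phpinfo()</title>PHP Version 5.2.x</html>"),
    "missing": (404, {"Content-Type": "text/html"}, "<html>Not Found</html>"),
}


def triage(samples=SAMPLES, evidence="phpinfo()"):
    """Run the classifier over a dict of (status, headers, body) tuples."""
    return {name: classify_probe(s, h, b, evidence)
            for name, (s, h, b) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:>10}: {verdict}")
```

The same check can be run over a real scanner's raw responses to separate "served a login page" findings from genuine ones before they reach a report.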