Martin Gainty wrote:
Good Evening Aren

Do you have data on this 'magic_quotes_gpc' vulnerability?
Thanks for the heads-up--

Martin--
----- Original Message -----
From: "Arend P. van der Veen" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, September 14, 2007 11:14 PM
Subject: Re: PHP Security Vulnerability???


Joseph Millet wrote:
You must have got a phpinfo() page running somewhere ...
You can grep your www directory for that one ...

JJ

On 9/12/07, Arend P. van der Veen <[EMAIL PROTECTED]> wrote:
Wade Chandler wrote:
Does it give you any paths to this PHP application? I haven't seen
anything like it from scanners
on my server.

Wade

--- "Arend P. van der Veen" <[EMAIL PROTECTED]> wrote:

Hi,

I recently set up a server using Tomcat 5.5 on FreeBSD 6.2.  I thought I
had everything locked down.

I ran a Nessus scan and found a strange vulnerability.  It states:
The remote web server contains a PHP application that is affected by
multiple vulnerabilities.

I am not using PHP.  Has anyone else seen this?

Thanks,
Arend

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Hi Wade,

I have Tomcat sitting on 127.0.0.1:8080 (http) and 127.0.0.1:8081
(https) and use ipfw to forward from port 80 and 443 respectively.  Could
this be part of my problem?  I am wondering if this is some kind of false
positive.  Following is an excerpt from the Nessus scan report:

******************************************************************
Synopsis :

The remote web server contains a PHP application that is affected by
multiple vulnerabilities.

Description :

The remote host is running phpSysInfo, a PHP application that parses
the /proc entries on Linux/Unix systems and displays them in HTML.

The installed version of phpSysInfo on the remote host has a design
flaw in its globalization layer such that the script's variables can
be overwritten independent of PHP's 'register_globals' setting. By
exploiting this issue, an attacker may be able to read arbitrary files
on the remote host (if PHP's 'magic_quotes_gpc' setting is off) and
even execute arbitrary PHP code, both subject to the privileges of the
web server user id.

In addition, the application fails to sanitize user-supplied input
before using it in dynamically-generated pages, which can be used to
conduct cross-site scripting and HTTP response splitting attacks.

See also :

http://www.hardened-php.net/advisory_222005.81.html

Solution :

Upgrade to phpSysInfo 2.4.1 or later.

Risk factor :

Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
CVE : CVE-2003-0536, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348
BID : 7286, 15396, 15414
Nessus ID : 20215
***********************************************************************

Thanks,
Arend



Hi,

This turned out to be a false positive.

I use /cgi-bin as a url-pattern for a servlet mapping:

     <servlet-mapping>
         <servlet-name>ProxyServlet</servlet-name>
         <url-pattern>/cgi-bin/*</url-pattern>
     </servlet-mapping>

I was essentially sending references to cgi-bin to Apache listening on
the loopback.  I also set a security-constraint for this url-pattern.
Finally, I set the login-config to form-based authentication.  When Nessus
tried to access a URL such as /cgi-bin/phpinfo.php it returned an HTTP
200 even though it did not exist.  Not sure why.  But Nessus
assumed that the 200 meant that it existed.  When I switched the login
configuration to basic authentication the problem went away.  This had
something to do with form-based authentication.

I finally found that simply changing the URL binding from
cgi-bin to xyz also works.  Now, with form-based authentication, everything works.

Thanks,
Arend







Hi Martin,

I can supply you a couple of things:

1. Tomcat access logs showing the Nessus attack that generated the problem.
2. A detailed description of my configuration that generated the error and what I did to fix it.
3. A sample app that generates the problem.
4. All of the above.

Please let me know what you want and I will forward it to you.

Thanks,
Arend


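The mechanism Arend describes (a FORM-authenticated security-constraint on /cgi-bin/* answering 200 with the login page for any path, so a scanner that equates 200 with "exists" reports phpSysInfo on a server with no PHP) can be reproduced and checked with a small model. What follows is an added example written for this page; it is not code from the thread, from Tomcat, or from the Nessus plugin. The web.xml is constructed to match the poster's description (servlet and security patterns, FORM or BASIC login-config; the XML namespace is omitted), the /login.jsp and /error.jsp names, the `user` role, the canary path and the `container()` behaviour are assumptions, and j_security_check is the form action the Servlet specification defines for FORM login. The two probes show the naive 200-only check firing under FORM, falling silent under BASIC and under the /xyz/* rebinding, and a canary-plus-login-page check that never fires on the login page.

```python
"""Model of the scanner false positive described above: a form-login-protected
url-pattern returns 200 for every path beneath it.  Constructed example, not the
poster's code or Tomcat's own logic."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.xml in the shape the poster describes (namespace omitted):
# ProxyServlet on /cgi-bin/*, a security-constraint on the same pattern, and a
# login-config whose auth-method can be switched between FORM and BASIC.
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>ProxyServlet</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cgi</web-resource-name>
      <url-pattern>/cgi-bin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>{method}</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# j_security_check is the form action the Servlet spec mandates for FORM auth, so a
# body containing it is a login page, not the resource that was asked for.
LOGIN_FORM = '<form method="POST" action="j_security_check">'


@dataclass
class Response:
    status: int
    body: str


def protected_patterns(web_xml):
    """Return (url-patterns covered by a security-constraint, auth-method)."""
    root = ET.fromstring(web_xml)
    patterns = [p.text for sc in root.findall("security-constraint")
                for p in sc.iter("url-pattern")]
    return patterns, root.findtext("login-config/auth-method")


def matches(pattern, path):
    """Servlet-style path matching: '/x/*' covers /x and everything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def container(web_xml, path, existing=frozenset(), authenticated=False):
    """Simplified container (assumed behaviour): an unauthenticated request to a
    protected path gets the login page (FORM, status 200) or a challenge (BASIC,
    status 401) before anyone checks whether the resource exists at all."""
    patterns, method = protected_patterns(web_xml)
    if not authenticated and any(matches(p, path) for p in patterns):
        if method == "FORM":
            return Response(200, "<html><body>" + LOGIN_FORM + "</body></html>")
        if method == "BASIC":
            return Response(401, "")  # carries WWW-Authenticate: Basic in real life
    if path in existing:
        return Response(200, "<html>real resource</html>")
    return Response(404, "Not Found")


def naive_probe(web_xml, path):
    """The check the poster inferred the scanner made: status 200 means 'exists'."""
    return container(web_xml, path).status == 200


def careful_probe(web_xml, path, canary="/cgi-bin/zz-does-not-exist-5f9c.php"):
    """A 200 counts only if it is not a login page and differs from the answer for
    a path that certainly does not exist (the canary, an assumed name)."""
    hit = container(web_xml, path)
    if hit.status != 200 or LOGIN_FORM in hit.body:
        return False
    canary_hit = container(web_xml, canary)
    return (hit.status, hit.body) != (canary_hit.status, canary_hit.body)
```

Running `naive_probe(WEB_XML.format(method="FORM"), "/cgi-bin/phpinfo.php")` reproduces the finding; switching the method to BASIC, or rebinding both patterns to /xyz/*, makes it go away for exactly the reasons the thread gives, while `careful_probe` rejects the login page in every configuration. The same canary comparison is the quickest way to confirm a scanner hit by hand: request a random filename under the flagged directory and see whether you get the identical page.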
