Wade Chandler wrote:
--- "Arend P. van der Veen" <[EMAIL PROTECTED]> wrote:
...
Hi,

This turned out to be a false positive.

I use /cgi-bin as a url-pattern for a servlet mapping:

     <servlet-mapping>
         <servlet-name>ProxyServlet</servlet-name>
         <url-pattern>/cgi-bin/*</url-pattern>
     </servlet-mapping>

I essentially was sending references to cgi-bin to apache listening on
the loopback.  I also set a security-constraint for this url-pattern.
Finally, I set the login-conf to form based authentication.  When Nessus
tried to access a URL such as /cgi-bin/phpinfo.pgp it returned an http
error of 200 even though it did not exist.  Not sure why.  But Nessus
assumed that the 200 meant that it existed.  When I switched the login
configuration to basic authentication the problem went away.  This had
something to do with form based authentication.

I finally found that simply changing the URL binding from
cgi-bin to xyz fixed it.  Now with form based authentication everything works.

Thanks,
Arend

...
Hi Martin,

I can supply you a couple of things:

1. Tomcat access logs showing the Nessus attack that generated the problem.
2. A detailed description of my configuration that generated the error and what I did to fix it.
3. A sample app that generates the problem.
4. All of the above.

Please let me know what you want and I will forward it to you.

Thanks,
Arend


I meant to write before, and it slipped my mind. The reason this occurs with
form based authentication is because form based authentication is a pure
server side thing. It doesn't tell the client...oh hey, by the way, I'm going
to need you to authenticate. Instead it sends back an actual web page which
happens to ask the user to login. So, the scanner tried to hit the URL it
thought would have phpinfo (anything else under that path should give the same
results), and it did in fact get returned a valid HTML page, yet not anything
related to phpinfo. This sounds like a bug in the scanner though as it should
analyze the return and not whether something was just returned or not. Someone
might have their server setup to return a page which explains this is not
available if on an external NIC port and if on an internal one to return the
actual phpinfo.

Wade


==================
Wade Chandler
Software Engineer and Developer

Netbeans Community and Dream Team Member:
http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam

Check out Netbeans at:
http://www.netbeans.org

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
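The distinction Wade describes, written up as an added example (not code from the thread or from Tomcat): a response classifier that treats a 200 carrying a Servlet form-login page as an authentication challenge rather than a hit. It assumes the login form posts to j_security_check, which is the action the Servlet specification defines for form-based authentication; the sample responses are constructed.

```python
"""Classify probe responses so that a form-login page served with HTTP 200
is not mistaken for the resource that was requested."""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Servlet form-based auth posts credentials to j_security_check; a 200 whose
# body contains such a form is the container's login page, not the resource.
FORM_LOGIN_RE = re.compile(
    r'<form[^>]+action=["\']?[^"\'>]*j_security_check', re.IGNORECASE)


def classify(resp: Response) -> str:
    """Return 'auth-required', 'not-found', 'found' or 'other'."""
    has_challenge = any(k.lower() == "www-authenticate" for k in resp.headers)
    if resp.status == 401 and has_challenge:
        return "auth-required"      # basic auth: explicit challenge
    if resp.status == 404:
        return "not-found"
    if resp.status == 200:
        if FORM_LOGIN_RE.search(resp.body):
            return "auth-required"  # form auth: 200 + login page, as in the thread
        return "found"
    return "other"


# Constructed sample responses (not captured from the poster's server).
SAMPLES = {
    "form_login_200": Response(200, {"Content-Type": "text/html"},
        '<html><body><form method="POST" action="/proxy/j_security_check">'
        '<input name="j_username"><input name="j_password"></form></body></html>'),
    "basic_401": Response(401, {"WWW-Authenticate": 'Basic realm="proxy"'}),
    "real_page_200": Response(200, {"Content-Type": "text/html"},
        "<html><body><h1>PHP Version X.Y</h1><table></table></body></html>"),
    "missing_404": Response(404, {}, "Not Found"),
}


def probe_report() -> dict:
    """Classify every sample; only 'found' entries would be worth reporting."""
    return {name: classify(r) for name, r in SAMPLES.items()}
```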


This matches what I see. Can I relay some of this information to Nessus in a bug report? Thanks for your help.

Arend
