[AWS] Nessus reports security hole in aws?

Preben Randhol randhol@pvv.org
Wed, 15 Oct 2003 14:05:27 +0200


Hi

I was running the hello_world demo of aws on my machine while checking
it with nessus. I got this feedback:

 . Vulnerability found on port unknown (8080/tcp) :


    It is possible to retrieve the password of the remote guestbook application
    by requesting the file 'passwd.txt' in files/

    Solution : Delete the guestbook CGI
    Risk factor : Low
    BID : 7167


 . Information found on port unknown (8080/tcp)


    A web server is running on this port

 . Information found on port unknown (8080/tcp)



    This web server is [mis]configured in that it
    does not return '404 Not Found' error codes when
    a non-existent file is requested, perhaps returning
    a site map or search page or authentication page instead.

    Unfortunately, we were unable to find a way to recognize this page,
    so some CGI-related checks have been disabled.

    To work around this issue, please contact the Nessus team.

 . Information found on port unknown (8080/tcp)


    The remote web server type is :

    AWS (Ada Web Server) v1.3

    Solution : We recommend that you configure (if possible) your web server to
    return a bogus Server header in order to not leak information.


I don't understand this. Is it just a false alert or not?

Thanks in advance

Preben
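One way to check whether the 'passwd.txt' finding is a side effect of the catch-all behaviour the scan describes (the server answering every unknown path with the same page instead of a 404), together with the Server header disclosure. This is an added example, not part of the original post nor AWS code; it assumes the server under test is reachable on the host and port passed to `http_fetch`, and the two `fake_*` functions are constructed stand-ins used for offline testing.

```python
"""Audit a web server for catch-all responses and a version-revealing Server header.
Added example (not from AWS or the mailing-list post); the fake_* fetchers are
constructed stand-ins so the logic can be exercised without a live server."""
import http.client
import secrets
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str], Response]

def http_fetch(host: str, port: int) -> Fetch:
    """Build a fetcher for a real server, e.g. http_fetch("localhost", 8080)."""
    def fetch(path: str) -> Response:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    return fetch

def audit_not_found(fetch: Fetch) -> Dict[str, object]:
    """Request two random, certainly non-existent paths and compare the answers."""
    paths = ["/" + secrets.token_hex(8) + ".txt" for _ in range(2)]
    results = [fetch(p) for p in paths]
    statuses = [status for status, _, _ in results]
    server = results[0][1].get("server", "")
    # A server that returns 200 with identical content for two different random
    # names cannot be used to tell a present file from an absent one, so any
    # "file X exists" probe (like the passwd.txt check) is not meaningful.
    catch_all = all(s == 200 for s in statuses) and results[0][2] == results[1][2]
    return {
        "returns_404": all(s == 404 for s in statuses),
        "catch_all": catch_all,
        "server_header": server,
        # Any digit in the Server header is treated as a version disclosure.
        "leaks_version": any(ch.isdigit() for ch in server),
    }

def fake_catch_all(path: str) -> Response:
    """Constructed stand-in: same page and a versioned Server header for every path."""
    return 200, {"server": "AWS (Ada Web Server) v1.3"}, b"<html>Hello World</html>"

def fake_strict(path: str) -> Response:
    """Constructed stand-in: proper 404 and a generic Server header."""
    return 404, {"server": "webserver"}, b"Not Found"

if __name__ == "__main__":
    print(audit_not_found(fake_catch_all))
```

Run it against a live instance with `audit_not_found(http_fetch("localhost", 8080))`; a `catch_all` result means the scanner's file-existence findings should be verified by hand.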