[AWS] Nessus reports security hole in aws?
Pascal Obry
p.obry@wanadoo.fr
Wed, 15 Oct 2003 14:55:59 +0200
Preben,
> I was running the hello_world demo of aws on my machine while checking
> it with nessus. I got this feedback:
>
> . Vulnerability found on port unknown (8080/tcp) :
>
>
> It is possible to retrieve the password of the remote guestbook application
> by requesting the file 'passwd.txt' in files/
>
> Solution : Delete the guestbook CGI
> Risk factor : Low
> BID : 7167
???
> . Information found on port unknown (8080/tcp)
>
>
> A web server is running on this port
Ok.
> . Information found on port unknown (8080/tcp)
>
>
>
> This web server is [mis]configured in that it
> does not return '404 Not Found' error codes when
> a non-existent file is requested, perhaps returning
> a site map or search page or authentication page instead.
>
> Unfortunately, we were unable to find a way to recognize this page,
> so some CGI-related checks have been disabled.
>
> To work around this issue, please contact the Nessus team.
Of course since Hello World demo always returns the same page.
> . Information found on port unknown (8080/tcp)
>
>
> The remote web server type is :
>
> AWS (Ada Web Server) v1.3
>
> Solution : We recommend that you configure (if possible) your web server
> to return a bogus Server header in order to not leak information.
???
> I don't understand this. Is it just a false alert or not?
Indeed some of the feedback is just nonsense to me :)
Pascal.
--
--|------------------------------------------------------
--| Pascal Obry Team-Ada Member
--| 45, rue Gabriel Peri - 78114 Magny Les Hameaux FRANCE
--|------------------------------------------------------
--| http://perso.wanadoo.fr/pascal.obry
--| "The best way to travel is by means of imagination"
--|
--| gpg --keyserver wwwkeys.pgp.net --recv-key C1082595
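An added check, not from this thread or the AWS project, that reproduces the two Nessus findings discussed above against constructed responses: one mimicking the hello_world demo as scanned (same page for every path, product and version in the Server header), and one for a hypothetical hardened configuration that answers unknown URIs with 404 and strips the version from the Server header. The `fetch` callables, the probe path prefix and the response bodies are all assumptions made for the example.

```python
import re
import secrets

# Constructed responses standing in for the two servers compared here:
# the AWS hello_world demo as scanned in the post (every request gets the
# same 200 page and a Server header naming product and version) and a
# hypothetical hardened configuration (404 for unknown URIs, generic Server).
DEMO_PAGE = b"<html><body>Hello World!</body></html>"

def demo_fetch(path: str) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: AWS (Ada Web Server) v1.3\r\n"
            b"Content-Type: text/html\r\n\r\n" + DEMO_PAGE)

def hardened_fetch(path: str) -> bytes:
    if path != "/":
        return (b"HTTP/1.1 404 Not Found\r\nServer: AWS\r\n"
                b"Content-Type: text/html\r\n\r\n<html>Not found</html>")
    return (b"HTTP/1.1 200 OK\r\nServer: AWS\r\n"
            b"Content-Type: text/html\r\n\r\n" + DEMO_PAGE)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit(fetch) -> dict:
    """Reproduce the two Nessus findings: request a random path that cannot
    exist and check for a 404; then look for a version in the Server header."""
    probe = "/audit-probe-" + secrets.token_hex(8)  # assumed probe prefix
    status, headers, body = parse_response(fetch(probe))
    _, _, root_body = parse_response(fetch("/"))
    version = re.search(r"v?\d+(?:\.\d+)+", headers.get("server", ""))
    return {
        "returns_404": status == 404,
        # The same page for a bogus path and for "/" is the catch-all
        # behaviour that made Nessus disable its CGI-related checks.
        "catch_all": status != 404 and body == root_body,
        "server_header": headers.get("server", ""),
        "leaks_version": version is not None,
    }

if __name__ == "__main__":
    for name, fetch in (("demo", demo_fetch), ("hardened", hardened_fetch)):
        print(name, audit(fetch))
```

Run against a live server by replacing `fetch` with a function that performs the HTTP request and returns the raw response bytes.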