[AWS] Nessus reports security hole in aws?
Preben Randhol
randhol@pvv.org
Wed, 15 Oct 2003 16:57:55 +0200
Pascal Obry <p.obry@wanadoo.fr> wrote on 15/10/2003 (16:02) :
>
> Preben,
>
> > tried the text_input and now I get a bunch of serious security alerts:
> >
> > Problem is that I don't understand where these .cgi etc.. files are.
> > They are not on my system. Is the problem that aws doesn't give a 404
> > when one write http://localhost:8080/somelink.html and then nessus
> > thinks this file is installed?
>
> Yes that's the only explanation I have. It would be more interesting to run
> Nessus with the WS demo. It does return a 404 if a file is not found.
Here is the report from the ws test. I don't know if it makes any sense either.
Nessus Scan Report
------------------
. Vulnerability found on port unknown (1234/tcp) :
Allaire JRun 3.0/3.1 under a Microsoft IIS 4.0/5.0 platform has a
problem handling malformed URLs. This allows a remote user to browse
the file system under the web root (normally \inetpub\wwwroot).
Under Windows NT/2000(any service pack) and IIS 4.0/5.0:
- JRun 3.0 (all editions)
- JRun 3.1 (all editions)
Upon sending a specially formed request to the web server, containing
a '.jsp' extension makes the JRun handle the request. Example:
http://www.victim.com/%3f.jsp
This vulnerability allows anyone with remote access to the web server
to browse it and any directory within the web root.
Solution:
From Macromedia Product Security Bulletin (MPSB01-13)
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full
Macromedia recommends, as a best practice, turning off directory
browsing for the JRun Default Server in the following applications:
- Default Application (the application with '/' mapping that causes
the security problem)
- Demo Application
Also, make sure any newly created web application that uses the '/'
mapping has directory browsing off.
The changes that need to be made in the JRun Management Console or JMC:
- JRun Default Server/Web Applications/Default User Application/File
Settings/Directory Browsing Allowed set to FALSE.
- JRun Default Server/Web Applications/JRun Demo/File Settings/
Directory Browsing Allowed set to FALSE.
Restart the servers after making the changes and the %3f.jsp request
should now return a 403 forbidden. When this bug is fixed, the request
(regardless of directory browsing setting) should return a '404 page
not found'.
The directory browsing property is called [file.browsedirs]. Changing
the property via the JMC will cause the following changes:
JRun 3.0 will write [file.browsedirs=false] in the local.properties
file. (server-wide change)
JRun 3.1 will write [file.browsedirs=false] in the webapp.properties
of the application.
Risk factor : Medium
BID : 3592
. Warning found on port unknown (1234/tcp)
The following CGI directories are browsable :
.
This shows an attacker the name of the installed common scripts and those
which are written by the webmaster and thus may be exploitable.
Solution : Make these directories non-browsable.
Risk factor : Medium
. Warning found on port unknown (1234/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting
vulnerability (XSS). The vulnerability is caused
by the result returned to the user when a non-existing file is requested
(e.g. the result contains the JavaScript provided
in the request).
The vulnerability would allow an attacker to make the server present the
user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust
level of the server (for example, the trust level of banks, shopping
centers, etc. would usually be high).
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
- http://httpd.apache.org/info/css-security/
. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html
BID : 5305, 7353, 7344, 8037
. Information found on port unknown (1234/tcp)
A web server is running on this port
. Information found on port unknown (1234/tcp)
The following directories were discovered:
/demos, /docs, /icons, /include, /soap, /src, /ssl, /tools
. Information found on port unknown (1234/tcp)
The remote web server type is :
AWS (Ada Web Server) v1.3
Solution : We recommend that you configure (if possible) your web server to
return a bogus Server header in order to not leak information.
. Information found on port unknown (1234/tcp)
The following PDF files (.pdf) are available on the remote server :
/docs/aws.pdf
You should make sure that none of these files contain confidential or
otherwise sensitive information.
An attacker may use these files to gain a more intimate knowledge of
your organization and eventually use them to perform social engineering
attacks (abusing the trust of the personnel of your company).
Solution : sensitive files should not be accessible by everyone, but only
by authenticated users.
Preben
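The mechanism discussed above (a server that answers 200 for any path makes every CGI the scanner probes look present, and echoing the requested path into the error page is what the XSS warning keys on) can be checked directly before trusting a scan result. The following is an added example, not code from this thread or from AWS: it starts two constructed toy servers with Python's standard library, one with the suspected catch-all behaviour and one that returns a proper 404 with the path HTML-escaped, and probes each the way a scanner would.

```python
"""Check whether a web server answers a request for a file that cannot exist
with a real 404, and whether it reflects the requested path back into the
error body unescaped. Both toy servers below are constructed for the demo."""
import html
import http.server
import secrets
import threading
import urllib.error
import urllib.request


class CatchAllHandler(http.server.BaseHTTPRequestHandler):
    """Constructed toy server: 200 for every path, raw path echoed into the body."""

    def do_GET(self):
        body = f"<html><body>No page named {self.path}</body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class StrictHandler(CatchAllHandler):
    """Constructed toy server: 404 for unknown paths, path HTML-escaped when shown."""

    def do_GET(self):
        if self.path == "/index.html":
            status, body = 200, b"<html><body>hello</body></html>"
        else:
            status = 404
            body = f"<html><body>Not found: {html.escape(self.path)}</body></html>".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Bind a server to an ephemeral localhost port and serve it from a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(url):
    """Return (status, body); 4xx/5xx answers are returned rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def probe(base_url):
    """The two checks a scanner makes: the status for a path that cannot exist,
    and whether a marker placed in the path comes back unescaped in the body."""
    nonexistent = "/" + secrets.token_hex(8) + ".cgi"
    marker = "<m" + secrets.token_hex(4) + ">"  # harmless tag-shaped marker
    status, _ = fetch(base_url + nonexistent)
    _, body = fetch(base_url + "/" + marker)
    return {
        "status_for_random_path": status,
        "reflects_path_unescaped": marker in body,
    }


def run_demo():
    """Probe both toy servers and return their results keyed by name."""
    results = {}
    for name, handler in (("catch-all", CatchAllHandler), ("strict", StrictHandler)):
        srv, base = start_server(handler)
        try:
            results[name] = probe(base)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

A 200 for a random `.cgi` path is the reason every scripted CGI check in the report comes back positive, so those entries carry no information about what is actually installed; the second check is the one that matters, because a server that copies the path into its error page without escaping is reflecting attacker-controlled input regardless of which files exist.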