2013-08-28

Hi all,

 

Can someone help double-check the issue below? I think it is a false vulnerability. WebInspect cannot find this issue every time; sometimes it does not catch it.

 

Details:

-------------------------

 

Apache Tomcat Directory Traversal     

GET /jetspeed/portal/media-type/html/user/DOS.7.CONSOLE_UTF8_ENCODED/muti_console_configuration/null/%c0%ae%c0%ae/%c0%ae%c0%ae/conf/web.xml HTTP/1.1

Resolution of this vulnerability requires upgrading Apache Tomcat to version
6.0.18. We had upgraded Apache Tomcat to version 6.0.35 in AA 7.3.0, but
WebInspect can still find this issue in AA 7.3.0. We will report a bug to fix
this issue.

Apache Tomcat Directory Traversal
Medium
Reference:
Resolution of this vulnerability requires upgrading to version 6.0.18.
Disclosure of sensitive information such as passwords, configuration
information, etc.
Summary:
Vendor:
http://tomcat.apache.org/
Advisory:
http://www.securityfocus.com/archive/1/archive/1/495318/100/0/threaded
CVE:
CVE-2008-2938
Microsoft:
IIS Authentication
Authentication in IIS 6.0 (IIS 6.0)
How to configure IIS Web site authentication in Windows Server 2003
Apache:
Apache HTTP Server Version 1.3 - Authentication, Authorization, and Access
Control
Apache HTTP Server Version 2.0 - Authentication, Authorization, and Access
Control
Fix:
Apache Tomcat 6.0.0 through 6.0.16 is known to contain a directory traversal
vulnerability, when allowLinking and UTF-8 are
enabled. The vulnerability may allow remote attackers to access sensitive
information via encoded directory traversal
sequences in the URI including /etc/passwd files, config files etc.
Recommendations include upgrading to latest version.
Implication:
Attack Request:
GET /jetspeed/portal/media-type/html/user/DOS.7.CONSOLE_UTF8_ENCODED/muti_console_configuration/null/%c0%ae%c0%ae/%c0%ae%c0%ae/conf/web.xml HTTP/1.1
Referer: https://XXXXX/jetspeed/portal/media-type/html/user/DOS.7.CONSOLE_UTF8_ENCODED/muti_console_configuration/null/
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)
Host: avtraining.elicensing.state.nyenet
Connection: Keep-Alive
X-WIPP: AscVersion=10.1.177.0
X-Scan-Memo: Category="Audit.Attack"; SID="8738C3184201839778E8D8A1EA385951"; PSID="D1C9E22B98A5E030A1830ED4DA5736DB"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None"; OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; Method="createStateRequestFromAttackDefinition"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10738"; Engine="Request+Modify"; Retry="False"; SmartMode="ServerSpecificOnly"; ThreadId="64"; ThreadType="AuditDBReaderSessionDrivenAudit";
X-RequestManager-Memo: StateID="1290"; ID="3d3a53c4-dd7e-4215-bd94-5cc341b554e5";
X-Request-Memo: ID="3eb97927-429d-4249-80f8-46499b6c354a"; ThreadId="169";
Cookie: CustomCookie=WebInspect87375ZXEA925335BAD043D0B75277A048AA1A2BY09BF;JSESSIONID=5C6805650F8FE5ED4779B19FDADA6898;username=elicda2;agency=DOS;locale=en_US;LASTEST_REQUEST_TIME=1374780560090;hostSignOn=null;ACAuth=37111804300527944614;ACSignOnModule=SSOStandard;AAPersistLoginServProvCode=DOS;LoginServProvCode4MultiAgency=DOS;LoginUsername4MultiAgency=ELICDA2;ACSignoff=https://avtraining.elicensing.state.nyenet/jetspeed/portal?action=JLogoutUser;ACSwitchAgency=https://******.****.state.*****/jetspeed/*******/admin/blank.jsp;g_current_language_ext=en_US
Attack Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA
date=200807181417)/JBossWeb-2.0
AccelaSSO: SessionTimeOut
Content-Type: text/html
Content-Length: 836
Date: Thu, 25 Jul 2013 20:14:30 GMT
...TRUNCATED...configuration/null/%c0%ae%c0%ae/%c0%ae%c0%ae/conf/web.xml"/>
<script>
function
doRedirect(){document.locati...TRUNCATED...configuration/null/%c0%ae%c0%ae/%c0%ae%c0%ae/conf/web.xml
';}
</script>
</head>
<body>
<img src="https://avt...TRUNCATED...

--------------------------------------------------------------------------------

 

The http://secunia.com/advisories/31379/ article states the precondition as below:

 

Successful exploitation requires that a context is configured with allowLinking="true" and that the connector is configured with URIEncoding="UTF-8".

But we don't have allowLinking="true".

 

Thanks,

Trancy
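As an added example (not part of the original post, and not WebInspect's or Tomcat's own code), a small Python triage script for this kind of finding. It shows two things a scanner's 200 OK does not prove by itself: that `%c0%ae` is an overlong UTF-8 encoding of `.` which a strict decoder (as in patched Tomcat) rejects outright, and that the response body must actually be the deployment descriptor, not a redirect page that merely echoes the attack URL. The sample response below is constructed from the truncated body and headers shown in the post; the function names are this example's own assumptions.

```python
"""Triage helper for an "Apache Tomcat Directory Traversal" (CVE-2008-2938) hit.

Added example, not code from the post, WebInspect or Tomcat. It models two checks:
  1. Does the server's URI decoder accept the overlong sequence C0 AE as '.'?
     A strict UTF-8 decoder rejects it, so no "../" is ever produced.
  2. Is the 200 response really conf/web.xml, or a redirect/login page?
"""
from urllib.parse import unquote_to_bytes

# Attack path copied from the post.
ATTACK_PATH = ("/jetspeed/portal/media-type/html/user/DOS.7.CONSOLE_UTF8_ENCODED/"
               "muti_console_configuration/null/%c0%ae%c0%ae/%c0%ae%c0%ae/conf/web.xml")

# Constructed sample response, modelled on the truncated body in the post.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html",
                  "AccelaSSO": "SessionTimeOut"}
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="0;url=/jetspeed/portal/...%c0%ae%c0%ae/conf/web.xml"/>
<script>
function doRedirect(){document.location='/jetspeed/portal/...%c0%ae%c0%ae/conf/web.xml';}
</script>
</head><body><img src="https://avt..."></body></html>"""


def decode_path_strict(path: str):
    """Percent-decode, then decode as strict UTF-8 (what a patched Tomcat does).

    Returns None when the bytes are not valid UTF-8; 0xC0 is never a legal
    lead byte, so the overlong C0 AE sequence is rejected here.
    """
    raw = unquote_to_bytes(path)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_path_lenient(path: str) -> str:
    """Percent-decode, then decode 2-byte UTF-8 sequences WITHOUT rejecting
    overlong forms. This models the vulnerable behaviour: C0 AE -> U+002E '.'.
    Only ASCII and 2-byte sequences are handled; anything else becomes U+FFFD.
    """
    raw = unquote_to_bytes(path)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # Lenient: no check that the code point needed two bytes.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments the way a naive file mapper would."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


# Markers that appear in a real Tomcat deployment descriptor.
WEB_XML_MARKERS = ("<web-app", "<servlet>", "<servlet-mapping>", "<filter-mapping>")


def classify_response(status: int, headers: dict, body: str):
    """Return (confirmed, reason). Only a body that is the descriptor counts."""
    if status != 200:
        return False, f"status {status}, nothing disclosed"
    if any(m in body for m in WEB_XML_MARKERS):
        return True, "body contains web.xml elements"
    if "doRedirect" in body or headers.get("AccelaSSO") == "SessionTimeOut":
        return False, "session-timeout redirect page that echoes the attack URL, not web.xml"
    return False, "200 but body is not a deployment descriptor"


def triage(path: str, status: int, headers: dict, body: str) -> dict:
    """Combine both checks into one verdict for the scanner finding."""
    strict = decode_path_strict(path)
    lenient = decode_path_lenient(path)
    confirmed, reason = classify_response(status, headers, body)
    return {
        "strict_decoder_accepts": strict is not None,
        "lenient_resolves_to": normalize(lenient),
        "traversal_segment_present": "/../" in lenient,
        "confirmed": confirmed,
        "reason": reason,
    }


if __name__ == "__main__":
    for k, v in triage(ATTACK_PATH, SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{k}: {v}")
```

Run against the response in the post, `confirmed` is False because the body is the SSO session-timeout page, not `conf/web.xml`; the scanner's check only keyed on the 200 status. Re-testing with a logged-in session (the `AccelaSSO: SessionTimeOut` header indicates the session had expired) and diffing the body against the real descriptor is the quickest way to close the finding either way.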

 
