Troubleshooting
Product: ConnectXf
Version: All
Applies to: Administrators
Level: Advanced




Commonly faced vulnerability reports and their solutions

The table below is a collation of vulnerability reports received from customers who have had independent third-party audits done on their Mithi servers. If your organisation performs a third-party audit on the server, match the reported vulnerabilities against this table and apply the relevant solutions on your servers.

Each entry below carries the columns of the original table: Vulnerability, Synopsis (the scanner's description), Affected service, Risk factor (as rated in the report), Solution (the generic fix the report recommends), MCS how-to (the steps to apply on the MCS) and Comments. Columns the report left empty are omitted.
Vulnerability: Samba NDR MS-RPC Request Heap-Based Buffer Overflow Vulnerability
Synopsis: It is possible to execute code on the remote host through Samba.
Affected service: samba
Risk factor: Critical
Solution: Upgrade to Samba version 3.0.25 or later.
MCS how-to:
  • /etc/init.d/smb stop
  • chkconfig smb off
Comments: The finding is reported because the Samba service is running on the server. Samba does not need to run continuously; it is required only in some special cases, and can be turned on for those and turned off again afterwards.

Vulnerability: Inetd enabled
Synopsis: The remote host is running an ident (also known as 'auth') daemon.
Affected service: inetd / xinetd
Risk factor: Low
Solution: Disable the service if it is not used.
MCS how-to:
  • chkconfig auth off

Vulnerability: SSH protocol version 1 enabled
Synopsis: The remote service offers an insecure cryptographic protocol.
Affected service: sshd
Risk factor: Low
Solution: Disable compatibility with version 1 of the protocol.
MCS how-to:
  • vi /etc/ssh/sshd_config
  • Change "Protocol 2,1" to "Protocol 2"; uncomment the line if it is commented.
  • Restart the sshd service: /etc/init.d/sshd restart

Vulnerability: JBoss Malformed HTTP Request Remote Information Disclosure
Synopsis: The remote web server is affected by an information disclosure flaw.
Affected service: jboss
Risk factor: Medium
Solution: Change the JBoss configuration (documentation provided):
  • Upgrade to JBoss 3.2.8 or 4.0.3.

OR

  • Edit JBoss' 'jboss-service.xml' configuration file (/var/jboss/server/mithiconfig/conf/jboss-service.xml).
  • Set 'DownloadServerClasses' to 'false'.
  • Restart the server (/etc/init.d/jboss restart).
Comments: Everything needed for verification (a telnet test against the class-download service on port 8083, before and after the change) is given under the second JBoss entry further down in this table.

Vulnerability: LDAP allows null bases
Synopsis: It is possible to disclose LDAP information.
Affected service: ldap
Risk factor: Medium
Solution: Disable NULL BASE queries on your LDAP server.
MCS how-to: Change the LDAP configuration (null bind); the ACL change is described under "LDAP allows anonymous binds" below.

Vulnerability: Weak Supported SSL Cipher Suites
Synopsis: The remote service supports the use of weak SSL ciphers.
Affected service: sshd (as listed in the report; the fix below is applied to Apache httpd, which serves https)
Risk factor: Medium
Solution: Reconfigure the affected application, if possible, to avoid the use of weak ciphers.
MCS how-to (use SSL protocol 3 and a strong cipher suite in https):
  • In /etc/httpd/conf.d/ssl.conf, search for SSLCipherSuite.
  • Comment the existing SSLCipherSuite line.
  • Add the following two lines in its place:
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
  • Save the file and restart httpd.
Comments: SSLv3 has itself since been deprecated (POODLE, RFC 7568) and current scanners flag it; on a current build drop "+SSLv3" from the SSLProtocol line and allow only TLS versions.

Vulnerability: LDAP allows anonymous binds
Synopsis: The remote LDAP server allows anonymous access.
Affected service: ldap
Risk factor: Medium
Solution: Configure the LDAP server so that it does not allow NULL BINDs.
MCS how-to:
Check that the MCS discloses LDAP information: confirm that the following commands return some output.
  • ldapsearch -LLL -x -b "dc=connectserver"
  • ldapsearch -LLL -x -b "o=ms,dc=connectserver"
Secure LDAP by configuring the LDAP ACLs:
  • vi /mithi/mcs/components/mithi-ldap-openldap/binconf/ldap_acls
  • Comment the line "access to * by * read" (towards the end of the file) and add the following lines in its place:
access to dn="dc=connectserver"
    by dn.regex="^$$" none
  • Save the file.
  • Restart the ldap service: /etc/init.d/ldap restart
Test LDAP: there should be no output from the following commands.
  • ldapsearch -LLL -x -b "dc=connectserver"
  • ldapsearch -LLL -x -b "o=ms,dc=connectserver"

Vulnerability: SMB shares enumeration
Synopsis: It is possible to enumerate remote network shares.
Affected service: samba
Risk factor: Yellow
Solution: None recorded in the report; stopping the Samba service as in the first entry of this table also removes this finding.

Vulnerability: SSL Certificate Expiry
Synopsis: The SSL certificate of the remote service expired Sep 5 12:14:53 2007 GMT!
Affected service: sshd
Risk factor: Yellow
Solution: None recorded in the report.

Vulnerability: Deprecated SSL Protocol Usage
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Affected service: sshd
Risk factor: Medium
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Recommended reading: http://www.openssl.org/news/secadv_20051011.txt and http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

Vulnerability: HTTP TRACE / TRACK Methods
Synopsis: Debugging functions are enabled on the remote web server.
Affected service: http
Risk factor: Medium
Solution: Change the Apache configuration.
MCS how-to:
  • Take a backup of the /etc/httpd/conf.d folder in /root/mithiwork/httpconf.
  1. To disable the TRACE method on port 80: in the Apache conf files, for each virtual host, the rewrite conditions and rules must be present in the following order:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
     Note that the redirect uses [R] instead of [L,R]: with [L], rewriting stops at the redirect and the TRACE/TRACK rule that follows would never be evaluated for requests arriving on port 80.
  2. To disable the TRACE method on port 443, add the following lines to each virtual host in /etc/httpd/conf.d/ssl.conf:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
  3. To use SSL protocol 3 in https, and
  4. To use a strong cipher suite in https: in /etc/httpd/conf.d/ssl.conf, search for SSLCipherSuite, comment the existing SSLCipherSuite line, and add the following two lines in its place:
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
     Save the file and restart httpd.
Comments: Apache 1.3.34, 2.0.55, 2.2.0 and later also provide the core directive "TraceEnable Off", which disables TRACE for the whole server without mod_rewrite. References: http://rackerhacker.com/2007/08/28/apache-disable-trace-and-track-methods/ and http://www.karakas-online.de/forum/viewtopic.php?t=341 (search for apache). For testing: http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html. I tried verifying the testing steps given at the above site, but could not.

Synopsis: The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text.
Affected service: http / web mail client
Risk factor: Low
Solution: Make sure that every form transmits its results over HTTPS.
MCS how-to: Configure forced HTTPS usage.

Synopsis: The remote PostgreSQL server might be vulnerable to various flaws which may allow an attacker who has the rights to query the remote database to obtain a shell on this host.
Affected service: PostgreSQL database
Risk factor: Low
Solution: Upgrade to PostgreSQL 7.2.3 or newer.
Comments: The current PostgreSQL version is 7.3.10 for RHEL3 and 7.4.16 for RHEL4, so this is already solved.

Synopsis: It is possible to disclose LDAP information. Improperly configured LDAP servers allow the directory BASE to be set to NULL.
Risk factor: Low
Solution: Disable NULL BASE queries on your LDAP server.
Comments: Already done.

Synopsis: The remote web server is affected by an information disclosure flaw.
Affected service: jboss
Risk factor: Low
Solution: Upgrade to JBoss 3.2.8 or 4.0.3, or edit JBoss' 'jboss-service.xml' configuration file, set 'DownloadServerClasses' to 'false', and restart the server.
MCS how-to:
Verify that JBoss allows classes (and, as here, other server files) to be downloaded from the class-download service on port 8083. The request line is followed by an empty line; a 200 response returns the contents of the server policy file:
  • telnet localhost 8083
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET %server.policy HTTP/1.0

HTTP/1.0 200 OK
Content-Length: 550
Content-Type: text/html

grant { Allow everything for now permission java.security.AllPermission;};
Connection closed by foreign host.
Secure JBoss:
  • vi /var/jboss/server/mithiconfig/conf/jboss-service.xml
  • Set 'DownloadServerClasses' to 'false'.
  • /etc/init.d/jboss restart
  • If the JBoss restart fails, check the status of the jboss service. It should be running; otherwise restart the service once again (/etc/init.d/jboss restart).
Verify that the settings work; both requests must now return 404:
  • telnet localhost 8083
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET %. HTTP/1.0

HTTP/1.0 404 Not Found
Content-Length: 0
Content-Type: text/html
Connection closed by foreign host.
  • telnet localhost 8083
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET %server.policy HTTP/1.0

HTTP/1.0 404 Not Found
Content-Length: 0
Content-Type: text/html
Connection closed by foreign host.

Vulnerability: Disable remote root login
Synopsis: The root user must not be able to log in from a remote console. The login command is part of the authentication process for accessing a local Linux operating environment account, and any action requiring direct login to the system as 'root' should be restricted to the local console. Logging in to the system through a telnet session can reveal the clear-text password of the root user, and allowing remote login for root also lets a malicious user attempt access to the system, leading to system compromise.
Risk factor: High
Solution: Ensure that /etc/securetty contains only the console entry:
echo console > /etc/securetty
Comments: This is not required on the MCS, as the telnet service is disabled by MCS. Note that /etc/securetty is consulted by login(1) (through pam_securetty) only; root logins over SSH are governed by the PermitRootLogin setting in /etc/ssh/sshd_config.
Vulnerability: Set null shell for all default user accounts
Synopsis: Managing user and system accounts is an important aspect of Linux operating environment security. A default installation carries several accounts, and the shell for system accounts needs to be set to /sbin/nologin. Non-essential user accounts increase the likelihood of compromise by providing attackers with more user accounts to check for security holes.
Risk factor: Medium
Solution: Set the shell for all the non-essential accounts listed below to /sbin/nologin: lp, uucp, ftp, sync, operator, nobody, shutdown, games, nscd, halt, gopher, news, adm
Comments: Can be done. On RHEL the sync, shutdown and halt accounts ship with /bin/sync, /sbin/shutdown and /sbin/halt as their shell, so they already cannot obtain an interactive shell.
Vulnerability: Enable strong password policy
Synopsis: A password policy is required to control user passwords, including minimum length, password ageing and other critical parameters. Users may use weak passwords or keep the same password for a long time, and accounts with such passwords can get compromised.
Risk factor: High
Solution: Edit /etc/login.defs and set the following password configuration (login.defs separates the name and the value with whitespace, not '=', and the warning period is called PASS_WARN_AGE):
vi /etc/login.defs
PASS_MIN_LEN   8
PASS_MAX_DAYS  45
PASS_MIN_DAYS  7
PASS_WARN_AGE  14
This sets the password expiry to 45 days. The values apply to accounts created after the change; for existing accounts set the same ageing values with chage (for example chage -M 45 -m 7 -W 14 <user>), after which a user whose password has expired is forced to change it at the next login. Note that the 'root' user can change any user's password to one that is not restricted by the password policy.
Comments: Can be done.
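The following script is an added example and is not part of the MithiWiki page or of the Mithi product: it audits a login.defs file against the four values in the entry above, rewrites them idempotently, and prints the chage commands needed for accounts that already exist, since login.defs only governs accounts created after the change. The UID threshold of 500 is the RHEL 3/4 convention for regular users and is an assumption; the files it runs on at the end are constructed scratch copies, not the real /etc/login.defs or /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the MithiWiki page: audit /etc/login.defs against
# the password policy above, rewrite the values, and list the chage commands
# for accounts that already exist. Each function takes the file to work on,
# so try it on a copy first.

# Policy from the page. login.defs calls the warning period PASS_WARN_AGE.
# Format: KEY WANTED min|max (min = at least WANTED, max = at most WANTED).
POLICY="PASS_MIN_LEN 8 min
PASS_MAX_DAYS 45 max
PASS_MIN_DAYS 7 min
PASS_WARN_AGE 14 min"

# login_defs_value FILE KEY -> the configured value, or nothing if unset.
# The file is whitespace separated ("PASS_MAX_DAYS   99999"); '#' starts a comment.
login_defs_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_login_defs FILE -> one line per setting that is unset or out of policy;
# prints nothing when the file is compliant.
check_login_defs() {
    printf '%s\n' "$POLICY" | while read -r key want kind; do
        actual=$(login_defs_value "$1" "$key")
        if [ -z "$actual" ]; then
            echo "$key is unset (policy: $kind $want)"
        elif [ "$kind" = max ] && [ "$actual" -gt "$want" ]; then
            echo "$key is $actual (policy: at most $want)"
        elif [ "$kind" = min ] && [ "$actual" -lt "$want" ]; then
            echo "$key is $actual (policy: at least $want)"
        fi
    done
}

# set_login_def FILE KEY VALUE -> replace the existing KEY line in place
# (keeping its position, dropping duplicates) or append one; safe to rerun.
set_login_def() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        $1 == key { if (!done) print key "\t" val; done = 1; next }
        { print }
        END { if (!done) print key "\t" val }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# apply_policy FILE -> write every POLICY value into FILE.
apply_policy() {
    printf '%s\n' "$POLICY" | while read -r key want _; do
        set_login_def "$1" "$key" "$want"
    done
}

# chage_commands PASSWD_FILE -> the chage invocations that bring existing
# interactive accounts (UID >= 500, the RHEL 3/4 convention, assumed here, with
# a real login shell) in line with the policy. Printed for review, not run.
chage_commands() {
    awk -F: '$3 >= 500 && $7 !~ /nologin|false/ {
        printf "chage -M 45 -m 7 -W 14 %s\n", $1 }' "$1"
}

# Demonstration on constructed scratch copies with RHEL-like defaults.
demo_defs=$(mktemp); demo_passwd=$(mktemp)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$demo_defs"
printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99::/:/sbin/nologin\n' > "$demo_passwd"
printf 'alice:x:500:500::/home/alice:/bin/bash\nsvc:x:501:501::/var/svc:/sbin/nologin\n' >> "$demo_passwd"
echo "Before:"; check_login_defs "$demo_defs"
apply_policy "$demo_defs"
echo "After (no output means compliant):"; check_login_defs "$demo_defs"
echo "For accounts that already exist:"; chage_commands "$demo_passwd"
rm -f "$demo_defs" "$demo_passwd"
```

Run check_login_defs against the real /etc/login.defs first; if it reports anything, apply_policy on a copy, diff the copy against the original, and only then copy it into place. Note that PASS_MIN_LEN is enforced by pam_cracklib on RHEL rather than by login.defs alone, so the length check here confirms the file matches the audit, not that the PAM stack enforces it.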
Vulnerability: Password protect single-user mode
Synopsis: Linux provides a mechanism for system maintenance via 'single user mode', which is typically started when the system is booting. This allows an attacker at the console to bypass any system protection, move into run level 1 as root and change system settings.
Risk factor: Medium
Solution: Edit /etc/inittab to contain the entries shown below, save the changes and have init re-read the file:
vi /etc/inittab
id:5:initdefault:
~~:S:wait:/sbin/sulogin
/sbin/init q
Comments: Has a different type of risk: if you forget both the root password and the single-user password, you will no longer be able to access the server. Not recommended if the server is well protected physically.
Vulnerability: Set login banner
Synopsis: An appropriate login message must be displayed to the user when he or she tries to log in to the system. This file should contain warnings about inappropriate and unauthorized use of the system, and should also warn users that their sessions and accounts may be monitored for illegal or inappropriate use. The contents of /etc/issue are displayed before the login prompt on the system's console and serial devices. /etc/motd is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only notifies the user after the machine has been accessed. Displaying appropriate warning messages when users access a system assists in processing computer crime cases and also acts as an effective deterrent.
Risk factor: Low
Solution: Create or modify the /etc/issue and /etc/motd files with an appropriate statutory warning. Sample text for the statutory warning:
vi /etc/issue

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Use the same process for editing /etc/motd.
Comments: Can be done.
Vulnerability: Remove SUID bit from key files
Synopsis: An SUID (set-UID) file allows users to execute certain programs with elevated privileges, typically as the root user. SUID files can leave security loopholes in the system; such programs can often give a malicious user a root shell if forced to exit abnormally. It is therefore important to remove the SUID bit from those programs that do not require it.
Risk factor: High
Solution: Once you have located an offending file with the SUID bit set, use chmod to remove its SUID bit as shown below:

chmod 0700 <file>

for each of:
  • /usr/sbin/usernetctl
  • /usr/sbin/userisdnctl
  • /usr/bin/chage
  • /usr/bin/gpasswd
  • /usr/bin/rcp
  • /usr/bin/rlogin
  • /usr/bin/rsh
  • /usr/bin/crontab
  • /usr/bin/lppasswd
  • /usr/bin/desktop-create-kmenu
  • /bin/traceroute6
  • /bin/traceroute
Comments: Can do for these files. Do not change the permissions of any MCS files, as it may impact functioning. Note that chmod 0700 also removes read and execute permission for everyone except root, so non-root users will no longer be able to run these programs at all (crontab, for example); chmod u-s <file> removes only the SUID bit and leaves the other permission bits as they are.
Vulnerability: Set strong permissions on log files
Synopsis: Linux maintains extensive logs of various system activities in the directory /var/log. Often, suspicious entries in the log files are the first indication that something is wrong with the system, and attackers can easily delete those files to remove the traces of their attacks.
Risk factor: High
Solution: Enable logging in syslog.conf, secure the permissions of the files below as listed, and use programs like logcheck and swatch to filter out suspicious entries in the log files. Check the permissions on the following files:

  • ls -l /var/log/messages (the safe permission is 620)
  • ls -l /var/log/wtmp (the safe permission is 620)
  • ls -l /var/log/xferlog (the safe permission is 622)
  • ls -l /var/log/cron (the safe permission is 620)
  • ls -l /var/log/lastlog (the safe permission is 622)
Comments: Already done for /var/log/messages, which is used by MCS. The modes are quoted as they appear in the audit report; 622 grants write access to group and others, which does not protect a log file from tampering, so confirm those two values against the report before applying them.
Vulnerability: Non-essential services are enabled on the system
Synopsis: Numerous services run on Linux, each providing some functionality. The functionality provided by each service must be reviewed, and if it is not required the service should be disabled. An attacker can exploit known vulnerabilities in running services and gain administrative access to the server.
Risk factor: High
Solution: Disable all non-essential services from all run levels with: chkconfig <service> off
Comments: All unrequired services on MCS are already turned off.
Vulnerability: Set strong preliminary network settings
Synopsis: There are several kernel options in Red Hat Linux that can be configured to increase overall network security. They are set by editing /etc/sysctl.conf, which is loaded whenever the server reboots or an administrator restarts the network service (running "sysctl -p" applies it immediately). Weak network settings can be used to launch DoS attacks on the server or to use the machine as an intermediary in attacks.
Risk factor: High
Solution: Set the following parameters in /etc/sysctl.conf:

  • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • net.ipv4.conf.all.accept_redirects = 0
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.conf.all.rp_filter = 1
  • net.ipv4.conf.default.rp_filter = 1
  • net.ipv4.ip_forward = 0
  • net.ipv4.conf.all.accept_source_route = 0
  • net.ipv4.tcp_max_syn_backlog = 4096
  • net.ipv4.tcp_syncookies = 1
Comments: Can be done.
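The following script is an added example and is not part of the MithiWiki page or of the Mithi product: it compares the nine settings above with the values a host actually has and emits the sysctl.conf lines needed to close the gap. The current values are read from a file in "key = value" form, which is what "sysctl -a" prints and what /etc/sysctl.conf contains, so the check runs offline on a capture; the capture used at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the MithiWiki page: compare the recommended kernel
# network settings with what a host has and print the sysctl.conf lines that
# close the gap. Current values come from a "key = value" file, i.e. the output
# of "sysctl -a > current.txt" or /etc/sysctl.conf itself.

WANTED="net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1"

# sysctl_value FILE KEY -> the value recorded for KEY, or nothing. The last
# occurrence wins, as it does when "sysctl -p" loads /etc/sysctl.conf.
sysctl_value() {
    awk -F'[ \t]*=[ \t]*' -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# sysctl_drift FILE -> one line "KEY CURRENT WANTED" per setting that is
# missing ("unset") or differs from WANTED; prints nothing when compliant.
sysctl_drift() {
    printf '%s\n' "$WANTED" | while IFS= read -r line; do
        key=${line%% =*}; want=${line##*= }
        have=$(sysctl_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key ${have:-unset} $want"
    done
}

# sysctl_fix_lines FILE -> sysctl.conf lines for every drifted setting. Append
# them to /etc/sysctl.conf and run "sysctl -p" to apply without a reboot.
sysctl_fix_lines() {
    sysctl_drift "$1" | while read -r key _ want; do echo "$key = $want"; done
}

# Demonstration on a constructed capture (not a real host): forwarding is on,
# the SYN backlog is small and accept_source_route is missing altogether.
capture=$(mktemp)
printf '%s\n' \
    'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
    'net.ipv4.conf.all.accept_redirects = 0' \
    'net.ipv4.conf.all.send_redirects = 0' \
    'net.ipv4.conf.all.rp_filter = 1' \
    'net.ipv4.conf.default.rp_filter = 1' \
    'net.ipv4.ip_forward = 1' \
    'net.ipv4.tcp_max_syn_backlog = 1024' \
    'net.ipv4.tcp_syncookies = 1' > "$capture"
echo "Drift (key current wanted):"; sysctl_drift "$capture"
echo "Lines to append to /etc/sysctl.conf:"; sysctl_fix_lines "$capture"
rm -f "$capture"
```

Running sysctl_drift against a fres "sysctl -a" capture after "sysctl -p" is the check that the file was actually loaded; a value that is right in /etc/sysctl.conf but wrong in the running kernel is the usual sign that the network service was edited but never restarted.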
Vulnerability: TLS Protocol Session Renegotiation Security Vulnerability
Synopsis: Transport Layer Security (TLS) is a cryptographic protocol that provides security for communication over networks at the transport layer. The TLS protocol is prone to a security vulnerability that allows man-in-the-middle attacks. Note that this issue does not allow attackers to decrypt the encrypted data. Specifically, the issue exists in the way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext at the beginning of the application protocol stream. The attack has been confirmed to work with HTTP as the application protocol, but it is believed to be possible with other protocols layered on TLS as well.
Affected service: httpd
Risk factor: Medium
Solution: Workarounds: OpenSSL has provided a version (0.9.8l) that contains a workaround; refer to the OpenSSL change log (section "Changes between 0.9.8k and 0.9.8l") for details. Enable the SSLAlwaysNegoClientCert setting.
Comments: Will be available in RHEL6.

Vulnerability: SQL injection attack
Synopsis: Attackers are able to send SQL statements to the RDBMS, which executes them and returns the results to the attacker. The risk of such attacks on a commercial application increases if the web application is delivered along with its source code or if it is an open-source application. OR: Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your web application(s), generally over port 80/443, and the web application has open access to the database in order to return (update) the requested (changed) information.
Affected service: Web server
Risk factor: High
Solution: NA
MCS how-to: NA
Comments: http://www.packetsource.com/article/sql-injection/40060/sql-injection-attack-and-defense OR http://www.acunetix.com/websitesecurity/sql-injection.htm
Vulnerability: Cross-site scripting attacks and phishing
Synopsis: XSS in itself is a threat brought about by the security weaknesses of client-side web technologies such as HTML and JavaScript.
Affected service: Web server
Risk factor: High
Solution: Handled by hardening of Apache and by use of ESAPI in the application.
MCS how-to: The Apache findings behind this entry concern ExtendedStatus (mod_status) and mod_cache. ExtendedStatus is disabled by default; disabling mod_cache removes the cache findings.

Comment the following lines in httpd.conf:

#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so

Disable "mod_status", "mod_imagemap", "mod_imap" and "mod_proxy_ftp" by commenting the following lines in httpd.conf:

#LoadModule status_module modules/mod_status.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule imap_module modules/mod_imap.so

Restart the httpd service.
Reference: http://www.veracode.com/security/xss
Vulnerability: Multiple vulnerabilities exist in Apache HTTP Server
Synopsis: Multiple vulnerabilities exist in Apache HTTP Server versions prior to 1.3.39, 2.0.61 and 2.2.6: (1) remote attackers can inject arbitrary web script or HTML through mod_status.c in the mod_status module when ExtendedStatus is enabled and a public server-status page is used; (2) a service crash through cache_util.c in the mod_cache module when caching is enabled and a threaded Multi-Processing Module is used; (3) a child process handler crash via a request with certain Cache-Control headers that carry no value.
Affected service: httpd
Risk factor: High
Solution: Upgrade Apache. The report's text reads "Upgrade to Apache version 5.0 or later", which matches no httpd release; the fixed versions are the 1.3.39, 2.0.61 and 2.2.6 named in the synopsis, so apply the vendor-patched httpd package.
MCS how-to: Three vulnerabilities are listed here: 1. ExtendedStatus, 2. mod_cache, 3. the mod_cache Cache-Control crash. Disabling mod_cache removes 2 and 3; ExtendedStatus is disabled by default.

Comment the following lines in httpd.conf:

#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so

Restart the httpd service.
Vulnerability: Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities
Synopsis: The Apache HTTP Server modules "mod_status", "mod_imagemap", "mod_imap" and "mod_proxy_ftp" contain multiple cross-site scripting vulnerabilities, arising from the application failing to properly sanitise user input.
Affected service: httpd
Risk factor: High
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
MCS how-to: Disable "mod_status", "mod_imagemap", "mod_imap" and "mod_proxy_ftp".

Comment the following lines in httpd.conf:

#LoadModule status_module modules/mod_status.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule imap_module modules/mod_imap.so

Restart the httpd service.

Vulnerability: Apache 1.3.29/2.X mod_rewrite Buffer Overflow
Synopsis: A buffer overflow exists within the mod_rewrite module of Apache, which is used to remap requests based on regular expressions. The overflow lies in the LDAP URI processing and may allow an anonymous attacker to exploit a system remotely and execute arbitrary code. Note: This audit may report false findings on vendor-specific Apache backports.
Affected service: httpd
Risk factor: High
Solution: Apply the appropriate vendor-supplied patch, available at Apache.org and referenced below.
MCS how-to: Disable the mod_ldap and auth_ldap modules:

1. Open httpd.conf.

2. Comment out the mod_ldap and auth_ldap_module LoadModule lines.

3. Restart httpd.

Comments: The vulnerable code is mod_rewrite's own handling of ldap:// URLs, as the synopsis says, not mod_ldap, so commenting out the LDAP modules does not remove it; the vendor patch is the actual fix. The flaw is only reachable where a RewriteRule lets request data end up in an ldap:// rewrite target, which is worth checking in the virtual host configurations.

Vulnerability: OpenSSH X11 Port Forwarding Session Hijack Vulnerability
Synopsis: OpenSSH 4.9 and prior allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10 even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. This audit may report findings on backported versions of OpenSSH. Certain versions of Red Hat Enterprise Linux and devices (e.g. F5) are not affected by this vulnerability but may be affected by this finding. The audit accounts for certain backported versions; however, backported versions of RHEL OpenSSH or other devices mimic the version of a vulnerable OpenSSH.org release. OR: OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections; successfully exploiting this issue may allow an attacker to run arbitrary shell commands.
Affected service: sshd
Risk factor: Medium
Solution: Upgrade to OpenSSH 5.0 or later.
MCS how-to: Disable X11 forwarding:

1. Open the file /etc/ssh/sshd_config.

2. Set: X11Forwarding no

3. Restart sshd.

Vulnerability: Apache mod_setenvif .htaccess Privilege Escalation (Zero-Day)
Synopsis: Apache contains an integer overflow vulnerability in the ap_pregsub function in server/util.c when handling a crafted SetEnvIf directive in conjunction with a crafted HTTP request header and mod_setenvif is enabled. Successful exploitation could allow a local attacker to execute arbitrary code with elevated privileges.
Affected service: httpd
Risk factor: Medium
Solution: No vendor patch is available.
Comments: We cannot disable the mod_setenvif module.

Vulnerability: Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day
Synopsis: The Apache HTTP Server, commonly referred to as Apache, is a freely available web server. Apache is vulnerable to a denial of service due to holding a connection open for partial HTTP requests. Apache versions 1.x and 2.x are vulnerable.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
MCS how-to: Disable the Range header in the Apache configuration:

1. Add the following lines to httpd.conf:

RequestHeader unset Range
RequestHeader unset Request-Range

2. Restart the httpd service.

Comments: Unsetting the Range headers is the workaround Apache published for the 2011 byte-range denial of service (CVE-2011-3192); it does not address the partial-request (slow connection) denial of service the synopsis describes, which is mitigated by connection timeouts such as mod_reqtimeout (Apache 2.2.15 or later). Keep both in place if the scanner reports this finding.

Vulnerability: Apache Tomcat DIGEST Vulnerability
Synopsis: Apache Tomcat contains multiple design flaws in its implementation of HTTP DIGEST authentication, the result of which is that DIGEST is no more secure than BASIC authentication. Successful exploitation may result in security bypass.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache Tomcat to version 7.0.12, 6.0.33, 5.5.34 or newer.
Comments: Mithi does not use Digest authentication.

Vulnerability: Apache Tomcat XSS and Security Bypass (200807)
Synopsis: Two cross-site scripting vulnerabilities have been identified in Apache Tomcat that could allow attackers to inject arbitrary script or HTML code. In addition, a security bypass exists when processing malformed RequestDispatcher query strings that could allow restricted content to be accessed. (Note: This audit is for versions of Tomcat obtained from Tomcat.Apache.org and may report false findings with vendor-specific backports.)
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache Tomcat to version 6.0.18, 5.5.SVN or 4.1.SVN, or the newest release.
Comments: In RHEL6, Tomcat 6.0.26 will be installed.

Vulnerability: Apache Tomcat Multiple Versions Update
Synopsis: The Apache Software Foundation has issued an update for Apache Tomcat 6.0.x, 5.5.x and 4.1.x that addresses multiple vulnerabilities with various impacts, including disclosure of sensitive information, execution of arbitrary script code via cross-site scripting, session hijacking, privilege escalation and manipulation of data. Note: This audit is designed for versions of Tomcat obtained from Tomcat.Apache.org and may report false findings with vendor-specific backports.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade to Apache Tomcat 6.0.16, 5.5.26 or 4.1.37, or the newest available version.
Comments: In RHEL6, Tomcat 6.0.26 will be installed.

Vulnerability: Apache Tomcat 5.5.x Multiple Vulnerabilities (20100124)
Synopsis: Apache Tomcat 5.5.x contains multiple vulnerabilities when deploying files that could allow attackers to create arbitrary content outside the web root, delete the contents of the host's work directory, or gain access to autodeployed files without authentication. Note: This audit is designed for versions of Tomcat obtained from Tomcat.Apache.org and may report false findings with vendor-specific backports. OR: When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside the web root by including entries such as ../../bin/catalina.sh in the WAR.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache Tomcat to version 5.5.SVN-902650 or 5.5.29, or the newest release.
Comments: In RHEL6, Tomcat 6.0.26 will be installed.
Vulnerability: SSL Weak Cipher Strength Supported in Tomcat
Synopsis: Retina has detected that the targeted SSL service supports a cryptographically weak cipher strength. An attacker may be able to leverage weaknesses in the cipher strength to gain access to sensitive information. (For Tomcat.)
Affected service: tomcat
Risk factor: Medium
Solution: Disable ciphers that provide less than 128-bit cipher strength, and reconfigure the affected application to use a high-grade encryption cipher.
MCS how-to: Disable weak and anonymous encryption ciphers by adding the following attribute to the SSL Connector in server.xml:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
The change takes effect once Tomcat has been restarted.
Comments: The list excludes the export-grade and anonymous suites the report objected to; the RC4 and 3DES suites in it have since been broken (RFC 7465 prohibits RC4, and 3DES's 64-bit block makes it unfit for long sessions), so a current scanner will flag them. Drop them and keep the AES suites.
Vulnerability: Web Resource /manual/ Detected
Synopsis: The presence of the URI '/manual/' has been discovered on the web server. This resource could potentially lead to sensitive information disclosure, arbitrary file system access, execution of arbitrary script commands, execution of arbitrary code and/or full system compromise.
Affected service: httpd
Risk factor: Medium
Solution: Remove or restrict access to the detected web resource to deter potential exploitation.
MCS how-to:

1. mv manual.conf manual.conf.org

2. Restart httpd.

Vulnerability: Web Resource /manager/ Detected
Synopsis: The presence of the URI '/manager/' has been discovered on the web server. This resource could potentially lead to sensitive information disclosure, arbitrary file system access, execution of arbitrary script commands, execution of arbitrary code and/or full system compromise.
Affected service: httpd
Risk factor: Medium
Solution: Remove or restrict access to the detected web resource to deter potential exploitation.
MCS how-to:

1. mv server/webapps/manager /mithi/

2. Restart Tomcat.

Vulnerability: Web Resource /admin/ Detected
Synopsis: The presence of the URI '/admin/' has been discovered on the web server. This resource could potentially lead to sensitive information disclosure, arbitrary file system access, execution of arbitrary script commands, execution of arbitrary code and/or full system compromise.
Affected service: httpd
Risk factor: Medium
Solution: Remove or restrict access to the detected web resource to deter potential exploitation.
MCS how-to:

1. mv webapps/ROOT/admin /mithi/

2. Restart Tomcat.

Vulnerability: Apache Web Server ETag Header Information Disclosure Weakness
Synopsis: The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix and Linux. A cache management feature of Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. The ETag value lets subsequent file requests carry specific information, such as the file's inode number.
Affected service: httpd
Risk factor: Medium
Solution: Configure the FileETag directive to generate ETag headers without inode information, which mitigates this weakness.
MCS how-to: Disable FileETag (the directive is available on RHEL4). headers_module is loaded by default.

1. Add the lines below to httpd.conf:

Header unset ETag
FileETag None

2. Restart the httpd service.

Vulnerability: Web server fingerprinting
Synopsis: An adversary can fingerprint the web server from HTTP responses. By default, HTTP responses from the web server reveal information about the type and version of the web server, which is useful to an adversary refining attacks. Although not directly exploitable, it is a security best practice to disclose as little information as possible to adversaries.
Affected service: httpd
Risk factor: Medium
Solution: Remove the default banners of applications wherever possible. Additionally, ensure that all services and applications have the latest security patches applied, to deter even a version-specific exploit attempt.
MCS how-to: This is available on RHEL4.

1. Update ServerSignature and ServerTokens in httpd.conf as shown below:

ServerSignature Off   # Should be Off
ServerTokens ProductOnly # Should be ProductOnly

2. Restart the httpd service.

Vulnerability: Apache HTTP Server mod_proxy Denial of Service Vulnerability
Synopsis: A flaw was found in the Apache HTTP Server mod_proxy module. This affects Apache versions 2.0.35 through 2.0.59 and versions 2.2.0 through 2.2.4.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
MCS how-to: Disable the mod_proxy modules; we do not use them.

1. Comment the following lines in httpd.conf:

#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

2. Restart the httpd service.

Vulnerability: Apache mod_ssl Denial of Service Vulnerability
Synopsis: A NULL pointer dereference flaw in mod_ssl affects server configurations where an SSL virtual host is configured with access control and a custom 400 error document.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
Comments: This is not applicable to us because we do not use access control and SSL together. The vulnerability only applies when three things are used together: mod_ssl, access control and a custom 400 error document.

Vulnerability: Apache CGI Byterange Request Denial of Service Vulnerability
Synopsis: Apache is prone to a denial of service when handling large CGI byte-range requests; this may also be triggered by ProxyRequests. The problem occurs because Apache does not free the memory used in these requests, allowing multiple requests to consume all memory and swap space. Restarting the service allows the server to resume normal operation.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
Comments: This is not applicable to us because we do not use CGI.

Vulnerability: Apache mod_ssl Certificate Revocation List Off-By-One Buffer Overflow Vulnerability
Synopsis: The mod_ssl module provides strong cryptography for the Apache web server. There is a vulnerability in the mod_ssl Certificate Revocation List (CRL) verification callback that allows potential memory corruption when a malicious CRL is handled. Apache httpd 2.0 versions 2.0.35 through 2.0.54 are vulnerable.
Affected service: httpd
Risk factor: Medium
Solution: Upgrade Apache (the report text "version 5.0 or later" matches no httpd release; use the vendor-patched httpd package).
Comments: This is not applicable to us because we do not use a Certificate Revocation List.

Vulnerability: Directory listing of the icons folder
Synopsis: The icons folder of the web client can be listed directly from a browser using

http://<Lan IP>/icons/ OR http://<Public IP>/icons/

This listing has to be explicitly disabled.
Affected service: httpd
Risk factor: Low
Solution: Comment the relevant entries in the httpd.conf file.
MCS how-to:
  • Back up the httpd configuration file:
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_<DATE>.org
  • Open httpd.conf and comment the lines below as shown:
vi /etc/httpd/conf/httpd.conf

#Alias /icons/ "/var/www/icons/"
#<Directory "/var/www/icons">
#   Options Indexes MultiViews FollowSymLinks
#  AllowOverride None
#   Order allow,deny
#   Allow from all
#</Directory>
  • Save the file.
  • Restart the http service:
/etc/init.d/httpd restart
Comments: Commenting the whole block stops /icons/ from being served at all. If the icon files are still needed (they are used by Apache's own directory indexes), removing "Indexes" from the Options line inside the Directory block keeps them served while disabling the listing.
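The following script is an added example and is not part of the MithiWiki page or of the Mithi product. It gathers the Apache changes that recur through this table (commenting out unused modules, unsetting ETag, reducing the server banner, dropping the Range headers, forbidding TRACE, stopping the /icons/ listing) into idempotent functions that edit a given httpd.conf, plus an audit that reports what is still open. Two choices differ from the page's own steps and are this example's assumptions: TRACE is disabled with the core "TraceEnable Off" directive (Apache 1.3.34, 2.0.55, 2.2.0 and later) rather than with the mod_rewrite rule, and the listing is stopped by removing "Indexes" from the icons Directory block rather than commenting the block out. The httpd.conf fragment it runs on at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the MithiWiki page: the recurring Apache hardening
# steps in the table as functions that edit a given httpd.conf in place, and an
# audit that counts what is still open. Every function takes the config path
# as $1; try it on a copy first. "Header"/"RequestHeader" need mod_headers.

# edit_conf CONF [awk -v args] PROGRAM -> rewrite CONF through an awk program.
edit_conf() {
    conf=$1; shift; tmp="$conf.tmp.$$"
    awk "$@" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

backup_conf() { cp -p "$1" "$1_$(date +%Y%m%d).org"; }   # dated copy, as the page does

# disable_module CONF NAME -> comment out "LoadModule NAME ..." lines.
disable_module() {
    edit_conf "$1" -v mod="$2" '$1 == "LoadModule" && $2 == mod { print "#" $0; next } { print }'
}

# module_enabled CONF NAME -> exit 0 if an active LoadModule line exists.
module_enabled() {
    awk -v mod="$2" '$1 == "LoadModule" && $2 == mod { f = 1 } END { exit !f }' "$1"
}

# set_directive CONF NAME VALUE -> rewrite every NAME line to "NAME VALUE"
# (the first keeps its place, duplicates are dropped) or append one.
set_directive() {
    edit_conf "$1" -v name="$2" -v value="$3" '
        $1 == name { if (!seen) print name " " value; seen = 1; next }
        { print }
        END { if (!seen) print name " " value }'
}

# directive_value CONF NAME -> the last value given for NAME (Apache keeps the last).
directive_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# ensure_line CONF LINE -> append LINE unless it is already present verbatim.
ensure_line() {
    edit_conf "$1" -v line="$2" '$0 == line { seen = 1 } { print } END { if (!seen) print line }'
}

# disable_icons_index CONF -> drop Indexes from Options inside the icons block,
# so the icon files are still served but the directory can no longer be listed.
disable_icons_index() {
    edit_conf "$1" '
        /^[[:space:]]*<Directory "\/var\/www\/icons">/ { inblk = 1 }
        inblk && $1 == "Options" { sub(/[[:space:]]+Indexes/, "") }
        /^[[:space:]]*<\/Directory>/ { inblk = 0 }
        { print }'
}

MODULES_OFF="status_module cache_module disk_cache_module file_cache_module mem_cache_module imap_module proxy_ftp_module"

harden_conf() {
    backup_conf "$1"
    for m in $MODULES_OFF; do disable_module "$1" "$m"; done
    set_directive "$1" TraceEnable Off          # core directive, assumed available
    set_directive "$1" ServerTokens ProductOnly
    set_directive "$1" ServerSignature Off
    set_directive "$1" FileETag None
    for line in "Header unset ETag" "RequestHeader unset Range" "RequestHeader unset Request-Range"; do
        ensure_line "$1" "$line"
    done
    disable_icons_index "$1"
}

# audit_conf CONF -> one line per gap; returns the number of gaps (0 = hardened).
audit_conf() {
    gaps=0
    for m in $MODULES_OFF; do
        module_enabled "$1" "$m" && { echo "module $m still loaded"; gaps=$((gaps + 1)); }
    done
    for pair in "TraceEnable Off" "ServerTokens ProductOnly" "ServerSignature Off" "FileETag None"; do
        [ "$(directive_value "$1" "${pair%% *}")" = "${pair#* }" ] || { echo "not set: $pair"; gaps=$((gaps + 1)); }
    done
    for line in "Header unset ETag" "RequestHeader unset Range" "RequestHeader unset Request-Range"; do
        grep -qxF "$line" "$1" || { echo "missing: $line"; gaps=$((gaps + 1)); }
    done
    grep -q '^[[:space:]]*Options.*[[:space:]]Indexes' "$1" && { echo "directory listing enabled"; gaps=$((gaps + 1)); }
    return "$gaps"
}

# Constructed httpd.conf fragment for the demonstration (not a real config).
sample_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
LoadModule headers_module modules/mod_headers.so
LoadModule cache_module modules/mod_cache.so
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

demo=$(mktemp); sample_conf "$demo"
echo "Gaps before:"; audit_conf "$demo" || true
harden_conf "$demo"
echo "Gaps after:"; audit_conf "$demo" && echo "(none)"
rm -f "$demo" "$demo"_*.org
```

After editing the real file, "httpd -t" (or "apachectl configtest") before the restart catches a directive the installed build does not know, which is the failure mode for TraceEnable on an httpd older than 2.0.55. The rewrite rule from the TRACE/TRACK entry remains the right tool where that directive is unavailable.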