We are working in an environment where UI Requests flow to a WildFly Server (where the WAR is deployed) versioned 10.1.0 via an Apache Web Server versioned 2.4
We were running Security tests and when using a VirtualDirContext, it was possible to bypass the security constraints and view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request via Burp.
How we reproduce the vulnerability in Burp:
We capture a random Request via the UI and replicate it in Burp.
We turn the Request into a GET Request, mention the path of a JSP file and add %2520 to it.
This issue is reproducible even if the Requests go directly to the WildFly Server instead of via the Apache Web Server.
Is there a way to prevent this vulnerability? We believe validating each Request for the presence of %2520 in it in the Filter layer may not be a comprehensive fix.
In simple words, when we use a URL that contains the path of a JSP file present in the code, appended with %2520, the content of the JSP was disclosed. Is there a way to prevent this?
Related
My Jenkins is running on https://myhost:9043 using the standalone war on Linux with the below command.
java -jar jenkins.war
However, when I try the following URL for say https://myhost:9043/<any random text> the resource uri is obviously not found.
The problem, however, is I get output in the browser as
HTTP 404 error URI not found Powered by Jetty://9.4.27.vXXXX
I wish not to reveal the Jetty version.
Is there a way to display a custom error page for incorrect URIs thus avoiding revealing the Jetty version? If not, can I somehow hide the Jetty version from being displayed to anonymous users?
I'm not a pure java programmer but just a DevOps admin.
You can override the Jetty version with adding to your command line -Djetty.version=NOTHING
Otherwise I created the issue https://issues.jenkins-ci.org/browse/JENKINS-62890 to have a custom error page from users
I have configured a webserver on localhost with https using Microsoft IIS Administration. I am able to browse directory with files with browsers and Visual Studio using localhost prefixed with https, such as https://localhost/trial etc.
I wish to upload a file to the said directory, ie., trial, using Libcurl to test some features. Unfortunately I'm unable to do so.
Using the same Libcurl example as given on
Libcurl File Upload
-modified for https, the console window tells me that the following has occurred, upon running the code :
IIS 10.0 Detailed Error - 405.0 - Method Not Allowed
HTTP Error 405.0 - Method Not Allowed The page you are
looking for cannot be displayed because an invalid method (HTTP verb)
is being used.
I checked the IIS Administrator and saw that all authorizations are allowed. I suppose the fact that it is flagging a HTTP verb issue rather than HTTPS as I'd enabled and used as URL in code isn't a big thing?
Libcurl uses PUT for uploading files, so should be an allowed verb.
I am quite new to this, so I'm not certain I did something incorrect with the setting up of the webserver, or whether there are security issues or permission issues which are causing a problem here.
As far as I know, there is impossible to use http put or post a file to a IIS web application's folder without writing server-side code. Otherwise, configure an FTP site on your IIS installation. Then you could use ftp command to upload the file.
If you really need using HTTP put or post to upload the file, you could consider using WebDav.
More details about what is webdev and how to use it, you could refer to below article.
https://learn.microsoft.com/en-us/iis/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-7/what39s-new-for-webdav-and-iis-7
Try hostname instead of localhost
Add a trailing slash (/) for the directory.
My main website is running on a Tomcat server. All regular pages are handled by Tomcat. What I want, is for a specific page (for example /bugs) to be handled by Apache HTTP server.
Rather than the other way around where specific URLs (/app1) would map to Tomcat. All of the tutorials and things I have looked at use Apache HTTP server as the first point and link to Tomcat.
Is this even possible? If so, how would I do it?
I'm using IIS8 on my Windows 8 development machine. I'm developing an ASP.NET MVC 4 WebAPI-based application, which interfaces with 3rd party servers.
One of these servers (Kaltura content management system) sends a notification which I just can't "catch" with my routing and/or controllers. I'm trying to log the full request's URL on IIS to investigate it's syntax.
I've installed IIS Advanced Logging and configured it to log the all available fields (other than performance counters), but the logs does not contain the URL or the request's contents (a form).
My question is, is it possible to log the full URL in IIS?
There is no default way to log all form fields. Logging everything would make log files go huge very quickly. If there was a way to log everything that would mean logging viewstate and all post fields (what if you’re uploading a 20MB file).
If you want to support something like this you would have to create a custom handler or do it in the website code itself (for example in master page so you don’t have to add logging code to every page).
I have a tomcat hosted web-app, in one of the jsp pages the webapp displays I am using an iframe to embed an html document.
I need to have the html pages separate to the web-app so that they can be altered without requiring a relaunch of the original web-app or access by editors to the web-app.
It is also essential that html pages are secure and not available directly in any way, i.e. only available within this web-app or by authenticating the user. I also want to avoid making the user login to both the web-app and the page in the iframe.
I am not sure how to approach this, I have an apache server, php, and of course tomcat at my disposal.
I can think of two approaches but am not sure how to implement either:
I pass through the authentication details from the jsp page and store all the usernames etc elsewhere for the .htaccess file to check against (not ideal as this means the upkeep of two username / password files)
I somehow enforce that these pages can only be accessed when they are being shown within this iframe i.e. use the web-app as an authenticator and hold the web pages to be only accessible via it.
Presently I can only think of a rather clunky, double log-in way, using .htaccess on an apache server which will require the user to enter a username and password again before viewing the documents.
Can anyone think of a more elegant solution?
Thanks!
CJ
Easiest approach would be to not serve the HTML pages by a public webserver, but just host them in some fixed path outside the public webcontent. Then you can create an servlet which gets an InputStream of the HTML file by FileInputStream and writes it to the OutputStream of the servlet response as obtained by HttpServletResponse#getOutputStream() the usual Java IO way.
Then, in your JSP just change the <iframe> src to point to that servlet instead, along with the desired HTML file as request parameter or pathinfo.
<iframe src="htmlservlet/file.html" />
This way you can control the authentication at one place, the JSP/Servlet webapp.