Re: WebObjects App Open To Hackers - So I'm Told
- Subject: Re: WebObjects App Open To Hackers - So I'm Told
- From: Alan Ward <email@hidden>
- Date: Thu, 3 Jul 2003 11:05:30 -0700
On Thursday, July 3, 2003, at 10:58 AM, Jonathan Fleming wrote:
OK guys I hear what you are all saying so I'm going to give you the
address in question live:
http://217.65.164.40/cgi-bin/WebObjects.dll/JandM.woa/1/wa/Terms
Is this address a security issue?
Not that I can tell. I tried hitting http://217.65.164.40/cgi-bin and
got a directory listing denied (which is good). I have seen people
misconfigure their web server such that you can do this to see what's
in their cgi-bin and potentially download it. Not sure you'd be able to
replace it though without exploiting some other web server hole.
Personally I would ask the Microsoft dude why he thinks it's a
vulnerability. Should be good for a laugh if nothing else ;-) Certainly
seems less vulnerable to me than the simple act of reading your email
in OutLook ;-)
Kind regards
Jonathan :^/
PS. Sorry for posting to every list but this is quite important to
clear up.
From: "Jonathan Fleming" <email@hidden>
To: email@hidden, email@hidden,
email@hidden
Subject: WebObjects App Open To Hackers - So I'm Told
Date: Thu, 03 Jul 2003 18:21:18 +0100
Recently I got onto the deployment side of WebObjects and my app is
running nice and fluently, but a Microsoft engineer got word to me
through a mutual friend that my app is fully open to hackers as it
shows the complete path to the cgi-bin through the exposed IP address
eg.:
http://nnn.nn.nnn.nn/cgi-bin/WebObjects.dll/Murray.woa/1/wa/Terms
Apparently with such an exposed address a hacker has everything they
need to get into the source and grab what they like... is this true?
If so how do I overcome this open error. By the way I'm not up on my
serverside stuff very well at all, in fact I'm only just learning it
since deploying with WebObjects so I may need some layman
explanations.
Kind regards
Jonathan :^|
_______________________________________________
webobjects-deploy mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/webobjects-deploy
Do not post admin requests to the list. They will be ignored.
_______________________________________________
webobjects-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/webobjects-dev
Do not post admin requests to the list. They will be ignored.
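
The check described in the reply above (requesting the cgi-bin directory itself and seeing whether the server lists its contents), as an added example that is not part of the original thread: a classifier you can run over responses captured from your own server. The response bodies are constructed samples, and the marker patterns are heuristic assumptions about what Apache-style and IIS-style index pages contain.

```python
import re
from html import unescape

# Heuristic markers of an auto-generated directory index (assumed, not exhaustive).
LISTING_MARKERS = (
    re.compile(r"<(title|h1)>\s*Index of\s+/", re.I),  # Apache-style autoindex
    re.compile(r"\[To Parent Directory\]", re.I),       # IIS-style browsing page
)
ANCHOR = re.compile(r'<a\s+href\s*=\s*"([^"]*)"[^>]*>([^<]*)</a>', re.I)

def classify_listing(status, body):
    """Classify the response to a directory URL; return (verdict, listed names)."""
    if status in (401, 403):
        return "denied", []  # the outcome the reply calls "good"
    if status != 200 or not any(m.search(body) for m in LISTING_MARKERS):
        return "no-listing", []
    names = []
    for href, text in ANCHOR.findall(body):
        text = unescape(text).strip()
        # Skip column-sort links and the link back to the parent directory.
        if href.startswith("?") or "parent directory" in text.lower():
            continue
        names.append(text)
    return "listing-exposed", names

# Constructed sample responses (status, body); not captured from any real host.
SAMPLES = {
    "denied": (403, "<html><head><title>Directory Listing Denied</title></head>"
                    "<body>Listing not allowed.</body></html>"),
    "apache": (200, "<html><head><title>Index of /cgi-bin</title></head><body>"
                    '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
                    '<a href="WebObjects.dll">WebObjects.dll</a></body></html>'),
    "iis": (200, '<html><body><A HREF="/">[To Parent Directory]</A><br>'
                 '<A HREF="/cgi-bin/WebObjects.dll">WebObjects.dll</A></body></html>'),
    "app": (200, "<html><head><title>Terms</title></head><body>Terms</body></html>"),
}

def audit(samples):
    """Map each sample name to its (verdict, names) result."""
    return {name: classify_listing(s, b) for name, (s, b) in samples.items()}

if __name__ == "__main__":
    for name, (verdict, names) in audit(SAMPLES).items():
        print(f"{name:8} {verdict:16} {names}")
```

A "listing-exposed" verdict means anyone can enumerate the directory's files by name; the fix is on the web server (disable directory browsing or indexes for that directory), not in the application URL.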