David Whitehurst wrote:

Scott: Your sentence is the key:

> You can configure this by editing your web.xml to whatever you'd like ;-)

It starts with the question, "Is it truly an issue?" When a web server returns a resource for a bogus URL, is that wrong? I personally think that when businesses pay 50K for a tool to spot web application security issues, this is really wrong. Then, allowing that to assist in hiring less-qualified security personnel is a major wrong. And, if the tool is wrong, wouldn't that raise some questions as to whether the tool will even be effective for the primary goal of application security?

Let me be the devil's advocate: if you could install Confluence on someone else's server, and you could access their database, and install admin.php on the CAS virtual to start it, you could effectively wreck their database through the CAS virtual. And the recommendation is in: contact vendor for CAS product and revoke the use of admin.php. Huh?

Thanks, Scott

David

On 10/20/08, Scott Battaglia <[EMAIL PROTECTED]> wrote:
> By default, if you access a CAS page and it does not exist, you are
> redirected to the CAS login page. You can configure this by editing your
> web.xml to whatever you'd like ;-)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Mon, Oct 20, 2008 at 10:40 AM, David Whitehurst <[EMAIL PROTECTED]> wrote:
> >
> > Should the URL http://www.myserver.com/cas/database/mydb.mdb return
> > any HTML resource other than a CAS error page?
> >
> > I'm asking because a formal security scan of my CAS installation has
> > found an issue and I will respond with one of the two responses:
> >
> > 1. The URL returns the CAS login page and I think this to be correct.
> >
> > 2. The URL should return an error page and not provide a resource of any kind.
> >
> > I'm asking this group what seems most reasonable. The login page for
> > me personally is best but I would like to gather some opinion here.
> >
> > Thanks,
> >
> > David

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
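The two behaviours the thread weighs (redirect unknown paths to the login page, or answer them with a plain error page) both come down to the servlet container's `<error-page>` mapping that Scott points at. The fragment below is an added example, not code from the thread or from the CAS project; it assumes a standard Servlet 2.4 `web.xml`, and the file names `/index.jsp` (assumed to do a `sendRedirect` to `/login`) and `/WEB-INF/view/notfound.jsp` (assumed to be a static "not found" page) are placeholders, not CAS's own resources.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Variant A: the behaviour David's scanner flagged.
       A request for a path that maps to nothing (e.g. /cas/database/mydb.mdb)
       is forwarded to a JSP which is assumed to send a 302 redirect to /login.
       The client ends up on the login page instead of seeing a 404. -->
  <!--
  <error-page>
    <error-code>404</error-code>
    <location>/index.jsp</location>
  </error-page>
  -->

  <!-- Variant B: answer unknown paths with an error page and nothing else.
       The container keeps the 404 status it already set and forwards to a
       static page under WEB-INF. Resources under WEB-INF cannot be fetched
       directly by a client, but an error-page forward may still reach them,
       so the page itself never becomes another "resource" for a scanner. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/view/notfound.jsp</location>
  </error-page>

  <!-- Same treatment for server errors, so a stack trace is not the
       "resource" returned for a bogus or malformed URL. -->
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/view/notfound.jsp</location>
  </error-page>

</web-app>
```

The point that matters for the scan report is the status line, not which page body is rendered: with variant B a request for a bogus path answers `404` with no `Location` header, while variant A answers `302 Location: .../login`. After editing, confirm this with `curl -sI https://www.myserver.com/cas/database/mydb.mdb` (hostname from David's message, path as he gave it) and check that the first line reads `404` and that no `Location` header is present.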
