I don't know where you're going with this, so I'll just come back to the original point. CAS behaves like Apache would if you had a directory foo protected by a .htaccess and you requested foo/no-exist.html, which presumably doesn't exist. You get prompted for credentials, and then are told no such file or directory.
This sounds right. You're trying to access a protected resource, and the state of existence of that resource is protected as well.

-Benn-

David Whitehurst <[EMAIL PROTECTED]> wrote on October 20, 2008 11:21:42 AM -0400:
] Scott:
]
] Your sentence is the key:
]
] You can configure this by editing your web.xml to whatever you'd like ;-)
]
] It starts with the question, "Is it truly an issue?"
]
] When a web server returns a resource for a bogus URL, is that wrong? I personally think that when businesses pay 50K for a tool to spot web application security issues, this is really wrong. Then, allowing that to assist in hiring less-qualified security personnel is major wrong. And, if the tool is wrong, wouldn't that raise some questions as to whether the tool will even be effective for the primary goal of application security?
]
] Let me be the devil's advocate: if you could install Confluence on someone else's server, and you could access their database, and install admin.php on the CAS virtual to start it, you could effectively wreck their database through the CAS virtual. And the recommendation is in: contact vendor for CAS product and revoke the use of admin.php. Huh?
]
] Thanks Scott
]
] David
]
] On 10/20/08, Scott Battaglia <[EMAIL PROTECTED]> wrote:
]> By default, if you access a CAS page and it does not exist, you are redirected to the CAS login page. You can configure this by editing your web.xml to whatever you'd like ;-)
]>
]> -Scott
]>
]> -Scott Battaglia
]> PGP Public Key Id: 0x383733AA
]> LinkedIn: http://www.linkedin.com/in/scottbattaglia
]>
]> On Mon, Oct 20, 2008 at 10:40 AM, David Whitehurst <[EMAIL PROTECTED]> wrote:
]> > Should the URL http://www.myserver.com/cas/database/mydb.mdb return any HTML resource other than a CAS error page?
]> >
]> > I'm asking because a formal security scan of my CAS installation has found an issue and I will respond with one of the two responses:
]> >
]> > 1. The URL returns the CAS login page and I think this to be correct.
]> >
]> > 2. The URL should return an error page and not provide a resource of any kind.
]> >
]> > I'm asking this group what seems most reasonable. The login page for me personally is best but I would like to gather some opinion here.
]> >
]> > Thanks,
]> >
]> > David
]> > _______________________________________________
]> > Yale CAS mailing list
]> > [email protected]
]> > http://tp.its.yale.edu/mailman/listinfo/cas
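The web.xml change Scott refers to is a standard servlet `error-page` mapping. The fragment below is an added illustration, not copied from the CAS distribution or from anyone in the thread; the path `/WEB-INF/errors/404.html`, the assumption that the webapp's root welcome page redirects to `/login`, and the choice of Servlet 2.4 syntax are all mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative fragment of a CAS-style WEB-INF/web.xml (added example,
     not the CAS project's own file). Only the error-page handling is shown. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>Central Authentication Service (CAS)</display-name>

  <!-- Behaviour 1 (the default Scott describes, option 1 in David's list):
       forward any unmatched path to the webapp root. Assumption: the root
       welcome page issues a redirect to /login, so a client asking for
       /cas/database/mydb.mdb ends up on the login page with a 302 rather
       than a 404. A scanner then sees "something" for every path it tries.
       To get that behaviour, use this mapping instead of the one below:

         <error-page>
           <error-code>404</error-code>
           <location>/</location>
         </error-page>
  -->

  <!-- Behaviour 2 (option 2 in David's list): serve a plain error page and
       keep the 404 status. The container forwards server-side, so the
       status code set by the error stays 404 unless the target page
       changes it. Keeping the page under WEB-INF means a client can never
       fetch it directly; it is only reachable through this forward.
       /WEB-INF/errors/404.html is an assumed path for this example. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/errors/404.html</location>
  </error-page>

  <!-- Exceptions thrown by the application should likewise land on a
       static page rather than the container's default stack-trace page. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/500.html</location>
  </error-page>

</web-app>
```

Whichever behaviour you pick, confirm it from outside with `curl -sI http://www.myserver.com/cas/database/mydb.mdb`: behaviour 2 should answer with an `HTTP/1.1 404` status line, while behaviour 1 answers with a 302 and a `Location:` header pointing at the login page. Note that the `error-page` mapping only fires when nothing in the WAR matches the path; if a real `database/mydb.mdb` had been packaged outside `WEB-INF`, the container's default servlet would serve it regardless of this configuration, so the scan finding is also a prompt to check what is actually in the deployed WAR.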
