Benn:

The security guy believes that I should protect the CAS URL from crazy characters. The security people call this "SQL injection vulnerability". Even though we know that any URL after a /cas virtual is protected, they still don't like it.

I'm going to add a servlet filter to disallow any foreign characters on the URL and then pass some other error page. I can't explain this away so I'm just going to fix it for them. Thanks for the posts.

David

On Mon, Oct 20, 2008 at 9:37 PM, Benn Oshrin <[EMAIL PROTECTED]> wrote:
> I don't know where you're going with this, so I'll just come back to the original point. CAS behaves like Apache would if you had a directory foo protected by a .htaccess and you requested foo/no-exist.html, which presumably doesn't exist. You get prompted for credentials, and then are told no such file or directory.
>
> This sounds right. You're trying to access a protected resource, and the state of existence of that resource is protected as well.
>
> -Benn-
>
> David Whitehurst <[EMAIL PROTECTED]> wrote on October 20, 2008 11:21:42 AM -0400:
>
> ] Scott:
> ]
> ] Your sentence is the key:
> ]
> ] You can configure this by editing your web.xml to whatever you'd like ;-)
> ]
> ] It starts with the question, "Is it truly an issue?"
> ]
> ] When a web server returns a resource for a bogus URL, is that wrong? I personally think that when businesses pay 50K for a tool to spot web application security issues, this is really wrong. Then, allowing that to assist in hiring less-qualified security personnel is major wrong. And, if the tool is wrong, wouldn't that raise some questions as to whether the tool will even be effective for the primary goal of application security?
> ]
> ] Let me be the devil's advocate: if you could install Confluence on someone else's server, and you could access their database, and install admin.php on the CAS virtual to start it, you could effectively wreck their database through the CAS virtual. And the recommendation is in: contact vendor for CAS product and revoke the use of admin.php. Huh?
> ]
> ] Thanks Scott
> ]
> ] David
> ]
> ] On 10/20/08, Scott Battaglia <[EMAIL PROTECTED]> wrote:
> ]> By default, if you access a CAS page and it does not exist, you are redirected to the CAS login page. You can configure this by editing your web.xml to whatever you'd like ;-)
> ]>
> ]> -Scott
> ]>
> ]> -Scott Battaglia
> ]> PGP Public Key Id: 0x383733AA
> ]> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> ]>
> ]> On Mon, Oct 20, 2008 at 10:40 AM, David Whitehurst <[EMAIL PROTECTED]> wrote:
> ]> >
> ]> > Should the URL http://www.myserver.com/cas/database/mydb.mdb return any HTML resource other than a CAS error page?
> ]> >
> ]> > I'm asking because a formal security scan of my CAS installation has found an issue and I will respond with one of the two responses:
> ]> >
> ]> > 1. The URL returns the CAS login page and I think this to be correct.
> ]> >
> ]> > 2. The URL should return an error page and not provide a resource of any kind.
> ]> >
> ]> > I'm asking this group what seems most reasonable. The login page for me personally is best but I would like to gather some opinion here.
> ]> >
> ]> > Thanks,
> ]> >
> ]> > David
> ]> > _______________________________________________
> ]> > Yale CAS mailing list
> ]> > [email protected]
> ]> > http://tp.its.yale.edu/mailman/listinfo/cas
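The servlet filter David describes above (reject any request path containing characters outside a conservative allow-list and answer with an error page instead of the CAS login redirect), written out as an added example. This is not code from the thread or from the CAS project; the class name `PathCharacterFilter`, the allow-list pattern, and the `web.xml` names in the trailing comment are assumptions for illustration.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical request-path allow-list filter (illustrative, not CAS project code).
 * Any request whose path contains a character outside the allow-list is answered
 * with a plain 404 before the container can route it to the login page or to
 * any other resource, so the scanner sees the same generic error for every
 * unexpected path.
 */
public class PathCharacterFilter implements Filter {

    // Unreserved URI characters plus '/'. '%' is deliberately absent, so
    // percent-encoded sequences (e.g. an encoded "..") are rejected as well.
    private static final Pattern ALLOWED_PATH =
            Pattern.compile("^[A-Za-z0-9._~/-]*$");

    // Package-visible so the rule can be unit-tested without a servlet container.
    static boolean isPathAllowed(String path) {
        return path != null && ALLOWED_PATH.matcher(path).matches();
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() returns the raw, still-encoded path (including the
        // /cas context path), which is exactly what the scanner sent.
        if (!isPathAllowed(request.getRequestURI())) {
            // Generic error: no redirect to /cas/login and no hint about
            // whether the requested resource exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}

/*
 * Registration in web.xml (assumed names), mapped ahead of the CAS servlet
 * so it runs for every path under the context, and an <error-page> entry so
 * the 404 is rendered by a page of your choosing:
 *
 *   <filter>
 *     <filter-name>pathCharacterFilter</filter-name>
 *     <filter-class>PathCharacterFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>pathCharacterFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *   <error-page>
 *     <error-code>404</error-code>
 *     <location>/WEB-INF/view/error.jsp</location>
 *   </error-page>
 */
```

Two deployment caveats: if the installation relies on cookieless URL rewriting, the path will carry `;jsessionid=...` and the allow-list must admit `;` and `=` (or the check should be applied to the path with that suffix removed); and the filter validates only the path, not the query string, so `service=` and `ticket=` parameters still have to be handled by the normal parameter validation rather than by this character check.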
