Benn: Ding, ding, ... ding! So even if I truly logged in from a bum URL, I would get the error just after I authenticated. I just need to explain that to them.

Thanks,
David

On Mon, Oct 20, 2008 at 10:25 PM, David Whitehurst <[EMAIL PROTECTED]> wrote:
> Benn:
>
> The security guy believes that I should protect the CAS URL from crazy
> characters. The security people call this "SQL injection
> vulnerability". Even though we know that any URL after a /cas virtual
> is protected they still don't like it.
>
> I'm going to add a servlet filter to disallow any foreign characters
> on the URL and then pass some other error page. I can't explain this
> away so I'm just going to fix it for them.
>
> Thanks for the posts
>
> David
>
> On Mon, Oct 20, 2008 at 9:37 PM, Benn Oshrin
> <[EMAIL PROTECTED]> wrote:
>> I don't know where you're going with this, so I'll just come back to
>> the original point. CAS behaves like Apache would if you had a
>> directory foo protected by a .htaccess and you requested
>> foo/no-exist.html, which presumably doesn't exist. You get prompted
>> for credentials, and then are told no such file or directory.
>>
>> This sounds right. You're trying to access a protected resource, and
>> the state of existence of that resource is protected as well.
>>
>> -Benn-
>>
>> David Whitehurst <[EMAIL PROTECTED]> wrote on October 20, 2008
>> 11:21:42 AM -0400:
>>
>> ] Scott:
>> ]
>> ] Your sentence is the key:
>> ]
>> ] You can configure this by editing your web.xml to whatever you'd like
>> ] ;-)
>> ]
>> ] It starts with the question, "Is it truly an issue?"
>> ]
>> ] When a web server returns a resource for a bogus URL is that wrong? I
>> ] personally think that when businesses pay 50K for a tool to spot web
>> ] application security issues this is really wrong. Then, allowing that
>> ] to assist in hiring less-qualified security personnel is major wrong.
>> ] And, if the tool is wrong, wouldn't that raise some questions as to
>> ] whether the tool will even be effective for the primary goal of
>> ] application security?
>> ]
>> ] Let me be the devil's advocate, if you could install Confluence on
>> ] someone else's server, and you could access their database, and
>> ] install admin.php on the CAS virtual to start it, you could
>> ] effectively wreck their database through the CAS virtual. And the
>> ] recommendation is in: contact vendor for CAS product and revoke the
>> ] use of admin.php. Huh?
>> ]
>> ] Thanks Scott
>> ]
>> ] David
>> ]
>> ] On 10/20/08, Scott Battaglia <[EMAIL PROTECTED]> wrote:
>> ]> By default, if you access a CAS page and it does not exist, you are
>> ]> redirected to the CAS login page. You can configure this by editing
>> ]> your web.xml to whatever you'd like ;-)
>> ]>
>> ]> -Scott
>> ]>
>> ]> -Scott Battaglia
>> ]> PGP Public Key Id: 0x383733AA
>> ]> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>> ]>
>> ]> On Mon, Oct 20, 2008 at 10:40 AM, David Whitehurst
>> ]> <[EMAIL PROTECTED]> wrote:
>> ]> > Should the URL http://www.myserver.com/cas/database/mydb.mdb return
>> ]> > any HTML resource other than a CAS error page?
>> ]> >
>> ]> > I'm asking because a formal security scan of my CAS installation
>> ]> > has found an issue and I will respond with one of the two
>> ]> > responses:
>> ]> >
>> ]> > 1. The URL returns the CAS login page and I think this to be
>> ]> > correct.
>> ]> >
>> ]> > 2. The URL should return an error page and not provide a resource
>> ]> > of any kind.
>> ]> >
>> ]> > I'm asking this group what seems most reasonable. The login page
>> ]> > for me personally is best but I would like to gather some opinion
>> ]> > here.
>> ]> >
>> ]> > Thanks,
>> ]> >
>> ]> > David
>> ]> > _______________________________________________
>> ]> > Yale CAS mailing list
>> ]> > [email protected]
>> ]> > http://tp.its.yale.edu/mailman/listinfo/cas
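The servlet filter David says he will add, written out as an added example; this is not code from the thread or from the CAS project. It assumes the javax.servlet 2.x API CAS deployments of that era ran on, a class name and an allow-list regular expression chosen here, and that the filter is mapped to `/*` in web.xml ahead of CAS's own servlet. Requests whose path (relative to the /cas context) contains anything outside the allow-list, or a `.`/`..` segment, get a plain 404 instead of being passed on to CAS and its default redirect to the login page.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects request paths containing characters outside a
// small allow-list before the request reaches CAS's servlet mapping.
public class RequestPathAllowListFilter implements Filter {

    // Assumed allow-list: segments of letters, digits, '.', '-' and '_' separated by '/'.
    // Percent-encoded bytes, ';', '?', spaces and non-ASCII fall outside it and are rejected.
    private static final Pattern SAFE_PATH = Pattern.compile("^(/[A-Za-z0-9._-]+)*/?$");

    // Reject "." and ".." segments even though their characters are in the allow-list.
    private static final Pattern DOT_SEGMENT = Pattern.compile("(^|/)\\.\\.?(/|$)");

    // Assumed upper bound on path length, to keep pathological inputs out of the regex.
    private static final int MAX_PATH_LENGTH = 512;

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application context, e.g. "/login" or "/database/mydb.mdb".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!isAcceptable(path)) {
            // Plain 404 from the container: no redirect to the login page and the
            // offending path is not echoed back in the response body.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // Pure policy check, kept separate so it can be unit-tested without a container.
    static boolean isAcceptable(String path) {
        if (path == null || path.length() > MAX_PATH_LENGTH) {
            return false;
        }
        return SAFE_PATH.matcher(path).matches() && !DOT_SEGMENT.matcher(path).find();
    }

    public void destroy() { }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/*`, and pair it with an `<error-page>` entry for error code 404 pointing at whatever static error page you want shown. Note what this does and does not address: it handles the "crazy characters" concern from the thread, but a path made only of permitted characters that maps to nothing (the scanner's `/cas/database/mydb.mdb` is one) still falls through to CAS, where the web.xml mapping Scott mentions decides whether it becomes a login redirect or an error page.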
