[jboss-user] [Security & JAAS/JBoss] - is it security hole

sunlinux do-not-reply at jboss.com
Tue Nov 25 04:07:03 EST 2008


Please go through the text below from nikto (web server scanner). What is it showing? Is there any security hole in my JBoss server? If yes, please tell me how to fix it.

+ Target IP:          *.*.*.*
+ Target Hostname:    *.*.*.*
+ Target Port:        80
+ Start Time:         2008-11-26 13:22:53
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
+ OSVDB-39272: /favicon.ico file identifies this server as: JBoss Server
+ OSVDB-6659: GET //4jMvouXjTAI0l6q0s9PJz4ME7t2c2lWekO6lkW2fHtVCUXPM4YTiy44U1TUR4a5czl41wXgRZAJJZjDT5aOTIuvBU04zUTmbhcmSjW6Af7kBKYG391zCTfny14KqA8IbqzkPMm8MrFxGGHzXI8WuZ0LGeY5GU4lTaihpwuEvHN7sBx0jCwbbKg2VjEnvnE7bHrjtT8KRHBvhIc4ISUG41O8W2YN20io<font%20size=50>DEFACED<!--//-- : MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.
+ OSVDB-3092: GET //status?full=true : Apache Tomcat and/or JBoss information page.
+ 3577 items checked: 8 item(s) reported on remote host
+ End Time:        2008-11-26 13:28:52 (359 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4191991#4191991
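The findings that matter in the report above are the three HTTP methods nikto pulled out of the `Allow` header (PUT, DELETE, TRACE). The check a practitioner would want is (a) whether the container actually honours those methods rather than merely advertising them, and (b) a `web.xml` constraint that refuses them. The script below is an added example written for this page, not code from the original post or from the JBoss project. It parses nikto's "Allowed HTTP Methods" line (or a raw `Allow` header), classifies the risky methods with the OSVDB notes from the report, renders the `<security-constraint>` for `web.xml`, and offers a `probe()` that performs the real PUT/DELETE/TRACE requests against your own server. The hostname, port and probe path in `probe()` are placeholders; the sample nikto line is copied from the report.

```python
"""Added example (not from the original post): evaluate nikto's HTTP-method
findings against a JBoss/Tomcat server and emit the web.xml fix."""
import http.client
from typing import Dict, List

# Methods nikto flags on the 'Allow' header, with the OSVDB note it printed.
RISKY_METHODS = {
    "PUT": "OSVDB-397: clients could save files on the web server",
    "DELETE": "OSVDB-5646: clients could remove files on the web server",
    "TRACE": "OSVDB-877: debugging method; enables XST if the request is reflected",
}

# Constructed sample: the nikto line from the report above.
SAMPLE_NIKTO_LINE = "- Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS "


def parse_allow(value: str) -> List[str]:
    """Parse a raw 'Allow' header value ('GET, HEAD, ...') or nikto's
    'Allowed HTTP Methods: ...' report line into a list of method names."""
    if ":" in value:                       # strip 'Allow:' or nikto's label
        value = value.rsplit(":", 1)[1]
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def risky_methods(allowed: List[str]) -> Dict[str, str]:
    """Return only the advertised methods nikto would report, with the reason."""
    return {m: RISKY_METHODS[m] for m in allowed if m in RISKY_METHODS}


def security_constraint(methods: List[str]) -> str:
    """Render the web.xml <security-constraint> that blocks the given methods
    for every URL. An empty <auth-constraint/> means no role is permitted,
    so the container answers 403 for any caller using those methods."""
    lines = [
        "<security-constraint>",
        "  <web-resource-collection>",
        "    <web-resource-name>restricted methods</web-resource-name>",
        "    <url-pattern>/*</url-pattern>",
    ]
    lines += [f"    <http-method>{m}</http-method>" for m in methods]
    lines += [
        "  </web-resource-collection>",
        "  <auth-constraint/>",
        "</security-constraint>",
    ]
    return "\n".join(lines)


def probe(host: str, port: int = 80, path: str = "/nikto-probe.txt") -> Dict[str, object]:
    """Check whether the advertised methods actually work (run only against a
    server you own). host/port/path are placeholders. A 2xx on PUT means the
    server stored the file (the hole nikto suspects); DELETE then removes it
    again. A TRACE reply that echoes the X-Probe header is reflected TRACE."""
    results: Dict[str, object] = {}
    conn = http.client.HTTPConnection(host, port, timeout=10)

    conn.request("OPTIONS", "/")
    r = conn.getresponse()
    r.read()
    results["allow"] = parse_allow(r.getheader("Allow", ""))

    conn.request("PUT", path, body=b"probe", headers={"Content-Type": "text/plain"})
    r = conn.getresponse()
    r.read()
    results["put_status"] = r.status
    results["put_writes_files"] = 200 <= r.status < 300

    conn.request("DELETE", path)
    r = conn.getresponse()
    r.read()
    results["delete_status"] = r.status

    conn.request("TRACE", "/", headers={"X-Probe": "xst-check"})
    r = conn.getresponse()
    body = r.read()
    results["trace_status"] = r.status
    results["trace_reflects"] = r.status == 200 and b"xst-check" in body
    conn.close()
    return results


if __name__ == "__main__":
    allowed = parse_allow(SAMPLE_NIKTO_LINE)
    for method, reason in risky_methods(allowed).items():
        print(f"{method}: {reason}")
    print(security_constraint(list(risky_methods(allowed))))
```

Two caveats before changing anything. First, the `Allow` header reflects which handler methods the servlet implements, not whether they succeed: Tomcat's DefaultServlet refuses PUT and DELETE with 403 unless its `readonly` init-parameter has been set to `false`, and the Coyote connector refuses TRACE with 405 unless `allowTrace="true"` is set, so `probe()` (or a manual PUT with curl) is what tells you whether there is a hole; the `<security-constraint>` is still worth adding so the methods are refused regardless of those settings. Second, the OSVDB-6659 line is a signature match for "MyWebServer 1.0.2" while the banner says Apache-Coyote, so confirm by requesting that URL yourself before treating it as an HTML injection; the `X-Powered-By` header, favicon match and `/status?full=true` page are information disclosure that helps fingerprinting, which you reduce by suppressing the header and restricting or removing the status page, not holes in themselves.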
