
Server Misconfiguration

Page history last edited by Robert Auger 12 years, 4 months ago

Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-14

 

Server Misconfiguration

Server Misconfiguration attacks exploit configuration weaknesses found in web servers and application servers. Many servers ship with unnecessary default and sample files, including applications, configuration files, scripts, and web pages. They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be left enabled, or administrative functions may be reachable by anonymous users. Such features can give an attacker a way to bypass authentication and gain access to sensitive information, possibly with elevated privileges.

 

Servers may include well-known default accounts and passwords. Failure to fully lock down or harden the server may leave improperly set file and directory permissions. Misconfigured SSL certificates and encryption settings, the use of default certificates, and improper authentication implementation with external systems may compromise the confidentiality of information.

 

Verbose and informative error messages may result in data leakage, and the information revealed could be used to formulate the next level of attack. Incorrect configurations in the server software may permit directory indexing and path traversal attacks.

 

Example

The following default or incorrect configuration in the httpd.conf file on an Apache server does not restrict access to the server-status page:

 

<Location /server-status>
    SetHandler server-status
</Location>

 

This configuration allows anyone who can reach the server to view the status page. The page contains detailed information about the current use of the web server, including the hosts and requests currently being processed. An attacker who requests it can read this sensitive system information directly.
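The following is an added example, not part of the WASC entry: a small audit script that scans httpd.conf text for <Location> blocks that enable the server-status (or server-info) handler without any directive restricting who may reach them. The configuration fragments are constructed for the example, and commented-out directives are ignored so that a commented "Require" line does not count as protection.

```python
import re

# Constructed sample httpd.conf fragments (not taken from any real server).
EXPOSED_CONF = """
<Location /server-status>
SetHandler server-status
</Location>
"""

HARDENED_CONF = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
"""

# Match each <Location ...> block and capture its path and body.
LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>",
                         re.IGNORECASE | re.DOTALL)

# Directives that actually limit access (Apache 2.2 and 2.4 styles).
# "Require all granted" and "Allow from all" are explicitly not restrictions.
RESTRICTING_RE = re.compile(
    r"^\s*(Require\s+(?!all\s+granted)\S|Deny\s+from|"
    r"Allow\s+from\s+(?!all\b)|AuthType\s)",
    re.IGNORECASE | re.MULTILINE,
)

HANDLER_RE = re.compile(r"^\s*SetHandler\s+(server-status|server-info)\b",
                        re.IGNORECASE | re.MULTILINE)


def strip_comments(text):
    """Drop comment lines so a commented-out 'Require' is not mistaken for a restriction."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def find_exposed_status_handlers(conf_text):
    """Return (path, handler) for each status/info handler block that has no access restriction."""
    exposed = []
    for path, body in LOCATION_RE.findall(strip_comments(conf_text)):
        handler = HANDLER_RE.search(body)
        if handler and not RESTRICTING_RE.search(body):
            exposed.append((path.strip(), handler.group(1).lower()))
    return exposed


if __name__ == "__main__":
    print("exposed:", find_exposed_status_handlers(EXPOSED_CONF))
    print("hardened:", find_exposed_status_handlers(HARDENED_CONF))
```

The hardened fragment limits the page to loopback and an internal range; an equivalent 2.2-style "Order deny,allow / Deny from all / Allow from 127.0.0.1" block is also recognised.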

 

