Submitted URL: http://projects.webappsec.org/Server-Misconfiguration
Effective URL: http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Submission: On October 24 via api from GB — Scanned from GB

The Web Application Security Consortium

SERVER MISCONFIGURATION

Page history last edited by Robert Auger 13 years, 10 months ago



Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-14

 


SERVER MISCONFIGURATION

Server Misconfiguration attacks exploit configuration weaknesses found in web
servers and application servers. Many servers come with unnecessary default and
sample files, including applications, configuration files, scripts, and web
pages. They may also have unnecessary services enabled, such as content
management and remote administration functionality. Debugging functions may be
enabled or administrative functions may be accessible to anonymous users. These
features may provide a means for a hacker to bypass authentication methods and
gain access to sensitive information, perhaps with elevated privileges.

 

Servers may include well-known default accounts and passwords. Failure to fully
lock down or harden the server may leave improperly set file and directory
permissions. Misconfigured SSL certificates and encryption settings, the use of
default certificates, and improper authentication implementation with external
systems may compromise the confidentiality of information.

 

Verbose and informative error messages may result in data leakage, and the
information revealed could be used to formulate the next level of attack.
Incorrect configurations in the server software may permit directory indexing
and path traversal attacks.


 


EXAMPLE

The following default or incorrect configuration in the httpd.conf file on an
Apache server does not restrict access to the server-status page:

    <Location /server-status>
        # No Require/Allow directive: any client can request this handler
        SetHandler server-status
    </Location>


This configuration allows the server status page to be viewed by anyone who can
reach the server. The page contains detailed information about the current use of
the web server, including the hosts and requests currently being processed. An
attacker who requests it can read this sensitive system information directly.
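As an added check (not part of the WASC page or of Apache's own tooling), the script below embeds the unrestricted block quoted above beside a hardened form that limits the handler to local requests, and flags any <Location> that exposes server-status without an access-control directive in either Apache 2.4 (Require) or 2.2 (Order/Deny/Allow) style. The config strings are constructed samples, and the regex parsing is a simplification of Apache's real configuration grammar, not a substitute for `apachectl -S`.

```python
import re

# Constructed sample: the unrestricted block shown on the page.
WEAK_CONF = """
<Location /server-status>
SetHandler server-status
</Location>
"""

# Constructed sample: same handler, restricted to requests from localhost (Apache 2.4).
HARDENED_CONF = """
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>",
                         re.IGNORECASE | re.DOTALL)
STATUS_RE = re.compile(r"^\s*SetHandler\s+server-status\b",
                       re.IGNORECASE | re.MULTILINE)
# Directives that actually narrow who may reach the location.  "Require all granted"
# and "Allow from all" open it up, so they are excluded; commented-out lines
# (leading '#') do not match because the anchor requires the directive at line start.
ACCESS_RE = re.compile(
    r"^\s*(Require\s+(?!all\s+granted\b)\S+|Deny\s+from\s+all\b|Allow\s+from\s+(?!all\b)\S+)",
    re.IGNORECASE | re.MULTILINE)


def unrestricted_status_locations(conf: str) -> list[str]:
    """Return paths of <Location> blocks that serve server-status with no access restriction."""
    exposed = []
    for path, body in LOCATION_RE.findall(conf):
        if not STATUS_RE.search(body):
            continue  # block does not enable mod_status
        if not ACCESS_RE.search(body):
            exposed.append(path.strip())
    return exposed


if __name__ == "__main__":
    print("weak:", unrestricted_status_locations(WEAK_CONF))          # ['/server-status']
    print("hardened:", unrestricted_status_locations(HARDENED_CONF))  # []
```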


 


REFERENCES

[1] “Insecure Configuration Management”, OWASP
    http://www.owasp.org/index.php/Insecure_Configuration_Management

[2] “Apache mod_status /server-status Information Disclosure”, Open Source
    Vulnerability Database (OSVDB)
    http://osvdb.org/displayvuln.php?osvdb_id=562

[3] “Cross-Site Tracing (XST)”
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

[4] “XST Strikes Back”
    http://www.securityfocus.com/archive/1/423028

[5] See also “Improper Filesystem Permissions”, WASC Threat Classification
    http://projects.webappsec.org/Improper-Filesystem-Permissions
