
I have a server on which Apache Tomcat 6.0.16 is installed and there are no web applications running.

But I have an axis2.war which is hosting a few web services. Now after performing a Qualys security vulnerability check it gave me the following result:

Service name: Web server
Vulnerability description: Web Server Uses Plain-Text Form Based Authentication
Severity (scale of 1-5, 5 is highest): 3

I have searched for this error and what I gather is that this error happens for websites which request web pages from a web server and the form of authentication used is plain-text based. But my doubt is: we do not have any web apps running on the server, so which authentication is it asking about? Or is it related to axis2.war?

Any suggestions would be of great help.

2 Answers

Basically it is saying that you are transmitting data over an unencrypted port (e.g. port 80). Disabling port 80 and enabling port 443 should solve your problem.

answered 2013-01-28T15:40:46.273

It means the web server allows POST requests over port HTTP/80 (plain-text form based authentication).

It doesn't matter even if your site redirects you to HTTPS, because someone can force the request to go over HTTP.

For example, if the site is misconfigured and allows plain-text POST requests, someone could save the site locally and submit the form unencrypted. Or an attacker could create a fake site (clone it so it looks the same) and redirect the login form to the original site over HTTP/80 so that the user does not notice. He might then be able to obtain other users' login credentials by sniffing the network traffic.

Here is an example of a regular redirect response:

% curl -I http://example.com/
HTTP/1.1 301 Moved Permanently

And here is an example of a POST request:

% curl -X POST -I http://example.com/

Or:

curl -d'foo=bar' http://example.com/login

If your site responds with HTTP/1.1 200 OK or similar, it is recommended to disallow all requests except GET and HEAD on port 80.

answered 2020-06-24T18:25:55.303
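The check this answer performs with curl by hand, as an added example that is not part of the original answer: classify() judges a plain-HTTP reply to a GET or POST, and probe() sends the request with the standard library. The hostname in the main block is a placeholder, and the replies in the comments are constructed samples.

```python
# Added example (not from the answer above): automate the curl check from the answer.
# The verdicts mirror how the answer reads the curl output: a 200 OK to a POST on
# HTTP/80 is the Qualys finding; a 405/403 is the recommended fix (only GET/HEAD).
import http.client
from urllib.parse import urlparse

REDIRECTS = {301, 302, 303, 307, 308}

def classify(method, status, headers):
    """Judge one plain-HTTP reply. headers: dict with lower-case header names."""
    loc = headers.get("location", "").lower()
    if method == "GET":
        if status in REDIRECTS and loc.startswith("https://"):
            return "get-redirects-to-https"      # the regular redirect response
        return "get-served-over-http" if status < 400 else "get-refused"
    # POST: whatever the status, the form body already crossed the wire unencrypted.
    if status in (403, 405, 501):
        return "post-refused"                    # the fix the answer recommends
    if status in REDIRECTS and loc.startswith("https://"):
        return "post-accepted-then-redirected"   # too late: body was sent in clear
    if 200 <= status < 300:
        return "post-accepted-plaintext"         # the Qualys finding
    return "post-other"

def probe(url, method="POST", body="foo=bar"):
    """Send one request over plain HTTP (port 80 unless the URL says otherwise)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"} if method == "POST" else {}
    conn.request(method, u.path or "/", body=body if method == "POST" else None, headers=hdrs)
    resp = conn.getresponse()
    verdict = classify(method, resp.status, {k.lower(): v for k, v in resp.getheaders()})
    conn.close()
    return verdict

if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own login URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/login"
    for m in ("GET", "POST"):
        print(m, probe(target, m))
```

A "post-accepted-then-redirected" verdict is still a finding: the redirect only happens after the credentials were received in clear text, which is why the answer recommends refusing POST on port 80 rather than relying on a redirect.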