sebthebert
commented
10 years ago Hi,
I will take a look at this security issue tonight or tomorrow and provide a fix quickly.
Which vulnerability scanner did you use ? Nexus ?
Closed RhysBurkitt closed 10 years ago
sebthebert
commented
10 years ago Hi,
I will take a look at this security issue tonight or tomorrow and provide a fix quickly.
Which vulnerability scanner did you use ? Nexus ?
RhysBurkitt
commented
10 years ago Hi that was fast!
Yes I used the latest version of Nessus Last time I posted when you was source forge I had the option to make the bug post private so no one could see the content but I could not find an option to do on Github, so apologies for posting it in the open before you have had a chance to look at it.
Regards
Rhys Burkitt IT Systems Administrator
Polestar Applied Solutions
t: +44 (0)1623 727500 f: +44 (0)1623 727501 m: +44 (0)7949 006432 e: rhys.burkitt@polestarappliedsolutions.com
mailto:rhys.burkitt@polestarappliedsolutions.comwww.polestar-group.comhttp://www.polestar-group.com/
Think of the environment - Do you need to print this email?
Registered company: Polestar UK Print Limited, 1 Apex Business Park, Boscombe Road, Dunstable, Bedfordshire, LU5 4SB Tel: +44 (0)1582 678900. Registered in England and Wales. Company Number: 5674948 Security & Confidentiality: This email may contain confidential information and/or copyright material.This email is intended for the use of the addressee only.Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software.
From: Sebastien Thebert [mailto:notifications@github.com] Sent: 19 February 2014 15:58 To: sebthebert/Octopussy Cc: Rhys Burkitt Subject: Re: [Octopussy] Vulnerability in web interface (#579)
Hi,
I will take a look at this security issue tonight or tomorrow and provide a fix quickly.
Which vulnerability scanner did you use ? Nexus ?
— Reply to this email directly or view it on GitHubhttps://github.com/sebthebert/Octopussy/issues/579#issuecomment-35513669.
This email is UNCLASSIFIED unless stated otherwise.
sebthebert
commented
10 years ago Hi,
sorry for the delay, I worked on performance issues before that one.
Can you confirm that the fix that I just pushed fixed this issue ?
sebthebert
commented
10 years ago It's supposed to be fixed in Octopussy 1.0.12.
Reopen a ticket if not !
Hi just ran a vulnerability scan over Octopussy and received the following issues, some which I think are similar to the ones I reported about 2 years ago which you promptly resolved.
Regards
Description At least one web application hosted on the remote web server discloses the physical path to its directories when a malformed request is sent to it.
Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend. Solution Filter error messages containing path information.
The request GET /login.asp?redirect=index.asp?login=%0Acat%20/etc/passwd HTTP/1.1 Host: SERVERIP:8888 Accept-Charset: iso-8859-1,utf-8;q=0.9,;q=0.1 Accept-Language: en Connection: Keep-Alive Cookie: session-id=0224f3728c3a27abebe6cfa82d613a7e User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */
produces the following path information :