ryancblack / webgoat

Automatically exported from code.google.com/p/webgoat

Security: default configuration limits HTTP to localhost, but misses globally available AJP #61

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The default configurations for the bundled tomcat from 
WebGoat-5.4-OWASP_Standard_Win32.zip are:

* For listening on port 80, tomcat\conf\server_80.xml
* For listening on port 8080, tomcat\conf\server_8080.xml

Both of those try to limit the exposure of the machine on which WebGoat is 
installed by limiting the HTTP connector to listening on the local loopback 
interface:

     <Connector address="127.0.0.1" port="80" ...  />

However, what has been overlooked is that there's also an active AJP/13 
connector:

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

This connector should also be limited to the loopback interface:

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />

Original issue reported on code.google.com by aleksand...@gmail.com on 13 May 2013 at 10:26
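As an added example (not part of the issue or of the WebGoat project), a small Python check that parses a Tomcat server.xml, reports every Connector that is not bound to a loopback address, and rewrites the offending ones the way the reporter suggests. The sample server.xml is constructed here to mirror the defaults described above; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Addresses that keep a connector reachable only from the local machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample mirroring the bundled tomcat\conf\server_80.xml defaults:
# the HTTP connector is bound to loopback, the AJP connector is not.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="80" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def exposed_connectors(server_xml: str) -> list:
    """Return (protocol, port, address) for each Connector not bound to loopback.

    A Connector with no 'address' attribute listens on all interfaces, which is
    exactly the oversight the issue describes for the AJP/1.3 connector.
    Tomcat treats a missing 'protocol' as HTTP/1.1.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if address is None or address.strip() not in LOOPBACK:
            findings.append((conn.get("protocol", "HTTP/1.1"), conn.get("port"), address))
    return findings


def bind_connectors_to_loopback(server_xml: str) -> str:
    """Return the config with address="127.0.0.1" set on every exposed Connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("address", "").strip() not in LOOPBACK:
            conn.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for proto, port, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"Connector {proto} on port {port} is bound to {addr or 'all interfaces'}")
    # Connector AJP/1.3 on port 8009 is bound to all interfaces
```

Note that ElementTree drops XML comments when re-serialising, so treat the rewritten output as a review aid rather than a drop-in replacement for the shipped file.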

GoogleCodeExporter commented 8 years ago

Original comment by mayhe...@gmail.com on 18 Nov 2013 at 3:52