Wednesday, 5 December 2012

Sun Java System Calendar Server Denial of Service


[1 of 1] Sun Java System Calendar Server Denial of Service
Severity: High
Test Type: Application
Vulnerable URL: http://172.17.244.116/pcbcalc/
CVE ID(s): CVE-2009-1219
CWE ID(s): 20
Remediation Tasks: Apply patches for Sun Java System Calendar Server 6.3
Variant 1 of 1 [ID=12182]
The following changes were applied to the original request:
• Set path to 'pcbcalc/'
• Added parameter 'tzid' with the following value 'crash'

=============================================================

Hello there,
I spent a long time searching and surfing for how to remove this finding from the error report of the software I used to scan my application.

Here I just want to share with you how I did it.
Have you ever heard of Apache mod_rewrite? Yes, that is what I'll explain, right to the end.

I'm using SUSE SLES 11.

1) Check your PHP information: does it show mod_rewrite installed? You have to check this first. Create one file containing phpinfo(); and look for mod_rewrite in its output.

2) Assume it is not installed.
In /etc/apache2/default-server.conf:
a- Search for AllowOverride; it is inside the <Directory "/srv/www/htdocs"> block. /srv/www/htdocs may be different if you changed your server root to some other directory before.
b- Change AllowOverride None to AllowOverride All, which allows you to create custom .htaccess rules.
Save and exit.
c- Run SuSEconfig to update the Apache configuration files, then open the module list:
vim /etc/sysconfig/apache2
Now the apache2 file is open and we need to make some changes in it.
Note: If you are not familiar with vim commands, read about them first and be careful when using it. You will need a few commands: how to insert (i key), how to leave insert mode (Esc key), how to save the file (:wq [w=write, q=quit]) and how to exit without saving (:q). The link I provided is for reference.
d- Search for APACHE_MODULES and you will see a line something like:
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
Now add rewrite at the end of the line so it becomes:
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 rewrite"

e- Restart the server with:
/etc/init.d/apache2 restart

Taken from http://anl4u.com/blog/enable-mod_rewrite-on-opensuse-11-3-linux/

3) You need a .htaccess file in the web directory (the DocumentRoot, /srv/www/htdocs by default).

4) Put these rules in .htaccess:
#AllowOverride All
Options ExecCGI FollowSymLinks
Options +FollowSymLinks +SymLinksIfOwnerMatch
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /err.php/$1 [L,QSA]

The AllowOverride line stays commented out: AllowOverride is only valid in the main server configuration (step 2), not in .htaccess. The two RewriteCond lines mean only requests for paths that are not an existing file or directory are sent to err.php; real files and directories are still served normally. [L] stops rule processing and [QSA] keeps the original query string, so a request for a path that does not exist, such as the scanner's pcbcalc/ probe with tzid=crash, ends up at err.php instead of a default error page. ExecCGI is not needed for the rewrite itself and can be dropped if you do not serve CGI scripts.



5) Finally you need err.php.
Put your error message inside err.php to tell your client what happened. Keep the message generic: do not echo the requested path or parameters back, and do not include PHP errors or version details, because that is exactly what scanners look for in error pages.
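The SUSE steps above (2 to 5) collected into shell functions, added here as an example; this is not code from the original post or from the anl4u page it cites. It assumes the SUSE file layout named above (/etc/sysconfig/apache2 with an APACHE_MODULES="..." line, a default-server.conf containing AllowOverride None, and a DocumentRoot that accepts .htaccess). The function names are mine and the sample files used by the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the SUSE
# mod_rewrite steps above. All paths are parameters so the functions can be
# tried on constructed copies before touching /etc.

# Step 2d check: is MODULE listed as a word inside APACHE_MODULES="..." in FILE?
module_enabled() {
    grep -Eq "^APACHE_MODULES=\"([^\"]* )?$2( [^\"]*)?\"" "$1"
}

# Step 2d: append MODULE to the APACHE_MODULES="..." line in FILE, once.
add_apache_module() {
    file=$1; mod=$2
    module_enabled "$file" "$mod" && return 0        # already there, nothing to do
    sed "s/^\\(APACHE_MODULES=\"[^\"]*\\)\"/\\1 $mod\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Step 2b: turn "AllowOverride None" into "AllowOverride All" in FILE
# (default-server.conf) so .htaccess files under the DocumentRoot are read.
allow_htaccess_overrides() {
    sed 's/^\([[:space:]]*AllowOverride[[:space:]][[:space:]]*\)None/\1All/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Steps 3-5: write the .htaccess rules from the post and a generic err.php
# into DOCROOT. err.php deliberately echoes nothing from the request.
write_error_handler() {
    docroot=$1
    cat > "$docroot/.htaccess" <<'EOF'
Options +FollowSymLinks +SymLinksIfOwnerMatch
RewriteEngine On
RewriteBase /
# Only paths that are not an existing file or directory go to err.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /err.php/$1 [L,QSA]
EOF
    cat > "$docroot/err.php" <<'EOF'
<?php
// Generic 404: no request echo, no stack trace, no version banner.
header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
header('Content-Type: text/plain; charset=utf-8');
echo "The requested resource is not available.\n";
EOF
}

# Demo on constructed sample files in a scratch directory (run: sh this.sh demo).
demo() {
    tmp=$(mktemp -d)
    printf 'APACHE_MODULES="actions alias dir mime php5"\n' > "$tmp/apache2"
    printf '<Directory "/srv/www/htdocs">\n    AllowOverride None\n</Directory>\n' \
        > "$tmp/default-server.conf"
    add_apache_module "$tmp/apache2" rewrite
    add_apache_module "$tmp/apache2" rewrite     # second call must not add it twice
    allow_htaccess_overrides "$tmp/default-server.conf"
    write_error_handler "$tmp"
    cat "$tmp/apache2" "$tmp/default-server.conf" "$tmp/.htaccess"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a real host you would call add_apache_module /etc/sysconfig/apache2 rewrite, allow_htaccess_overrides /etc/apache2/default-server.conf and write_error_handler /srv/www/htdocs, then run SuSEconfig and restart apache2 as in steps 2c and 2e. add_apache_module checks for the module as a whole word first, so running the script twice does not produce "rewrite rewrite".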


Thanks.

Wednesday, 17 October 2012

Installing MySQL on Slackware 13.37 - prepared by Nurul


Installing MySQL - Slackware 13.37

1. Slackware does not install MySQL automatically. The user needs to set it up on their own.
2. As root, type mysql_install_db.
2.1 You will see some information after typing the above command. It asks you to create a root password.
2.2 In order to create the password, you need to start the DB first.
2.3 To start the DB, go to /var/lib/mysql and change the owner of all files to mysql.
The command I use is: chown -R mysql.mysql *
(chown, not chmod: only chown changes ownership.)
3. On success, start MySQL. The command I used: /etc/rc.d/rc.mysqld start
4. Then type this command to create the password: /usr/bin/mysqladmin -u root password 'p@ssw0rd'
5. Currently there is no connection from an outside client to this database. You have to grant permission to the client.
5.1 First, log in to the database; command: mysql -u root -p ... then enter your password.
5.2 On successful login you will be given the MySQL prompt: mysql>
5.3 At the prompt type this command: grant all privileges on *.* to 'userid1'@'%' identified by 'p@ssw0rd' with grant option;
5.4 The command says that userid1 can access all tables in all databases, and the '%' means that 'userid1' can access the database from any IP. If you want to limit the access, replace the '%' with an IP address. For an application account it is also better to grant only the privileges it needs on its own database, rather than all privileges on *.* with grant option.
6. The MySQL configuration needs to be placed in the /etc directory. You can choose the file that suits your server requirements. The files are my-small.cnf, my-medium.cnf, my-large.cnf and my-huge.cnf. Open and view these files; you will see different parameters in each one of them.
  6.1 Copy the chosen file to /etc/my.cnf.
  For me, I chose my-huge.cnf to copy to my.cnf because my RAM is big.
7. So far, if you try to connect to the database through a client, you will fail. The last step is to put # in front of this statement inside the rc.mysqld file:
 the statement: SKIP="--skip-networking".
 8. Then restart rc.mysqld: /etc/rc.d/rc.mysqld restart

 9. Now you can connect through the client. Happy using MySQL, the best DB in the world!!
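The Slackware steps above (2.3, 5.3, 6 and 7) as shell helpers, added here as an example; this is not code from the original post. It assumes the Slackware paths the post names (/var/lib/mysql as the data directory, /etc/rc.d/rc.mysqld containing a SKIP="--skip-networking" line, the my-*.cnf templates). The RAM thresholds in choose_my_cnf are my assumption based on the comments at the top of the sample files, the function names are mine, and the rc.mysqld copy used by the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the Slackware
# MySQL steps above. They take paths and values as parameters so the parts
# that edit configuration can be tried on constructed copies first.

# Step 2.3: make sure DIR (the datadir, /var/lib/mysql) is owned by USER.
# chown, not chmod: only chown changes ownership.
fix_datadir_owner() {
    chown -R "$2:$2" "$1"
}

# Check for step 2.3: print every path under DIR not owned by USER, return 1 if any.
check_datadir_owner() {
    bad=$(find "$1" ! -user "$2") || return 1
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Step 6: pick a my-*.cnf template from the machine's RAM in MB. The thresholds
# are an assumption taken from the comments at the top of the sample files
# (small <= 64M, medium a few hundred MB, large ~512M, huge 1G+).
choose_my_cnf() {
    mem_mb=$1
    if   [ "$mem_mb" -le 64 ];   then echo my-small.cnf
    elif [ "$mem_mb" -lt 512 ];  then echo my-medium.cnf
    elif [ "$mem_mb" -lt 1024 ]; then echo my-large.cnf
    else                              echo my-huge.cnf
    fi
}

# Step 7: comment out SKIP="--skip-networking" in FILE (rc.mysqld), once.
# Lines already starting with # are left alone, so repeated runs are safe.
disable_skip_networking() {
    sed 's/^\([[:space:]]*\)SKIP="--skip-networking"/\1#SKIP="--skip-networking"/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 5.3, scoped: build a GRANT for one database and one client address
# instead of all privileges on *.* to '%' with grant option.
# Arguments: DB USER HOST PASSWORD (caller must not pass quotes in them).
grant_sql() {
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2" "$3" "$4"
}

# Demo on a constructed rc.mysqld copy (run: sh this.sh demo).
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nSKIP="--skip-networking"\nstart() { echo start; }\n' > "$tmp/rc.mysqld"
    disable_skip_networking "$tmp/rc.mysqld"
    disable_skip_networking "$tmp/rc.mysqld"     # second run must not add a second #
    cat "$tmp/rc.mysqld"
    echo "template for 4096 MB: $(choose_my_cnf 4096)"
    grant_sql appdb userid1 192.0.2.10 'p@ssw0rd'
    check_datadir_owner "$tmp" "$(id -un)" && echo "ownership ok"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the real box the calls are fix_datadir_owner /var/lib/mysql mysql (then check_datadir_owner with the same arguments to confirm), disable_skip_networking /etc/rc.d/rc.mysqld followed by the restart in step 8, and the output of grant_sql pasted at the mysql> prompt in place of the wide-open grant in step 5.3.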