Rabu, 5 Disember 2012

Sun Java System Calendar Server Denial of Service


[1 of 1] Sun Java System Calendar Server Denial of Service
Severity: High
Test Type: Application
Vulnerable URL: http://172.17.244.116/pcbcalc/
CVE ID(s): CVE-2009-1219
CWE ID(s): 20
Remediation Tasks: Apply patches for Sun Java System Calendar Server 6.3
Variant 1 of 1 [ID=12182]
The following changes were applied to the original request:
• Set path to 'pcbcalc/'
• Added parameter 'tzid' with the following value 'crash'

=============================================================

Hello there,
i'm taking my time so long to search.surf to remove from error reporting which software i used to scan my application.

Here, just want to share with you how do i do that.
have you ever heard apache mod rewrite. yes that what i'll explain till end.

i'm using SUSE SLES 11.

1) check your info about php. Does it install mod rewrite? You now have to check. create one file with phpinfo();

2) Asssume you dont install.
im /etc/apache2/default-server.conf
a- Search for AllowOverride , it will be below  . /srv/www/htdocs can be changed, if you changed your sever root before to some other directory.
b- And change AllowOverride None to AllowOverride All , which will allow you to create custom .htaccess rules.
Save and exit.
c- Run SuSEconfig to update the Apache configuration files.
vim /etc/sysconfig/apache2
Now apache2 file is open and we need to do some changes in it.
Note: If you are not familiar with vim commands, read it here and be careful to use it. You will need few commands like how to insert(i key), how to quit insert mode(Esc key), how to save the file(:wq [w=write, q=quit]), how to exit the file without save(:q). The link i provided is for reference.
d- Search for APACHE_MODULES and you will see a line some thing like:
APACHE_MODULES=”actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5″
Now we will add rewrite at the end of the line and it will become:
APACHE_MODULES=”actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 rewrite”




e- Restart the server with:
/etc/init.d/apache2 restart

Take from http://anl4u.com/blog/enable-mod_rewrite-on-opensuse-11-3-linux/

3) you need to have file .htaccess in directory

4) 
#AllowOverride All

Options ExecCGI FollowSymLinks

Options +FollowSymLinks +SymLinksIfOwnerMatch
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /err.php/$1 [L,QSA]



5) finally you need err.php
put yor error message inside err.php to tell your client


tq