Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Nessus: plugins

Script 11930, Resin /caucho-status accessible, also /server-status

 

 

Nessus plugins RSS feed   Index | Next | Previous | View Threaded


simon at westpoint

May 9, 2007, 4:34 AM

Post #1 of 2 (1479 views)
Permalink
Script 11930, Resin /caucho-status accessible, also /server-status

Hi

I've seen the Caucho Resin status page accessible on /server-status and
changed plugin 11930 (resin_server_status.nasl) to also check this location.

When running Apache with mod_caucho any location handled by the
"caucho-status" handler can display the page, so it might be worth
checking all detected files when thorough checks is enabled. I don't
know if the location is configurable in other setups (e.g. Resin on
IIS): It looks like it isn't, so checks for locations other than
'/caucho-status' could be conditional on the web server being Apache.

http://wiki.caucho.com/Apache#Configure_Apache_httpd.conf
http://wiki.caucho.com/HowTo_enable_/caucho-status_for_IIS

The status page I saw (Resin 2.1.6) also didn't contain "%cpu/thread" so
I removed that check. I think "<title>Status : Caucho Servlet Engine"
should be sufficient.

Regards
--
Simon Ward

Operations Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
Attachments: resin_server_status_nasl.patch (1.28 KB)


theall at tenablesecurity

May 10, 2007, 8:33 AM

Post #2 of 2 (1335 views)
Permalink
Re: Script 11930, Resin /caucho-status accessible, also /server-status [In reply to]

On 05/09/07 07:34, Simon Ward wrote:

> I've seen the Caucho Resin status page accessible on /server-status and
> changed plugin 11930 (resin_server_status.nasl) to also check this location.
>
> When running Apache with mod_caucho any location handled by the
> "caucho-status" handler can display the page, so it might be worth
> checking all detected files when thorough checks is enabled.
...
> The status page I saw (Resin 2.1.6) also didn't contain "%cpu/thread" so
> I removed that check. I think "<title>Status : Caucho Servlet Engine"
> should be sufficient.

Cheers!

I just committed your patch and revised the description / report a bit.

As for iterating over all files on a web server, I don't feel it's worth
the effort.

George
--
theall [at] tenablesecurity
_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

Nessus plugins RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.