1 Reply Latest reply on Dec 7, 2008 11:27 AM by Anil Saldanha

    is it security hole

    sun kum Newbie

      Pls. go thru below text from nikto( web server scanner ) .. what it showing .. Is thr any security hole in my jboss server if yes pls tell how to fix it.

      + Target IP: *.*.*.*
      + Target Hostname: *.*.*.*
      + Target Port: 80
      + Start Time: 2008-11-26 13:22:53
      ---------------------------------------------------------------------------
      + Server: Apache-Coyote/1.1
      + No CGI Directories found (use '-C all' to force check all possible dirs)
      - Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
      + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
      + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
      + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
      + OSVDB-0: Retrieved X-Powered-By header: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
      + OSVDB-39272: /favicon.ico file identifies this server as: JBoss Server
      + OSVDB-6659: GET //4jMvouXjTAI0l6q0s9PJz4ME7t2c2lWekO6lkW2fHtVCUXPM4YTiy44U1TUR4a5czl41wXgRZAJJZjDT5aOTIuvBU04zUTmbhcmSjW6Af7kBKYG391zCTfny14KqA8IbqzkPMm8MrFxGGHzXI8WuZ0LGeY5GU4lTaihpwuEvHN7sBx0jCwbbKg2VjEnvnE7bHrjtT8KRHBvhIc4ISUG41O8W2YN20io<font%20size=50>DEFACED<!--//-- : MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.
      + OSVDB-3092: GET //status?full=true : Apache Tomcat and/or JBoss information page.
      + 3577 items checked: 8 item(s) reported on remote host
      + End Time: 2008-11-26 13:28:52 (359 seconds)
      ---------------------------------------------------------------------------
      + 1 host(s) tested