This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SCG WS nginx

From OWASP
Revision as of 21:33, 19 December 2014 by Alexander Antukh (talk | contribs)

Jump to: navigation, search 
This article is part of the OWASP Secure Configuration Guide.

Back to the OWASP Secure Configuration Guide ToC:
   https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project:
   https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide


NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR A GOOD MATERIAL!

Summary

A detailed description of the product (can be taken from the official website)

Common Misconfigurations

Misconfiguration 1

Description

%ProductName% allows unauthorized attacker to list all users of the system ...

// Detailed description of the impact. Is it enabled by default? Vulnerable versions.

How to test

In order to test for %Misconfiguration_1%, one should ...

// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!

Remediation

Initial/common value of parameter "listUsers" from config.xml is set to "true".

To assess the vulnerability it is enough to change the value to false: 

<security>
	<listUsers>false</listUsers>
</security>


References

https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

Retrieved from "https://wiki.owasp.org/index.php?title=SCG_WS_nginx&oldid=187273"