Difference between revisions of "SCG WS nginx"
Edit summary: (Created page with "{{Template:OWASP Secure Configuration Guide}}")
| Line 1: | Line 1: | ||
{{Template:OWASP Secure Configuration Guide}} | {{Template:OWASP Secure Configuration Guide}} | ||
| + | '''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR A GOOD MATERIAL!''' | ||
| + | |||
| + | == Summary == | ||
| + | A detailed description of the product (can be taken from the official website) | ||
| + | |||
| + | == Common Misconfigurations == | ||
| + | |||
| + | === Misconfiguration 1 === | ||
| + | ==== Description ==== | ||
| + | |||
| + | %ProductName% allows unauthorized attacker to list all users of the system ... | ||
| + | |||
| + | // Detailed description of the impact. Is it enabled by default? Vulnerable versions. | ||
| + | |||
| + | ==== How to test ==== | ||
| + | |||
| + | In order to test for %Misconfiguration_1%, one should ... | ||
| + | |||
| + | // Proof-of-concept here. Please include the screenshots and widely known tools/scanners! | ||
| + | |||
| + | ==== Remediation ==== | ||
| + | |||
| + | Initial/common value of parameter "listUsers" from config.xml is set to "true". | ||
| + | |||
| + | To assess the vulnerability it is enough to change the value to false: | ||
| + | |||
| + | <pre> | ||
| + | <security> | ||
| + | <listUsers>false</listUsers> | ||
| + | </security> | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | == References == | ||
| + | |||
| + | https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ | ||
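Review bot: the body added in this hunk is still the Secure Configuration Guide template's placeholder text rather than nginx content, so the "NEEDS TO BE REVIEWED" banner is warranted: %ProductName% and %Misconfiguration_1% are unfilled, the "// ..." author notes are still present, and the Remediation example refers to a "listUsers" parameter in config.xml, which is not an nginx directive (nginx is configured through nginx.conf, not an XML file). The only nginx-specific material is the reference URL about PHP FastCGI and nginx; the Description, How to test and Remediation sections should be rewritten around that topic. Also, in the Remediation text, "To assess the vulnerability it is enough to change the value to false" should read "To address the vulnerability", since this section describes the fix, not the test.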
Revision as of 21:33, 19 December 2014
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR A GOOD MATERIAL!
Summary
A detailed description of the product (can be taken from the official website)
Common Misconfigurations
Misconfiguration 1
Description
%ProductName% allows an unauthorized attacker to list all users of the system ...
// Detailed description of the impact. Is it enabled by default? Vulnerable versions.
How to test
In order to test for %Misconfiguration_1%, one should ...
// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!
Remediation
The initial/default value of the "listUsers" parameter in config.xml is "true".
To address the vulnerability it is enough to change the value to false:
<pre>
<security>
  <listUsers>false</listUsers>
</security>
</pre>