From: Marek Wójcik (puzon@adm.onet.pl)
Date: Fri Aug 20 2004 - 02:24:04 EDT
On Thu, Aug 19, 2004 at 10:18:41AM +0100, George Hedfors wrote:
> Pen-testers,
>
> I'm currently working on server, which reacts strangely to stripped
> HTTP request headers. For instance, removing the "Host:" from the HTTP
> header makes the remote server sending the source of the server side
> scripts (jsp) instead of executing them. This is an Apache with some
> sort of Tomcat installed. Does anyone know what kind of
> misconfiguration that could cause this? Me and my co-worker has
> seriously no idea.
[...]
Hi!
I am far from being Apache/Tomcat guru, but what comes to my mind
is configuration with several VirtualHosts with the same DocumentRoot
and the default one not interpreting jsp scripts.
-- Marek Wójcik puzon@adm.onet.pl ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:59 EDT