One of our customers has run security tests on Servoy and sent us their findings:
The findings from the WebInspect scan carried out recently that must be either fixed or mitigated before going into production are as follows:
1 - Source: WI Scan;
Finding: Apache Tomcat JK Web Server Connector Buffer Overflow & Stack-based overflow. A buffer overflow vulnerability has been found in Apache Tomcat. The vulnerability is located in the Tomcat JK Web Server Connector in the URI handler for the mod_jk.so library in the map_uri_to_worker function of the jk_uri_worker_map.c module. To exploit this vulnerability, send a long URL (greater than 4095 characters) to the Tomcat server.
For example:
a) http://web.test.appserver.com:8080/serv … AAAAAAAAAA (4096 chars)
b) http://web.test.appserver.com:8080/serv … AAAAAAAAAA
c) http://web.test.appserver.com:8080/serv … AAAAAAAAAA
2 - Source: Web Inspect Scan;
Finding: Apache Tomcat Directory Traversal Apache Tomcat 6.0.0 through 6.0.16 is known to contain a directory traversal vulnerability, when allowLinking and UTF-8 are enabled.
3 - Source: Web Inspect Scan;
Finding: OneWorldStore Remote Denial of Service. OneWorldStore is web-based storefront software implemented in ASP. A remote user can directly access the /owConnections/chksettings.asp file to cause the application to crash. Administrator intervention is required to return the system to normal operations. Click on the following link to manually verify this vulnerability: http://web.test.appserver.com:8080/serv … ttings.asp
The problem with scanning tools is that they report a bunch of generic stuff that might not be an issue with the selected install.
Servoy uses pure Java embedded Tomcat. mod_jk is a module for the Apache web server, which is obsolete anyhow; you should be using mod_proxy instead. However, Servoy does not include the Apache web server or mod_jk, so this is not an issue.
Servoy does not have allowLinking enabled, so this is not an issue.
Servoy does not run any software implemented in ASP, so this vulnerability is a false positive, and not applicable to Servoy.
These files are supposed to be publicly available, so there is no issue.
All in all, none of the vulnerabilities are real, let alone high-risk.
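The reply above makes the point that a scanner finding is only real if its preconditions hold on the actual install. As an added illustration (not part of the original thread, and not Servoy's configuration), the script below triages finding #2 the way an engineer would: it reads a Tomcat context.xml and server.xml and reports whether the version falls in 6.0.0 through 6.0.16, whether allowLinking is set, and whether any connector decodes URIs as UTF-8. The XML fragments and the version string are constructed samples.

```python
"""Check whether the Tomcat directory-traversal finding (allowLinking + UTF-8,
Tomcat 6.0.0 through 6.0.16) actually applies to a given configuration.
The XML below is a constructed sample, not a real deployment's config."""
import xml.etree.ElementTree as ET

# Constructed sample: a hardened context (allowLinking absent, default false).
SAMPLE_CONTEXT_XML = '<?xml version="1.0" encoding="UTF-8"?><Context />'

# Constructed sample: one HTTP connector that decodes URIs as UTF-8.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8" />
  </Service>
</Server>"""


def allow_linking_enabled(context_xml: str) -> bool:
    """Tomcat 6 reads allowLinking from the <Context> element; default is false."""
    root = ET.fromstring(context_xml)
    return root.get("allowLinking", "false").strip().lower() == "true"


def utf8_connector_ports(server_xml: str) -> list:
    """Ports of connectors whose URIEncoding is UTF-8 (Tomcat 6 default is ISO-8859-1)."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("URIEncoding", "ISO-8859-1").upper() == "UTF-8"]


def version_in_range(version: str, low=(6, 0, 0), high=(6, 0, 16)) -> bool:
    """True if a dotted version string falls inside the affected range, inclusive."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return low <= parts <= high


def traversal_finding_applies(version: str, context_xml: str, server_xml: str) -> dict:
    """All three preconditions must hold for the scanner finding to be real."""
    affected_version = version_in_range(version)
    linking = allow_linking_enabled(context_xml)
    utf8_ports = utf8_connector_ports(server_xml)
    return {
        "affected_version": affected_version,
        "allowLinking": linking,
        "utf8_connectors": utf8_ports,
        "applicable": affected_version and linking and bool(utf8_ports),
    }


if __name__ == "__main__":
    print(traversal_finding_applies("6.0.16", SAMPLE_CONTEXT_XML, SAMPLE_SERVER_XML))
```

With the sample config the result is not applicable because allowLinking is off, which is exactly the reasoning given in the reply; flipping allowLinking to true on an in-range version makes it applicable.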
Thank you very much Sebastiaan for your reply.
Foobrother, please consider using an appropriate subject the next time, it was very misleading, there was nothing thorough about whatever research your client did and the subject ‘several known high-risk’ was absolutely inappropriate.