Former Member
Jun 08, 2009 at 11:58 AM

BO Edge 3.0 - Hardening Apache


Hi,

Because Edge uses Apache/Tomcat 5.5, it is susceptible to attacks on these servers. Is there any documentation or best practices which are recommended to follow to harden these up? Our deployment of Edge will be internet-facing and we do not want to compromise the data we will be presenting on there.

An example of one of the issues is:

"The server was seen to support the WEBDAV extension which allows remote web site authoring. Connecting to the following URL gives a directory listing:

http:// xxx.xxx.xxx.xxx:8080/webdav/

Webdav is linked with numerous security issues as it relies on file permissions to protect content – the most common method of supporting webdav on Apache is mod_dav for which a serious denial of service vulnerability has been released on the 01/06/09. This publicly available exploit will consume server memory until a denial of service is carried out and there is no fix to this as of yet. It is strongly recommended that mod_dav be disabled unless absolutely functionally required otherwise to reduce the risk, Webdav access should be password protected."

Another risk we have identified is:

"The server hosting the Business Objects application was fingerprinted as running a version of Apache Tomcat (5.5.20) which is known to suffer from several publicly known security issues including denial of service, cross-site scripting and directory traversal. An example of one of these issues, directory traversal, can be seen from the below URL:

http://xxx.xxx.xxx.xxx:8080/foo/\../manager/html

This gives access to the Apache manager which should not be externally accessible and if a valid username and password were guessed would allow access to the server including the ability to deploy new applications including a remote command shell. A full list of issues affecting this version can be found at:

http://tomcat.apache.org/security-5.html"

Please can you advise?

Many Thanks,

DS
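As an added illustration (not from this thread, SAP, or the Tomcat project), the following Python audits a Tomcat 5.5-style `WEB-INF/web.xml` and a manager `context.xml` for the two exposures the findings above describe: a mapped, writable, unauthenticated WebDAV servlet, and a manager application with no source-address restriction. `org.apache.catalina.servlets.WebdavServlet` and `org.apache.catalina.valves.RemoteAddrValve` are real Tomcat class names; the sample XML strings are constructed.

```python
import xml.etree.ElementTree as ET

def _parse(xml_text):
    """Parse and drop namespaces so Servlet-2.4 and DTD-style files look alike."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def webdav_findings(web_xml):
    """Findings for WebDAV exposure in one WEB-INF/web.xml (list of strings)."""
    root = _parse(web_xml)
    findings = []
    # Any security-constraint carrying an auth-constraint means a login is required.
    protected = root.find("security-constraint/auth-constraint") is not None
    for servlet in root.findall("servlet"):
        if not (servlet.findtext("servlet-class") or "").endswith("WebdavServlet"):
            continue
        params = {p.findtext("param-name"): (p.findtext("param-value") or "")
                  for p in servlet.findall("init-param")}
        findings.append("WebDAV servlet mapped: remove unless required")
        if params.get("readonly", "true").strip().lower() != "true":
            findings.append("WebDAV is writable (readonly=false)")
        if not protected:
            findings.append("no auth-constraint: WebDAV not password protected")
    return findings

def manager_findings(context_xml):
    """Flag a manager Context with no RemoteAddrValve limiting source addresses."""
    root = _parse(context_xml)
    if any(v.get("className", "").endswith("RemoteAddrValve")
           for v in root.iter("Valve")):
        return []
    return ["manager reachable from any address: add RemoteAddrValve"]

# Constructed samples: a weak webdav web.xml, an open manager context, a restricted one.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
</web-app>"""
OPEN_MANAGER_CTX = '<Context path="/manager" privileged="true"/>'
RESTRICTED_MANAGER_CTX = """<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\\.0\\.0\\.1"/>
</Context>"""
```

The allow pattern on `RemoteAddrValve` is a regular expression, so the dots in the loopback address are escaped; widen it only to the administrative hosts that genuinely need the manager.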