nikto.pl -host chesstst.eecs.berkeley.edu
mod_ssl/2.2.10 appears to be outdated (current is at least 2.8.31) (may depend on server version)
2.2.10 corresponds with the Apache version (mod_ssl has shipped inside Apache httpd since 2.0 and reports the httpd version number; nikto is comparing it against the old standalone mod_ssl 2.8.x series for Apache 1.3), so this is not a problem.
mod_jk/1.2.25 appears to be outdated (current is at least 1.2.26)
The fix was to upgrade mod_jk, see Installing Tomkat.
We had a problem with blank pages, see JSP pages not found.
http://chesstst.eecs.berkeley.edu/xxx/%3Cscript%3Ealert(%27Vulnerable%27)%3C/script%3E
brings up an alert box. The requested path is being written into the "file not found" page without HTML-encoding it, so script tags in the URL are rendered as markup (reflected XSS).
The fix is to modify the php files that generate the "file not found" page so that the requested path is HTML-encoded before it is echoed. Each website has a separate file, see www/php/chess.eecs.berkeley.edu/layout/html.inc.php.
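The following is an added example of the kind of change described above; it is not the site's own html.inc.php. It assumes the "file not found" page receives the requested path as a plain string (for an Apache ErrorDocument handler that would be $_SERVER['REDIRECT_URL'], already URL-decoded) and shows the unsafe interpolation next to the encoded version.

```php
<?php
// Added example, not the page's own code. The vulnerable "file not found"
// page concatenated the requested path straight into HTML; the hardened
// version passes it through htmlspecialchars() first.

// What the vulnerable page effectively did (kept here only to show the
// difference; do not use this form).
function unsafe_not_found_body(string $requestedPath): string
{
    return "<h1>File not found</h1>\n"
         . "<p>The page " . $requestedPath . " does not exist on this server.</p>\n";
}

// Hardened version: every character that has meaning in HTML (<, >, &, ", ')
// is turned into an entity, so the path is displayed as text and never parsed
// as markup. ENT_SUBSTITUTE keeps invalid UTF-8 from making the call return "".
function safe_not_found_body(string $requestedPath): string
{
    $shown = htmlspecialchars($requestedPath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>File not found</h1>\n"
         . "<p>The page <code>" . $shown . "</code> does not exist on this server.</p>\n";
}

// Simple self-check a maintainer can run from the command line: the encoded
// output must not contain a raw tag even when the input does.
function encoding_is_effective(string $requestedPath): bool
{
    $body = safe_not_found_body($requestedPath);
    return stripos($body, '<script') === false
        && strpos($body, '&lt;script&gt;') !== false;
}

// Constructed sample input: the decoded form of the nikto probe from the scan.
$sample = "/xxx/<script>alert('Vulnerable')</script>";

if (PHP_SAPI === 'cli') {
    echo "Vulnerable output:\n" . unsafe_not_found_body($sample) . "\n";
    echo "Hardened output:\n" . safe_not_found_body($sample) . "\n";
    echo "Encoding effective: " . (encoding_is_effective($sample) ? 'yes' : 'no') . "\n";
} else {
    // Assumed deployment as an Apache ErrorDocument 404 handler; REDIRECT_URL is
    // set by Apache for error documents and is already URL-decoded.
    $path = $_SERVER['REDIRECT_URL'] ?? ($_SERVER['REQUEST_URI'] ?? '/');
    header('Content-Type: text/html; charset=UTF-8');
    echo safe_not_found_body($path);
}
```

Running the file with `php` from a shell prints both bodies; the hardened one shows the probe as literal text (`&lt;script&gt;alert(&#039;Vulnerable&#039;)&lt;/script&gt;`), which is what the browser should display instead of an alert box. The same htmlspecialchars() treatment applies to any other request-derived value the layout files echo (query string, Host header, referrer).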
OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
See Secure Apache.
The main idea is to add the following to /usr/local/apache/conf/rewrite.conf:

    # Block TRACE/TRACK XSS vector
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
    RewriteRule .* - [F]

and then run

    /etc/init.d/apachectl graceful