Mailing List Archive

Script 11930, Resin /caucho-status accessible, also /server-status
Hi

I've seen the Caucho Resin status page accessible on /server-status and
changed plugin 11930 (resin_server_status.nasl) to also check this location.

When running Apache with mod_caucho any location handled by the
"caucho-status" handler can display the page, so it might be worth
checking all detected files when thorough checks is enabled. I don't
know if the location is configurable in other setups (e.g. Resin on
IIS): It looks like it isn't, so checks for locations other than
'/caucho-status' could be conditional on the web server being Apache.

http://wiki.caucho.com/Apache#Configure_Apache_httpd.conf
http://wiki.caucho.com/HowTo_enable_/caucho-status_for_IIS

The status page I saw (Resin 2.1.6) also didn't contain "%cpu/thread" so
I removed that check. I think "<title>Status : Caucho Servlet Engine"
should be sufficient.

Regards
--
Simon Ward

Operations Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
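
Added example, not part of the original post or of plugin 11930: because any location bound to the "caucho-status" handler can serve the page, an administrator can list those locations from httpd.conf rather than probing URLs. The configuration fragment is constructed, and the function names and the access-restriction heuristic are assumptions.

```python
import re

# Title marker quoted in the thread. The "%cpu/thread" string is not used,
# since the Resin 2.1.6 page described above does not contain it.
STATUS_MARKER = "<title>Status : Caucho Servlet Engine"

# Constructed httpd.conf fragment (sample input, not taken from the thread).
SAMPLE_CONF = """\
<Location /caucho-status>
  SetHandler caucho-status
</Location>
# same handler on another path, limited to localhost (Apache 2.2 syntax)
<Location /server-status>
  SetHandler caucho-status
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Location>
<Location /server-info>
  SetHandler server-info
</Location>
"""

BLOCK_RE = re.compile(r"<Location\s+\"?([^\s\">]+)\"?\s*>(.*?)</Location>",
                      re.S | re.I)

def caucho_status_locations(conf_text):
    """Return [(path, restricted)] for each Location served by caucho-status."""
    found = []
    for path, body in BLOCK_RE.findall(conf_text):
        lines = [l.strip().lower() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.fullmatch(r"sethandler\s+caucho-status", l) for l in lines):
            continue
        # Heuristic (assumption): a Deny rule, or a Require other than
        # "all granted", counts as an access restriction.
        restricted = any(
            l.startswith("deny from")
            or (l.startswith("require ") and l != "require all granted")
            for l in lines
        )
        found.append((path, restricted))
    return found

def is_resin_status_page(body):
    """True if a response body carries the status-page title marker."""
    return STATUS_MARKER in body
```
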
Re: Script 11930, Resin /caucho-status accessible, also /server-status
On 05/09/07 07:34, Simon Ward wrote:

> I've seen the Caucho Resin status page accessible on /server-status and
> changed plugin 11930 (resin_server_status.nasl) to also check this location.
>
> When running Apache with mod_caucho any location handled by the
> "caucho-status" handler can display the page, so it might be worth
> checking all detected files when thorough checks is enabled.
...
> The status page I saw (Resin 2.1.6) also didn't contain "%cpu/thread" so
> I removed that check. I think "<title>Status : Caucho Servlet Engine"
> should be sufficient.

Cheers!

I just committed your patch and revised the description / report a bit.

As for iterating over all files on a web server, I don't feel it's worth
the effort.

George
--
theall@tenablesecurity.com
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers