[liberationtech] nweb + Tor
Jorge SoydelBierzo
berciano at soydelbierzo.com
Mon Jan 20 12:04:15 PST 2014
BTW, mod_security it's available for Nginx at beta stage, it's a good deal
install it and add OWASP core rules. For dynamic content, CMS like drupal,
wordpress, joomla, etc, works better Atomicorp (GotRoot) rules for
mod_security.
2014/1/20 Jorge SoydelBierzo <berciano at soydelbierzo.com>
> Nweb is easily exploitable
>
> A simple petition like this crashs server:
>
> GET
> /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> HTTP/1.0
>
> It's also possible to hack core file using a special crafted petition,
> using info gathered and metasploit to inject a shell using one of the linux
> reverse payloads, giving access to your server with privileges from user
> running the web server.
>
> Nweb is not for a production environment, better use Nginx without access
> to cgi, php-fpm, etc. just for static content.
>
>
>
> 2014/1/20 Jonathan Wilkes <jancsika at yahoo.com>
>
>> Hi list,
>> I'm thinking about setting up a slightly modified version of nweb as
>> a Tor hidden service:
>> http://www.ibm.com/developerworks/systems/library/es-nweb/index.html?ca=
>> dat
>>
>> This is for fun, mostly just to learn some more about Tor hidden services
>> and webservers. But it's got me wondering: has anyone done this yet?
>>
>> If not, I'm curious what kinds of attacks a security specialist sees with
>> this setup if I just want to post something like the text of the Magna
>> Carta. Especially-- are there simple attacks against such a naive
>> webserver like this that nginx or other webservers run as a hidden service
>> would prevent?
>>
>> Best,
>> Jonathan
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated: https://mailman.stanford.edu/
>> mailman/listinfo/liberationtech. Unsubscribe, change to digest, or
>> change password by emailing moderator at companys at stanford.edu.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140120/429b1280/attachment.html>
More information about the liberationtech
mailing list