26194 (7080/tcp) Web Server Uses Plain Text Authenti ...

Our recent tenable security scan on the PeopleSoft web server shows the web
server is using the plan text authentication. We are using the both secured
(port 7081) and non-secured (port 7080) web services (PeopleSoft Weblogic
web server). I have attached the detailed message to the submitted case. It
looks that the LoginForm.jsp is passing the plain text password. I just
don't know how to fix this? any suggestions?
Vulnerability Details
Vulnerability Report Description:
Synopsis :
The remote web server might transmit credentials over clear text
Description :
The remote web server contains several HTML forms containing
an input of type password which transmit their information to
a remote web server over plain text.
An attacker eavesdropping the traffic might use this setup to
obtain logins and passwords of valid users.
Solution :
Make sure that every form transmits its results over HTTPS
Risk factor:
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Page : /console/login/LoginForm.jsp;ADMINCONSOLESESSION=LGY........
Destination page : /console/j_security_check
Input name : xxxxxxxxx
Page : /console/login/LoginForm.jsp;ADMINCONSOLESESSION=LGY........
Destination page : /console/j_security_check
Input name : xxxxxxxxx

The most common solution to the problem is to only transmit user/pass over https. You might want to only enable https on your server. Or (more finer grained solution might be to access the app only over https)

Similar Messages

DECODING MAIL FROM WEB SERVER IN PLAIN TEXT FORMAT(THE MAIL BEING SENT BY LABVIEW APPLICATION)

Hi All
I have a labview application that send mail every hour automatically.
But actually the mail has to be decoded from the web server(by another application).But now when that application decode the data in the mail(that is send by labview application)its getting some funny characters inside that can not be detected by the decoding application
(When open the mail no problem.)But actually our goal is to decode the mail from the web server.
Why the extra characters are appearing when decoding from the server?Is it because of the HTML format?
Is there option to send the mail in plain text format(not like attachment)?
In outlook we can change the setting (tools->options->send->mail sending format->....here we can set as HTML format/Plain Text format)
Like that at the sending time can i chenge the sending option as plain text format in my labview application?
Thanks...

smercurio_fc wrote:
Then it sounds to me like this other application is not decoding the attachment correctly, especially if you looked at the attachment yourself after you received it and verified it's correct.
No, no, smercurio. This is charcter encoding here. In older versions of LabVIEW you could specify what character encoding to use when sending an email through the SMTP VIs. But that gave problems since people in certain locales used certain characters that where not transfered right when the wrong encoding was specified, and that encoding stuff is not understood by most people at all, so the wrong selected encoding was rather the rule than the exception. In newer versions of LabVIEW do the SMTP VIs handle the encoding automatically based on the currently used locale on the system.
This change is documented in the Upgrade Notes of LabVIEW and probably happened around LabVIEW 7.1 or 8.0.
A decent mail client will recognize the encoding and convert it back to whatever is necessary before presenting it to the user. The OPs posters server application obviously isn't a smart mail client but probably just some crude text file parser that has no notion of proper mail character encoding and how to deal with it.
I would suppose that there is a chance to dig into the SMTP VIs itself and try to manipulate or disable that encoding altogether in there but that may open a whole can of worms somewhere else. The proper way would be to process the incoming mail by a character encoding aware mail client before passing it to the text parser. On Unix setting up something like this would be fairly trivial.
Rolf Kalbermatter
Message Edited by rolfk on 01-23-2008 10:21 AM
Rolf Kalbermatter
CIT Engineering Netherlands
a division of Test & Measurement Solutions

Reversing Configuration to allow SMB connections using plain text passsword

I could not logon to a SMB Winows server - repeatedly getting a error -36. I found Apple Article 301580 "Mac OS X 10.4: Error -36 alert displays when connecting to a Windows server". After checking about the possibility of the server being configured to accept an encrypted password - I was resigned to following the directions in 301580 to configure your computer to use plain text passwords to make SMB/CIFS connections when the specified Samba or Windows (SMB/CIFS) server does not support encrypted passwords:
1. Make sure that you are not currently connected to any Samba or Windows (SMB/CIFS) servers and that you do not have any Samba or Windows-related error messages open.
2. Open the Terminal (/Applications/Utilities/).
3. At the prompt, type: sudo pico /etc/nsmb.conf
4. Press Return.
5. Enter your password when prompted, then press Return again.
6. You should see an empty file and a "New File" notice at the bottom of the pico window. If you do not see the "New File" notice, this file already exists.
7. Enter the following into the file so that it appears as follows:
[default]
minauth=none
8. Save the file (press Control-O), press Return, then exit pico (Control-X).
9. Type: sudo chmod a+r /etc/nsmb.conf
10. Press Return.
11. Restart your computer.
My question is how can I reverse this confuiguration to the previous setting where only encrypted passwords are used ?
Thanks!

The solution in my situation was to insert the code below at the top of the file and that took care of the problem.
AddType image/svg+xml svg
AddType image/svg+xml svgz

Post a File to a web server using HTTP_POST

Hello,
I have to generate a program to post a file ".TXT" to a web server using a HTTP POST with multipart form and a couple of variables (user, password).
I was investigating and I found that I can do it using SAPHTTP but I dont know how to work with the FM HTTP_POST.
Does anyone have a sample code?
Thanks
Ariel

sample usage:
CALL FUNCTION 'HTTP_POST'
    EXPORTING
      ABSOLUTE_URI                = IM_OFX_CONTROL_DATA-ADDRESS
      REQUEST_ENTITY_BODY_LENGTH = RESPONSE_ENTITY_BODY_LENGTH
      RFC_DESTINATION             = IM_OFX_CONTROL_DATA-HTTP_RFCDEST
      USER                        = IM_OFX_CONTROL_DATA-HTTP_USER
      PASSWORD                    = IM_OFX_CONTROL_DATA-HTTP_PASSWORD
      BLANKSTOCRLF                = 'X'
    IMPORTING
      STATUS_CODE                 = STATUS
      STATUS_TEXT                 = STATUS_TEXT
      RESPONSE_ENTITY_BODY_LENGTH = RLENGTH
    TABLES
      REQUEST_ENTITY_BODY         = LT_REQUEST
      RESPONSE_ENTITY_BODY        = RESPONSE
      RESPONSE_HEADERS            = LT_RESPONSE_HEADERS
      REQUEST_HEADERS             = LT_HTTP_HEADERS
   EXCEPTIONS
        OTHERS                      = 1.
Refer the programs:
LFPIFF02
LOFXALSU04
LPRGN_URL_RESPONSEU01
LSBCCU01
LSFTPU09
for some idea.
regards,
ravi

Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7?

Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7? I would like to display a simple web page, and I would like to pass to that web page the answers to all the quiz questions, quiz score, etc. In other words, instead of passing quiz results to a SCORM-compliant LMS like Moodle, I'd like to pass that data to a Drupal Webform using a URL like:
https://www.example.com/my-drupal-webform?param1=value1&param2=value2...&paramn=valuen
Is this possible?
Thanks,
John

You have to make sure every step in MOS Document ID 726414.1 that is applicable to your E-Business Suite 12.1.x release is performed. Enabling ASADMIN is just one of the steps. In spite of following all the steps in this Document you continue to get the error when clicking "Generate WSDL", please log a Service Request with Oracle Support.I will check all steps again. Maybe I missed one... Thanks!

Dreamweaver CS3 fails when publishing to the web server using WebDAV

Dreamweaver CS3 fails when publishing to the web server using
WebDAV
using an earlier version (7.x/8.x) works fine.
Does anybody know if there is a solution for this.. This is
urgent..
Attempting to call the 1-800-833-6687 number fails with:
recording, music, rings as though someone will finally answer, but
gets a few dial tones and connection goes silent..
Thanks
J.

If all of your credentials are correct, Server Name/IP Address, Username, Password, Root Directory and it's still not connecting, I would try toggling the Passive FTP checkbox.
If you still can't connect in DW, try downloading a third party FTP program like Filezilla (free) and uploading there. If the third party app doesn't work either, there is likely a problem with your credentials and you would need to contact your hosting provider to straighten it out.

Resources for implementing HTTP web server using java

hi ,
Thanks for giving your precious time in reading the message.I want to build a HTTP web server using java,which will run on my machine and I can communicate with it through web browser(IE) using HTTP requests and response.
I know java language, but quite new to network programming.I want to gain enough knowledge on network programming in java.Can you please suggest me good books or any other resources available on the internet for the required subject.Any help will be greatly appreciated.
my email-id is : [email protected]

hi there my friend,
I am writing my own web server too. in w3c there is a sample web server called jigsaw-open source :) and simple-
I do think it worth trying.
you can contact me if you want to share some source and info. cause I will.
[email protected]
but within 2 weeks I will be back for studying for my web server. you have to wait for a while.

Sun java web server - using a lot of memory

sjws 6.1sp7 - solaris 10u4
we have a web server instance that uses over 3gb of ram. it servers mostly jsps. i understand why permanent heap is so large (jsp classes) any one have an idea of what else could be going on here?
17921 webservd 3271M 2976M cpu1 0 10 9:05:55 31% webservd/80
pmap shows (cut down for length):
00010000 8K r-x-- /opt/jws61/bin/https/bin/webservd
00020000 8K rwx-- /opt/jws61/bin/https/bin/webservd
00022000 1171168K rwx-- [ heap ]
< snip, and a bunch of the following >
74000000 5440K r--s- dev:314,2 ino:6823381
74560000 120K r--s- dev:314,2 ino:6823394
74590000 408K r--s- dev:314,2 ino:6823341
74600000 464K r--s- dev:314,2 ino:6823383
74680000 2192K r--s- dev:314,2 ino:6823304
748B0000 72K r--s- dev:314,2 ino:6823307
748D0000 144K r--s- dev:314,2 ino:6823286
74900000 1264K r--s- dev:314,2 ino:6823418
74A50000 160K r--s- dev:314,2 ino:6823345
74A80000 552K r--s- dev:314,2 ino:6823276
74B10000 8K r--s- dev:314,2 ino:6823327
74B20000 352K r--s- dev:314,2 ino:6823280
74B80000 832K r--s- dev:314,2 ino:6823319
74C60000 104K r--s- dev:314,2 ino:6823324
74C80000 504K r--s- dev:314,2 ino:6823337
74D10000 352K r--s- dev:314,2 ino:6823283
74D70000 32K r--s- dev:314,2 ino:6823406
74D80000 664K r--s- dev:314,2 ino:6823271
74E30000 16K r--s- dev:314,2 ino:6823314
74E40000 40K r--s- dev:314,2 ino:6823349
74E50000 32K r--s- dev:314,2 ino:6823404
74E60000 104K r--s- dev:314,2 ino:6823278
74E80000 584K r--s- dev:314,2 ino:6823347
74F20000 312K r--s- dev:314,2 ino:6823248
74F80000 1808K r--s- dev:85,40 ino:3471
75150000 80K r--s- dev:314,2 ino:6823373
< snip, and then what appears to be taking up most of the memory >
96800000 20480K rwx-- [ anon ]
97C00000 20480K rwx-- [ anon ]
99000000 20480K rwx-- [ anon ]
9A400000 28672K rwx-- [ anon ]
9C000000 4096K rwx-- [ anon ]
9C400000 4096K rwx-- [ anon ]
9C800000 4096K rwx-- [ anon ]
9CC00000 28672K rwx-- [ anon ]
9E800000 8192K rwx-- [ anon ]
9F000000 8192K rwx-- [ anon ]
9F800000 24576K rwx-- [ anon ]
A1000000 4096K rwx-- [ anon ]
A1400000 4096K rwx-- [ anon ]
A1800000 12288K rwx-- [ anon ]
A2400000 40960K rwx-- [ anon ]
A4C00000 8192K rwx-- [ anon ]
A5400000 16384K rwx-- [ anon ]
A6400000 24576K rwx-- [ anon ]
A7C00000 40960K rwx-- [ anon ]
AA400000 20480K rwx-- [ anon ]
AB800000 12288K rwx-- [ anon ]
AC400000 20480K rwx-- [ anon ]
AD800000 4096K rwx-- [ anon ]
ADC00000 36864K rwx-- [ anon ]
B0000000 4096K rwx-- [ anon ]
B0400000 16384K rwx-- [ anon ]
B1400000 4096K rwx-- [ anon ]
B1800000 8192K rwx-- [ anon ]
B2000000 45056K rwx-- [ anon ]
B4C00000 12288K rwx-- [ anon ]
B5800000 4096K rwx-- [ anon ]
B5C00000 12288K rwx-- [ anon ]
B6800000 16384K rwx-- [ anon ]
B7800000 4096K rwx-- [ anon ]
B7C00000 4096K rwx-- [ anon ]
B8000000 4096K rwx-- [ anon ]
B8400000 4096K rwx-- [ anon ]
B8800000 4096K rwx-- [ anon ]
B8C00000 4096K rwx-- [ anon ]
#/usr/jdk/j2sdk1.4.2_16/bin/jmap -heap 17921
Attaching to process ID 17921, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 1.4.2_13-b06
using thread-local object allocation.
Mark Sweep Compact GC
Heap Configuration:
MinHeapFreeRatio = 40
MaxHeapFreeRatio = 70
MaxHeapSize = 67108864 (64.0MB)
NewSize = 2228224 (2.125MB)
MaxNewSize = 4294901760 (4095.9375MB)
OldSize = 1441792 (1.375MB)
NewRatio = 2
SurvivorRatio = 32
PermSize = 16777216 (16.0MB)
MaxPermSize = 1073741824 (1024.0MB)
Heap Usage:
New Generation (Eden + 1 Survivor Space):
capacity = 347406336 (331.3125MB)
used = 163723696 (156.1390838623047MB)
free = 183682640 (175.1734161376953MB)
47.1274352348024% used
Eden Space:
capacity = 336920576 (321.3125MB)
used = 163723696 (156.1390838623047MB)
free = 173196880 (165.1734161376953MB)
48.59415175640683% used
From Space:
capacity = 10485760 (10.0MB)
used = 0 (0.0MB)
free = 10485760 (10.0MB)
0.0% used
To Space:
capacity = 10485760 (10.0MB)
used = 0 (0.0MB)
free = 10485760 (10.0MB)
0.0% used
tenured generation:
capacity = 715849728 (682.6875MB)
used = 645847144 (615.9278335571289MB)
free = 70002584 (66.7596664428711MB)
90.22105041576548% used
Perm Generation:
capacity = 895221760 (853.75MB)
used = 894921568 (853.4637145996094MB)
free = 300192 (0.286285400390625MB)
99.96646730302892% used

It usually takes about 24 hours to get there. It is easily reproducible. "Kill -3" is not leaving a javacore for some reason.
The applications are mostly jsp, and are all over the board. There is a lot of XML parsing, some db connections, and all sorts of other home grown things. However, if the jsp applications were leaking would that not be in the heap?
How would I hunt down these allocations?
A2400000 40960K rwx-- [ anon ]
A4C00000 8192K rwx-- [ anon ]
A5400000 16384K rwx-- [ anon ]
A6400000 24576K rwx-- [ anon ]
A7C00000 40960K rwx-- [ anon ]
AA400000 20480K rwx-- [ anon ]
AB800000 12288K rwx-- [ anon ]
###server.xml
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///opt/jws61/bin/https/dtds/sun-web-server_6_1.dtd" >
<SERVER>
    <PROPERTY name="docroot" value="/xxxxxweb/xxx"/>
    <PROPERTY name="accesslog" value="/data/logs/xxxxx/access"/>
    <PROPERTY name="user" value=""/>
    <PROPERTY name="group" value=""/>
    <PROPERTY name="chroot" value=""/>
    <PROPERTY name="dir" value=""/>
    <PROPERTY name="nice" value=""/>
    <LS id="ls1" port="92" servername="xxxxx" defaultvs="https-bamxxx"/>
    <MIME id="mime1" file="mime.types"/>
    <ACLFILE id="acl1" file="/opt/jws61/httpacl/generated.https-xxxxx.acl"/>
    <VSCLASS id="vsclass1" objectfile="obj.conf">
        <VS id="https-xxxxx" connections="ls1" mime="mime1" aclids="acl1" >
            <PROPERTY name="docroot" value="/xxxxxweb/xxx"/>
            <WEBAPP uri="/" path="/xxxxxweb/xxx" enabled="true"/>
        </VS>
    </VSCLASS>
<JAVA javahome="/usr/jdk/j2sdk1.4.2_13" serverclasspath="/opt/jws61/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/opt/jws61/bin/https/jar/webserv-ext.jar:/opt/jws61/bin/https/jar/webserv-jstl.jar:/opt/jws61/bin/https/jar/ktsearch.jar:/opt/oracle/product/9.2.0/jdbc/lib/ojdbc14.jar:/opt/oracle/product/9.2.0/jdbc/lib/nls_charset12.jar:/opt/oracle/product/9.2.0/jdbc/lib/ocrs12.jar" classpathsuffix="" envclasspathignored="true" nativelibrarypathprefix="/opt/oracle/product/9.2.0/lib32" debug="false" debugoptions="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n" dynamicreloadinterval="-1">
        
        <JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
        <JVMOPTIONS>-Djava.awt.headless=true</JVMOPTIONS>
        <JVMOPTIONS>-server</JVMOPTIONS>
        <JVMOPTIONS>-Xmx1024m</JVMOPTIONS>
        <JVMOPTIONS>-Xms96m</JVMOPTIONS>
        <JVMOPTIONS>-Xrs</JVMOPTIONS>
        <JVMOPTIONS>-XX:MaxPermSize=1024m</JVMOPTIONS>
        <JVMOPTIONS>-Denv=proddc2split</JVMOPTIONS>
        <JVMOPTIONS>-Dhttp.proxyHost=proxy-vip.xxxops.com</JVMOPTIONS>
        <JVMOPTIONS>-Dhttp.proxyPort=3128</JVMOPTIONS>
        <JVMOPTIONS>-Dhttps.proxyHost=proxy-vip.xxxops.com</JVMOPTIONS>
        <JVMOPTIONS>-Dhttps.proxyPort=3128</JVMOPTIONS>

        <SECURITY defaultrealm="native" anonymousrole="ANYONE" audit="false">
            <AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
              <PROPERTY name="file" value="/opt/jws61/https-xxxxx/config/keyfile"/>
              <PROPERTY name="jaas-context" value="fileRealm"/>
            </AUTHREALM>
            <AUTHREALM name="native" classname="com.iplanet.ias.security.auth.realm.webcore.NativeRealm">
              <PROPERTY name="jaas-context" value="nativeRealm"/>
            </AUTHREALM>
            
            
        </SECURITY>
        <RESOURCES>
        </RESOURCES>
    </JAVA>
    <LOG file="/data/logs/xxxxx/errors" loglevel="info"/>
</SERVER>###magnus.conf
# The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
# They will not be supported in future releases of the Web Server.
NetsiteRoot /opt/jws61
ServerName entertainment
ServerID https-xxxxxx
RqThrottle 128
DNS off
Security off
PidLog /opt/jws61/https-xxxxxx/logs/pid
User webservd
StackSize 131072
TempDir /tmp/https-xxxxxx-ba138622
CGIWaitPid on
KeepAliveThreads 4
KeepAliveTimeout 30
KernelThreads off
MaxKeepAliveConnections 256
MaxProcs 1
UseNativePoll on
Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
Init fn="load-modules" shlib="/opt/jws61/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"###obj.conf
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="redirect" from="/NASApp/xxx/" url-prefix="/"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn=pfx2dir from=/mc-icons dir="/opt/jws61/ns-icons" name="es-internal"
NameTrans fn=document-root root="$docroot"
PathCheck fn=unix-uri-clean
PathCheck fn="check-acl" acl="default"
PathCheck fn=find-pathinfo
PathCheck fn=find-index index-names="index.html,home.html,index.jsp"
ObjectType fn=type-by-extension
ObjectType fn=force-type type=text/plain
Service method=(GET|HEAD) type=magnus-internal/imagemap fn=imagemap
#Service method=(GET|HEAD) type=magnus-internal/directory fn=index-common
Service method=(GET|HEAD) type=magnus-internal/directory fn=send-error code=404 path="404.html"
Service method=(GET|HEAD|POST) type=*~magnus-internal/* fn=send-file
Service method=TRACE fn=service-trace
Error fn="error-j2ee"
Error fn=send-error code=404 path="/xxxxxxweb/xxx/404.html"
Error fn=send-error code=405 path="/xxxxxxweb/xxx/404.html"
Error fn=send-error code=500 path="/xxxxxxweb/xxx/500.html"
AddLog fn=flex-log name="access"
</Object>
<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>
<Object name="cgi">
ObjectType fn=force-type type=magnus-internal/cgi
Service fn=send-cgi user="$user" group="$group" chroot="$chroot" dir="$dir" nice="$nice"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="send-compressed">
PathCheck fn="find-compressed"
</Object>
<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>
<Object ppath="*.xml">
AuthTrans fn="set-variable" insert-srvhdrs="Cache-Control: max-age=60"
AuthTrans fn="set-variable" insert-srvhdrs="Edge-Control: max-age=60"
</Object>

Accessing the fielpoint web server using serial port

hello everyone!
I would like to use the fieldpoint serial port, instead of the utp port, to
access the fielpoint internal web server. This means to have the tcp on
serial port. Is it possible? And how can I do it?
Thanks,
Andrea

There may be some hidden trick method of doing that, but usually, RS232 does not support web access. In order to use a COM port to access the web, you'd normally have to use something like PPP. I don't think there's a PPP client for FieldPoint.
- Dan

How to Download a file from web server using servlets

how do we download a file from Java Web Server connecting to oracle database
it should start as soon a i click a button in my html browser
please reply as it is needed to complete my project to submited to the collage

With SQLJ you can do it.
When you look at:
http://otn.oracle.com/sample_code/tech/java/sqlj_jdbc/files/basic/basic.htm
or
http://otn.oracle.com/sample_code/tech/java/sqlj_jdbc/files/advanced/advanced.htm
There are samples for reading LONGRAW / BLOB from Database. If you want use it in servlet you have to pass the result to the responce object, set the correct mime-type and set the response.setContentLength( xx). This is for some PlugIns nessessary (pdf).
regards Dietmar

Web Dynpro application calling external web server using HTTPS giving error

Hello,
I don't know whether this is the right question in this forum but my ABAP web-dynpro applicaiton is expected to call another HTTP application on external web server through HTTPS. Presently it is calling through plain HTTP but we want to have HTTPS.
Here are the steps that we followed based on the link from help.sap.com
1] Received the certificate files from external web server
2] Created SSL Anonymous client
3] Imported the certificate files under this client and added into the certificate list
4] Re-started ICM
5] Created RFC Destination of type HTTP to connect to external server with SSL option and basic authentication. This RFC destination was working under plain HTTP.
When tried with Test connection it gave error "ICM_HTTP_CONNECTION_FAILED".
Any idea what might be missing. Thanks in advance.
Regards
Rajeev

Used proper certificate after which the error went away

How do I save sent emails on my web server using Mail with IMAP?

I have email through a web hosting company setup as IMAP through Apple Mail. In preferences, I have the box checked to save sent emails on the server, however, when I send emails they are stored in Sent Messages folder on my Mac and not on my web server. Also, when I send emails on my iPhone they are stored in the regular Sent folder for my email under Mailboxes.
How can I get all my sent emails stored on my web server?

In Mail, select the mailbox you want to use for sent emails, then go the 'Mailbox' menu and choose 'use this mailbox for' and click 'sent'. The same goes for your iPhone. In settings, go to the advanced settings of the outgoing email server. There you can choose which mailbox you want to use for storing your drafts, sent items, ...

Security Filtering on the v7 Web Server using sed_request

I have been trying to improve protection of an application from cross-site scripting and SQL injection attackes. The ideal solution is the modsecurity rulebase but this is for Apache 2 only so I haev been looking for other solutions. I'm not going to guarantee all of the following since I haven't finished testing it but it looks hopeful so far as an avenue for investigation.
A direct port of the modsecurity engine to the Sun One / iPlanet web server has been started, with an unsupported implementation with near complete functionality in the version 7 codebase, but not all keywords required for the rules are available in this release and it remains unsupported for production use. A simpler but fully supported solution is the sed filter; which is also provided with the version 7 product, but as a separate NSAPI plugin implementing the sed_request and sed_response server application functions (SAFs) which could theoretically be lifted out and run against earlier versions of the web server.
So, how does the sed filter help? Well, although the functionality is less than that of the full modsecurity engine and performance is more limited, as implementing the Unix stream editor (sed) support for simple basic regular expressions it is possible to port some of the key modsecurity rules. The approach is a simple one:
* Choose the key rules for modsecurity that are to implemented, e.g. SQL injection, cross-site scripting, etc
* Open the rule set for each and copy out the extended regular expression
* Translate the extended regular expression to a standard basic regular expression, including replacing the found string with nothing
* Import the new sed rule into the obj.conf for the web server instance
This is best explained with a simple example.
First download the modsecurity source code from http://www.modsecurity.org and unpackage the tarball. In the resulting directory tree go to the rules/base_rules subdirectory and open the modsecurity_crs_41_sql_injection_attacks.conf file. In this file are a number of security rules defined, but a simple examination of each will show the format, the phase and a description after the SecRule keyword and some type information. Note that many of the security rules can be applied unchanged by the unsupported Sun One / iPlanet modsecurity engine that will be a full implementation in a future release. After the type information the extended regular expression used to define when the rule is to be applied can be found. For example, consider one SQL injection rule:
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_tab_columns\b" \
"phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,no
log,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar
:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%
{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
In this the extended regular expression saying when this rule applies is "\buser_tab_columns\b"
which tells the rules engine to look for the phrase user_tab_columns in the input stream.
We want to replace this with nothing, so a sample sed rule for this would be
sed="s/\buser_tab_columns\b//g"
This says to replace all occurences found in the stream with nothing.
Taking this to its extreme, which will not result in the fastest processing, but will ptotect from cross-site scripting and SQL injection POST attacks against a back end Oracle environment, we end up with a complex segment of an obj.conf for Oracle iPlanet Web Server 7.09. Details are in the next post.

This is something like:
<Object name="default">
Input fn="insert-filter"
method="(GET|POST|HEAD)"
filter="sed-request"
sed="s/</\\</g"
sed="s/%3c/\\</g"
sed="s/%3C/\\</g"
sed="s/>/\\>/g"
sed="s/%3e/\\>/g"
sed="s/%3E/\\>/g"
sed="s/\x2Eexecscript\b//g"
sed="s/<body\b.*?\bonload\b//g"
sed="s/\blivescript://g"
sed="s/\bsettimeout\b[^a-zA-Z_0-9]*?//g"
sed="s/\x3C ?iframe//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\becmascript\b//g"
sed="s/\x2Ecookie\b//g"
sed="s/\x3C\x21\x5Bcdata\x5B//g"
sed="s/\x2Eaddimport\b//g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjscript\b//g"
sed="s/\balert\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\bapplication\b[^a-zA-Z_0-9]*?\bx-vbscript\b//g"
sed="s/\x3C ?meta\b//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bhttp://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bvbscript\b//g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\burl\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\x2Einnerhtml\b//g"
sed="s/\x40import\b//g"
sed="s/\x3C ?script\b//g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjavascript\b//g"
sed="s/\x2Efromcharcode\b//g"
sed="s/\burl\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\bsettimeout\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)[^a-zA-Z_0-9]//g"
sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"
sed="s/(fromcharcode|alert|eval)\x73*\x28//g"
sed="s/<!\x5Bcdata\x5B|\x5D>//g"
sed="s/['\"<]xss['\">]//g"
sed="s/(88,83,83)//g"
sed="s/'';!--\"<xss>=&{()}//g"
sed="s/&{//g"
sed="s/<!(doctype|entity)//g"
sed="s/(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#\x28\x29=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))//g"
sed="s/(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))//g"
sed="s/(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)//g"
sed="s/(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)//g"
sed="s/(?i:<base[ /+\t].*?href[ /+\t]*=)//g"
sed="s/(?i:<link[ /+\t].*?href[ /+\t]*=)//g"
sed="s/(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)//g"
sed="s/(?i:<?import[ /+\t].*?implementation[ /+\t]*=)//g"
sed="s/(?i:<embed[ /+\t].*?SRC.*?=)//g"
sed="s/(?i:[ /+\t\"\'`]on\x63\x63\x63+?[ +\t]*?=.)//g"
sed="s/(?i:<?frame.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<isindex[ /+\t>])//g"
sed="s/(?i:<form.*?>)//g"
sed="s/(?i:<script.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<script.*?>)//g"
sed="s/(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)//g"
sed="s/(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\x5B].*?[\x5D].*?))=)//g"
sed="s/\bsys\x2Euser_catalog\b//g"
sed="s/\bsys\x2Euser_tables\b//g"
sed="s/\bcharindex\b//g"
sed="s/\bsys\x2Eall_tables\b//g"
sed="s/\bsys\x2Euser_constraints\b//g"
sed="s/\bselect\b.{0,40}buser\b//g"
sed="s/\bwaitfor\b[^a-zA-Z_0-9]*?\bdelay\b//g"
sed="s/\bselect\b.{0,40}\bsubstring\b//g"
sed="s/\bsys\x2Euser_triggers\b//g"
sed="s/\blocate[^a-zA-Z_0-9]+\x28//g"
sed="s/\bsys\x2Euser_tab_columns\b//g"
sed="s/\battnotnull\b//g"
sed="s/\bsys\x28tab\b//g"
sed="s/\bselect\b.{0,40}\bascii\b//g"
sed="s/\bsys\x2Euser_views\b//g"
sed="s/\binstr[^a-zA-Z_0-9]+\x28//g"
sed="s/\bsys\x2Euser_objects\b//g"
sed="s/\buser_tables\b//g"
sed="s/\buser_tab_columns\b//g"
sed="s/\ball_objects\b//g"
sed="s/\bsubstr\b//g"
sed="s/\bsysdba\b//g"
sed="s/\btextpos[^a-zA-Z_0-9]+\x28//g"
sed="s/\buser_password\b//g"
sed="s/\buser_users\b//g"
sed="s/\buser_constraints\b//g"
sed="s/\bcolumn_name\b//g"
sed="s/\bsubstring\b//g"
sed="s/\bobject_type\b//g"
sed="s/\bobject_id\b//g"
sed="s/\buser_ind_columns\b//g"
sed="s/\bcolumn_id\b//g"
sed="s/\btable_name\b//g"
sed="s/\bobject_name\b//g"
sed="s/\brownum\b//g"
sed="s/\buser_group\b//g"
sed="s/\butl_http\b//g"
sed="s/\bselect\b.*?\bto_number\b//g"
sed="s/\bgroup\b.*\bbyb.{1,100}?\bhaving\b//g"
sed="s/\bselect\b.*?\bdata_type\b//g"
sed="s/\bisnull\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\bunion\b.{1,100}?\bselect\b//g"
sed="s/\binsert\b[^a-zA-Z_0-9]*?\binto\b//g"
sed="s/\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\bdrop\b//g"
sed="s/\bloadb[^a-zA-Z_0-9]*?\bdata\b.*\binfile\b//g"
sed="s/\bselect\b.*?\bto_char\b//g"
sed="s/\bdbms_java\b//g"
sed="s/\bnvarchar\b//g"
sed="s/\butl_file\b//g"
sed="s/\binner\b[^a-zA-Z_0-9]*?\bjoin\b//g"
sed="s/\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b//g"
sed="s/\bintob[^a-zA-Z_0-9]*?\bdumpfile\b//g"
sed="s/\bdelete\b[^a-zA-Z_0-9]*?\bfrom\b//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\bshutdown\b//g"
sed="s/\bautonomous_transaction\b//g"
sed="s/\bdba_users\b//g"
sed="s/\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b//g"
sed="s/\b(?:coalesce\b|root\x40)//g"
sed="s/\b(?:(?:rel(?:(?:nam|typ)e|kind)|to_(?:numbe|cha)r|d(?:elete|rop)|group\b[^a-zA-Z_0-9]*\bby|insert|where)\b|s(?:(?:ubstr(?:ing)?|leep)[^a-zA-Z_0-9]+\x28|(?:hutdown|elect)\b)|(?:b(?:enchmark|in)|find_in_set|position|mid)[^a-zA-Z_0-9]+\x28|c(?:o(?:n(?:cat[^a-zA-Z_0-9]+\x28|vert\b)|unt\b)|ha?r\b)|u(?:n(?:hex[^a-zA-Z_0-9]+\x28|ion\b)|pdate\b)|l(?:o(?:cate|wer)[^a-zA-Z_0-9]+\x28|ength\b)|a(?:ttn(?:ame|um)\b|scii[^a-zA-Z_0-9]+\x28)|h(?:aving\b|ex[^a-zA-Z_0-9]+\x28))//g"
sed="s/(?:[\\\x28\x29\x25#]|--)//g"
sed="s/\b(?:benchmark|encode)\b//g"

Connection timeout when using iPlanet web-server uses Weblogic 6.1 proxy server to proxy requests to an HTTP server

Hi all,
My configuration is as follows: I have an iPlanet web-server that uses a WebLogic
6.1 (sp1) server to proxy requests to another HTTP server. The HTTP request runs
for 120 seconds. This causes Weblogic to timeout after a while. The error I get
is as follows:
<Aug 25, 2003 3:37:09 PM GMT+00:00> <Warning> <HttpClient> <Couldn't open connection
java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:320)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:133)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:120)
at java.net.Socket.<init>(Socket.java:273)
at java.net.Socket.<init>(Socket.java:127)
at weblogic.net.http.HttpClient.openServer(HttpClient.java:194)
at weblogic.net.http.HttpClient.openServer(HttpClient.java:254)
at weblogic.net.http.HttpClient.<init>(HttpClient.java:117)
at weblogic.net.http.HttpClient.New(HttpClient.java:149)
at weblogic.net.http.HttpURLConnection.connect(HttpURLConnection.java:109)
at com.db.gmr.dcm.DebtIssueServlet.getVectorFromConnection(DebtIssueServle
t.java:285)
at com.db.gmr.dcm.IssuesUSThread.run(IssuesUSThread.java:29)
>
I get the same error when I added the following plug-in configuration parameters
(in obj.conf):
ConnectTimeoutSecs="170" ConnectRetrySecs="170".
What do I need to do to extend this timeout? Any help you can provide will be
greatly appreciated..
Thanks
Manish

Hi all,
My configuration is as follows: I have an iPlanet web-server that uses a WebLogic
6.1 (sp1) server to proxy requests to another HTTP server. The HTTP request runs
for 120 seconds. This causes Weblogic to timeout after a while. The error I get
is as follows:
<Aug 25, 2003 3:37:09 PM GMT+00:00> <Warning> <HttpClient> <Couldn't open connection
java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:320)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:133)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:120)
at java.net.Socket.<init>(Socket.java:273)
at java.net.Socket.<init>(Socket.java:127)
at weblogic.net.http.HttpClient.openServer(HttpClient.java:194)
at weblogic.net.http.HttpClient.openServer(HttpClient.java:254)
at weblogic.net.http.HttpClient.<init>(HttpClient.java:117)
at weblogic.net.http.HttpClient.New(HttpClient.java:149)
at weblogic.net.http.HttpURLConnection.connect(HttpURLConnection.java:109)
at com.db.gmr.dcm.DebtIssueServlet.getVectorFromConnection(DebtIssueServle
t.java:285)
at com.db.gmr.dcm.IssuesUSThread.run(IssuesUSThread.java:29)
>
I get the same error when I added the following plug-in configuration parameters
(in obj.conf):
ConnectTimeoutSecs="170" ConnectRetrySecs="170".
What do I need to do to extend this timeout? Any help you can provide will be
greatly appreciated..
Thanks
Manish

TextField ADS and not using plain text

Hey
Im using interactive forms and I have a problem using linebreaks. The InputField can only accept plain text. If I switch this option off, I get this error message "Node cannot be inserted where requested" when im pressing the Submit to SAP button to go back to another view.
Someone know what im doing wrong?

Hello Kristoffer,
is it necessary for you to use an input field ?
Why aren't you using a textedit field or textarea ?
kind regards
Fabian
Message was edited by: Fabian Eidner

26194 (7080/tcp) Web Server Uses Plain Text Authenti ...

Similar Messages

Maybe you are looking for