CGI Information Disclosure Issue - twisted

I have a vulnerability scan that is showing that a server running TwistedWeb/2.5.0 on a port is subject to a "Multiple Web Servers finger CGI Information Disclosure Vulnerability." We have verified that the actual "Finger" service is not running, and I personally do not believe it to be related to the "Finger" service. My question is: does anyone know of an issue that exists in TwistedWeb on this topic? I have searched the tickets on the site page and have looked through posts here on StackOverflow but have not seen anything that helps to answer it.

Twisted 2.5.0 is 4 years old at this point. It's no longer being supported by the developers at twistedmatrix.com. It may well have bugs. Please upgrade.

I'm working on LEADTOOLS and trying to configure it to work on HTTPS

I'm using the LEADTOOLS web scanner and trying to enable it to work on HTTPS.
Blockquote
Can I get some help here?
It appears you tried to quote something in your question but it did not show correctly.
In any case, if you’re using the current version 20 of LEADTOOLS, see this forum post with detailed information on How to Enable HTTPS in the LEADTOOLS Web Scanning Host.
If you’re using the previous version 19, there’s an older article that discusses that version here.
If neither of these pages helped you, send full details about what you tried and what problems you ran into to the support address support#leadtools.com. Our email support is free regardless of which version of LEADTOOLS you’re using.

Why is dojotoolkit.org suspended?

When I go to https://dojotoolkit.org/, I get, "Unable to connect". In some browsers I get "You have reached a domain that is pending ICANN verification".
I've used a number of dojo libraries in my code. Does anyone know what happened to the owner and whether this is likely to be fixed in the near future?
If it isn't fixed, what is my best option for replacing it?
This seems to be a temporary administrative DNS issue, based on their Twitter response:
We apologize for the issues accessing the Dojo 1 web site. We're working on it as fast as possible. In the mean time, you can add the IP address directly to /etc/hosts. 104.16.205.241
There are also some workarounds on the dojo gitter.im channel:
Reference guide content is also at https://github.com/dojo/docs/ and tutorials are at https://github.com/dojo/dojo-website/tree/master/src/documentation/tutorials
Also, as mentioned in this related question, you can use the Archive.org Wayback Machine.
The site now appears to be back up. I was able to access it and get information on features I'm using.

Recent https (SSL) addition, getting site cannot provide secure connection error page

Recently our website went from http to https. I, and others, are randomly getting "The Site Can't Provide a Secure Connection" page. Upon refresh, the page loads just fine. Why are we getting this initial page randomly?
FYI... We have http to https redirects in place.
Impossible to say without more details, but some things I can suggest are:
You have multiple servers and some are configured correctly and some incorrectly.
You are not including the full certificate chain. Sometimes your browser has the missing intermediary cached and sometimes not (see this answer for more info here: https://serverfault.com/questions/826100/ca-certificate-trouble-with-squid-on-centos7/826321#826321)
A bug in browser/software. I had this issue on Chrome when using Apache HTTP/2. Never did figure it out but a Chrome update fixed it.
Run https://www.ssllabs.com/ssltest/ on your site to confirm not a problem with your https set up and, if that doesn't work, or you don't understand the results it gives, then update your question with more details (what Server and Browser you are using and what version, if you have any proxy in place between your Browser and the site and, ideally the website name) if you want people to help you.
Also be aware this is a programming site and some people don't like these questions here and will suggest other Stack Exchange sites, but honestly I don't know where this question is best placed: serverfault.com maybe, but that is for professional SysAdmins only; Unix and Linux seems a little generic (not even sure if you are using a Linux webserver!); Webmasters is more for content and SEO questions; Information and Security is more for theoretical SSL/TLS questions...
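The "missing intermediate" case from the answer above is easy to reproduce offline. The following is an added example, not code from the answer or from any server software mentioned on this page: it generates a throwaway root CA, intermediate CA and server certificate in memory (the CA names, the hostname www.example.test and the validity periods are all constructed for the example), then verifies the leaf the way a client that trusts only the root would, first with the intermediate included in the served chain and then with it omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is the hostname on the constructed leaf certificate (an assumption for the example).
const serverName = "www.example.test"

// pki holds a constructed three-tier chain: root CA -> intermediate CA -> server leaf.
type pki struct {
	root, intermediate, leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustIssue signs tmpl under parent with parentKey and returns the parsed certificate.
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	t := template(serial, cn)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return t
}

// buildPKI generates fresh keys and certificates in memory; nothing here is a real CA.
func buildPKI() *pki {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Example Root CA")
	root := mustIssue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mustIssue(caTemplate(2, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := template(3, serverName)
	leafTmpl.DNSNames = []string{serverName}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf := mustIssue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &pki{root: root, intermediate: inter, leaf: leaf}
}

// verifyServed plays a client whose trust store holds only the root and whose only other
// knowledge is the chain the server sent: leaf first, then whatever intermediates it included.
func verifyServed(root *x509.Certificate, served []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         roots,
		Intermediates: inters,
	})
	return err
}

// run verifies the same leaf twice: once with the intermediate served, once without.
func run() (withIntermediate, withoutIntermediate error) {
	p := buildPKI()
	withIntermediate = verifyServed(p.root, []*x509.Certificate{p.leaf, p.intermediate})
	withoutIntermediate = verifyServed(p.root, []*x509.Certificate{p.leaf})
	return
}

func main() {
	a, b := run()
	fmt.Println("full chain served:   ", a)
	fmt.Println("intermediate omitted:", b)
}
```

The second verification fails with x509.UnknownAuthorityError ("certificate signed by unknown authority"), which is the position a browser is in when it has no cached copy of the intermediate; a browser that picked the intermediate up from another site earlier will pass, which is why the error shows up intermittently rather than on every load. The SSL Labs test mentioned in the answer reports the same condition as an incomplete chain.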

How to properly configure application in Live Connect and project in Visual Studio 2013

My question here is pretty simple: how to properly (and 100%) configure both Live Connect and the project in Visual Studio 2013 in order for the local application to run and authenticate a user properly against a Microsoft account.
My question may be simple, but the answer is most likely not as simple. I've been reading countless articles and possible tutorials about this, but they are all fragmented and divided into small parts that do not really conciliate each other.
So below is the situation better described, with the steps I have followed.
[Steps Followed]
1) I have created a simple MVC application using Visual Studio 2013.
2) I have configured the project (using its properties) to use IIS Express with current Project Url : https://localhost:44302/
The project runs quite well, and external authentication with Facebook, Google and Twitter run very well too. Now for the tricky part:
3) I have created account with Microsoft and successfully created application in the Live Connect Developer Center.
4) Since configuring the field Redirect URLs to a simple http://localhost:<port> will not work (well...just because they didn't want it to, I suppose), I have additionally done the following..
5) Mapped in hosts file the following domain to localhost: # 127.0.0.1 mytestdomain.localtest.me
6) Reconfigured in Live Connect the Redirect URLs field to use the newly mapped domain: http://mytestdomain.localtest.me (although I have tried this with or without the port as well).
[End result]
With this configuration, the site runs properly locally. However, when I try to sign in with Microsoft account credentials (so, when I click the "Microsoft" button), I get redirected and receive the following message:
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
I honestly do not understand why wouldn't this work, when a couple of articles suggested that doing these specific steps would make it work.
What can I be missing, why would this happen at all?
If someone can write here what I am missing, we could all join efforts and create in this topic a full-fledged, 100% working configuration for local application testing with Microsoft authentication; I believe it would help everyone. If such a topic already exists and you can point me to it (because clearly I have missed it), that would also be great.
Thank you in advance,
Mad
Actually I just found out a proper and direct answer to my question. I totally missed it somehow during the last few days of research.
Microsoft's blog has all you need to make it work, and now mine does too. No big explanations and discussions, just basic and direct step by step article.
For those who could not find it and stumbled upon my topic here in StackOverflow, here is the link. Follow it word by word, and it will work.
Answer : Configuring your ASP.NET application for Microsoft OAuth account

Cross site scripting in Domino?

I have a Domino site that is getting highs for cross site scripting on app scan.
We don't have a license to run appscan. Another group needs to do that (yeah big corporations :) ). But I have noticed that the IE browser will complain too with a url as such:
http://myserver.com/cld/cldg.nsf/vwTOC?OpenView&Start=28
(ie will warn you on crosssite scripting with such a url).
I noticed the notes.net forum site does not come up with such an error in IE, when I try to inject script tags. I guess it must scrub the url before the page is rendered? How is this being done in the notes.net forum? Is it done at server level or a database level?
I did find this thread
How to avoid a XSP/Domino Cross-Site Scripting Vulnerability?
where Steve mentions his blog and web rules, but the blog mentions that they are not needed in 8.5.4 and above. Am I understanding that right? If so, we are at 8.5.4. Is there something I still need to do to scrub my URL?
Edit: We are at 8.5.3, not 8.5.4. I was mistaken. Our admin is going to try Steve's suggestions.