WebSafe
42 Topics

AMQP Cleartext Authentication
Description: The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear. Solution: Disable cleartext authentication mechanisms in the AMQP configuration. On Ubuntu or CentOS machines, disable unencrypted access in the configuration file.
> "unencrypted" here refers to client connections.
https://www.rabbitmq.com/ssl.html
Steps for disabling AMQP cleartext authentication: https://liquidwarelabs.zendesk.com/hc/en-us/articles/360019562832-Disable-cleartext-authentication-option-in-RabbitMQ
The above link is used for the Windows vulnerability. Please help in getting a resolution for the CentOS or Ubuntu configuration file.
11K Views, 0 Likes, 0 Comments

SSL Certificate with Wrong Hostname
The SSL certificate for this service is for a different host. The commonName (CN) of the SSL certificate presented on this service is for a different machine. Purchase or generate a proper certificate for this service. Solution provided on other sites: "Purchase or generate a proper certificate for this service." What is the proper solution to make this vulnerability go away on Linux machines, and how do I implement the solution?
6.6K Views, 1 Like, 1 Comment

Certificate Issue: unable to find valid certification path to requested target
Hello, we deployed a staging e-payment application, using a Virtual Server with these properties:
Port: https
Protocol profile: mptcp-mobile-optimized
HTTP Profile: XFF
SSL Profile: 2 certificates - the issued certificate and a second certificate with the Default SSL Profile for SNI
SNAT Pool: IP in the same subnet as the nodes
Pool: 2 pool members with port 7010
I'm using public certificates (signed by CA Verisign G5 and CA Symantec G4). The web page is displayed correctly, and SSL checks say all is OK (tested with two online SSL checkers). The actual issue is that the transaction doesn't pass over HTTPS (over HTTP it works fine). Here's the error message relived from the client side:
- An exception occurred in HTTPProcess sendMessage. Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
- doPost exception encountered. Exception: java.lang.NullPointerException.
Can you support us please?
1.1K Views, 0 Likes, 6 Comments

MongoDB Service Without Authentication Detection
Description: MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without any authentication. A remote attacker can therefore connect to the database system in order to create, read, update, and delete documents, collections, and databases. Enable authentication or restrict access to the MongoDB service. What are the steps for the above vulnerability on a Linux server to enable authentication or restrict access to the MongoDB service?
818 Views, 0 Likes, 1 Comment

DataSafe password encryption ...not really
Hi team, I just performed a test with DataSafe on version 15.1.0.2. I set my login URL to "/user_login.php" and the parameters "username" and "password" for the username/password fields of my webpage. I asked DataSafe to encrypt and obfuscate both my username and password parameters. Then I reloaded my webpage. I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (Firefox 80.0.1) console and launched a small script which displays all the form fields' values:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"\n"; } } if (s) console.log("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();
I got the following result:
Passwords in forms on this page:
: hidden
q: text
:Go! submit
: hidden
id:0 select-one
:Go! submit
:kabe_admin text
08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden
:kabe_password password
08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden
: submit
action:login hidden
As you can see in the output, I was able to get a clear version of the password! OK, the field name doesn't appear in front of "kabe_password", but nonetheless it is of type "password", and after all the password is visible with this simple JS code!
If I can do it, I think that malware will be more than able to do the same, right? Isn't it the goal of DataSafe to prevent malware from stealing information like this? Is this a huge bug, or am I missing something? PS: This is a lab environment and I can share my config if needed, although this can easily be reproduced. Many thanks, karim
603 Views, 0 Likes, 3 Comments

SSL key generation method
Please clarify the questions below. The pre-master key is derived from the random numbers already shared through the initial handshake process. Is that correct? How is the master key generated from the pre-master key on both the server and the client individually? How is the session key generated from the master key on both the server and the client individually?
473 Views, 0 Likes, 5 Comments