An incorrect configuration of the Webcart CGI program could disclose private information.

Daniel Call March 12, 2019

Has anyone come across this error on their install of Confluence? Our security metrics is flagging up that the /webcart/orders/ directories are readable from the outside.

https://nvd.nist.gov/vuln/detail/CVE-1999-0610

1 answer

Daniel Eads
Atlassian Team
March 14, 2019

Hey Daniel!

This doesn't look like a directory that's used in the Confluence install directory on disk, or a URL that Confluence serves by default. Additionally, it looks like the error you got from your security tool mentioned CGI - Confluence is written in Java and uses Tomcat (also Java) as its application server. No CGI is involved!

Is it possible there's another application (such as webcart, which is PHP/CGI based) running on the same server or on the same subdomain that your security tool picked up on?

Cheers,
Daniel | Atlassian Support

Daniel Call March 14, 2019

Hi Daniel.

Many thanks for your response. I'm running a fairly vanilla VM with Windows 2016 datacenter which is hosting our install of Confluence (in a self-hosted install) and that's about it.

We use the Nessus vulnerability scanner on all the web servers and this "webcart" app has been flagging up since the start of this year on the public side of our Confluence server. I initially looked at the shopping cart software you mentioned too.

It's helpful to know this is not anything to do with Confluence or anything bundled with Tomcat, but I can't for the life of me find where this app or folders are. But thanks for ruling this out. I'll keep looking.

Daniel Call March 15, 2019

Hey Daniel,

I have some more info on this which I posted on this separate thread if you're interested:

https://community.atlassian.com/t5/Confluence-questions/Tomcat-Manager-in-Confluence/qaq-p/1033023?
