Web Server Uses Plain-Text Form Based Authentication vulnerability

Jung Choi February 4, 2021

Hello all,

I have been trying to figure out why this vulnerability shows up even after the traffic is set to route to HTTPS.

We have an internal page at jira.domain.com and it does redirect to https with a certificate from GoDaddy.

It looks like the Qualys scan is still picking up this vulnerability. 

I have read that the traffic between Apache and Tomcat is still not encrypted, so is it possibly picking up on that?

I apologize if this is a newb question but I am not sure what I should be looking at if the traffic is already redirected http to https.


Thanks

2 answers

1 vote
Matthew Tebes April 28, 2021

Any update on this question? We also use Qualys for Security scans.

THREAT: The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text.

IMPACT: An attacker with access to the network traffic to and from the target host may be able to obtain login credentials for other users by sniffing the network traffic.

SOLUTION: Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host.

COMPLIANCE: Not Applicable

EXPLOITABILITY: There is no exploitability information for this vulnerability.

ASSOCIATED MALWARE: There is no malware information for this vulnerability.

Darren Newberry September 15, 2021

Any update on this? We are seeing the same thing in Qualys reports.

0 votes
Valeria Batalka September 1, 2023

Hey Jung Choi,

Don't worry, we've all been there, and it's great that you are actively working on security concerns. Your question isn't newbie at all; it's a common issue that many face.

You're on the right track with the HTTP to HTTPS redirection, but the Qualys scan might indeed be picking up on the communication between Apache and Tomcat. Even though traffic from the user's browser is secure, internal communication might still be unencrypted.

Here's a potential solution: Make sure to configure Apache and Tomcat to communicate via HTTPS. You can set up SSL for Tomcat, which would encrypt the traffic between Apache and Tomcat. This should help address the vulnerability you're seeing.

I've dealt with a similar issue before, and implementing SSL for internal communication between these servers resolved it. It might take a bit of configuration, but it's a significant step towards ensuring the security of your web server.

Best of luck with your setup, and feel free to ask if you need more specific guidance...
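To see for yourself what the scanner is judging, the following check reproduces the logic behind the finding text quoted in Matthew's answer and can be pointed at both hops Valeria mentions (the public http:// URL and the Apache-to-Tomcat backend URL). It is an added example, not code from this thread, from Qualys or from Atlassian; the hostnames `jira.example.internal` and `tomcat-backend.internal` are constructed placeholders, and the sample HTML bodies are constructed, not captured from any real Jira instance. A password form counts as plain-text when the page carrying it was fetched over http://, or when the form's action posts to an http:// URL (a relative action inherits the page's scheme, which is why a redirect on `/` alone does not clear a login page that is still reachable on port 80).

```python
"""Offline reproduction of the "plain-text form based authentication" check.

Added example (not from the thread, Qualys or Atlassian). Hostnames and
HTML bodies below are constructed placeholders.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request


@dataclass
class Form:
    action: str               # absolute URL the form posts to
    has_password: bool = False


class _FormScanner(HTMLParser):
    """Collect <form> elements and note which ones carry a password input."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self._current = Form(action=urljoin(self.base_url, attrs.get("action") or ""))
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(url, status, location, body):
    """Judge one HTTP response the way the scanner finding describes.

    url: the URL that was requested (its scheme matters); status: HTTP status;
    location: Location header value or None; body: response body as text.
    """
    page_scheme = urlsplit(url).scheme.lower()
    redirect_to_https = (
        300 <= status < 400
        and location is not None
        and urlsplit(urljoin(url, location)).scheme.lower() == "https"
    )
    scanner = _FormScanner(url)
    scanner.feed(body)
    plaintext_forms = [
        f.action for f in scanner.forms
        if f.has_password
        and (page_scheme == "http" or urlsplit(f.action).scheme.lower() == "http")
    ]
    return {
        "url": url,
        "redirect_to_https": redirect_to_https,
        "password_forms": sum(1 for f in scanner.forms if f.has_password),
        "plaintext_forms": plaintext_forms,
        "finding": bool(plaintext_forms),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is what we judge."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_url(url, timeout=10):
    """Fetch one URL without following redirects and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(url, resp.status, resp.headers.get("Location"),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx land here
        return classify(url, err.code, err.headers.get("Location"),
                        err.read().decode("utf-8", "replace"))


# Constructed sample bodies: a typical login form with a relative action,
# and the same form whose action explicitly posts to an http:// URL.
LOGIN_FORM = (
    '<html><body><form method="post" action="/login.jsp">'
    '<input name="username"><input type="password" name="password">'
    '<input type="submit"></form></body></html>'
)
MIXED_FORM = LOGIN_FORM.replace('action="/login.jsp"',
                                'action="http://jira.example.internal/login.jsp"')

if __name__ == "__main__":
    # Constructed responses standing in for what check_url() would return.
    for sample in [
        ("http://jira.example.internal/", 302, "https://jira.example.internal/", ""),
        ("http://jira.example.internal/login.jsp", 200, None, LOGIN_FORM),
        ("https://jira.example.internal/login.jsp", 200, None, LOGIN_FORM),
        ("https://jira.example.internal/login.jsp", 200, None, MIXED_FORM),
        ("http://tomcat-backend.internal:8080/login.jsp", 200, None, LOGIN_FORM),
    ]:
        print(classify(*sample))
```

Run `check_url("http://jira.domain.com/login.jsp")` from the scanner's network position and `check_url("http://<tomcat-host>:8080/login.jsp")` from the Apache host: a `finding` of `True` on the first shows the redirect only covers some paths, and on the second shows the backend hop the answers discuss is itself serving the form in clear. Note that the scanner only sees the hops it can reach; an unencrypted Apache-to-Tomcat link that is not exposed to the scanner is a separate exposure that this check will not report unless run from inside.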
