[
https://jira.jboss.org/jira/browse/JBAS-5507?page=com.atlassian.jira.plug...
]
Jan Normann Nielsen commented on JBAS-5507:
-------------------------------------------
I do not agree that this is a "Tomcat issue" as the issue was introduced in
JBoss 4.2 (which switched from Tomcat 5.5 to JBossWeb). Also, the issue cannot be resolved
with setting proxyName and proxyPort if you're running AJP/1.3 as the protocol between
Apache and Tomcat.
Please see discussion on this page:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=149194
Please reconsider opening this bug.
Internal IP Address Leak - JBoss Application Server
---------------------------------------------------
Key: JBAS-5507
URL:
https://jira.jboss.org/jira/browse/JBAS-5507
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.2.2.GA
Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
Reporter: Jeremy Carroll
Assignee: Remy Maucherat
When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the
internal IP address of the server in the Location response. Basically you create an HTTP
1.0 request to a URL which will result in a 302. Then you can see the internal server
IP / name. I have mitigated this issue with a front end Web Application Firewall by
denying HTTP 1.0 requests as a workaround. Is there a setting in Tomcat or JBoss to not
allow this to happen? It is pretty widespread from testing I have done in the lab. It
results in a PCI compliance violation by scoring it as an exploit.
Example:

GET /application HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://arcenae:8090/application/
Date: Wed, 07 May 2008 03:10:36 GMT
Connection: close
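The report above is essentially a check a scanner runs: send a bare HTTP/1.0 request (which carries no Host header, so the server builds the absolute Location URL from its own configured or detected name) and inspect what comes back. The following is an added example, not code from the JIRA issue or from JBoss/Tomcat, that parses a raw response like the one quoted and flags a Location header whose host is a private or loopback address, or whose host or port differs from the public name clients are expected to use. The sample response bytes are the quoted exchange reassembled; the public host name and port passed in are assumptions you would replace with your own deployment's values.

```python
"""Check whether an HTTP redirect exposes an internal host in its Location header.

Added example (not from JBAS-5507 or JBoss): given a raw HTTP response such as the
one quoted in the issue, parse the Location header and decide whether the redirect
target names a host other than the public name a client should see.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: the response quoted in the issue, reassembled as bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Location: http://arcenae:8090/application/\r\n"
    b"Date: Wed, 07 May 2008 03:10:36 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Return (status_line, {lower-case header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def location_leak(raw, public_host, public_port=80):
    """Return a description of the leak, or None if the Location is acceptable.

    A Location leaks when it is absolute and its host is a private/loopback IP
    address, or any name other than public_host, or its port differs from the
    port clients actually connect to (public_host/public_port are assumptions
    supplied by the caller).
    """
    status, headers = parse_headers(raw)
    fields = status.split(" ")
    if len(fields) < 2 or not fields[1].startswith("3"):
        return None  # not a redirect, nothing to examine
    loc = headers.get("location")
    if loc is None:
        return None
    parts = urlsplit(loc)
    if not parts.scheme:
        return None  # relative redirect: exposes nothing about the server
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback:
            return f"private address {host} in Location"
    except ValueError:
        pass  # a host name rather than an IP literal; compared below
    if host.lower() != public_host.lower():
        return f"internal host name {host!r} in Location (expected {public_host!r})"
    if port != public_port:
        return f"internal port {port} in Location (expected {public_port})"
    return None


def probe_http10(host, port, path="/application", timeout=5):
    """Send a bare HTTP/1.0 request, as in the report, and return the raw reply bytes.

    Run this against your own front end and pass the result to location_leak().
    """
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; "www.example.com" is an
    # assumed public name, not anything from the issue.
    print(location_leak(SAMPLE_RESPONSE, "www.example.com"))
```

Run against a deployment behind Apache, the expectation is that the Location host and port match the name and port the proxy is published on; a result naming the back-end host (here `arcenae:8090`) is exactly what a PCI scanner scores, and a relative Location or one that matches the public name passes.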
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira