Dimitris Andreadis updated JBAS-5507:
-------------------------------------
Component/s: Web (Tomcat) service
Affects Version/s: JBossAS-4.2.2.GA
Assignee: Remy Maucherat
Internal IP Address Leak - JBoss Application Server
---------------------------------------------------
Key: JBAS-5507
URL: http://jira.jboss.com/jira/browse/JBAS-5507
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.2.2.GA
Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
Reporter: Jeremy Carroll
Assigned To: Remy Maucherat
When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the
internal IP address of the server in the Location response. Basically you create an HTTP
1.0 request to a URL which will result in a 302. Then you can see the internal server
IP / name. I have mitigated this issue with a front end Web Application Firewall by
denying HTTP 1.0 requests as a workaround. Is there a setting in Tomcat or JBoss to not
allow this to happen? It is pretty widespread from testing I have done in the lab. It
results in a PCI compliance violation by scoring it as an exploit.
Example:
GET /application HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://arcenae:8090/application/
Date: Wed, 07 May 2008 03:10:36 GMT
Connection: close
--
This message is automatically generated by JIRA.
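As an added example (not part of the report, JBoss or Tomcat), a small Python check that parses a captured redirect response such as the one quoted above and flags a Location header whose host is not the expected public name, which is how a scanner ends up scoring this as a finding. The response is the one from the report; the expected public name www.example.com is a constructed placeholder.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Response quoted in JBAS-5507 for "GET /application HTTP/1.0" (no Host header, so the
# server substitutes its own name when it builds the absolute Location URL).
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://arcenae:8090/application/\r\n"
    "Date: Wed, 07 May 2008 03:10:36 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)
PUBLIC_HOSTS = {"www.example.com"}  # constructed placeholder: the only name clients should see

def parse_response_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split the status line from the headers; names are lower-cased (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_host(host: str, public_hosts: set[str]) -> str | None:
    """Explain why a redirect host looks internal, or return None if it is acceptable."""
    if host.lower() in public_hosts:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a bare machine name such as "arcenae" is an internal hostname.
        return "unqualified hostname" if "." not in host else "hostname differs from public name"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private IP address"
    return "IP address differs from public name"

def find_location_leak(raw: str, public_hosts: set[str]) -> tuple[str, str] | None:
    """For a 3xx response, return (host, reason) when Location exposes an internal host."""
    status, headers = parse_response_head(raw)
    parts = status.split()
    if len(parts) < 2 or not parts[1].startswith("3") or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname  # None for a relative Location
    reason = classify_host(host, public_hosts) if host else None
    return (host, reason) if reason else None
```

Feeding it responses captured before and after a front-end change (the WAF rule above, or a reverse proxy that rewrites Location) confirms whether the internal name has actually stopped leaving the server.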