[jboss-jira] [JBoss JIRA] Updated: (JBAS-5507) Internal IP Address Leak - JBoss Application Server

Internal IP Address Leak - JBoss Application Server --------------------------------------------------- Key: JBAS-5507 URL: http://jira.jboss.com/jira/browse/JBAS-5507 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-4.2.2.GA Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2) Reporter: Jeremy Carroll Assigned To: Remy Maucherat When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the internal IP address of the server in the Location response. Basically you create a HTTP 1.0 request to a URL which will result in a 302. Then you can see in the internal server IP / name. I have mitigated this issue with a front end Web Application Firewall by denying HTTP 1.0 requests as a workaround. Is there a setting in tomcat or JBoss to not allow this to happen? It is pretty widespread from testing I have done in the lab. It results in a PCI compliance violation by scoring it as an exploit. Example: GET /application HTTP/1.0 HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Location: http://arcenae:8090/application/ Date: Wed, 07 May 2008 03:10:36 GMT Connection: close