[ http://jira.jboss.com/jira/browse/JBAS-5507?page=all ]
Remy Maucherat resolved JBAS-5507.
----------------------------------
Resolution: Rejected
This is a Tomcat "issue". When Tomcat is not the frontend server, the user can
read the manual and use proxyName and proxyPort. He can also configure rewriting of his
Location header in his proxy.
Internal IP Address Leak - JBoss Application Server
---------------------------------------------------
Key: JBAS-5507
URL: http://jira.jboss.com/jira/browse/JBAS-5507
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.2.2.GA
Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
Reporter: Jeremy Carroll
Assigned To: Remy Maucherat
When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the
internal IP address of the server in the Location response. Basically you create an HTTP
1.0 request to a URL which will result in a 302. Then you can see the internal server
IP / name. I have mitigated this issue with a front end Web Application Firewall by
denying HTTP 1.0 requests as a workaround. Is there a setting in tomcat or JBoss to not
allow this to happen? It is pretty widespread from testing I have done in the lab. It
results in a PCI compliance violation by scoring it as an exploit.
Example:
GET /application HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://arcenae:8090/application/
Date: Wed, 07 May 2008 03:10:36 GMT
Connection: close
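The behaviour in the report comes from an HTTP/1.0 request carrying no Host header, so Tomcat builds the absolute Location URL from its own name and port. The following added check (not part of the issue or of Tomcat/JBoss) lets an operator confirm that the proxyName/proxyPort fix or the proxy's header rewrite is in place: it parses a redirect response and reports when the Location host/port differ from the public name clients are expected to see. The public host name and the `probe` target are assumptions; the sample response is constructed from the one quoted above.

```python
import socket
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_http10_request(path: str) -> bytes:
    # HTTP/1.0 request with no Host header: the server has nothing to echo
    # back, so an absolute Location is built from its own name and port.
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code, {lower-cased header name: value}) from raw HTTP."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def location_leak(raw: bytes, public_host: str, public_port: int):
    """None when the redirect is clean, else the (host, port) it exposed."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    url = urlsplit(headers["location"])
    if not url.netloc:  # relative Location: no host name to leak
        return None
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.hostname.lower() == public_host.lower() and port == public_port:
        return None
    return (url.hostname, port)


def probe(host, port, path, public_host, public_port, timeout=5.0):
    """Send the HTTP/1.0 request to your own server and check its redirect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_http10_request(path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return location_leak(b"".join(chunks), public_host, public_port)


# Constructed sample, copied from the response quoted in the report.
SAMPLE = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: Apache-Coyote/1.1\r\n"
          b"Location: http://arcenae:8090/application/\r\n"
          b"Date: Wed, 07 May 2008 03:10:36 GMT\r\nConnection: close\r\n\r\n")
```

With proxyName="www.example.com" and proxyPort="80" set on the connector, `location_leak(SAMPLE, "www.example.com", 80)` on a fresh response should return None; on the response above it returns ("arcenae", 8090).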
--
This message is automatically generated by JIRA.