[jboss-jira] [JBoss JIRA] Resolved: (JBAS-5507) Internal IP Address Leak - JBoss Application Server
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Wed May 7 05:45:20 EDT 2008
[ http://jira.jboss.com/jira/browse/JBAS-5507?page=all ]
Remy Maucherat resolved JBAS-5507.
----------------------------------
Resolution: Rejected
This is a Tomcat "issue". When Tomcat is not the frontend server, the user can read the manual and use proxyName and proxyPort. He can also configure rewriting of his Location header in his proxy.
> Internal IP Address Leak - JBoss Application Server
> ---------------------------------------------------
>
> Key: JBAS-5507
> URL: http://jira.jboss.com/jira/browse/JBAS-5507
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-4.2.2.GA
> Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
> Reporter: Jeremy Carroll
> Assigned To: Remy Maucherat
>
> When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the internal IP address of the server in the Location response. Basically you create an HTTP 1.0 request to a URL which will result in a 302. Then you can see the internal server IP / name. I have mitigated this issue with a front end Web Application Firewall by denying HTTP 1.0 requests as a workaround. Is there a setting in Tomcat or JBoss to not allow this to happen? It is pretty widespread from testing I have done in the lab. It results in a PCI compliance violation by scoring it as an exploit.
> Example:
> GET /application HTTP/1.0
> HTTP/1.1 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Location: http://arcenae:8090/application/
> Date: Wed, 07 May 2008 03:10:36 GMT
> Connection: close
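The exchange quoted in the report shows the mechanism: an HTTP/1.0 request carries no Host header, so when Tomcat has to turn a relative redirect into an absolute Location URL it falls back to the server's own name and port (here arcenae:8090), which is exactly what proxyName and proxyPort on the Connector override. The script below is an added example, not code from the JIRA issue or from the Tomcat/JBoss projects: it is the check a defender would run over captured responses from their own server, flagging a redirect whose Location host is a private or loopback address, an unqualified single-label machine name, or a host/port that differs from the expected public front end. The sample response is constructed from the one in the report; the expected public host and port passed in are assumptions for illustration.

```python
"""Flag HTTP redirects whose Location header exposes an internal host or port.

Added example (not from the JIRA issue or the Tomcat/JBoss code base): runs
offline over a recorded response and reports why it leaks.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the 302 response quoted in JBAS-5507.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://arcenae:8090/application/\r\n"
    "Date: Wed, 07 May 2008 03:10:36 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_headers(raw):
    """Return (status_code, {lowercased header name: value}) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def host_is_internal(host):
    """True when the host should never appear in a public-facing redirect:
    a private, loopback or link-local IP, or an unqualified single-label name
    such as "arcenae" (a dotted name is treated as public here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return addr.is_private or addr.is_loopback or addr.is_link_local


def redirect_leak(raw, expected_host=None, expected_port=None):
    """Return a finding dict for a leaking redirect, or None if nothing is wrong.

    expected_host/expected_port describe the public front end (what proxyName
    and proxyPort would be set to); when given, any mismatch is reported.
    """
    status, headers = parse_headers(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    parts = urlsplit(headers["location"])
    host = parts.hostname
    if host is None:
        return None  # relative Location: no host to leak
    # Effective port: explicit, else the scheme default.
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)

    reasons = []
    if host_is_internal(host):
        reasons.append("internal or unqualified host %r" % host)
    if expected_host is not None and host != expected_host.lower():
        reasons.append("host %r differs from public host %r" % (host, expected_host))
    if expected_port is not None and port != expected_port:
        reasons.append("port %d differs from public port %d" % (port, expected_port))
    if not reasons:
        return None
    return {"location": headers["location"], "host": host, "port": port, "reasons": reasons}


if __name__ == "__main__":
    # Assumed public front end for the demonstration.
    finding = redirect_leak(SAMPLE_RESPONSE, expected_host="www.example.com", expected_port=443)
    for reason in finding["reasons"]:
        print("LEAK:", reason)
```

Once proxyName and proxyPort on the Connector match the public host and port (or the reverse proxy rewrites Location), the same check against a fresh capture returns None, which is the condition a compliance scan is looking for.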