[jboss-jira] [JBoss JIRA] Commented: (JBAS-5507) Internal IP Address Leak - JBoss Application Server
Jan Normann Nielsen (JIRA)
jira-events at lists.jboss.org
Fri Feb 6 05:30:44 EST 2009
[ https://jira.jboss.org/jira/browse/JBAS-5507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12451458#action_12451458 ]
Jan Normann Nielsen commented on JBAS-5507:
-------------------------------------------
I do not agree that this is a "Tomcat issue", as the issue was introduced in JBoss 4.2 (which switched from Tomcat 5.5 to JBossWeb). Also, the issue cannot be resolved by setting proxyName and proxyPort if you're running AJP/1.3 as the protocol between Apache and Tomcat.
Please see discussion on this page:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=149194
Please reconsider opening this bug.
> Internal IP Address Leak - JBoss Application Server
> ---------------------------------------------------
>
> Key: JBAS-5507
> URL: https://jira.jboss.org/jira/browse/JBAS-5507
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-4.2.2.GA
> Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
> Reporter: Jeremy Carroll
> Assignee: Remy Maucherat
>
> When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the internal IP address of the server in the Location response header. Basically you create an HTTP 1.0 request to a URL which will result in a 302. Then you can see the internal server IP / name. I have mitigated this issue with a front end Web Application Firewall by denying HTTP 1.0 requests as a workaround. Is there a setting in Tomcat or JBoss to not allow this to happen? It is pretty widespread from testing I have done in the lab. It results in a PCI compliance violation by scoring it as an exploit.
> Example:
>
> Request:
> GET /application HTTP/1.0
>
> Response:
> HTTP/1.1 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Location: http://arcenae:8090/application/
> Date: Wed, 07 May 2008 03:10:36 GMT
> Connection: close
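Added example, not code from the JIRA thread or from JBoss: a small Python audit that parses a raw redirect response such as the one quoted above, flags a Location host that is not one of the site's public names (the check a compliance scanner applies), and shows the reverse-proxy-side rewrite of that header, which is the effect Apache's ProxyPassReverse directive has and is one compensating control when the origin cannot be configured to emit the public name. The response text is taken from the report; the public name www.example.com and the PUBLIC_HOSTS set are assumptions.

```python
"""Audit 3xx responses for an internal host in the Location header and
apply a proxy-style rewrite to the public name.

Example added to the thread; the sample responses below are constructed
from the report, and "www.example.com" is an assumed public hostname."""
from urllib.parse import urlsplit, urlunsplit

# Assumption: the hostnames clients are supposed to see.
PUBLIC_HOSTS = {"www.example.com"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased; the body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, code, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def audit_redirect(raw: str):
    """Return the leaked host if a redirect points at a non-public host,
    otherwise None (no redirect, relative Location, or public host)."""
    code, headers = parse_response(raw)
    if code not in REDIRECT_CODES:
        return None
    location = headers.get("location")
    if not location:
        return None
    host = urlsplit(location).hostname
    if host is None:            # relative Location: nothing about the origin exposed
        return None
    if host.lower() in PUBLIC_HOSTS:
        return None
    return host


def rewrite_location(headers: dict, public_host: str, public_scheme: str = "https"):
    """ProxyPassReverse-style rewrite: replace an internal scheme://host:port in
    Location with the public origin, keeping path, query and fragment."""
    location = headers.get("location")
    if not location:
        return headers
    parts = urlsplit(location)
    if parts.hostname and parts.hostname.lower() not in PUBLIC_HOSTS:
        fixed = urlunsplit((public_scheme, public_host, parts.path, parts.query, parts.fragment))
        headers = dict(headers)
        headers["location"] = fixed
    return headers


# Constructed sample: the response quoted in the report (internal name "arcenae").
SAMPLE_LEAK = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://arcenae:8090/application/\r\n"
    "Date: Wed, 07 May 2008 03:10:36 GMT\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed sample: same redirect expressed relative to the request, nothing leaked.
SAMPLE_RELATIVE = "HTTP/1.1 302 Moved Temporarily\r\nLocation: /application/\r\n\r\n"

if __name__ == "__main__":
    print("leaked host:", audit_redirect(SAMPLE_LEAK))          # arcenae
    print("relative ok:", audit_redirect(SAMPLE_RELATIVE))      # None
    _, hdrs = parse_response(SAMPLE_LEAK)
    print("rewritten:", rewrite_location(hdrs, "www.example.com")["location"])
```

The audit treats a relative Location as safe because it reveals nothing about the origin; the rewrite only touches hosts outside PUBLIC_HOSTS, so redirects that already name the public site pass through unchanged.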
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira