[jboss-jira] [JBoss JIRA] Commented: (JBAS-5507) Internal IP Address Leak - JBoss Application Server

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Fri Feb 6 07:56:44 EST 2009 

    [ https://jira.jboss.org/jira/browse/JBAS-5507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12451480#action_12451480 ] 

Remy Maucherat commented on JBAS-5507:
--------------------------------------

Tomcat 6 is the corresponding version, and it uses the same code (use APR or the org.apache.coyote.ajp.AjpProcessor).

> Internal IP Address Leak - JBoss Application Server
> ---------------------------------------------------
>
>                 Key: JBAS-5507
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5507
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Tomcat) service
>    Affects Versions: JBossAS-4.2.2.GA
>         Environment: Tested on Windows / Linux JBoss installations (4.0.3, 4.0.4, 4.2.2)
>            Reporter: Jeremy Carroll
>            Assignee: Remy Maucherat
>
> When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the internal IP address of the server in the Location response. Basically you create a HTTP 1.0 request to a URL which will result in a 302. Then you can see in the internal server IP / name. I have mitigated this issue with a front end Web Application Firewall by denying HTTP 1.0 requests as a workaround. Is there a setting in tomcat or JBoss to not allow this to happen? It is pretty widespread from testing I have done in the lab. It results in a PCI compliance violation by scoring it as an exploit.
> Example:
> GET /application HTTP/1.0
> HTTP/1.1 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Location: http://arcenae:8090/application/
> Date: Wed, 07 May 2008 03:10:36 GMT
> Connection: close

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list