Application Server 3, 4, 5 and 6
JBAS-5507

Internal IP Address Leak - JBoss Application Server


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Version: JBossAS-4.2.2.GA
    • Component: Web (Tomcat) service

    Description

      When sending an HTTP 1.0 request that results in a 302 redirect, JBoss will leak the internal IP address of the server in the Location response. Basically, you create an HTTP 1.0 request to a URL which will result in a 302. Then you can see the internal server IP / name. I have mitigated this issue with a front-end Web Application Firewall by denying HTTP 1.0 requests as a workaround. Is there a setting in Tomcat or JBoss to not allow this to happen? It is pretty widespread from testing I have done in the lab. It results in a PCI compliance violation by scoring it as an exploit.

      Example:

      GET /application HTTP/1.0

      HTTP/1.1 302 Moved Temporarily
      Server: Apache-Coyote/1.1
      Location: http://arcenae:8090/application/
      Date: Wed, 07 May 2008 03:10:36 GMT
      Connection: close
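The following is an added example, not code from JBAS-5507 or from JBoss/Tomcat. It reproduces the check a scanner performs for the behaviour reported above: send a bare HTTP/1.0 GET with no Host header, then compare the hostname in the 302 Location header against the name the client actually connected to. Because the page gives no server to test against, the example stands up a small local HTTP server that is a constructed stand-in mimicking the report (it builds Location from its own internal name, here the hostname "arcenae" taken from the report's response, whenever the request carries no Host header); the client and detection functions are the reusable part and can be pointed at a real host.

```python
"""Detect an internal hostname/IP leaking through a 302 Location header
when the request is HTTP/1.0 without a Host header.

Added example for the JBAS-5507 report; not part of the issue or of
JBoss/Tomcat. The local server below is a constructed stand-in that
mimics the reported behaviour so the check can run offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

INTERNAL_NAME = "arcenae"   # constructed: the internal name seen in the report

# The response quoted in the report, reproduced here as constructed sample input.
REPORTED_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://arcenae:8090/application/\r\n"
    "Date: Wed, 07 May 2008 03:10:36 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)


class RedirectingHandler(BaseHTTPRequestHandler):
    """Stand-in server: redirects to the Host header if present, otherwise
    falls back to its internal name, which is the leak described above."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        host = self.headers.get("Host")
        if host is None:  # HTTP/1.0 clients may omit Host
            host = f"{INTERNAL_NAME}:{self.server.server_address[1]}"
        self.send_response(302)
        self.send_header("Location", f"http://{host}{self.path}/")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging


def start_server():
    """Start the stand-in on 127.0.0.1 on a free port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_request(host, port, path, version="1.0", send_host=False):
    """Send a hand-built GET and return the raw response as text.

    HTTP/1.0 allows omitting Host (the trigger in the report); HTTP/1.1
    requires it, so it is always sent for 1.1.
    """
    lines = [f"GET {path} HTTP/{version}"]
    if send_host or version == "1.1":
        lines.append(f"Host: {host}:{port}")
    lines.append("Connection: close")
    request = "\r\n".join(lines).encode("ascii") + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


def location_host(response_text):
    """Return the hostname named in the Location header, or None if absent."""
    head = response_text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None


def leaks_internal_name(response_text, requested_host):
    """True when the redirect names a host other than the one the client
    connected to, i.e. the server disclosed an internal name or address."""
    target = location_host(response_text)
    return target is not None and target != requested_host.lower()


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for version, with_host in (("1.0", False), ("1.0", True), ("1.1", False)):
        resp = raw_request("127.0.0.1", port, "/application", version, with_host)
        print(f"HTTP/{version} Host sent={with_host}: Location host="
              f"{location_host(resp)} leak={leaks_internal_name(resp, '127.0.0.1')}")
    srv.shutdown()
```

Against a real deployment, call raw_request with the public hostname or address and compare the Location host to that same name: a mismatch is what the PCI scanner in the report scored as a finding. The HTTP/1.0-with-Host and HTTP/1.1 cases are included because they show the redirect is clean once a Host header is present, which is why the reporter's WAF workaround of rejecting HTTP/1.0 requests closes the gap; running the check through the WAF should then yield a refused request rather than a redirect.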

      People

        rmaucher Remy Maucherat
        jeremy.carroll Jeremy Carroll (Inactive)
        Votes: 0
        Watchers: 2