t oo created RANGER-2360:
----------------------------
Summary: [security] Admin WebUI - Server information disclosure
Key: RANGER-2360
URL: https://issues.apache.org/jira/browse/RANGER-2360
Project: Ranger
Issue Type: Bug
Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo
Revealing server information or system data helps an attacker learn about the
technologies used by the application, which can aid him in forming a plan of
attack. The information revealed could then be abused to craft more effective
exploits against the application and underlying platforms.

All HTTP responses and error messages disclosed the server name and version:
Apache-Coyote/1.1
Apache Tomcat/7.0.82
Threat actors can include external and internal users with malicious intent. A
potential attacker would first conduct a review of the system and try to
identify the technologies that the system is running on, by inducing errors on
the site, looking at the HTTP headers sent in response to requests and by
looking at the HTML source code generated by the application. Though these bits
of information are not vulnerabilities themselves, an attacker, equipped with
this information, can proceed to use targeted vulnerability tests and exploits
against the platform/technology in use.
Given the following server information, a would-be attacker can infer the
following information: server product, version, operating system, and
vulnerability publications. These are helpful in planning an attack and
minimise the possibility of detection.
Remove the information from application’s HTTP headers in response. Modify or
remove the banner to limit the amount of information disclosed over the
Internet.
GET /login.jsp reveals Apache-Coyote/1.1
PROPFIND /index.html reveals Apache Tomcat/7.0.82
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
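The following is an added example, not code from the Ranger project or from the reporter. It does two things the report calls for: it checks raw HTTP responses for the two Tomcat banners named above (the `Server` header value `Apache-Coyote/1.1` and the `Apache Tomcat/<version>` string that the ErrorReportValve prints in generated error pages), and it patches a Tomcat `server.xml` so that every `Connector` carries a neutral `server="Apache"` attribute and every `Host` has an `ErrorReportValve` with `showReport="false"` and `showServerInfo="false"`. The sample responses and the minimal `server.xml` are constructed for the example (port 6080 is only used because it is Ranger Admin's default HTTP port); the function and constant names are mine. Both Tomcat attributes are documented for the Tomcat 7.0.x Connector and ErrorReportValve; check the docs for your exact Tomcat version before relying on them.

```python
"""Added example (not Ranger project code): detect the Tomcat/Coyote banners the
report describes in raw HTTP responses, and patch a Tomcat server.xml so the
Connector sends a neutral Server header and the ErrorReportValve stops
printing the Tomcat version in error pages."""
import re
import xml.etree.ElementTree as ET

# Product/version banners Tomcat 7 emits by default: "Apache-Coyote/1.1" in the
# Server header and "Apache Tomcat/<version>" in generated error pages.
BANNER_RE = re.compile(r"\b(Apache-Coyote|Apache Tomcat)/(\d+(?:\.\d+)*)")
ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_banners(raw):
    """Return [(location, banner)] for every product/version string found in
    the Server header or the response body, de-duplicated, in order.
    A bare "Server: Apache" carries no version and is not flagged."""
    _, headers, body = parse_response(raw)
    findings = []
    for m in BANNER_RE.finditer(headers.get("server", "")):
        findings.append(("header", m.group(0)))
    for m in BANNER_RE.finditer(body):
        item = ("body", m.group(0))
        if item not in findings:
            findings.append(item)
    return findings


def harden_server_xml(xml_text, server_header="Apache"):
    """Set server="..." on every Connector and ensure each Host has an
    ErrorReportValve with showReport/showServerInfo="false".
    Note: ElementTree drops XML comments from the input."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for connector in root.iter("Connector"):
        connector.set("server", server_header)
    for host in root.iter("Host"):
        valve = next((v for v in host.findall("Valve")
                      if v.get("className") == ERROR_VALVE), None)
        if valve is None:
            valve = ET.SubElement(host, "Valve", className=ERROR_VALVE)
        valve.set("showReport", "false")
        valve.set("showServerInfo", "false")
    return ET.tostring(root, encoding="unicode")


def banner_settings(xml_text):
    """Inspect a server.xml: ([Connector server attrs], [(showReport, showServerInfo)])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    servers = [c.get("server") for c in root.iter("Connector")]
    valves = [(v.get("showReport"), v.get("showServerInfo"))
              for v in root.iter("Valve") if v.get("className") == ERROR_VALVE]
    return servers, valves


# Constructed sample responses modelled on the two requests in the report.
SAMPLE_GET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Ranger login</body></html>"
)
SAMPLE_PROPFIND = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/7.0.82 - Error report</title></head>"
    "<body><h1>HTTP Status 501 - Method PROPFIND is not implemented</h1>"
    "<hr/><h3>Apache Tomcat/7.0.82</h3></body></html>"
)
HARDENED_PROPFIND = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 501</h1></body></html>"
)
# Constructed minimal server.xml; 6080 is Ranger Admin's default HTTP port.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for name, raw in [("GET /login.jsp", SAMPLE_GET),
                      ("PROPFIND /index.html", SAMPLE_PROPFIND),
                      ("PROPFIND (hardened)", HARDENED_PROPFIND)]:
        print(name, "->", find_banners(raw) or "no banner")
    print(harden_server_xml(SAMPLE_SERVER_XML))
```

To verify a live instance, feed `find_banners` the raw bytes of a real `GET /login.jsp` and `PROPFIND /index.html` response (decoded to text) and expect an empty list after the change. Where Tomcat is embedded rather than run from a `server.xml`, the same two knobs are set in code on the `Connector` and `ErrorReportValve` objects instead of by patching the file; suppressing the banner does not remove the underlying Tomcat version, so keeping Tomcat patched is still the primary control.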