2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:

> Yes yes whatever, you win (not that this was ever intended to be a
> competition, you just seem to enjoy making it into one every single
> time)... I am going to bed. Complete waste of my time. You still imply that
> I have unsecured something?

you make TomEE easily identifiable compared to Tomcat (= any Java server of
the web more or less). This way it is super easy to know that you can exploit
a CXF issue for instance, a thing you don't know with the default header.

> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>
>> not what I said.
>>
>> I said:
>> 1) over-exposing a variable you shouldn't activate is useless
>> 2) we shouldn't set "Apache TomEE" as the server variable by default
>>
>> Happy to replace these defaults by a server.xml.sample or anything you
>> judge appropriate while we stay aligned on Tomcat's default secured
>> settings
>> (also note that Apache Coyote is secured because most servers have it,
>> otherwise it would be as Apache TomEE)
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>> <http://rmannibucau.wordpress.com> | Github
>> <https://github.com/rmannibucau> | LinkedIn
>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:
>>
>>> Hmm, so why do you want to treat the system administrator like one?
>>>
>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>
>>>> Sure security is all about children...
>>>>
>>>> 2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
>>>>
>>>>> I was just thinking 'Kindergarten', how strange...
>>>>>
>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>
>>>>>> hmm this answer doesn't make sense for me, I surely miss something but
>>>>>> read it like "hey there is this property you can switch on true but if
>>>>>> you Google you'll see you shouldn't"
>>>>>>
>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
>>>>>>
>>>>>>> This is what I said and the reason I changed it. And yes the constants
>>>>>>> have that for 'server' now, and have also had other values in the past.
>>>>>>>
>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>> "Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>
>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>
>>>>>>> That's like saying I'm encouraging someone to change the 'port', which
>>>>>>> is also potentially dangerous when put into the hands of an idiot.
>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>> someone to look it up before changing it blindly. The very first Google
>>>>>>> hit on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>
>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>>>> life wasted.
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
>>>>>>>>
>>>>>>>>> Also, for completeness:
>>>>>>>>>
>>>>>>>>> xpoweredBy="false" activates nothing, if it were xpoweredBy="true"
>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>> being activated here?
>>>>>>>>
>>>>>>>> you encourage it by making it on the front of the scene.
>>>>>>>>
>>>>>>>>> server="Apache TomEE" merely changes the existing value and also
>>>>>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>>>>>> issue? Happy to learn though, so please point me to the specific code
>>>>>>>>> that this affects?
>>>>>>>>
>>>>>>>> it is on by default is not overridden by the app.
>>>>>>>>
>>>>>>>>> Andy.
>>>>>>>>>
>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>> You activated 2 different headers which is useless since we change
>>>>>>>>>> serverinfo by default, you already get TomEE here.
>>>>>>>>>>
>>>>>>>>>> That said this is not the real issue. Doing it is a standard security
>>>>>>>>>> issue, that is why it is off by default in Tomcat so I suggest to not
>>>>>>>>>> set it on by default
>>>>>>>>>>
>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
>>>>>>>>>>
>>>>>>>>>>> Some crawlers are using that header as the evaluation. Default is
>>>>>>>>>>> Apache Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>> will give us better standing.
>>>>>>>>>>>
>>>>>>>>>>> Andy.
>>>>>>>>>>>
>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>
>>>>>>>>>>>> PS (sorry hit enter without wishing it): asking because I wouldn't
>>>>>>>>>>>> have it on by default as a user
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>>>>>
>>>>>>>>>>>>> ---------- Forwarded message ----------
From: <[email protected]> >>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00 >>>>>>>>>>>>> Subject: tomee git commit: TomEE header >>>>>>>>>>>>> To: [email protected] >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Repository: tomee >>>>>>>>>>>>> Updated Branches: >>>>>>>>>>>>> refs/heads/master 2c4047e14 -> 268b57c86 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> TomEE header >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo >>>>>>>>>>>>> Commit: >>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8 >>>>>>>>>>>>> Tree: >>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8 >>>>>>>>>>>>> Diff: >>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8 >>>>>>>>>>>>> >>>>>>>>>>>>> Branch: refs/heads/master >>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808 >>>>>>>>>>>>> Parents: 2c4047e >>>>>>>>>>>>> Author: [email protected] <[email protected]> >>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200 >>>>>>>>>>>>> Committer: [email protected] <[email protected]> >>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>> .../apache/tomee/RemoteTomEEEJBContainerIT.java | 2 >>>>>>>>>>>>> +- >>>>>>>>>>>>> .../java/org/apache/tomee/installer/Installer.java | 17 >>>>>>>>>>>>> +++++++++++++++++ >>>>>>>>>>>>> 2 files changed, 18 insertions(+), 1 deletion(-) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 
>>>>>>>>>>>>> >>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>> diff --git >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>> index 70fcf6f..17731b9 100644 >>>>>>>>>>>>> --- >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>> +++ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>> 
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>>>>>>>>> " <Listener >>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + >>>>>>>>>>>>> " <Service name=\"Catalina\">\n" + >>>>>>>>>>>>> - " <Connector port=\"" + http + "\" >>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>> />\n" + >>>>>>>>>>>>> + " <Connector port=\"" + http + "\" >>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>>>>>>>>> " <Engine name=\"Catalina\" >>>>>>>>>>>>> defaultHost=\"localhost\">\n" + >>>>>>>>>>>>> " <Host name=\"localhost\" >>>>>>>>>>>>> appBase=\"webapps\"\n" >>>>>>>>>>>>> + >>>>>>>>>>>>> " unpackWARs=\"true\" >>>>>>>>>>>>> autoDeploy=\"true\">\n" + >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>> 
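Review bot: nothing in this hunk verifies the effect of the two new attributes; the IT now writes `xpoweredBy=\"false\" server=\"Apache TomEE\"` into the generated server.xml, but no assertion on the Server or X-Powered-By response headers is visible, so if the attributes stop being honoured this test still passes. Add a request against the connector on port `http` and assert that the reply carries `Server: Apache TomEE` and no `X-Powered-By` header. Also note that `xpoweredBy="false"` is already Tomcat's default for the HTTP connector, so of the two attributes only `server` changes observable behaviour; the test comment or name should say that is what it checks.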
diff --git >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>> index 0308c3d..60bd8f7 100644 >>>>>>>>>>>>> --- >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>> +++ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>> 
@@ -448,6 +448,23 @@ public class Installer implements >>>>>>>>>>>>> InstallerInterface { >>>>>>>>>>>>> alerts.addError("Error while adding >>>>>>>>>>>>> listener to >>>>>>>>>>>>> server.xml >>>>>>>>>>>>> file", e); >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> + //Add TomEE header >>>>>>>>>>>>> + try { >>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>> + "/>", >>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>> />"); >>>>>>>>>>>>> + >>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>> + "/>", >>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>> />"); >>>>>>>>>>>>> + } catch (final IOException e) { >>>>>>>>>>>>> + alerts.addError("Error adding server attribute to >>>>>>>>>>>>> server.xml >>>>>>>>>>>>> file", e); >>>>>>>>>>>>> + } >>>>>>>>>>>>> + >>>>>>>>>>>>> // overwrite server.xml >>>>>>>>>>>>> if >>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(), >>>>>>>>>>>>> newServerXml, >>>>>>>>>>>>> alerts)) { >>>>>>>>>>>>> alerts.addInfo("Add OpenEJB listener to >>>>>>>>>>>>> server.xml"); >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> >>>>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>>>> >>>>>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> >>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>> >>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Andy Gumbrecht >>>>>>>> >>>>>>> https://twitter.com/AndyGeeDe >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>> Andy Gumbrecht >>>>> https://twitter.com/AndyGeeDe >>>>> >>>>> >>>>> >>>>> -- >>> Andy Gumbrecht >>> https://twitter.com/AndyGeeDe >>> >>> >>> > -- > Andy 
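Review bot: both `Installers.replace` calls read `serverXmlOriginal` and assign to `newServerXml`, so the second call (port 8443) overwrites the result of the first and the 8080 connector never receives the attributes. Worse, the surrounding lines show the listener step before this block also produces `newServerXml` (its failure path is `alerts.addError("Error while adding listener to server.xml file", e)` and the file written by `Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts)` is reported as "Add OpenEJB listener to server.xml"), so starting again from `serverXmlOriginal` discards the listener edit before the write. Chain the edits instead: `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8080\"", "<Connector port=\"8080\"", "/>", ...)` and likewise for 8443. Two smaller points: matching on the literal ports 8080 and 8443 means a server.xml with other ports is silently left unchanged with no alert, and the success message "Add OpenEJB listener to server.xml" no longer describes everything that was written.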
> Gumbrecht
> https://twitter.com/AndyGeeDe
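The disagreement above is about what the Server and X-Powered-By response headers give away: Tomcat's default value identifies the connector, the commit's value identifies TomEE specifically, and an X-Powered-By header (only sent when the connector's `xpoweredBy` attribute is true) names the servlet implementation and version. The following is an added example, not code from Apache TomEE or from anyone on the thread: a small audit that parses raw HTTP responses and rates how much of the stack each of those headers reveals, the way a reconnaissance step or a CI header-hygiene check would. The `fetch_and_audit` helper does the same against a live host; every sample response, the product token list and the severity scale are constructed here and are assumptions of the example, not project behaviour.

```python
"""Audit HTTP responses for server-fingerprinting headers.

Added example, not Apache TomEE code. Parses raw HTTP/1.x responses and
reports what the Server / X-Powered-By headers reveal about the stack.
All sample responses below are constructed, not captured from a server.
"""
from __future__ import annotations

import http.client
import re
from dataclasses import dataclass, field

# Headers governed by Tomcat's HTTP Connector attributes: `server`
# overrides the Server header, `xpoweredBy` (default false) adds an
# X-Powered-By header naming the servlet implementation.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Tokens that identify a product (assumed list, deliberately simple) and
# a three-part release number; the question is "does this value let an
# attacker pick a CVE list to try".
PRODUCT_RE = re.compile(r"tomcat|tomee|coyote|openejb|cxf|jetty|servlet|jsp", re.I)
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")


@dataclass
class Finding:
    header: str
    value: str
    severity: str  # "info" (generic), "low" (product named), "medium" (product + version)
    reason: str


@dataclass
class Audit:
    status: int
    findings: list[Finding] = field(default_factory=list)

    @property
    def leaks_stack(self) -> bool:
        """True when some header lets a client identify the server product."""
        return any(f.severity != "info" for f in self.findings)


def parse_headers(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(header: str, value: str) -> Finding:
    """Rate one Server / X-Powered-By value by how much of the stack it reveals."""
    named = PRODUCT_RE.search(value) is not None
    versioned = VERSION_RE.search(value) is not None
    if named and versioned:
        return Finding(header, value, "medium", "names the product and a release version")
    if named:
        return Finding(header, value, "low", "names the product, version still unknown")
    return Finding(header, value, "info", "generic value, no product named")


def audit_headers(raw: bytes) -> Audit:
    """Audit one raw response; only the fingerprinting headers are rated."""
    status, headers = parse_headers(raw)
    audit = Audit(status)
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            audit.findings.append(classify(name, headers[name]))
    return audit


def fetch_and_audit(host: str, port: int = 8080, path: str = "/") -> Audit:
    """Live variant for your own servers: HEAD the connector and audit the real reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode("iso-8859-1")
        raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()).encode("iso-8859-1")
        raw += b"\r\n"
    finally:
        conn.close()
    return audit_headers(raw)


# Constructed samples for the states discussed in the thread (not captured).
TOMCAT_DEFAULT = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"
TOMEE_COMMIT = b"HTTP/1.1 200 OK\r\nServer: Apache TomEE\r\nContent-Length: 0\r\n\r\n"
XPOWERED_ON = (b"HTTP/1.1 200 OK\r\nServer: Apache TomEE\r\n"  # X-Powered-By modelled on Tomcat's format
               b"X-Powered-By: Servlet/3.0 JSP/2.2 (Apache Tomcat/7.0.0 Java/1.7.0)\r\n"
               b"Content-Length: 0\r\n\r\n")
GENERIC = b"HTTP/1.1 200 OK\r\nServer: web\r\nContent-Length: 0\r\n\r\n"
NO_SERVER = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("tomcat default", TOMCAT_DEFAULT), ("tomee commit", TOMEE_COMMIT),
                          ("xpoweredBy=true", XPOWERED_ON), ("generic", GENERIC), ("none", NO_SERVER)]:
        a = audit_headers(sample)
        print(f"{label:16} leaks_stack={a.leaks_stack}")
        for f in a.findings:
            print(f"  [{f.severity}] {f.header}: {f.value!r} ({f.reason})")
```

Run it as-is to see the five constructed cases rated, or point `fetch_and_audit("localhost", 8080)` at a TomEE you operate. The scale makes the thread's two positions concrete: "Apache-Coyote/1.1" and "Apache TomEE" both rate "low" (product identifiable, version not), while an X-Powered-By header rates "medium" because Tomcat's value carries the exact release; a generic or absent Server header rates nothing.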
