...and you're still insinuating that I don't read, and have compromised security in some way? It's just incredible how you do that!

You say you changed the server info to TomEE. Yet you look at this in some other light? You also suggest that people who read properties in configuration files of a server system are in some way stupid and should therefore not be presented with options to research - I could almost go with you on that one if the presented attribute was set to an insecure value. I still prefer to think that others are capable of 'also' reading security related information.

You insist across several mails that I am wrong about the 'server' attribute and your eventual insight is a simple 'oops', and yes I agree that 'Apache Coyote/1.1' was my mistake. However, the intention of changing that to 'Apache TomEE' is not to serve myself in some way. The purpose of that is to specifically advertise the use of Apache TomEE when being trawled. This is in absolutely no way different than every other server on the global market! I strongly believe that Apache TomEE should be advertising itself in this way, else it will not be mentioned in statistics. Groups collect this information and publish it on sites across the globe - That is free advertising on a global scale, you just can't buy that.

You suggest that 'Apache TomEE' is broken and that hackers will see this as an invite to attack specific elements offered by certain TomEE distributions. I would suggest that a malicious hacker is quite capable of researching the responses of any server that they choose to attack regardless of the distributor, else they are not a malicious hacker.

Very sorry that you see this as some kind of massive security breach? So please feel free to revert those changes. Last words on the subject.

Andy.

Ping....


On 08/05/2015 00:43, Romain Manni-Bucau wrote:
...just read security documents you'll realize I don't. The minimumerrorvalve was not created for fun just to remove tomcat string from error pages!


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:41 GMT+02:00 Andy <[email protected]>:

You're kidding right. Now you're clutching straws..... oh yea, let's add the TomEE Plus. :-D

Night.


On 08/05/2015 00:34, Romain Manni-Bucau wrote:

2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:

Yes yes whatever, you win (not that this was ever intended to be a competition, you just seem to enjoy making it into one every single time)... I am going to bed. Complete waste of my time. You still imply that I have unsecured something?


you make tomee easily identifiable compared to tomcat (= any java server of the web more or less). This way it is super easy to know that you can exploit a cxf issue for instance, something you don't know with the default header.


  On 08/05/2015 00:26, Romain Manni-Bucau wrote:
not what I said.
I said:
1) over exposing a variable you shouldn't activate is useless
2) we shouldn't set Apache TomEE to server variable by default

Happy to replace these defaults by a server.xml.sample or anything you judge appropriate while we stay aligned on tomcat default secured settings (also note that Apache Coyote is secured cause most servers have it, otherwise it would be as Apache TomEE)





2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:

   Hmm, so why do you want to treat the system administrator like one?

On 08/05/2015 00:21, Romain Manni-Bucau wrote:

   Sure security is all about children...


2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:

    I was just thinking 'Kindergarten', how strange...

  On 08/05/2015 00:17, Romain Manni-Bucau wrote:
hmm this answer doesn't make sense for me, I surely miss something but read it like "hey there is this property you can switch on true but if you google you'll see you shouldn't"



2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:

This is what I said and the reason I changed it. And yes the constants have that for 'server' now, and have also had other values in the past.

So to be even more complete and correct myself.... changed it from "Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.

@Romain: "you encourage it by making it on the front of the scene."

That's like saying I'm encouraging someone to change the 'port', which is also potentially dangerous when put into the hands of an idiot. I like, and hope, to think that exposing a property would encourage someone to look it up before changing it blindly. The very first google hit on 'xpoweredBy' will enlighten even the most fickle reader.

Sorry if my opinion just does not fit in on that. Another hour of my life wasted.

Andy.


On 07/05/2015 23:58, Romain Manni-Bucau wrote:

     2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:

Also, for completeness:

xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*" then maybe that might just 'activate' whatever it is you think is being activated here?


you encourage it by making it on the front of the scene.

server="*Apache TomEE*" merely changes the existing value and also 'activates' nothing. I don't see where you think this is a security issue? Happy to learn though, so please point me to the specific code that this affects?


it is on by default is not overridden by the app.

       Andy.

     On 07/05/2015 23:21, Romain Manni-Bucau wrote:
You activated 2 different headers which is useless since we change serverinfo by default you already get tomee here.

That said this is not the real issue. Doing it is a standard security issue, that is why it is off by default in tomcat so I suggest to not set it on by default





2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:

Some crawlers are using that header as the evaluation. Default is Apache Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us better standing.

Andy.

On 07/05/2015 22:38, Romain Manni-Bucau wrote:

PS (sorry hit enter without wishing it): asking cause I wouldn't have it on by default as a user


2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:

Hi
What's the goal? We already switch server info, isn't it enough?



---------- Forwarded message ----------
From: <[email protected]>
Date: 2015-05-07 22:03 GMT+02:00
Subject: tomee git commit: TomEE header
To: [email protected]


Repository: tomee
Updated Branches:
          refs/heads/master 2c4047e14 -> 268b57c86


TomEE header


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8

Branch: refs/heads/master
Commit: 268b57c868c055e3788b85d6ed6a192da094e808
Parents: 2c4047e
Author: [email protected] <[email protected]>
Authored: Thu May 7 22:03:35 2015 +0200
Committer: [email protected] <[email protected]>
Committed: Thu May 7 22:03:35 2015 +0200






----------------------------------------------------------------------
 .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
 .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)





----------------------------------------------------------------------










http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java





----------------------------------------------------------------------
diff --git a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
index 70fcf6f..17731b9 100644
--- a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
+++ b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
                     "  <!-- TomEE plugin for Tomcat -->\n" +
                     "  <Listener
className=\"org.apache.tomee.catalina.ServerListener\" />\n"
+
                     "  <Service name=\"Catalina\">\n" +
-            "    <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
/>\n" +
+            "    <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
                     "    <Engine name=\"Catalina\"
defaultHost=\"localhost\">\n" +
                     "      <Host name=\"localhost\"
appBase=\"webapps\"\n"
+
                     "            unpackWARs=\"true\"
autoDeploy=\"true\">\n" +
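Review bot: the connector in the test's server.xml now carries xpoweredBy="false" server="Apache TomEE", but nothing in this hunk asserts on the resulting response, so the attribute is set without being checked; add a request in the IT that reads the Server response header and compares it with "Apache TomEE" (and, if keeping X-Powered-By off is part of the intent, asserts that header is absent). xpoweredBy="false" is also Tomcat's default for the Connector, as the thread itself notes, so it can be dropped from the fixture unless the point is to spell the default out.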









http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java





----------------------------------------------------------------------
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 0308c3d..60bd8f7 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -448,6 +448,23 @@ public class Installer implements
InstallerInterface {
                     alerts.addError("Error while adding
listener to
server.xml
file", e);
                 }

+        //Add TomEE header
+        try {
+            newServerXml =
Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8080\"",
+                    "<Connector port=\"8080\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+
+            newServerXml =
Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8443\"",
+                    "<Connector port=\"8443\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+        } catch (final IOException e) {
+            alerts.addError("Error adding server attribute
to
server.xml
file", e);
+        }
+
                 // overwrite server.xml
                 if
(Installers.writeAll(paths.getServerXmlFile(),
newServerXml,
alerts)) {
                     alerts.addInfo("Add OpenEJB listener to
server.xml");
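Review bot: both Installers.replace calls take serverXmlOriginal as their input, so the second assignment (port 8443) throws away the result of the first (port 8080) and only one connector can ever end up with the new attributes; the second call should start from newServerXml. For the same reason the first assignment discards whatever the listener-adding block just above this hunk left in newServerXml before Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts) writes the file out, so the whole chain needs to read from and write to newServerXml. Two smaller points: there is no handling for a server.xml where the 8443 connector is absent or commented out, so check what Installers.replace does when the start marker is not found before relying on it; and server="Apache TomEE" puts the product name into every response, where the stock Tomcat Server value does not distinguish TomEE from other Tomcat-based servers, which is the fingerprinting concern raised in the thread. If the attribute stays, a comment in the generated server.xml stating that trade-off would help administrators decide for themselves.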




       --

          Andy Gumbrecht

          https://twitter.com/AndyGeeDe

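The argument above is about what the Connector's server and xpoweredBy attributes put into HTTP responses. The script below is an added example, not TomEE project code, showing the two checks an administrator would run: reading those attributes out of a server.xml, and reading raw HTTP responses for headers that name the product. The sample server.xml and the three responses are constructed for illustration; the assumptions that "Apache-Coyote/1.1" is the stock Tomcat Server value (the "Apache Coyote" of the thread) shared by many Tomcat-based servers, and that a missing xpoweredBy means false, are stated in the comments.

```python
"""Check Tomcat/TomEE connector settings and HTTP responses for product
disclosure. Added example (not TomEE project code); every input below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

DISCLOSURE_HEADERS = ("server", "x-powered-by")

# Assumption: "Apache-Coyote/1.1" is the stock Tomcat Server header (the
# "Apache Coyote" of the thread) emitted by many Tomcat-based servers, so on
# its own it does not single out TomEE. Any other value naming a product
# is reported.
GENERIC_SERVER_VALUES = {"apache-coyote/1.1"}


def connector_settings(server_xml: str) -> list:
    """Return port/server/xpoweredBy for every <Connector> in a server.xml.

    Assumption: a missing xpoweredBy means false (Tomcat's default, as the
    thread also states); a missing server attribute means the stock header.
    """
    root = ET.fromstring(server_xml)
    settings = []
    for conn in root.iter("Connector"):
        settings.append({
            "port": conn.get("port"),
            "server": conn.get("server"),
            "xpoweredBy": conn.get("xpoweredBy", "false").strip().lower() == "true",
        })
    return settings


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a mapping of
    lower-cased header name -> list of values (the body is ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosure(raw: bytes) -> dict:
    """Return the headers in a raw response that name the server product."""
    found = {}
    for name, values in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        for value in values:
            if value.lower() not in GENERIC_SERVER_VALUES:
                found[name] = value
    return found


# Constructed server.xml: one connector left at Tomcat defaults, one with the
# attributes the patch in the thread adds.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               xpoweredBy="false" server="Apache TomEE" />
  </Service>
</Server>
"""

# Constructed responses for the three settings discussed in the thread.
RESPONSE_STOCK = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                  b"Content-Length: 0\r\n\r\n")
RESPONSE_TOMEE = (b"HTTP/1.1 200 OK\r\nServer: Apache TomEE\r\n"
                  b"Content-Length: 0\r\n\r\n")
RESPONSE_XPOWERED = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                     b"X-Powered-By: Servlet/3.0 JSP/2.2 (Apache Tomcat/7.0.x)\r\n"
                     b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    for conn in connector_settings(SAMPLE_SERVER_XML):
        print(conn)
    for label, resp in (("stock", RESPONSE_STOCK), ("tomee", RESPONSE_TOMEE),
                        ("xpoweredBy", RESPONSE_XPOWERED)):
        print(label, disclosure(resp) or "no product named")
```

Run against a live server, the same disclosure() check applies to the bytes returned by any raw socket or HEAD request; the stock response yields nothing, while either the server attribute or xpoweredBy="true" makes the product visible to anything that crawls the port.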