Hello Team,

Some security issues were raised by our audit team and these issues were forwarded to secur...@apache.org.
We got a response from Mark Thomas from the Security team.
These issues are listed below:

1. Banner Disclosure
    We observed that the GTApplication web server disclosed the Apache Coyote version in its HTTP response. The extracted version is: Apache-Coyote/1.1

    Risk
    This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

    Response

Not a vulnerability in Apache Tomcat. Every currently supported version of Apache Tomcat includes that information in the header. All it tells an attacker is that you are running Apache Tomcat. If you really want to change it, a configuration option to do that is available on the connector.

2. The Character Set was not set.
    The Character set (Charset) was not explicitly set by the server.

    Risk
    There is a risk that characters in content are incorrectly interpreted by the server. Lack of charset can cause the browser to guess the encoding type and this could lead to Cross-site Scripting by encoding the payload in encoding types like UTF-7.

    Response

Not a vulnerability in Apache Tomcat. RFC2616 requires clients to treat responses without a character encoding as being encoded with ISO-8859-1. Clients that try to guess the charset are in breach of RFC2616. Further, that they might do so in an unsafe manner is a security vulnerability in those clients and should be reported to the appropriate vendor. If the vendor(s) of the vulnerable client(s) are unwilling to fix this vulnerability there are multiple ways that it could be mitigated. For example, with a filter that always sets the character set.

Kindly send documents that will assist us in resolving these vulnerabilities.

Kind Regards
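For reference, the "filter that always sets the character set" mentioned in the response to item 2 ships with Tomcat as org.apache.catalina.filters.AddDefaultCharsetFilter; it adds a charset to the Content-Type of text/* responses that do not already carry one. The web.xml fragment below is an added illustration and is not part of the thread or of Tomcat's own documentation; the filter name, the chosen encoding (UTF-8) and the url-pattern are assumptions for this example.

```xml
<!-- Added example, not from the original thread. Place in the application's
     WEB-INF/web.xml (or in conf/web.xml to apply it server-wide). -->
<filter>
    <!-- filter-name is an arbitrary label chosen for this example -->
    <filter-name>AddDefaultCharsetFilter</filter-name>
    <filter-class>org.apache.catalina.filters.AddDefaultCharsetFilter</filter-class>
    <init-param>
        <!-- Charset appended to text/* responses that lack one.
             Without this parameter the filter uses ISO-8859-1, which
             matches the RFC2616 default the response above refers to. -->
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>AddDefaultCharsetFilter</filter-name>
    <!-- Apply to every response served by this application -->
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Choosing an explicit encoding such as UTF-8 only makes sense if the application actually emits that encoding; otherwise leave the parameter out so the filter declares ISO-8859-1, which is what conforming clients already assume. For item 1, the "configuration option on the connector" is the `server` attribute of the HTTP `<Connector>` element in conf/server.xml, which overrides the value sent in the Server response header.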
