On 9/18/2013 5:04 AM, Joy Obba wrote:
Hello Team,Some security issues were raised by our audit team and these issues were forwarded to secur...@apache.org. We got a response from Mark Thomas from the Security team Theses issues are listed below: 1. Banner Disclosure We observed that the GTApplication web server disclosed the Apache Coyote version in its HTTP response. The extracted version is: Apache-Coyote/1.1 *Risk * This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache. ***Response * Not a vulnerability in Apache Tomcat. Every currently supported version of Apache Tomcat includes that information in the header. All it tells an attacker is that you are running Apache Tomcat. If you really want to change it, a configuration option to do that is available on the connector. 2. The Character Set was not set. The Character set (Charset) was not explicitly set by the server. * Risk* There is a risk that characters in content are incorrectly interpreted by the server. Lack of charset can cause the browser to guess the encoding type and this could lead to Cross-site Scripting by encoding the payload in encoding types like UTF-7. * Response* Not a vulnerability in Apache Tomcat. RFC2616 requires clients to treat responses without a character encoding as being encoding with ISO-8859-1. Clients that try to guess the charset are in breach of RFC2616. Further that they might do so in an unsafe manner is a security vulnerability in those clients and should be reported to the appropriate vendor. If the vendor(s) of the vulnerable client(s) are unwilling to fix this vulnerability there are multiple ways that it could be mitigated. For example, with a filter that always sets the character set. Kindly send documents that will assist us in resolving these vulnerabilities
I think Mark's responses above tell you what you need to know in order to resolve these. Just look in the documentation for the implementation details.
D --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
