Posted to dev@ranger.apache.org by "Pradeep Agrawal (Jira)" <ji...@apache.org> on 2020/01/29 05:21:00 UTC

[jira] [Assigned] (RANGER-2360) [security] Admin WebUI - Server information disclosure

     [ https://issues.apache.org/jira/browse/RANGER-2360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal reassigned RANGER-2360:
---------------------------------------

    Assignee: Pradeep Agrawal

> [security] Admin WebUI - Server information disclosure
> ------------------------------------------------------
>
>                 Key: RANGER-2360
>                 URL: https://issues.apache.org/jira/browse/RANGER-2360
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, Ranger
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: Pradeep Agrawal
>            Priority: Trivial
>
> Revealing server information or system data helps an attacker learn about the technologies used by the application, which can aid him in forming a plan of attack. The information revealed could then be abused to craft more effective exploits against the application and underlying platforms.
> All HTTP responses and error messages disclosed server information names and version:
>  Apache-Coyote/1.1
>  Apache Tomcat/7.0.82
> Threat actors can include external and internal users with malicious intent. A potential attacker would first conduct a review of the system and try to identify the technologies that the system is running on, by inducing errors on the site, looking at the HTTP headers sent in response to requests and by looking at the HTML source code generated by the application. Though these bits of information are not vulnerabilities themselves, an attacker, equipped with this information, can proceed to use targeted vulnerability tests and exploits against the platform/technology in use.
>  Given the following server information, a would-be attacker can infer the following information: server product, version, operating system, and vulnerability publications. These are helpful in planning an attack and minimise the possibility of detection.
> Remove the information from application’s HTTP headers in response. Modify or remove the banner to limit the amount of information disclosed over the Internet. 
>  
> GET /login.jsp reveals Apache-Coyote/1.1
> PROPFIND /index.html reveals Apache Tomcat/7.0.82
>  
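A small regression check a defender can run over captured responses to confirm the banner has actually been removed after a fix. This is an added example, not part of the Jira issue or of Ranger's own code; the three raw responses are constructed to mirror the two requests named in the report plus a hardened variant.

```python
"""Flag product/version banners in HTTP responses (added example, not Ranger code)."""
import re

# Headers that commonly carry a product or version banner.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Matches a product/version banner such as "Apache-Coyote/1.1" or "Apache Tomcat/7.0.82".
VERSION_RE = re.compile(r"\b([A-Za-z][\w .-]*?)/(\d+(?:\.\d+)+)")

# Constructed sample responses (not captured from a real Ranger instance).
LEAKY_LOGIN = (
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Ranger Login</h1></body></html>"
)
LEAKY_ERROR = (
    "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 405</h1><h3>Apache Tomcat/7.0.82</h3></body></html>"
)
HARDENED_ERROR = (
    "HTTP/1.1 405 Method Not Allowed\r\nServer: Ranger\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 405 - Method Not Allowed</h1></body></html>"
)


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosures(raw: str):
    """Return (location, banner) pairs for every product/version string found.

    A generic header value without a version (e.g. "Server: Ranger") is not
    reported, since the report's remedy is to modify or remove the banner.
    """
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        for m in VERSION_RE.finditer(value):
            findings.append((f"header:{name}", m.group(0)))
    for m in VERSION_RE.finditer(body):  # error pages often embed the banner in HTML
        findings.append(("body", m.group(0)))
    return findings
```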



--
This message was sent by Atlassian Jira
(v8.3.4#803005)