Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/02/12 05:27:20 UTC

[Bug 57573] New: Host Header Internal IP Address Disclosure

https://issues.apache.org/bugzilla/show_bug.cgi?id=57573

            Bug ID: 57573
           Summary: Host Header Internal IP Address Disclosure
           Product: Tomcat 6
           Version: 6.0.4
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: 1599409001@qq.com

I upgraded my Tomcat server to 6.0.41. When I accessed the web site using Chrome,
there were some response headers in the developer tools, as below. The security team
said this was a risk and asked that the IP in the Location parameter must be hidden. Would
you like to correct the issue?

----------the response header from my web site----------------
Response Headers
Connection:Keep-alive
Content-Language:zh-CN
Content-Length:0
Content-Type:text/html;charset=UTF-8
Date:Thu, 12 Feb 2015 03:59:20 GMT
Keep-Alive:timeout=15, max=100
Location:http://218.201.202.225/seeyon/index.jsp
Server:Apache-Coyote/1.1
Via:1.1 ID-0001544136376125 uproxy-2

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 57573] Host Header Internal IP Address Disclosure

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573

xinshouke <15...@qq.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |1599409001@qq.com

--- Comment #2 from xinshouke <15...@qq.com> ---
Created attachment 32461
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32461&action=edit
my connector configuration



[Bug 57573] Host Header Internal IP Address Disclosure

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
This is likely a configuration problem.

What software are you using as a reverse proxy? What does Tomcat's <Connector>
configuration look like?



[Bug 57573] Host Header Internal IP Address Disclosure

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573

--- Comment #3 from xinshouke <15...@qq.com> ---
I have not found any config about IP in my server.xml, just a 'localhost'.
I attached my server.xml as an attachment.



[Bug 57573] Host Header Internal IP Address Disclosure

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Konstantin Kolinko <kn...@gmail.com> ---

> Via:1.1 ID-0001544136376125 uproxy-2

http://tomcat.apache.org/tomcat-6.0-doc/proxy-howto.html

Also AFAIK, 218.201.202.225 is a public IP address.

Support questions must be asked on the users mailing list.
Bugzilla is not a support forum.
http://tomcat.apache.org/bugreport.html#Bugzilla_is_not_a_support_forum

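The thread's diagnosis is that the redirect's Location header names the proxy-facing address instead of the site's hostname, and Comment #4 points out that the address is public rather than internal. The check below is an added example, not code from the bug report, from Tomcat, or from any of the commenters: it parses a captured HTTP response head, pulls the host out of the Location header, and classifies it with Python's standard ipaddress module (public, private, loopback, hostname or relative), flagging the case where the redirect host differs from the Host the client asked for. The sample response is constructed from the headers pasted in the report, and the requested hostname `www.example.com` is an assumption.

```python
"""Classify what a redirect's Location header reveals about the origin.

Added example; not part of the Tomcat bug report or of Tomcat itself.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, modelled on the response headers pasted in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Connection: Keep-alive\r\n"
    "Content-Length: 0\r\n"
    "Location: http://218.201.202.225/seeyon/index.jsp\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Via: 1.1 ID-0001544136376125 uproxy-2\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP response head into a dict keyed by lower-cased name.

    The status line is skipped and the header block ends at the first blank
    line; only the first ':' separates name from value so URLs survive intact.
    """
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_location(raw_response, requested_host):
    """Describe the Location header of a captured response.

    requested_host is the hostname the client sent in its Host header
    (an assumption supplied by the caller).  Returns a dict with the raw
    Location value, the host it names, a kind label and a mismatch flag.
    """
    headers = parse_headers(raw_response)
    location = headers.get("location")
    if location is None:
        return {"location": None, "host": None, "kind": "none", "mismatch": False}

    host = urlsplit(location).hostname  # drops scheme, port, userinfo, brackets
    if host is None:
        # Relative redirect: the client reuses the host it already knows.
        return {"location": location, "host": None, "kind": "relative", "mismatch": False}

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        kind = "hostname"
    else:
        if addr.is_loopback:
            kind = "loopback-ip"
        elif addr.is_private:
            kind = "private-ip"  # RFC 1918 and similar ranges: an internal address leak
        else:
            kind = "public-ip"   # routable address, as in the report (218.201.202.225)

    return {
        "location": location,
        "host": host,
        "kind": kind,
        # A redirect naming a host other than the one requested is the symptom
        # to chase: Tomcat builds absolute redirect URLs from the Host header it
        # receives unless the Connector's proxyName/proxyPort override it.
        "mismatch": host.lower() != requested_host.lower(),
    }


if __name__ == "__main__":
    result = classify_location(SAMPLE_RESPONSE, "www.example.com")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run over a batch of captured responses, the `kind` field separates a genuinely internal address (private-ip, loopback-ip) from a public one that merely differs from the expected hostname; only the former is an information disclosure, while `mismatch` on its own points at proxy or Connector configuration rather than a Tomcat defect.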