Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/02/12 05:27:20 UTC
[Bug 57573] New: Host Header Internal IP Address Disclosure
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573
Bug ID: 57573
Summary: Host Header Internal IP Address Disclosure
Product: Tomcat 6
Version: 6.0.4
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: 1599409001@qq.com
I upgraded my Tomcat server to 6.0.41. When I accessed the web site using Chrome,
there were some response headers in developer tools as below. The security team
said this was a risk and asked that the IP in the Location parameter be hidden. Would
you like to correct the issue?
----------the response header from my web site----------------
Response Headers
Connection:Keep-alive
Content-Language:zh-CN
Content-Length:0
Content-Type:text/html;charset=UTF-8
Date:Thu, 12 Feb 2015 03:59:20 GMT
Keep-Alive:timeout=15, max=100
Location:http://218.201.202.225/seeyon/index.jsp
Server:Apache-Coyote/1.1
Via:1.1 ID-0001544136376125 uproxy-2
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57573] Host Header Internal IP Address Disclosure
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573
xinshouke <15...@qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |1599409001@qq.com
--- Comment #2 from xinshouke <15...@qq.com> ---
Created attachment 32461
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32461&action=edit
my connector configuration
[Bug 57573] Host Header Internal IP Address Disclosure
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
This is likely a configuration problem.
What software are you using as a reverse proxy? What does Tomcat's <Connector>
configuration look like?
[Bug 57573] Host Header Internal IP Address Disclosure
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573
--- Comment #3 from xinshouke <15...@qq.com> ---
I did not find any config about an IP in my server.xml, just a 'localhost'.
I attached my server.xml in the attachment.
[Bug 57573] Host Header Internal IP Address Disclosure
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57573
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |RESOLVED
Resolution|--- |INVALID
--- Comment #4 from Konstantin Kolinko <kn...@gmail.com> ---
> Via:1.1 ID-0001544136376125 uproxy-2
http://tomcat.apache.org/tomcat-6.0-doc/proxy-howto.html
Also AFAIK, 218.201.202.225 is a public IP address.
Support questions must be asked on the users mailing list.
Bugzilla is not a support forum.
http://tomcat.apache.org/bugreport.html#Bugzilla_is_not_a_support_forum
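An added example, not part of the original thread or of Tomcat: a small check that classifies the host in a redirect's Location header, so a finding like the one reported can be triaged as internal-address disclosure or not. The function names are hypothetical, and treating private, loopback and link-local ranges as "internal" is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a subset of the response headers quoted in the report.
SAMPLE_HEADERS = """\
Connection:Keep-alive
Content-Length:0
Location:http://218.201.202.225/seeyon/index.jsp
Server:Apache-Coyote/1.1
Via:1.1 ID-0001544136376125 uproxy-2
"""


def parse_headers(raw):
    """Parse 'Name:value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_location(raw_headers):
    """Return (host, verdict) for the Location header of one response.

    verdict is one of: 'no-location', 'relative', 'hostname',
    'public-ip', 'internal-ip'.
    """
    location = parse_headers(raw_headers).get("location")
    if location is None:
        return None, "no-location"
    host = urlsplit(location).hostname
    if host is None:  # e.g. "/seeyon/index.jsp", no authority part
        return None, "relative"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an address literal
        return host, "hostname"
    # Assumption: these ranges are what a reviewer means by "internal".
    internal = addr.is_private or addr.is_loopback or addr.is_link_local
    return host, "internal-ip" if internal else "public-ip"


if __name__ == "__main__":
    print(classify_location(SAMPLE_HEADERS))
```
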