Posted to issues@drill.apache.org by "Arina Ielchiieva (Jira)" <ji...@apache.org> on 2019/09/05 15:21:00 UTC

[jira] [Updated] (DRILL-7367) Remove Server details from response headers

     [ https://issues.apache.org/jira/browse/DRILL-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arina Ielchiieva updated DRILL-7367:
------------------------------------
    Description: 
Drill response headers include Server information, which is considered to be a vulnerability.
{noformat}
curl http://localhost:8047/cluster.json -v -k
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 12:47:53 GMT
< Content-Type: application/json
< Content-Length: 436
< Server: Jetty(9.3.25.v20180904)
...
{noformat}

https://pentest-tools.com/blog/essential-http-security-headers/

After the fix, the response headers should not include server information:
{noformat}
curl http://localhost:8047/cluster.json -v -k
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 13:55:25 GMT
< Content-Type: application/json
< Content-Length: 436
...
{noformat}
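For a standalone Jetty 9.x server (an added example, not Drill's own WebServer code; the class name, port and handler are assumptions), the Server header is suppressed by turning off the version flag on the HttpConfiguration that backs the connector:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

// Hypothetical standalone server, used only to illustrate the setting.
public class NoServerHeaderExample {

  public static HttpConfiguration hardenedHttpConfig() {
    HttpConfiguration httpConfig = new HttpConfiguration();
    // Default is true, which produces "Server: Jetty(9.3.25.v20180904)" on every response.
    httpConfig.setSendServerVersion(false);
    // Also stop Jetty from advertising itself through X-Powered-By.
    httpConfig.setSendXPoweredBy(false);
    return httpConfig;
  }

  public static void main(String[] args) throws Exception {
    Server server = new Server();
    // The configuration only takes effect when attached to the connector's
    // connection factory; a bare new Server(port) keeps the default config.
    ServerConnector connector =
        new ServerConnector(server, new HttpConnectionFactory(hardenedHttpConfig()));
    connector.setPort(8047); // assumed port, matching the curl session above
    server.addConnector(connector);

    server.setHandler(new AbstractHandler() {
      @Override
      public void handle(String target, Request baseRequest, HttpServletRequest request,
                         HttpServletResponse response) throws IOException, ServletException {
        response.setContentType("application/json");
        response.getWriter().print("{\"status\":\"ok\"}");
        baseRequest.setHandled(true);
      }
    });
    server.start();
    server.join();
  }
}
```

Re-running the same `curl -v` against this server shows the `Server:` line absent from the response headers.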

  was:
Drill response headers include Server information, which is considered to be a vulnerability.
{noformat}
curl http://localhost:8047/cluster.json -v -k
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 12:47:53 GMT
< Content-Type: application/json
< Content-Length: 436
< Server: Jetty(9.3.25.v20180904)
{noformat}

https://pentest-tools.com/blog/essential-http-security-headers/


> Remove Server details from response headers
> -------------------------------------------
>
>                 Key: DRILL-7367
>                 URL: https://issues.apache.org/jira/browse/DRILL-7367
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Major
>             Fix For: 1.17.0
>



--
This message was sent by Atlassian Jira
(v8.3.2#803003)