Posted to issues@drill.apache.org by "Arina Ielchiieva (Jira)" <ji...@apache.org> on 2019/09/05 15:21:00 UTC
[jira] [Updated] (DRILL-7367) Remove Server details from response headers
[ https://issues.apache.org/jira/browse/DRILL-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arina Ielchiieva updated DRILL-7367:
------------------------------------
Description:
Drill response headers include Server information, which is considered to be a vulnerability.
{noformat}
curl http://localhost:8047/cluster.json -v -k
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 12:47:53 GMT
< Content-Type: application/json
< Content-Length: 436
< Server: Jetty(9.3.25.v20180904)
...
{noformat}
https://pentest-tools.com/blog/essential-http-security-headers/
After the fix, headers should be without server information:
{noformat}
curl http://localhost:8047/cluster.json -v -k
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 13:55:25 GMT
< Content-Type: application/json
< Content-Length: 436
...
{noformat}
was:
Drill response headers include Server information, which is considered to be a vulnerability.
{noformat}
curl http://localhost:8047/cluster.json -v -k
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8047 (#0)
> GET /cluster.json HTTP/1.1
> Host: localhost:8047
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 12:47:53 GMT
< Content-Type: application/json
< Content-Length: 436
< Server: Jetty(9.3.25.v20180904)
{noformat}
https://pentest-tools.com/blog/essential-http-security-headers/
> Remove Server details from response headers
> -------------------------------------------
>
> Key: DRILL-7367
> URL: https://issues.apache.org/jira/browse/DRILL-7367
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.16.0
> Reporter: Arina Ielchiieva
> Assignee: Arina Ielchiieva
> Priority: Major
> Fix For: 1.17.0
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
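The ticket shows the before/after curl output but not the change itself. The following is an added example, not Drill's code and not necessarily the fix that shipped in 1.17.0: it demonstrates the Jetty-level switch that controls the "Server: Jetty(...)" header, builds one server with the default (header sent) and one with the header suppressed, and checks both over HTTP. It assumes Jetty 9.x (org.eclipse.jetty:jetty-server) and the Servlet API on the classpath; the class and method names ServerHeaderCheck, newServer and fetchServerHeader are this example's own.

```java
// Added example, not part of the Jira ticket or the Drill code base.
// Assumes Jetty 9.x: org.eclipse.jetty.server.HttpConfiguration has
// setSendServerVersion(boolean) (default true) and setSendXPoweredBy(boolean).
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ServerHeaderCheck {

    /** Builds a server on an ephemeral port; hideServer toggles the hardening. */
    static Server newServer(boolean hideServer) {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        // Weak (Jetty default, true): every response carries "Server: Jetty(9.x.y)".
        // Hardened (false): the header is omitted entirely.
        config.setSendServerVersion(!hideServer);
        // Same idea for the optional "X-Powered-By: Jetty(...)" header.
        config.setSendXPoweredBy(false);

        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(0); // let the OS pick a free port
        server.addConnector(connector);

        // Minimal handler standing in for Drill's /cluster.json endpoint (constructed here).
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request base, HttpServletRequest req,
                               HttpServletResponse resp) throws IOException {
                resp.setContentType("application/json");
                resp.getWriter().write("{}");
                base.setHandled(true);
            }
        });
        return server;
    }

    /** Performs one GET and returns the Server header value, or null if absent. */
    static String fetchServerHeader(Server server) throws IOException {
        int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
        URL url = new URL("http://localhost:" + port + "/cluster.json");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            conn.getResponseCode(); // forces the request; status is not the point here
            return conn.getHeaderField("Server");
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean hide : new boolean[] {false, true}) {
            Server server = newServer(hide);
            server.start();
            try {
                String value = fetchServerHeader(server);
                System.out.println("sendServerVersion=" + !hide
                        + " -> Server header: " + (value == null ? "<absent>" : value));
            } finally {
                server.stop();
            }
        }
    }
}
```

The same check the ticket runs by hand (curl -v and reading the "<" response lines) is what fetchServerHeader automates, so the second run should print "<absent>" and the first the Jetty version string. Removing the header only stops the trivial disclosure; the embedded Jetty can still be fingerprinted from its behaviour, so keep it patched rather than relying on the hidden banner.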