You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Joy Obba <jo...@gtbank.com> on 2013/09/18 11:04:21 UTC
Audit Exceptions on Apache
Hello Team,
Some security issues were raised by our audit team and these issues were
forwarded to security@apache.org.
We got a response from Mark Thomas from the Security team
Theses issues are listed below:
1. Banner Disclosure
We observed that the GTApplication web server disclosed the Apache
Coyote version in its HTTP response. The extracted version is:
Apache-Coyote/1.1
*Risk *
This information might help an attacker gain a greater
understanding of the systems in use and potentially develop further
attacks targeted at the specific version of Apache.
***Response *
Not a vulnerability in Apache Tomcat. Every currently supported version
of Apache Tomcat includes that information in the header. All it tells
an attacker is that you are running Apache Tomcat.
If you really want to change it, a configuration option to do that is
available on the connector.
2. The Character Set was not set.
The Character set (Charset) was not explicitly set by the server.
* Risk*
There is a risk that characters in content are incorrectly
interpreted by the server. Lack of charset can cause the browser to
guess the encoding type and this could lead to Cross-site Scripting by
encoding the payload in
encoding types like UTF-7.
* Response*
Not a vulnerability in Apache Tomcat. RFC2616 requires clients to treat
responses without a character encoding as being encoding with
ISO-8859-1. Clients that try to guess the charset are in breach of
RFC2616. Further that they might do so in an unsafe manner is a security
vulnerability in those clients and should be reported to the appropriate
vendor.
If the vendor(s) of the vulnerable client(s) are unwilling to fix this
vulnerability there are multiple ways that it could be mitigated. For
example, with a filter that always sets the character set.
Kindly send documents that will assist us in resolving these
vulnerabilities
Kind Regards
--
*Joy Obba *
Relationship Management, IT Service Management Group
Guaranty Trust Bank plc
------------------------------------------------------------------------
Guaranty Trust Bank plc
Plot 714 Adetokunbo Ademola Street, Victoria Island, Lagos, Nigeria.
*Tel: * +234-4484000 *| Web: * www.gtbank.com
*
Wouldn't you rather bank with us? *
Guaranty Trust Bank plc
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you have
received it in error, please notify the sender immediately and delete
the original. Any use of the email by you is prohibited. If you have
received this communication in error, please notify the author by
replying to this e-mail immediately.
Re: Audit Exceptions on Apache
Posted by Michael-O <19...@gmx.net>.
Am 2013-09-18 11:04, schrieb Joy Obba:
> Hello Team,
>
> Some security issues were raised by our audit team and these issues were
> forwarded to security@apache.org.
> We got a response from Mark Thomas from the Security team
> Theses issues are listed below:
>
> 1. Banner Disclosure
> We observed that the GTApplication web server disclosed the Apache Coyote
> version in its HTTP response. The extracted version is: Apache-Coyote/1.1
> *Risk *
> This information might help an attacker gain a greater understanding of
> the systems in use and potentially develop further attacks targeted at the
> specific version of Apache.
>
> ***Response *
>
> Not a vulnerability in Apache Tomcat. Every currently supported version
> of Apache Tomcat includes that information in the header. All it tells
> an attacker is that you are running Apache Tomcat.
>
> If you really want to change it, a configuration option to do that is
> available on the connector.
I absolutely agree with Mark. Security by obscurity has never worked out
and you should not rely on.
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Audit Exceptions on Apache
Posted by Obba Joy <jo...@yahoo.com>.
Hello David,
Kindly assist with the documentation I need to use
Regards
________________________________
From: David kerber <dc...@verizon.net>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wednesday, September 18, 2013 2:09 PM
Subject: Re: Audit Exceptions on Apache
On 9/18/2013 5:04 AM, Joy Obba wrote:
> Hello Team,
>
> Some security issues were raised by our audit team and these issues were
> forwarded to security@apache.org.
> We got a response from Mark Thomas from the Security team
> Theses issues are listed below:
>
> 1. Banner Disclosure
> We observed that the GTApplication web server disclosed the Apache
> Coyote version in its HTTP response. The extracted version is:
> Apache-Coyote/1.1
> *Risk *
> This information might help an attacker gain a greater
> understanding of the systems in use and potentially develop further
> attacks targeted at the specific version of Apache.
>
> ***Response *
>
> Not a vulnerability in Apache Tomcat. Every currently supported version
> of Apache Tomcat includes that information in the header. All it tells
> an attacker is that you are running Apache Tomcat.
>
> If you really want to change it, a configuration option to do that is
> available on the connector.
>
> 2. The Character Set was not set.
> The Character set (Charset) was not explicitly set by the server.
> * Risk*
> There is a risk that characters in content are incorrectly
> interpreted by the server. Lack of charset can cause the browser to
> guess the encoding type and this could lead to Cross-site Scripting by
> encoding the payload in
> encoding types like UTF-7.
>
> * Response*
>
> Not a vulnerability in Apache Tomcat. RFC2616 requires clients to treat
> responses without a character encoding as being encoding with
> ISO-8859-1. Clients that try to guess the charset are in breach of
> RFC2616. Further that they might do so in an unsafe manner is a security
> vulnerability in those clients and should be reported to the appropriate
> vendor.
>
> If the vendor(s) of the vulnerable client(s) are unwilling to fix this
> vulnerability there are multiple ways that it could be mitigated. For
> example, with a filter that always sets the character set.
>
>
> Kindly send documents that will assist us in resolving these
> vulnerabilities
I think Mark's responses above tell you what you need to know in order
to resolve these. Just look in the documentation for the implementation
details.
D
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Audit Exceptions on Apache
Posted by David kerber <dc...@verizon.net>.
On 9/18/2013 5:04 AM, Joy Obba wrote:
> Hello Team,
>
> Some security issues were raised by our audit team and these issues were
> forwarded to security@apache.org.
> We got a response from Mark Thomas from the Security team
> Theses issues are listed below:
>
> 1. Banner Disclosure
> We observed that the GTApplication web server disclosed the Apache
> Coyote version in its HTTP response. The extracted version is:
> Apache-Coyote/1.1
> *Risk *
> This information might help an attacker gain a greater
> understanding of the systems in use and potentially develop further
> attacks targeted at the specific version of Apache.
>
> ***Response *
>
> Not a vulnerability in Apache Tomcat. Every currently supported version
> of Apache Tomcat includes that information in the header. All it tells
> an attacker is that you are running Apache Tomcat.
>
> If you really want to change it, a configuration option to do that is
> available on the connector.
>
> 2. The Character Set was not set.
> The Character set (Charset) was not explicitly set by the server.
> * Risk*
> There is a risk that characters in content are incorrectly
> interpreted by the server. Lack of charset can cause the browser to
> guess the encoding type and this could lead to Cross-site Scripting by
> encoding the payload in
> encoding types like UTF-7.
>
> * Response*
>
> Not a vulnerability in Apache Tomcat. RFC2616 requires clients to treat
> responses without a character encoding as being encoding with
> ISO-8859-1. Clients that try to guess the charset are in breach of
> RFC2616. Further that they might do so in an unsafe manner is a security
> vulnerability in those clients and should be reported to the appropriate
> vendor.
>
> If the vendor(s) of the vulnerable client(s) are unwilling to fix this
> vulnerability there are multiple ways that it could be mitigated. For
> example, with a filter that always sets the character set.
>
>
> Kindly send documents that will assist us in resolving these
> vulnerabilities
I think Mark's responses above tell you what you need to know in order
to resolve these. Just look in the documentation for the implementation
details.
D
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org