IP Address Disclosure

[ Sorry - previous message posted with wrong subject]

We had a pen test performed on our external facing hosts and the Djigzo
appliance (2.4.0.3) had a finding where the internal IP address was
disclosed by performing an HTTP 1.0 GET request (redirect response link
shows IP rather than hostname). Do you have any guidance on how to set the
response to return the hostname?

Thanks

Can you post your security scan details please?

Thanks,
B

On Tue, Feb 5, 2013 at 10:34 AM, bentscrewdriver <bentscrewdriver(a)gmail.com>wrote:

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

FYI,

The internal IP address is added by Tomcat. With HTTP 1.1, the browser
sends the hostname with the request. HTTP 1.0 however works differently
since HTTP 1.0 has no notion of hostname.

See for example this link for some background info:

https://issues.jboss.org/browse/JBAS-5507?page=all

The best way to solve this is by setting the proxyName attribute on the
HTTP connector (in /etc/tomcat6/server.xml):

<Service name="Catalina">
     <Connector port="8080" maxHttpHeaderSize="8192"
         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
         enableLookups="false" disableUploadTimeout="true"
         acceptCount="100" scheme="http"
         proxyName="example.com" />   <!-- proxyName: the external hostname -->

The proxyName should be equal to the name of the external IP address (or
the external IP address if there is no A record for the external IP address)

Also make sure that the proxyName is set on the HTTPS connector.

I will see whether I can make this a user configurable option from the
commandline interface.

Kind regards,

Martijn Brinkers

--
DJIGZO email encryption
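A re-test script for the finding discussed above, added here as an example; it is not code from this thread or from the Djigzo project. It sends the same kind of HTTP/1.0 GET that carries no Host header, parses the redirect, and reports when the Location header points at a private, loopback or link-local address instead of a hostname. The target hostname, port, path and the two sample responses are constructed for the example; only probe() touches the network, everything else runs offline.

```python
"""Re-test for the redirect-based internal IP disclosure discussed above."""
import ipaddress
import socket
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_request(path: str = "/", host: Optional[str] = None) -> bytes:
    """Build the raw request.  With no host an HTTP/1.0 request is produced,
    which carries no Host header: the server then has only its own socket
    address to put into an absolute redirect URL.  With a host an HTTP/1.1
    request is produced for comparison."""
    if host is None:
        return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into its status code and a lower-cased
    header dictionary (the body is ignored)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def leaked_internal_ip(raw: bytes) -> Optional[str]:
    """Return the internal address disclosed in a redirect's Location header,
    or None if the response is not a redirect, the Location carries a host
    name (the fixed state), is relative, or names a public IP."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname
    if host is None:          # relative Location, nothing to disclose
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:        # a host name, which is the desired outcome
        return None
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


def probe(host: str, port: int = 443, path: str = "/",
          use_tls: bool = True, timeout: float = 5.0) -> Optional[str]:
    """Send the HTTP/1.0 request to a live host and report a leaked address.
    Certificate verification is disabled because an appliance may present a
    self-signed certificate, and no SNI is sent, so the server sees no
    hostname at any layer (the host/port defaults are assumptions)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock)
    with sock:
        sock.sendall(build_request(path))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except (ssl.SSLError, socket.timeout):
                break     # unclean TLS shutdown or slow server: use what we have
            if not data:
                break
            chunks.append(data)
    return leaked_internal_ip(b"".join(chunks))


# Constructed sample responses (not captured from a real appliance): the
# first reproduces the finding, the second is what a host with proxyName
# set returns.
RESPONSE_BEFORE_FIX = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: http://192.168.10.25:8080/app/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESPONSE_AFTER_FIX = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://mail.example.com/app/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        leak = probe(sys.argv[1])
        print(f"{sys.argv[1]}: {leak or 'no internal address disclosed'}")
    else:
        print("before fix:", leaked_internal_ip(RESPONSE_BEFORE_FIX))
        print("after fix: ", leaked_internal_ip(RESPONSE_AFTER_FIX))
```

Run it with the external hostname as the only argument to re-test a host; with no argument it evaluates the two constructed responses. The check deliberately treats only literal private, loopback and link-local addresses as a disclosure, so a redirect to the public address (the fallback the reply above suggests when there is no A record) passes.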

I have implemented the solution outlined in Martijn's post and my
testing reveals that it now properly returns the hostname rather than
internal IP. I had the finding re-tested by the org performing the pen
test and they too found that the IP disclosure is now fixed.

It should be noted that this is the only finding they found on this
host, and it was rated low, so I now have a clean bill of health.

Thanks!

On Wed, Feb 6, 2013 at 9:55 AM, Martijn Brinkers <martijn(a)djigzo.com> wrote: