WEBrick server version disclosure
WEBrick by default is configured with a verbose HTTP server header that includes key information about the server. While this isn't the most significant information disclosure vulnerability in isolation, the relative obscurity of WEBrick in production environments and the use of non-standard HTTP ports make identifying publicly facing Smart Proxy servers trivial. I was able to find ~400 publicly facing servers in a few minutes using Shodan.
Example header: "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
Shodan search: https://www.shodan.io/search?query=WEBrick+X-Cascade%3A+pass+port%3A"8443"
#8 Updated by Lukas Zapletal over 2 years ago
- Triaged set to No
Setting it to an empty string breaks the Grub2 HTTP client for the HTTP UEFI boot feature (#24631), therefore we are putting this back, but we will not expose the WEBrick or OpenSSL versions, only the foreman-proxy version itself, which is publicly available via the /features endpoint anyway.
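The banner reported in the issue description and the fix described in the comment above, as an added example that is not Smart Proxy's or WEBrick's own code: it builds the `:ServerSoftware` option WEBrick uses for its `Server` header (a real WEBrick option; the `foreman-proxy/<version>` format and the sample version number are assumptions), and audits a raw HTTP response for the three states that matter here, the default verbose banner, an empty header that breaks the Grub2 client, and a product-only value.

```ruby
# Default WEBrick banner, e.g. "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
VERBOSE_BANNER = %r{WEBrick/\d|Ruby/\d|OpenSSL/\d}

# WEBrick copies the :ServerSoftware option into the Server response header, so
# overriding it when creating WEBrick::HTTPServer is all the hardening takes.
# The value stays non-empty on purpose: an empty Server header breaks the Grub2
# HTTP client used for UEFI HTTP boot (#24631). Header format is an assumption.
def hardened_webrick_options(proxy_version, port: 8443)
  raise ArgumentError, 'version must not be empty' if proxy_version.to_s.strip.empty?
  { Port: port, ServerSoftware: "foreman-proxy/#{proxy_version}" }
end

# Extract the Server header from a raw HTTP response (names are case-insensitive).
def server_header(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first
  head.each_line.map(&:chomp).each do |line|
    name, value = line.split(':', 2)
    return value.to_s.strip if name && name.casecmp?('server')
  end
  nil
end

# :leaks -> default WEBrick/Ruby/OpenSSL banner (the state this issue reports)
# :empty -> header missing or blank (breaks Grub2 HTTP UEFI boot)
# :ok    -> product name only, the state after the fix
def classify_server_header(raw_response)
  value = server_header(raw_response)
  return :empty if value.nil? || value.empty?
  value.match?(VERBOSE_BANNER) ? :leaks : :ok
end

# Constructed sample responses; the version "1.2.3" is a placeholder.
BEFORE_FIX = "HTTP/1.1 200 OK\r\nServer: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e\r\nContent-Length: 0\r\n\r\n"
AFTER_FIX  = "HTTP/1.1 200 OK\r\nServer: foreman-proxy/1.2.3\r\nContent-Length: 0\r\n\r\n"
BLANK      = "HTTP/1.1 200 OK\r\nServer: \r\nContent-Length: 0\r\n\r\n"

if __FILE__ == $0
  [BEFORE_FIX, AFTER_FIX, BLANK].each do |r|
    puts "#{server_header(r).inspect} => #{classify_server_header(r)}"
  end
end
```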