Bug #14394

WEBrick server version disclosure

Added by Brandon Weeks over 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

WEBrick by default is configured with a verbose HTTP server header that includes key information about the server. While this isn't the most significant information disclosure vulnerability in isolation, the relative obscurity of WEBrick in production environments and the use of non-standard HTTP ports make identifying publicly facing Smart Proxy servers trivial. I was able to find ~400 publicly facing servers in a few minutes using Shodan.

Example header: "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
Shodan search: https://www.shodan.io/search?query=WEBrick+X-Cascade%3A+pass+port%3A"8443"


Related issues

Related to Smart Proxy - Feature #24631: Implement httpboot module (Closed)

Associated revisions

Revision 97dd5257 (diff)
Added by Shlomi Zadok almost 4 years ago

Fixes #14394 - Undisclose WEBrick server version

History

#1 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Brandon Weeks
  • Pull request https://github.com/theforeman/smart-proxy/pull/402 added

#2 Updated by The Foreman Bot almost 4 years ago

  • Pull request https://github.com/theforeman/smart-proxy/pull/482 added

#3 Updated by Shlomi Zadok almost 4 years ago

  • Assignee changed from Brandon Weeks to Shlomi Zadok
  • Bugzilla link set to 1404867
  • Pull request deleted (https://github.com/theforeman/smart-proxy/pull/402)

#4 Updated by Shlomi Zadok almost 4 years ago

  • Target version set to 1.10.1

#5 Updated by Shlomi Zadok almost 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Dominic Cleal almost 4 years ago

  • Legacy Backlogs Release (now unused) set to 209

#7 Updated by Lukas Zapletal over 2 years ago

#8 Updated by Lukas Zapletal over 2 years ago

  • Triaged set to No

Setting it to an empty string breaks the Grub2 HTTP client for the HTTP UEFI BOOT feature (#24631), therefore we are putting this back, but we will not expose the WEBrick or OpenSSL versions, but the foreman-proxy version itself, which is publicly available via the /features endpoint anyway.
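As an added example (not Smart Proxy's own code), the following Ruby script audits a Server header the way this report and comment #8 describe: it parses the WEBrick-style header, including the parenthesised comment that carries the Ruby version, and reports which products still reveal a version while treating the proxy's own version as deliberately published. The sample header strings, the `foreman-proxy/1.10.1` value and the `fetch_server_header` helper are assumptions of the example.

```ruby
require 'net/http'
require 'uri'
# Constructed sample headers: the one quoted in this report, and the shape
# comment #8 settled on (only the proxy's own version; "1.10.1" is a placeholder).
DISCLOSING_HEADER = 'WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e'.freeze
HARDENED_HEADER   = 'foreman-proxy/1.10.1'.freeze
Product = Struct.new(:name, :version, :in_comment)

def product_from(token, in_comment)
  name, version = token.split('/', 2)   # "Ruby/2.0.0/2014-11-13" -> "Ruby", "2.0.0/2014-11-13"
  Product.new(name, version, in_comment)
end

# Split a Server header into product tokens (name[/version]) and scan the
# parenthesised comments as well, since WEBrick hides the Ruby version in one.
def parse_server_header(value)
  products = []
  value.to_s.scan(/\(([^)]*)\)|([^\s()]+)/) do |comment, token|
    if comment
      comment.split(/\s+/).reject(&:empty?).each { |t| products << product_from(t, true) }
    else
      products << product_from(token, false)
    end
  end
  products
end

# Names of products that reveal a version (any digit in the version part),
# minus those you have deliberately chosen to publish, such as the proxy itself.
def disclosed_versions(header, allow: [])
  parse_server_header(header)
    .select { |p| p.version.to_s.match?(/\d/) && !allow.include?(p.name) }
    .map(&:name)
end

# HEAD-request a server you operate and return its Server header (nil if absent).
def fetch_server_header(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.head(uri.path.empty? ? '/' : uri.path)['Server']
end

if $PROGRAM_NAME == __FILE__
  header = ARGV[0] ? fetch_server_header(ARGV[0]) : DISCLOSING_HEADER
  leaks = disclosed_versions(header, allow: ['foreman-proxy'])
  puts "Server: #{header.inspect} -> versions leaked for: #{leaks.inspect}"
end
```

Run it with your own proxy URL as the argument to check a live header; for a proxy signed by a private CA, set `http.ca_file` inside `fetch_server_header` first.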
