Bug #14394: WEBrick server version disclosure - Smart Proxy - Foreman

Actions

Copy link

Bug #14394

closed

WEBrick server version disclosure

Added by Brandon Weeks almost 9 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Shlomi Zadok

Category:

Security

Target version:

1.15.0

Difficulty:

Triaged:

Bugzilla link:

1404867

Pull request:

https://github.com/theforeman/smart-proxy/pull/482

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

WEBrick by default is configured with a verbose HTTP server header that includes key information about the server. While this isn't the most significant information disclosure vulnerability in isolation, the relative obscurity of WEBrick in production environments and the use of non-standard HTTP ports make identifying publicly facing Smart Proxy servers trivial. I was able to find ~400 publicly facing servers in a few minutes using Shodan.

Example header: "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
Shodan search: https://www.shodan.io/search?query=WEBrick+X-Cascade%3A+pass+port%3A"8443"

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Foreman » Smart Proxy

Custom queries

Bug #14394

WEBrick server version disclosure

Updated by The Foreman Bot almost 9 years ago

Updated by The Foreman Bot about 8 years ago

Updated by Shlomi Zadok about 8 years ago

Updated by Shlomi Zadok about 8 years ago

Updated by Shlomi Zadok about 8 years ago

Updated by Dominic Cleal about 8 years ago

Updated by Lukas Zapletal over 6 years ago

Updated by Lukas Zapletal over 6 years ago