Project

General

Profile

Actions

Bug #14394

closed

WEBrick server version disclosure

Added by Brandon Weeks over 8 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

WEBrick by default is configured with a verbose HTTP server header that includes key information about the server. While this isn't the most significant information disclosure vulnerability in isolation, the relative obscurity of WEBrick in production environments and the use of non-standard HTTP ports make identifying publicly facing Smart Proxy servers trivial. I was able to find ~400 publicly facing servers in a few minutes using Shodan.

Example header: "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
Shodan search: https://www.shodan.io/search?query=WEBrick+X-Cascade%3A+pass+port%3A"8443"


Related issues 1 (0 open1 closed)

Related to Smart Proxy - Feature #24631: Implement httpboot moduleClosedLukas ZapletalActions
Actions

Also available in: Atom PDF