Bug #14394
closed
WEBrick server version disclosure
Description
WEBrick by default is configured with a verbose HTTP server header that includes key information about the server. While this isn't the most significant information disclosure vulnerability in isolation, the relative obscurity of WEBrick in production environments and the use of non-standard HTTP ports make identifying publicly facing Smart Proxy servers trivial. I was able to find ~400 publicly facing servers in a few minutes using Shodan.
Example header: "WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e"
Shodan search: https://www.shodan.io/search?query=WEBrick+X-Cascade%3A+pass+port%3A"8443"
Updated by The Foreman Bot about 8 years ago
- Status changed from New to Ready For Testing
- Assignee set to Brandon Weeks
- Pull request https://github.com/theforeman/smart-proxy/pull/402 added
Updated by The Foreman Bot over 7 years ago
- Pull request https://github.com/theforeman/smart-proxy/pull/482 added
Updated by Shlomi Zadok over 7 years ago
- Assignee changed from Brandon Weeks to Shlomi Zadok
- Bugzilla link set to 1404867
- Pull request deleted (
https://github.com/theforeman/smart-proxy/pull/402)
Updated by Shlomi Zadok over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 97dd5257a881028b2d9154dd634326793460dd33.
Updated by Dominic Cleal over 7 years ago
- translation missing: en.field_release set to 209
Updated by Lukas Zapletal over 5 years ago
- Related to Feature #24631: Implement httpboot module added
Updated by Lukas Zapletal over 5 years ago
- Triaged set to No
Setting it to empty string breaks Grub2 HTTP client for HTTP UEFI BOOT feature (#24631) therefore we are putting this back, but we will not expose webrick or openssl versions, but foreman-proxy version itself, which is publicly available via /features endpoint anyway.