Pen test results - HTTP Header Information Disclosure

Article ID: 228163

Products

CA Identity Suite

Issue/Introduction

VApp 14.3 CP2

HTTP Header Information Disclosure – Page 43

- Response headers can be checked in Chrome’s DevTools.
- Open Chrome’s DevTools (Option+Cmd+J on Mac, Shift+Ctrl+J on Windows/Linux).
- Navigate to the “Network” tab.
- In the browser, request the URL used in the example.
- As the page loads, select a request item for inspection by clicking it in the left-hand column.
- Select the “Headers” tab in the right-hand pane.
- Expand the “Response Headers” section.
- Find the “X-Powered-By:” header.

Environment

Release : 14.3

Component : Virtual Appliance

Resolution

From the vApp side this will not be changed at this time. If you have a Red Hat login, see the links below.

https://access.redhat.com/solutions/2740891

https://www.cvedetails.com/cve/CVE-2014-7816/

You will find two options: remove the header or rename it.

To Remove:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove

To Rename:
/subsystem=undertow/configuration=filter/response-header=server-header:write-attribute(name=header-value,value=foo)
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:write-attribute(name=header-value,value=bar)

You will need to add a management user on the vApp. This is done from the vApp command line with add-user.sh; the session below is from the vApp CLI, and the commands typed are 'ls', 'sudo ./add-user.sh' and './jboss-cli.sh' (everything else is program output).

Run 'sudo ./add-user.sh' and create a new management console user. In this example the user is named "jbossuser"; choose whatever username and password you need.

[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin > ls
add-user.bat         init.d                        standalone.bat
add-user.properties  jboss-cli.bat                 standalone.conf
add-user.sh          jboss-cli-logging.properties  standalone.conf.bat
appclient.bat        jboss-cli.sh                  standalone.conf.NOT_IN_USE
appclient.conf       jboss-cli.xml                 standalone.sh
appclient.conf.bat   jconsole.bat                  vault.bat
appclient.sh         jconsole.sh                   vault.sh
client               jdr.bat                       wsconsume.bat
domain.bat           jdr.sh                        wsconsume.sh
domain.conf          run.bat                       wsprovide.bat
domain.conf.bat      run.sh                        wsprovide.sh
domain.sh            service
[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin >

[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin > sudo ./add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a):

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : jbossuser
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password should be different from the username
Password :
JBAS015266: Password must have at least 1 digit.
Are you sure you want to use the password entered yes/no? y
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
About to add user 'jbossuser' for realm 'ManagementRealm'
Is this correct yes/no? y
Added user 'jbossuser' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user 'jbossuser' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user 'jbossuser' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user 'jbossuser' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'

Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? n
[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin >
[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin >
[email protected] (10.0.0.9):/opt/CA/wildfly-idm/bin > ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
Authenticating against security realm: ManagementRealm
Username: jbossuser
Password:

Once connected, use the commands above to rename or remove the headers.
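As an added verification step (not part of this article or the vApp itself), the POSIX shell function below scans a raw HTTP response for the Server and X-Powered-By headers the pen test reported, so the result of the jboss-cli change can be confirmed; the sample responses are constructed and the curl URL is a placeholder.

```shell
#!/bin/sh
# Added example, not from the KB article: flag the response headers the pen
# test reported (Server, X-Powered-By) so the Undertow change can be verified.

# disclosing_headers RAW_RESPONSE_HEADERS
#   Prints every Server / X-Powered-By header line found (case-insensitive).
disclosing_headers() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        # Header lines look like "Name: value"; compare the name in lower case.
        /^[A-Za-z0-9-]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == "server" || name == "x-powered-by") print
        }'
}

# header_check RAW_RESPONSE_HEADERS
#   Returns 0 when neither header is present, 1 (and lists them) otherwise.
header_check() {
    found=$(disclosing_headers "$1")
    if [ -n "$found" ]; then
        printf 'Information disclosure still present:\n%s\n' "$found"
        return 1
    fi
    echo "OK: no Server / X-Powered-By headers in response"
    return 0
}

# Constructed sample responses (not captured from a real vApp).
BEFORE='HTTP/1.1 200 OK
Server: WildFly/8
X-Powered-By: Undertow/1
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Content-Type: text/html'

# Offline demonstration. For a live check against your appliance, replace the
# sample with:  header_check "$(curl -sI https://vapp.example/)"   (placeholder URL)
header_check "$BEFORE" || echo "(expected: headers present before the change)"
header_check "$AFTER"
```

After the rename option the check still lists both headers, now carrying the values set with write-attribute (foo and bar in the commands above); that is the expected result, since renaming only hides the product name while removing the filter-ref takes the header out of the response entirely.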