X-Powered-By: Undertow/1

Article ID: 228577

Products

CA Identity Suite

Issue/Introduction

Description
X-Powered-By headers provide no benefit and leak supported technologies and version information.


Additional Resources: 
CWE Microsoft OWASP WASC


Recommendations
In PHP remove the X-Powered-By header by setting "expose_php = Off". More information can be found at http://www.php.net/manual/en/ini.core.php. For Apache Tomcat set the xpoweredBy attribute to "false" in the http connector. More information can be found at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html. For Microsoft IIS, remove the X-Powered-By header from the HTTP Headers tab of the Web Site Properties dialog. More information can be found at http://www.4guysfromrolla.com/articles/120209-1.aspx#postadlink. For other application servers, consult documentation to determine how to disable extraneous headers.

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

 

xpoweredBy

Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification. The default value is false.

Environment

Release : 14.3

Component : Virtual Appliance

Resolution

If you have a Red Hat login, please see the link below.

https://access.redhat.com/solutions/2740891

More information.

https://www.cvedetails.com/cve/CVE-2014-7816/

Please note: per our engineering team's review, this cannot be exploited in Virtual Appliance.


Based on the articles and PDF above, you can either remove or rename the header.

To Remove:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove

To Rename:
/subsystem=undertow/configuration=filter/response-header=server-header:write-attribute(name=header-value,value=foo)
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:write-attribute(name=header-value,value=bar)

You will need to add the jbossuser user on the vApp. This is done from the CLI with add-user.sh. The session below is from the vApp CLI; the commands to run are the ones typed after the prompt (sudo ./add-user.sh, then ./jboss-cli.sh and connect). Please make a full backup of your system before making changes.

You must run add-user.sh with sudo and create a new management console user. I created a new user, "jbossuser"; you can choose whatever username and password you need.

 

[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin > ls
add-user.bat         init.d                        standalone.bat
add-user.properties  jboss-cli.bat                 standalone.conf
add-user.sh          jboss-cli-logging.properties  standalone.conf.bat
appclient.bat        jboss-cli.sh                  standalone.conf.NOT_IN_USE
appclient.conf       jboss-cli.xml                 standalone.sh
appclient.conf.bat   jconsole.bat                  vault.bat
appclient.sh         jconsole.sh                   vault.sh
client               jdr.bat                       wsconsume.bat
domain.bat           jdr.sh                        wsconsume.sh
domain.conf          run.bat                       wsprovide.bat
domain.conf.bat      run.sh                        wsprovide.sh
domain.sh            service
[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin >              

[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin > sudo ./add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a):

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : jbossuser
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password should be different from the username
Password :
JBAS015266: Password must have at least 1 digit.
Are you sure you want to use the password entered yes/no? y
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
About to add user 'jbossuser' for realm 'ManagementRealm'
Is this correct yes/no? y
Added user 'jbossuser' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user 'jbossuser' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user 'jbossuser' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user 'jbossuser' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'

Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? n
[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin >
[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin >
[email protected] VAPP-14.3.0 (10.17.112.96):/opt/CA/wildfly-idm/bin > ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
Authenticating against security realm: ManagementRealm
Username: jbossuser
Password:


Once the user is created and you are connected, use the commands below to remove or rename the headers.

To Remove:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove

To Rename:
/subsystem=undertow/configuration=filter/response-header=server-header:write-attribute(name=header-value,value=foo)
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:write-attribute(name=header-value,value=bar)
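
To confirm the result of either change, the response headers can be checked after the fact. The script below is an added example, not part of the original article or the product: the function name check_disclosure_headers, the sample responses and the value ExampleServer/1.0 are constructed for illustration, while Undertow/1, foo and bar are the values used in this article. It reads raw response headers on stdin (for example the output of curl -sI against the application URL) and separates headers that still advertise a product/version token from headers that are present but renamed.

```shell
#!/bin/sh
# Added example: audit HTTP response headers for technology disclosure.
# Reads a raw header block on stdin. Prints one line per Server or
# X-Powered-By header found:
#   LEAK     value looks like product/version (e.g. Undertow/1)
#   PRESENT  header exists but carries no product/version token (renamed)
# Exit status is 1 if any LEAK line was printed, 0 otherwise.
check_disclosure_headers() {
    awk '
    {
        sub(/\r$/, "")                    # tolerate CRLF line endings
        colon = index($0, ":")
        if (colon == 0) next              # status line or blank line
        name  = tolower(substr($0, 1, colon - 1))   # header names are case-insensitive
        value = substr($0, colon + 1)
        if (name != "server" && name != "x-powered-by") next
        if (value ~ /[A-Za-z][A-Za-z0-9._-]*\/[0-9]/) {
            print "LEAK    " $0
            leak = 1
        } else {
            print "PRESENT " $0
        }
    }
    END { exit (leak ? 1 : 0) }
    '
}

# Constructed sample responses (not captured from a real system).
# Before the change: both headers advertise a product and version.
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: ExampleServer/1.0\r\nx-powered-by: Undertow/1\r\nContent-Type: text/html\r\n')
# After the "To Rename" commands: headers remain, values are foo and bar.
SAMPLE_RENAMED=$(printf 'HTTP/1.1 200 OK\r\nServer: foo\r\nX-Powered-By: bar\r\nContent-Type: text/html\r\n')
# After the "To Remove" commands: neither header is sent.
SAMPLE_REMOVED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

for sample in "$SAMPLE_BEFORE" "$SAMPLE_RENAMED" "$SAMPLE_REMOVED"; do
    if printf '%s\n' "$sample" | check_disclosure_headers; then
        echo "result: no product/version disclosed"
    else
        echo "result: disclosure headers still present"
    fi
    echo "---"
done
```

A PRESENT line after renaming is expected; whether a renamed header is acceptable or the header should be removed entirely depends on what the scanner or policy in use requires.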