CWE 526 Information Exposure Through Environmental Variables
Web Server Publishing details
URL: https://AdminUI01.Broadcom.com:8443/iam/siteminder/console/ui7/index.jsp
PARAMETER: X-Powered-By: JSP/2.3
Release : 12.8.04
This web server appears to be in a default configuration. Default configurations of web servers often provide too much information about their platform and version in HTTP headers and on error pages. This data is not itself dangerous, but it can help an attacker focus on vulnerabilities associated with your specific web server platform/version.
Remediation: Configure your web server to avoid having it announce its own details.
1) Log on to the Siteminder AdminUI
2) Browse to the following location:
<Install_Dir>/adminui/standalone/config/configuration/
3) Create a backup of the "standalone-full.xml" file
4) Locate the following section:
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-security-domain="other" default-server="default-server" default-servlet-container="default" default-virtual-host="default-host">
5) Within the 'subsystem' listed (above) locate the following:
<servlet-container name="default">
6) Make the following changes:
<servlet-container name="default">
    <jsp-config x-powered-by="false"/>
    <websockets/>
</servlet-container>
7) Save the changes to the 'standalone-full.xml' file
8) Stop, then start the Siteminder AdminUI.
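
To check the edit from step 6 before restarting, the following added example (not part of the original article or any Broadcom tooling) parses standalone-full.xml and lists every Undertow servlet-container that lacks x-powered-by="false". The sample XML and the container name "legacy" are constructed, and treating a missing jsp-config element or attribute as "header enabled" is an assumption.

```python
import xml.etree.ElementTree as ET

UNDERTOW_NS_PREFIX = "urn:jboss:domain:undertow:"

# Constructed sample: trimmed-down standalone-full.xml with one hardened
# and one default servlet container ("legacy" is a made-up name).
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server">
      <servlet-container name="default">
        <jsp-config x-powered-by="false"/>
        <websockets/>
      </servlet-container>
      <servlet-container name="legacy">
        <jsp-config/>
      </servlet-container>
    </subsystem>
  </profile>
</server>"""


def containers_advertising_jsp(xml_text):
    """Return names of Undertow servlet containers that would still send
    X-Powered-By: JSP/x.y, i.e. lack <jsp-config x-powered-by="false"/>."""
    root = ET.fromstring(xml_text)
    exposed = []
    for elem in root.iter():
        # Tags look like "{namespace}local"; match any undertow schema version.
        if not elem.tag.startswith("{" + UNDERTOW_NS_PREFIX):
            continue
        ns, local = elem.tag[1:].split("}", 1)
        if local != "servlet-container":
            continue
        jsp = elem.find("{%s}jsp-config" % ns)
        # Assumption: a missing element or attribute means the header is on.
        value = jsp.get("x-powered-by", "true") if jsp is not None else "true"
        if value.strip().lower() != "false":
            exposed.append(elem.get("name", "<unnamed>"))
    return exposed


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name in containers_advertising_jsp(text):
        print("servlet-container %r still advertises JSP" % name)
```

Run it with the path to standalone-full.xml as the only argument; no output means every servlet container has the header disabled.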