[ https://issues.apache.org/jira/browse/RANGER-2360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pradeep Agrawal reassigned RANGER-2360:
---------------------------------------
Assignee: Pradeep Agrawal
> [security] Admin WebUI - Server information disclosure
> ------------------------------------------------------
>
> Key: RANGER-2360
> URL: https://issues.apache.org/jira/browse/RANGER-2360
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: 1.0.0
> Reporter: t oo
> Assignee: Pradeep Agrawal
> Priority: Trivial
>
> Revealing server information or system data helps an attacker learn about
> the technologies used by the application, which can aid him in forming a plan
> of attack. The information revealed could then be abused to craft more
> effective exploits against the application and underlying platforms.
>
> All HTTP Responses and error messages disclosed server information names and
> version.
> Apache-Coyote/1.1
> Apache Tomcat/7.0.82
>
> Threat actors can include external and internal users with malicious intent.
> A potential attacker would first conduct a review of the system and try to
> identify the technologies that the system is running on, by inducing errors
> on the site, looking at the HTTP headers sent in response to requests and by
> looking at the HTML source code generated by the application. Though these
> bits of information are not vulnerabilities themselves, an attacker, equipped
> with this information, can proceed to use targeted vulnerability tests and
> exploits against the platform/technology in use.
> Given the following server information, a would-be attacker can infer the
> following information: Server product, version, operating system, and
> vulnerability publications. These are helpful in planning an attack and
> minimises the possibility of detection.
> Remove the information from application’s HTTP headers in response. Modify or
> remove the banner to limit the amount of information disclosed over the
> Internet.
>
> GET /login.jsp reveals Apache-Coyote/1.1
> PROPFIND /index.html reveals Apache Tomcat/7.0.82
>
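A small defensive check, added here as an illustration and not part of the Ranger ticket or code base: it parses raw HTTP responses and flags product/version banners in the Server header or the body, which is how a reviewer would confirm the disclosure above and re-verify after the header and error page are hardened. The sample responses are constructed for this example, modelled on the strings quoted in the report.

```python
import re
from typing import Dict, List, Tuple

# Banner patterns built from the strings quoted in the report (constructed
# for this example; extend with other products as needed).
BANNER_PATTERNS = [
    re.compile(r"Apache-Coyote/\d+(?:\.\d+)*"),
    re.compile(r"Apache Tomcat/\d+(?:\.\d+)*"),
]

def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_disclosures(raw: str) -> List[str]:
    """Return distinct banner strings found in the Server header or body."""
    _, headers, body = parse_response(raw)
    found: List[str] = []
    for source in (headers.get("server", ""), body):
        for pat in BANNER_PATTERNS:
            for match in pat.findall(source):
                if match not in found:
                    found.append(match)
    return found

# Constructed samples shaped like the responses described in the report.
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>login</body></html>"
)
PROPFIND_ERROR = (
    "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h3>Apache Tomcat/7.0.82</h3></body></html>"
)
# What the same error should look like once banner and error page are stripped.
HARDENED = (
    "HTTP/1.1 405 Method Not Allowed\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 405</h1></body></html>"
)

if __name__ == "__main__":
    for name, resp in (("login", LOGIN_RESPONSE), ("propfind", PROPFIND_ERROR),
                       ("hardened", HARDENED)):
        print(name, find_disclosures(resp))
```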
--
This message was sent by Atlassian Jira (v8.3.4#803005)