[Pki-users] Tomcat version information disclosure in default dogtag installation

Aleksander Adamowski aleksander.adamowski.dogtag at altkom.pl
Mon May 26 12:38:13 UTC 2008


Hi!

I've noticed that it's trivial to discover the exact version information 
about the servlet container that runs a particular CA instance; one only 
has to visit an invalid URL for a given instance, e.g.:

https://CA_SERVER:9443/qwerty

===================
HTTP Status 404 - /qwerty

type Status report

message /qwerty

description The requested resource (/qwerty) is not available.
Apache Tomcat/5.5.26
===================

Security by obscurity arguments aside, IMHO it's not so wise to 
immediately provide exact version information for the server running 
such security critical service. This information isn't a vulnerability 
in itself, but makes it so much easier to plan an attack strategy for a 
potential intruder.

In Apache, it's enough to use the "ServerTokens" configuration directive 
to suppress giving out the exact server version, but AFAIK in Tomcat one 
has to prepare a customised error page and configure it in web app's 
web.xml (the <error-page> element - 
http://www.apache-korea.org/tomcat/faq/misc.html#error).

With Tomcat, most admins won't bother since it requires so much labour.

I think it would be nice to package simple error pages that don't 
divulge version information in the pki RPMs by default - do you agree?

That would require modifying the following (all webapps' contexts have 
to be customised):
/usr/share/pki/INSTANCE_NAME/conf/web.xml
/usr/share/pki/INSTANCE_NAME/webapps/ROOT/WEB-INF/web.xml
/usr/share/pki/INSTANCE_NAME/webapps/INSTANCE_NAME/WEB-INF/web.xml


-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl
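Added example, not part of the original post: the `<error-page>` mappings the message refers to, as they would look in one of the listed WEB-INF/web.xml files for Tomcat 5.5 (Servlet 2.4). The `/error/*.html` locations are assumed; each names a plain static HTML file placed under that webapp's own directory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for a per-webapp WEB-INF/web.xml on Tomcat 5.5 (Servlet 2.4).
     Only the error-page mappings are shown; keep the rest of the existing file.
     The /error/... paths are assumed and resolve against this webapp's root. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Status codes that Tomcat otherwise answers with its own
       "HTTP Status ..." report page, which carries the version banner. -->
  <error-page>
    <error-code>400</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error/notfound.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/generic.html</location>
  </error-page>

  <!-- Uncaught exceptions are rendered with the same built-in report page,
       so map them to a static file as well. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/generic.html</location>
  </error-page>

</web-app>
```

Each webapp resolves `<location>` against its own context root, so every web.xml listed above needs its own copy of the static pages, and those pages should contain no server details themselves. If the named file does not exist, Tomcat falls back to its built-in report page and the banner is back.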