Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Hello everyone,

Is there any idea of how to fix "Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability" in tomcat6?

Thanks,
Haluk.

________________________________
This e-mail and its attachments may contain private and confidential information intended for the use of the addressees only, which should not be announced, copied or forwarded. If you are not the intended recipient, please contact the sender, delete the message and its attachments. Due to security risks of e-mail systems, the confidentiality and integrity of the message may be damaged, the message may contain viruses. This message is scanned for known viruses and Pegasus Airlines will not be liable for possible system damages caused by the message.

Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

HALUK YUZUCU wrote:
> Hello everyone,
>
> Is there any idea of how to fix,
>
> "Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability" in tomcat6.

Could you provide a reference for this please. All a Google search turns up is an issue with IIS, not Tomcat.

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

RE: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Description of this vulnerability and solutions for Apache and IIS as follows. But I could not find any information about tomcat web server.

Thanks.

------------------------------------------------------
Vulnerability: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
port 80/tcp

THREAT:
Some Web servers contain a vulnerability giving remote attackers the ability to attain your internal IP address or internal network name. An attacker connected to a host on your network using HTTPS (typically on port 443) could craft a specially formed GET request from the Web server resulting in a 3XX Object Moved error message containing the internal IP address or internal network name of the Web server. A target host using HTTP may also be vulnerable to this issue.

IMPACT:
Successful exploitation of this vulnerability results in the disclosure of your internal IP address or internal network name, which could then be used in further attacks against the target host.

SOLUTION:
There are no patches available at this time. Please contact your vendor for updates.

Workarounds:

For IIS Web Server:
Check the Microsoft article on how to set the Hostname instead of internal IP address for IIS.

For Apache Web Server:
Modify the Apache configuration file as follows:
- Set "ServerName" to a proper FQDN.
or
- Use module mod_rewrite to modify the 3xx error message returned by the server.

No workaround information is available for other Web servers at this time. Refer to your vendor for an appropriate workaround.
----------------------------------------------------------------------------------------

Haluk.

-----Original Message-----
From: Mark Thomas [mailto:markt@...]
Sent: Thursday, May 15, 2008 5:57 PM
To: Tomcat Users List
Subject: Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

HALUK YUZUCU wrote:
> Hello everyone,
>
> Is there any idea of how to fix,
>
> "Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability" in tomcat6.

Could you provide a reference for this please. All a Google search turns up is an issue with IIS, not Tomcat.

Mark

Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Haluk,

HALUK YUZUCU wrote:
> Description of this vulnerability and solutions for Apache and IIS as follows. But I could not find any information about tomcat web server.

Where did you get this report?

<tents fingers>The internal IP address of the server is ... 192.168.1.100! Nobody would have ever guessed that! Excellent! Now I can take over the world! Muahahaha!</tents fingers>

-chris

RE: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

> From: Christopher Schultz [mailto:chris@...]
> <tents fingers>The internal IP address of the server is ...
> 192.168.1.100! Nobody would have ever guessed that!
> Excellent! Now I can
> take over the world! Muahahaha!</tents fingers>

*Chuckle* Chris, all you need now is the white cat and the secret base in the garden shed.

You might not be able to take over the world, but you might be able to take over the server more easily if you can crack something else on the same internal network.

The OP's correct that it's an information disclosure vulnerability, though I'm not sure whether it's present in Tomcat's error pages. Certainly if you're going through the checklist of "generic" vuls so that you can demonstrate your installation is hardened against those attacks, it's fair to ask whether Tomcat's susceptible.

- Peter

Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Peter,

Peter Crowther wrote:
> > From: Christopher Schultz [mailto:chris@...]
> > <tents fingers>The internal IP address of the server is ...
> > 192.168.1.100! Nobody would have ever guessed that!
> > Excellent! Now I can
> > take over the world! Muahahaha!</tents fingers>
>
> *Chuckle* Chris, all you need now is the white cat and the secret base in the garden shed.
>
> You might not be able to take over the world, but you might be able
> to take over the server more easily if you can crack something else
> on the same internal network.

Absolutely, especially if there is either no firewall or one configured poorly or a foolish TCP/IP stack, you could forge an internal IP address as the source for a request that originates externally. If special services (like SHUTDOWN) are accepted without authentication from local addresses, you've got yourself a problem.

> The OP's correct that it's an information disclosure vulnerability,
> though I'm not sure whether it's present in Tomcat's error pages.
> Certainly if you're going through the checklist of "generic" vuls so
> that you can demonstrate your installation is hardened against those
> attacks, it's fair to ask whether Tomcat's susceptible.

I just couldn't resist.

-chris

Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

HALUK YUZUCU wrote:
> Description of this vulnerability and solutions for Apache and IIS as follows.

This doesn't help very much. Could you provide the actual link or better yet the CVE number for this issue.

> But I could not find any information about tomcat web server.

Probably because it isn't an issue but with a CVE number I can get all the information I need to be sure. Alternatively, you could just test Tomcat yourself.

Mark
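
The scanner report quoted in this thread describes a 3xx response that carries an internal IP address or internal network name, and the last reply suggests testing your own server. The check below is an added example, not code from the thread or from the Tomcat project: it inspects a saved raw response from your own server for that condition. The function names, the sample responses, and the host names `appsrv01` and `www.example.com` are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "ip": "HTTP/1.1 302 Found\r\nLocation: http://192.168.1.100/app/\r\n"
          "Content-Length: 0\r\n\r\n",
    "fqdn": "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/app/\r\n\r\n",
    "shortname": "HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: http://appsrv01:8080/app/\r\n\r\n"
                 '<a href="http://10.0.0.5/app/">Object moved</a>',
}

def is_internal_host(host):
    """True for private/loopback/link-local IPs and single-label names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host.rstrip(".")  # a name, but not an FQDN
    return ip.is_private or ip.is_loopback or ip.is_link_local

def check_redirect(raw_response):
    """Return (where, value) findings for one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    if not 300 <= status < 400:
        return []  # the report concerns 3xx responses only
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("location", "content-location"):
            host = urlsplit(value.strip()).hostname
            if host and is_internal_host(host):
                findings.append((name.strip(), host))
    for candidate in IPV4_RE.findall(body):
        try:
            if ipaddress.ip_address(candidate).is_private:
                findings.append(("body", candidate))
        except ValueError:
            pass  # looked like a dotted quad but is not a valid address
    return findings

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, check_redirect(response))
```

An empty result for every redirect your server emits means the condition in the report was not observed in those responses.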