Technical information leak - Java

Technical information leak - Java

Need

Protection of sensitive technical information from unauthorized access

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications
  • Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlets

Description

Non compliant code

        import javax.servlet.*;
import javax.servlet.http.*;

public class InformationLeakServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        
        //Setting HTTP headers with server information
        response.setHeader("Server", "Apache/2.4.1 (Unix)");
        
        //Setting specific configuration information
        response.setHeader("php.ini", "allow_url_fopen=On");
        response.setHeader("web.config", "");
        
        //Rest of the code...
    }
}
        
        

In the above code, we have a servlet that handles GET requests. In this servlet, we are setting HTTP response headers with technical information about the server and specific configuration settings.

The line response.setHeader("Server", "Apache/2.4.1 (Unix)"); is setting the Server header with the version of the server software that is being used. This is leaking technical information about the server which can be used by an attacker to exploit known vulnerabilities in that specific version of the server software.

The lines response.setHeader("php.ini", "allow_url_fopen=On"); and response.setHeader("web.config", ""); are setting headers with specific configuration settings. This is leaking specific configuration information about the server which can be used by an attacker to exploit potential vulnerabilities in these settings.

This is a serious security vulnerability as it provides potential attackers with valuable information about the system, which can be used to plan and execute more targeted and effective attacks.

Steps

  • Avoid exposing sensitive technical information in HTTP headers or response bodies.
  • Remove or obfuscate any server or component version information from the response headers.
  • Do not include specific configuration details in the response headers.
  • Consider implementing a custom error page to handle error responses instead of exposing technical information.
  • Regularly review and update the server and component configurations to ensure they are secure and up to date.

Compliant code

        import javax.servlet.*;
import javax.servlet.http.*;

public class InformationLeakServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        
        //Rest of the code...
    }
}
        
        

The original code was leaking sensitive technical information through HTTP headers. This information included server component versions and specific configuration details. This is a security vulnerability as it provides potential attackers with useful information about the system, which they could use to exploit known vulnerabilities.

The fixed code removes these headers, thus preventing this information from being exposed.

Here are the changes made:

- Removed the line response.setHeader("Server", "Apache/2.4.1 (Unix)"); which was setting the server version in the HTTP headers.
- Removed the line response.setHeader("php.ini", "allow_url_fopen=On"); which was exposing specific PHP configuration details.
- Removed the line response.setHeader("web.config", "<system.web><httpRuntime targetFramework=\\"4.5\\" /></system.web>"); which was exposing specific .NET configuration details.

In addition to these code changes, it is recommended to implement a custom error page to handle error responses. This prevents technical information from being exposed in the event of an error.

Also, it is important to regularly review and update the server and component configurations to ensure they are secure and up to date. This helps to protect against known vulnerabilities that may be present in older versions.

References