docker-library/tomcat

Server information disclosure with default configuration

jkushmaul opened this issue · 3 comments

Expected result:

To not have stack trace or server identification information by default in any responses.

Actual:

There is stack trace and server version information exposed by default configurations

Reproduce:

Run default config

  • docker run --rm --name tomcat-fail-demo -it -p 8080:8080 tomcat:9.0.79-jdk17

Provoke an HTTP-level error:

  • curl -v 'http://localhost:8080/showmesomeinfo"'

(The improper encoding of " is the trigger for the exception; it's invalid, but curl doesn't care and sends it as is.)

Response:

> GET /showmesomeinfo" HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 400 
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 2035
< Date: Fri, 25 Aug 2023 19:18:41 GMT
< Connection: close
< 
<!doctype html><html lang="en"><head><title>HTTP Status 400
...
 The valid characters are defined in RFC 7230 and RFC 3986
        org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
        org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:263)
        org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
...
<h3>Apache Tomcat/9.0.79</h3>

Versions reproduced:

  • tomcat:9.0.79-jdk17
  • tomcat:10.1.12-jdk17
  • tomcat:11.0.0-jdk17

Workaround:
Patching the file is a terrible way to do this - obviously one would use some kind of XPath etc. But for this issue I'm trying to give a fully isolated and reproducible example, so I'm keeping it simple with a patch.

DOCKER_FILE='FROM tomcat:9.0.79-jdk17-temurin-focal as base
FROM base as patcher
RUN apt-get -y update && apt-get install -y patch && apt-get -y clean &&  rm -rf /var/lib/apt/lists/*
ARG DIFF_SERVER_XML
RUN echo "$DIFF_SERVER_XML" > server.xml.patch
RUN patch /usr/local/tomcat/conf/server.xml server.xml.patch
FROM base as patched
COPY --from=patcher /usr/local/tomcat/conf/server.xml /usr/local/tomcat/conf/server.xml
'

DIFF_SERVER_XML='--- docker/server.orig.xml      2023-08-08 16:41:26.000000000 -0400
+++ docker/server.xml   2023-08-25 16:38:40.277441440 -0400
@@ -161,6 +161,9 @@
       <Host name="localhost"  appBase="webapps"
             unpackWARs="true" autoDeploy="true">

+        <Valve className="org.apache.catalina.valves.ErrorReportValve"
+               showReport="false"
+               showServerInfo="false" />
         <!-- SingleSignOn valve, share authentication between web applications
              Documentation at: /docs/config/valve.html -->
         <!--
'
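Review bot: the hunk is pinned to `@@ -161,6 +161,9 @@` of the server.xml shipped in tomcat:9.0.79-jdk17, while the issue lists 10.1.12 and 11.0.0 as reproduced as well; on those images `patch` has to rely on fuzz to place the three `+` lines, and a failed hunk aborts the build at `RUN patch ...`, so an edit keyed on the `<Host name="localhost"` element rather than on line numbers would be more robust. The added lines themselves are correct: `showReport="false"` suppresses the stack trace and `showServerInfo="false"` the version banner on the ErrorReportValve. Note that the valve is added under the `localhost` Host only; any other Host defined in server.xml keeps the default, verbose error report.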
echo "$DOCKER_FILE" |  docker build --progress plain -t mod-tomcat:9.0.79-jdk17 --build-arg DIFF_SERVER_XML="$DIFF_SERVER_XML" -
  1. Run it: docker run --rm -it --name mod-tomcat -p 8080:8080 mod-tomcat:9.0.79-jdk17
  2. Cause the error: curl -v 'http://localhost:8080/showmesomeinfo"'
  3. Note that there is no longer an error report, and the server identification is also gone.

Since the configuration file is used directly from the dist of tomcat - I will copy this ticket there as well. More than likely you'll want it fixed there, instead.
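Added example, not code from the issue author or the docker-library/tomcat project: the "XPath etc." alternative to the line-number patch, using Python's standard-library XML parser to insert or correct the ErrorReportValve on every Host in server.xml, plus a check that an error body no longer carries the version banner or stack frames. The sample XML, the response excerpt and the file path are constructed assumptions for the example.

```python
import re
import sys
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"
HARDENED = {"showReport": "false", "showServerInfo": "false"}  # same switches as the issue's patch

# Constructed sample of the relevant part of conf/server.xml (the real file is far larger).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- SingleSignOn valve, share authentication between web applications -->
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed excerpt of the 400 response body quoted in the issue.
LEAKY_BODY = ("The valid characters are defined in RFC 7230 and RFC 3986\n"
              "org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)\n"
              "<h3>Apache Tomcat/9.0.79</h3>")

SERVER_BANNER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")
STACK_FRAME = re.compile(r"[\w$.]+\.\w+\([\w$]+\.java:\d+\)")

def harden_error_report_valve(xml_text):
    """Give every <Host> an ErrorReportValve with showReport/showServerInfo off.
    Returns (rewritten XML, number of Hosts changed); XML comments are preserved."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    changed = 0
    for host in list(root.iter("Host")):
        valve = next((v for v in host.findall("Valve")
                      if v.get("className") == VALVE_CLASS), None)
        if valve is None:  # nothing configured: add the hardened valve
            ET.SubElement(host, "Valve", {"className": VALVE_CLASS, **HARDENED})
            changed += 1
        elif any(valve.get(k) != v for k, v in HARDENED.items()):  # configured but chatty
            valve.attrib.update(HARDENED)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def leaks_server_details(body):
    """True if an error page body still carries a Tomcat version banner or a Java stack frame."""
    return bool(SERVER_BANNER.search(body) or STACK_FRAME.search(body))

if __name__ == "__main__":  # usage: python harden_server_xml.py /usr/local/tomcat/conf/server.xml
    new_xml, _ = harden_error_report_valve(open(sys.argv[1], encoding="utf-8").read())
    print(new_xml)  # rewritten server.xml on stdout; write it back over the original once reviewed
```

Running the function a second time on its own output changes nothing, so it is safe to apply in an image build step; the body check is meant for a post-deployment curl against the malformed URL from the reproduction.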