Open Bug 1603435 Opened 6 years ago

Server information leak in error response

Categories: mozilla.org :: Miscellaneous, enhancement (Not set, normal)

Tracking: Not tracked

Status: UNCONFIRMED

People: Reporter: ek15518, Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36

Steps to reproduce:

Triggered an error by requesting the following link:

https://people.mozilla.org/~

The full request:

GET /~ HTTP/1.1
Host: people.mozilla.org
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: hr-HR,hr;q=0.9,en-GB;q=0.8,en;q=0.7,en-US;q=0.6,bs;q=0.5
Cookie: _ga=GA1.2.1609626389.1560868786; _gid=GA1.2.405376608.1576156201; request_uri=L2FzZGFzZA==; OAuth_Token_Request_State=2a625462-5553-487e-9130-d029d9400216

Actual results:

The server responded with a 404 error; the HTML content indicated nginx/1.17.6 while the Server header indicated nginx/1.15.10.

HTTP/1.1 404 Not Found
Date: Thu, 12 Dec 2019 14:07:02 GMT
Server: nginx/1.15.10
Connection: close
Content-Type: text/html
X-Frame-Options: DENY
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; font-src https://fonts.gstatic.com; img-src 'self' data: blob:; script-src 'self' 'sha256-4qKuKHlhZHVtOHkzV6IoRxvJyftFsU9Bzug8piLac2s=' 'sha256-wFlxiON/IU9ZZ5PD6RqOAhUMQtTTYSO6Fh/5V470Tdo='; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'
Strict-Transport-Security: max-age=15724800; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
Access-Control-Allow-Credentials: true
Content-Length: 555

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>

However, when the Host header was modified to Host: attacker.site, and the same request resent, the server responded with nginx/1.15.10 in the HTML too:

HTTP/1.1 404 Not Found
Date: Thu, 12 Dec 2019 14:09:13 GMT
Server: nginx/1.15.10
Connection: close
Content-Type: text/html
Strict-Transport-Security: max-age=15724800; includeSubDomains
Content-Length: 556

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.15.10</center>
</body>
</html>

Expected results:

Suppress the server header completely. Return a generic error message.
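The following is an added example, not part of the bug report and not Mozilla's code: a small Python audit that parses a raw HTTP response and reports whether a version string appears in the Server header, in the error body, or both, and whether the two disagree (as in the responses quoted above). The sample responses are constructed from the headers and bodies quoted in the report, with the header list abbreviated; the hardened sample is a constructed illustration of what "Expected results" asks for.

```python
"""Audit raw HTTP responses for server-software version disclosure.

Added example; not part of the bug report. The sample responses below are
constructed from the responses quoted in the report (headers abbreviated).
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches a version such as "nginx/1.15.10" in a header value or an HTML body.
NGINX_VERSION_RE = re.compile(r"nginx/(\d+(?:\.\d+)+)")


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is sufficient for a Server-header audit.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def audit_version_leak(raw: str) -> Dict[str, object]:
    """Report version strings found in the Server header and the body."""
    _, headers, body = parse_response(raw)
    server: Optional[str] = headers.get("server")
    header_match = NGINX_VERSION_RE.search(server or "")
    body_match = NGINX_VERSION_RE.search(body)
    header_version = header_match.group(1) if header_match else None
    body_version = body_match.group(1) if body_match else None

    findings: List[str] = []
    if server is not None:
        findings.append("server-header-present")
    if header_version:
        findings.append("version-in-server-header")
    if body_version:
        findings.append("version-in-error-body")
    if header_version and body_version and header_version != body_version:
        # Two different versions in one response usually mean the body was
        # generated by a different hop than the one that set the Server header.
        findings.append("header-body-version-mismatch")
    return {
        "server_header": server,
        "header_version": header_version,
        "body_version": body_version,
        "findings": findings,
    }


def _http(header_lines: List[str], body: str) -> str:
    """Join header lines and body with the CRLF framing HTTP/1.1 uses."""
    return "\r\n".join(header_lines) + "\r\n\r\n" + body


# Default nginx 404 page, as quoted in the report, with the version as a slot.
ERROR_BODY = (
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    "<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx/{v}</center>\r\n</body>\r\n</html>\r\n"
)

# Constructed from the first response in the report (original Host header).
RESPONSE_ORIGINAL_HOST = _http(
    ["HTTP/1.1 404 Not Found", "Server: nginx/1.15.10", "Content-Type: text/html"],
    ERROR_BODY.format(v="1.17.6"),
)
# Constructed from the second response in the report (modified Host header).
RESPONSE_OTHER_HOST = _http(
    ["HTTP/1.1 404 Not Found", "Server: nginx/1.15.10", "Content-Type: text/html"],
    ERROR_BODY.format(v="1.15.10"),
)
# Constructed: no Server header and a generic body, as the report expects.
RESPONSE_HARDENED = _http(
    ["HTTP/1.1 404 Not Found", "Content-Type: text/html"],
    "<html><body><h1>Not Found</h1></body></html>\r\n",
)

if __name__ == "__main__":
    for name, raw in [
        ("original host", RESPONSE_ORIGINAL_HOST),
        ("other host", RESPONSE_OTHER_HOST),
        ("hardened", RESPONSE_HARDENED),
    ]:
        print(name, audit_version_leak(raw))
```

On the report's first response the audit returns header version 1.15.10, body version 1.17.6 and flags the mismatch; on the hardened sample it returns no findings. For nginx itself, the usual remediation is `server_tokens off;` together with a custom `error_page` for 404 and 5xx responses; note that `server_tokens off` only drops the version (the header still reads `Server: nginx`), so removing the header entirely needs the headers-more module (`more_clear_headers 'Server';`) or an equivalent filter at the edge.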
