729459 - (wh-9580021) Some addons resources show system information in response headers

Status: RESOLVED WONTFIX

(Cloud Services :: Operations: Marketplace, task)

Description

[Mark Goodwin [:mgoodwin]]

Issue:
Requests to some resources (see bug URL) result in x-powered-by headers divulging PHP version info.  This is puzzling as these appear to be static files.

There is a security risk posed by this due to the fact that an attacker can use version info to target attacks.

Steps to reproduce:
1) request https://static.addons.mozilla.net/en-US/firefox/pages/js_constants.js using something which allows you to view response headers
2) Observe the X-Powered-By header in the response


Remediation:
Configure the server not to do this

Comment 1

[Wil Clouser [:clouserw]]

-> ops.  If we ignore this it goes away as soon as we turn off PHP anyway.

Comment 2

[Jeremy Orem [:oremj]]

Mark, PHP is going away soon on AMO. Can we close this and expect it to resolve itself after PHP is gone?

Comment 3

[Mark Goodwin [:mgoodwin]]

(In reply to Jeremy Orem [:oremj] from comment #2)
> PHP is going away soon on AMO. Can we close this and expect it to
> resolve itself after PHP is gone?

That could be reasonable.

How certain is 'is' and how soon is 'soon'?

Comment 4

[Wil Clouser [:clouserw]]

(In reply to Mark Goodwin [:mgoodwin] from comment #3)
> (In reply to Jeremy Orem [:oremj] from comment #2)
> > PHP is going away soon on AMO. Can we close this and expect it to
> > resolve itself after PHP is gone?
> 
> That could be reasonable.
> 
> How certain is 'is' and how soon is 'soon'?

100% and a couple months

Comment 5

[Jeremy Orem [:oremj]]

Assuming we can close this out. Reopen if any action is needed.