Information leakage fix due to invalid host generating response with too much information

Explorer ,
Apr 22, 2020

Hi,

Our site was tested by one of the security scanner companies, and they found a known vulnerability. It reads: "Information Leakage is an application weakness where an application reveals sensitive data".

I need help updating the server settings to hide error details and not display server technology details.

They run the curl command as:

C:\curl\bin\curl.exe -i -s -k -X "GET" -H "Accept: application/json,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" -H "Accept-Language: en-us,en;q=0.5" -H "Host: whs'check" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 Software Security Group" "https://www.[mysite.com]/"

The output results in a Java stack error:

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> The character [&#39;] is never valid in a domain name.</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: The character [&#39;] is never valid in a domain name.
        org.apache.tomcat.util.http.parser.HttpParser$DomainParseState.next(HttpParser.java:966)
        org.apache.tomcat.util.http.parser.HttpParser.readHostDomainName(HttpParser.java:842)
        org.apache.tomcat.util.http.parser.Host.parse(Host.java:66)
        org.apache.tomcat.util.http.parser.Host.parse(Host.java:40)
        org.apache.coyote.AbstractProcessor.parseHost(AbstractProcessor.java:293)
        org.apache.coyote.ajp.AjpProcessor.prepareRequest(AjpProcessor.java:1062)
        org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:523)
        org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.lang.Thread.run(Thread.java:745)

The culprit is "Host: whs'check", where the illegal character is the single quotation mark "'".

I ran the test with different characters. I replaced "'" with "|" or "{". The application generates just a 400 error with no Java stack:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>

I tried a few things, like adding an entry to the server.xml file:

<Connector port=".... relaxedQueryChars="'">

Also, I tried adding to catalina.properties:

tomcat.util.http.parser.HttpParser.requestTargetAllow='
or
tomcat.util.http.parser.HttpParser.requestTargetAllow="'"

Nothing seems to work.

We run CF2016 with Tomcat 8.5.42

Thank you

TOPICS
Security, Server administration

LEGEND ,
Apr 23, 2020

If an apostrophe or any other non-alphanumeric character is part of the host name, then the host name is the issue. I have no idea what "whs'check" is, but it's obviously the culprit. Remove the apostrophe, and the issue should resolve itself.

V/r,

^ _ ^

Explorer ,
Apr 23, 2020

Sorry, maybe I was not clear. I know the issue. But this is a deliberate attempt to hack the host name; basically it is a security check. I am trying to find a way to hide the error details and not display server tech details.

LEGEND ,
Apr 23, 2020

If I understand correctly, you want to trigger this information to be emailed to you, and just show a generic error message to the user?

V/r,

^ _ ^

Explorer ,
Apr 23, 2020

No, I just want the error detail in the form of the Java stack to be hidden, and the error details not to include server information, as this is a security issue.

The error is generated by the curl command below. It is not visible otherwise.

C:\curl -i -s -k -X "GET" -H "Accept: application/json,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" -H "Accept-Language: en-us,en;q=0.5" -H "Host: whs'check" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 Mercer Software Security Group" "https://www.mysite.com/"

LEGEND ,
Apr 23, 2020

AFAIK, you can either display it by doing nothing (as you've noted, this is a security concern), or display a generic error message to the user. I don't think you can display part of the error message. Unless you create an error.cfm page and use reFindReplaceNoCase() to display only part of the error message. Which would be more work than just displaying a generic error message and sending the error details to an admin account.

V/r,

^ _ ^

Explorer ,
Apr 23, 2020

I have a generic error page, but it doesn't work here. It works fine from a browser, but not from curl.

LEGEND ,
Apr 23, 2020

Okay.. I think I'm understanding a bit more.. curl returns the contents of a page and ideally places it into a string for the security company to retrieve and view. You want to limit the output from CF so that no one can see your internal information.

This sounds to me like more of a CFAdmin thing, or IIS/Apache thing, than a programming thing.

You _might_ be able to do what you want by limiting what IP addresses can see errors, or some other method in CFAdmin:

https://helpx.adobe.com/coldfusion/configuring-administering/using-the-coldfusion-administrator.html

Explorer ,
Apr 23, 2020

I checked CF Admin Debugging & Logging > Debugging IP Addresses. There was an entry for the local machine IP. I will look it up; maybe Tomcat has something on the subject.
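
The report layout in the first post (Type, Message, Description, Exception, then the stack frames) is the one Tomcat's stock ErrorReportValve renders, and that valve's showReport and showServerInfo attributes, both true by default, control the stack trace and the server version line. The following Python audit is an added example, not code from this thread or from Adobe; it checks each `<Host>` in a server.xml for the valve with both attributes set to false. The two server.xml fragments are constructed samples and the function name audit_hosts is hypothetical.

```python
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed server.xml fragments (not the poster's file): the first relies on
# Tomcat's defaults, the second declares the valve with both flags switched off.
DEFAULT_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""

HARDENED_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false"/>
  </Host>
</Engine></Service></Server>"""


def audit_hosts(server_xml):
    """Return {host name: [findings]}; an empty list means the host is hardened."""
    results = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "?")
        # A custom errorReportValveClass replaces the stock valve: flag for review.
        if host.get("errorReportValveClass", VALVE) != VALVE:
            results[name] = ["custom errorReportValveClass: review manually"]
            continue
        valve = next((v for v in host.findall("Valve")
                      if v.get("className") == VALVE), None)
        findings = []
        for attr, leak in (("showReport", "stack trace / exception message"),
                           ("showServerInfo", "server name and version")):
            # Absent valve or attribute means the default (true) applies; anything
            # other than an explicit "false" is reported, which is conservative.
            value = valve.get(attr, "true") if valve is not None else "true"
            if value.strip().lower() != "false":
                findings.append(f"{attr} is on: error pages expose {leak}")
        results[name] = findings
    return results


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_XML), ("hardened", HARDENED_XML)):
        for host, findings in audit_hosts(doc).items():
            print(label, host, findings or "OK")
```

After changing server.xml and restarting, re-running the scanner's curl request from the first post confirms whether the 400 response still carries the exception report.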

LEGEND ,
Apr 23, 2020

Just out of curiosity, have you followed the Lockdown Guide?

V/r,

^ _ ^

Explorer ,
Apr 23, 2020
