Verbose Server Banner - Vulnerability

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yasanthau
Advanced member
Advanced member
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Verbose Server Banner - Vulnerability

Postby yasanthau » Thu Jan 24, 2019 1:09 pm

Hi,

Upon a vulnerability scan, it is requested to fix the above issue on Zimbra Server (8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition). Please refer the details below.

Verbose server information is sent in the HTTP responses from the server. The information included in the response contains the server name, type, and version number.
Below is an example of a HTTP response that contains verbose server banners:
HTTP/1.1 200 OKServer: Apache 2.0Cache-control: privateX-Powered-By: JSP/2.2ContentType: text/html;charset=utf-8Content-Language: en-USContent-Length: 3347

Verbose server banners provide additional information that allows an attacker to perform targeted attacks to the specific technology stack in use by the application and underlying infrastructure.

Remediation:
Verbose server information should be removed from all HTTP responses. This can be performed by modifying the server's configuration files or through the use and configuration of a web application firewall.

Any solution to this issue is highly appreciated.

Thanks,

Yasantha


User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: Verbose Server Banner - Vulnerability

Postby pup_seba » Sun Jan 27, 2019 7:36 pm

Thanks for all your reports mate! :)

Sadly, Zimbra decided to stop using Bugzilla and start using some "Zimbra access only JIRA bug tracking tool". I may be wrong, but I think that they are still not looking into forums to try to gather what could be usefull insights or feedback from the community...I truely hope I'm wrong here and with a little bit of luck, your valuable warnings do get to the proper eyes.

Return to “Administrators”

Who is online

Users browsing this forum: MSN [Bot] and 5 guests