
Verbose Server Banner - Vulnerability

Posted: Thu Jan 24, 2019 1:09 pm
by yasanthau
Hi,

Upon a vulnerability scan, it is requested to fix the above issue on Zimbra Server (8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition). Please refer to the details below.

Verbose server information is sent in the HTTP responses from the server. The information included in the response contains the server name, type, and version number.
Below is an example of an HTTP response that contains verbose server banners:
HTTP/1.1 200 OK
Server: Apache 2.0
Cache-control: private
X-Powered-By: JSP/2.2
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 3347

Verbose server banners provide additional information that allows an attacker to perform targeted attacks against the specific technology stack in use by the application and underlying infrastructure.

Remediation:
Verbose server information should be removed from all HTTP responses. This can be performed by modifying the server's configuration files or through the use and configuration of a web application firewall.

Any solution to this issue is highly appreciated.

Thanks,

Yasantha
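The scanner's own report does not say which header check it applied, so the following is an added example (not Zimbra's code, and not from the scanner or the poster) of how to re-run the check yourself and confirm a fix actually took: it parses a raw HTTP response, flags the headers that commonly carry software identity (`Server`, `X-Powered-By` and a few others; that list is an assumption made for this example), and reports whether each one also exposes a version number. The sample responses are constructed from the headers quoted in the scanner finding above; `fetch_raw_headers` lets you point the same check at a live host.

```python
import http.client
import re
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Headers that commonly leak the server or framework identity and version.
# Assumed for this example; a real scanner may check a longer list.
BANNER_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted numeric version such as 2.0, 2.2 or 9.4.18 inside a header value.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample: the verbose response quoted in the scanner finding.
SAMPLE_VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache 2.0\r\n"
    "Cache-control: private\r\n"
    "X-Powered-By: JSP/2.2\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Language: en-US\r\n"
    "Content-Length: 3347\r\n"
    "\r\n"
)

# Constructed sample: the same response with the banner headers removed.
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-control: private\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Language: en-US\r\n"
    "Content-Length: 3347\r\n"
    "\r\n"
)

# Constructed sample: product name kept but version stripped (a common half-fix).
SAMPLE_NO_VERSION = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response.

    Returns a dict keyed by lower-cased header name; a header may repeat,
    so each value is a list. Lines without a colon are ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_verbose_banners(raw: str) -> List[Tuple[str, str, bool]]:
    """Return (header, value, has_version) for every banner-style header.

    An empty list means the response passes this check. has_version=False
    means the product is still named but no version number is exposed.
    """
    findings = []
    for name, values in parse_response_headers(raw).items():
        if name in BANNER_HEADERS:
            for value in values:
                findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


def fetch_raw_headers(host: str, port: int = 443, path: str = "/",
                      use_tls: bool = True, timeout: float = 10.0,
                      ssl_context: Optional[ssl.SSLContext] = None) -> str:
    """HEAD a live server and render the reply back into the raw form above.

    Pass an ssl_context that disables verification only for a self-signed
    test host; the default verifies the certificate.
    """
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl_context)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python banner_check.py mail.example.com  (hostname is a placeholder)
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VERBOSE
    for header, value, versioned in find_verbose_banners(raw):
        print(f"{header}: {value}  (version exposed: {versioned})")
```

Run it against the quoted sample and both `Server: Apache 2.0` and `X-Powered-By: JSP/2.2` are reported with a version; a response that only says `Server: nginx` is still reported, but with `version exposed: False`, which is the distinction most scanners draw between a finding and an informational note. Re-running the check after a configuration change is the only reliable way to know the header really left the response, since Zimbra's front end is a generated proxy configuration and the header may be added by more than one layer. On a plain nginx front end the directives `server_tokens off;` and `proxy_hide_header X-Powered-By;` are the standard settings for this; how that maps onto Zimbra's own proxy templates is not something this example verifies.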

Re: Verbose Server Banner - Vulnerability

Posted: Sun Jan 27, 2019 7:36 pm
by pup_seba
Thanks for all your reports mate! :)

Sadly, Zimbra decided to stop using Bugzilla and start using some "Zimbra access only JIRA bug tracking tool". I may be wrong, but I think that they are still not looking into forums to try to gather what could be useful insights or feedback from the community... I truly hope I'm wrong here and with a little bit of luck, your valuable warnings do get to the proper eyes.