Opened 3 months ago

Closed 3 months ago

#2337 closed defect (invalid)

Version disclosure when server_tokens is set off

Reported by: tanji@…
Owned by:
Priority: minor
Milestone: nginx-1.21
Component: nginx-core
Version:
Keywords:
Cc: tanji@…
uname -a: Linux http-stage-r1-2 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.20.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.20.2/debian/debuild-base/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

With server_tokens set to off:

$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json

Header is correctly set off.
However, if error 500 is hit:

$ curl -I http://localhost/%3c%%3d77%2a77%%3e/185/products
HTTP/1.1 500 Internal Server Error
Server: nginx/1.20.2
Date: Fri, 18 Mar 2022 08:57:46 GMT
Content-Type: text/html
Content-Length: 177
Connection: close

Version is disclosed in the headers and in the HTML error page.

Change History (1)

comment:1 by Maxim Dounin, 3 months ago

Resolution: invalid
Status: new → closed

It looks like you are trying to set server_tokens off; in a name-based virtual server. While this works for normal requests, in many cases it is possible to trigger errors before the Host header is parsed and therefore nginx is able to select appropriate name-based server configuration. In this case the server_tokens setting from the default server applies. To make sure version information is not disclosed in such errors, consider configuring server_tokens in the default server.

Note well that hiding information about software and versions used is more or less pointless, and might easily cause more harm than good. Even if configured properly, there are a lot of ways to find out which version is used, and how to attack it. Security by obscurity isn't a proper way to secure your systems, see here.
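
The placement described in comment:1, as an added configuration example that is not part of the ticket or of the reporter's configuration. The server names are placeholders, and the two options are alternatives; either one is sufficient.

```nginx
# Constructed example: server names are placeholders, not taken from the ticket.

http {
    # Fix, option 1: set the directive at http level. Every server{} block
    # inherits it, including whichever one is the default for a listen socket.
    server_tokens off;

    # Fix, option 2: set it in the default server explicitly. Without the
    # default_server flag, the first server{} defined for an address:port
    # is the default, so its setting is what early errors use.
    server {
        listen 80 default_server;
        server_name _;
        server_tokens off;
    }

    # The pattern from the ticket: the directive only in a name-based server.
    # On its own this covers requests routed to app.example.test, but not
    # errors raised before the Host header has been parsed.
    server {
        listen 80;
        server_name app.example.test;
        server_tokens off;
    }
}
```

After a reload, repeating the second curl request from the description is a direct check: the 500 response should carry `Server: nginx` without the version.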
