Opened 2 years ago
Closed 2 years ago
#2337 closed defect (invalid)
Version disclosure when server_tokens is set off
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | nginx-1.21 |
| Component: | nginx-core | Version: | |
| Keywords: | Cc: | tanji@… | |
| uname -a: | Linux http-stage-r1-2 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.20.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) built with OpenSSL 1.1.1k 25 Mar 2021 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.20.2/debian/debuild-base/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
With server_tokens set to off:
$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Header is correctly set off.
However, if error 500 is hit:
$ curl -I http://localhost/%3c%%3d77%2a77%%3e/185/products
HTTP/1.1 500 Internal Server Error
Server: nginx/1.20.2
Date: Fri, 18 Mar 2022 08:57:46 GMT
Content-Type: text/html
Content-Length: 177
Connection: close
Version is disclosed in the headers and in the HTML error page.
Note:
See TracTickets
for help on using tickets.
It looks like you are trying to set
server_tokens off;in a name-based virtual server. While this works for normal requests, in many cases it is possible to trigger errors before theHostheader is parsed and therefore nginx is able to select appropriate name-based server configuration. In this case theserver_tokenssetting from the default server applies. To make sure version information is not disclosed in such errors, consider configuringserver_tokensin the default server.Note well that hiding information about software and versions used is more or less pointless, and might easily cause more harm than good. Even if configured properly, there are a lot of ways to find out which version is used, and how to attack it. Security by obscurity isn't a proper way to secure your systems, see here.