On Wed, Feb 6, 2013 at 9:55 AM, Martijn Brinkers <martijn(a)djigzo.com> wrote:
On 02/05/2013 05:34 PM, bentscrewdriver wrote:
[ Sorry - previous message posted with wrong
> We had a pen test performed on our external facing hosts and the Djigzo
> appliance (22.214.171.124) had a finding where the internal IP address was
> disclosed by performing a HTTP 1.0 GET request (redirect response link
> show's IP rather than hostname). Do you have any guidance on how to set the
> response to return the hostname?
The internal IP address is added by Tomcat. With HTTP 1.1, the browser
sends the hostname with the request. HTTP 1.0 however works differently
since HTTP 1.0 has no notion of hostname.
See for example this link for some background info:
The best way to solve this is by setting the proxyName attribute on the
HTTP connector (in /etc/tomcat6/server.xml):
    <Connector port="8080" maxHttpHeaderSize="8192"
               proxyName="example.com" />  <!-- proxyName: external hostname of the appliance -->
The proxyName should be equal to the name of the external IP address (or
the external IP address if there is no A record for the external IP address).
Also make sure that the proxyName is set on the HTTPS connector.
I will see whether I can make this a user configurable option from the
DJIGZO email encryption
Users mailing list
I have implemented the solution outlined in Martijn's post and my
testing reveals that it now properly returns the hostname rather than
internal IP. I had the finding re-tested by the org performing the pen
test and they too found that the IP disclosure is now fixed.
It should be noted that this is the only finding they found on this
host, and it was rated low, so I now have a clean bill of health.
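Added example, not from the thread or from Djigzo: two small checks a defender can run after setting proxyName as Martijn describes. The first parses a raw HTTP redirect response and reports any private or loopback address leaking through the Location header (an empty result means the redirect now carries a hostname, as the re-test above confirmed). The second parses a server.xml and lists every Connector that still lacks a proxyName, which catches the HTTPS connector being forgotten. The sample response bytes and the server.xml text are constructed for this example; the function names are my own.

```python
"""Verify that Tomcat redirects no longer disclose an internal address and
that every Connector in server.xml carries a proxyName. Example code only;
sample inputs are constructed, not captured from a real appliance."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit


def _private_host(host: str) -> bool:
    """True if host is an IP literal that is private (RFC 1918 etc.) or loopback."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address literal
    return ip.is_private or ip.is_loopback


def check_redirect_for_private_ip(raw_response: bytes) -> List[str]:
    """Return private/loopback addresses found in Location headers of a raw
    HTTP response. Empty list means no internal address is disclosed."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    leaks = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            host = urlsplit(value.strip()).hostname or ""
            if _private_host(host):
                leaks.append(host)
    return leaks


def connectors_missing_proxy_name(server_xml: str) -> List[str]:
    """Return the port of every <Connector> in server.xml without a proxyName."""
    root = ET.fromstring(server_xml)
    return [c.get("port", "?") for c in root.iter("Connector")
            if not c.get("proxyName")]


# Constructed sample: redirect before the fix (internal address in Location)
BEFORE_FIX = (b"HTTP/1.1 302 Moved Temporarily\r\n"
              b"Location: http://10.0.0.5:8080/web/portal/\r\n"
              b"Content-Length: 0\r\n\r\n")

# Constructed sample: redirect after proxyName is set (hostname in Location)
AFTER_FIX = (b"HTTP/1.1 302 Moved Temporarily\r\n"
             b"Location: http://example.com/web/portal/\r\n"
             b"Content-Length: 0\r\n\r\n")

# Constructed sample server.xml: HTTP connector fixed, HTTPS connector forgotten
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" proxyName="example.com"/>
    <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("before fix leaks:", check_redirect_for_private_ip(BEFORE_FIX))
    print("after fix leaks: ", check_redirect_for_private_ip(AFTER_FIX))
    print("connectors without proxyName:", connectors_missing_proxy_name(SERVER_XML))
```

To use the first check against a live appliance, capture the raw response to an HTTP/1.0 request (for example from the pen tester's evidence) and pass the bytes in; a non-empty list means proxyName is still missing on the connector that answered.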