Getting nginx version

[ImMorpheus]

Normally the website (at least the home) hides server info/version, in fact

curl -I -L https://www.spongepowered.org
HTTP/2 200 
content-type: text/html; charset=utf-8
cache-control: max-age=3600, stale-if-error=86400
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
via: 1.1 varnish
accept-ranges: bytes
via: 1.1 varnish
age: 845926
x-served-by: cache-lcy1144-LCY, cache-dfw1826-DFW
x-cache: HIT, HIT
x-cache-hits: 1, 1
vary: Accept-Encoding
strict-transport-security: max-age=10886400; includeSubDomains; preload
content-length: 12502

Moreover 403 errors are redirected to 404, thus masking possible server info in the error page

curl -I -L https://www.spongepowered.org/assets/img/
HTTP/2 404 
content-type: text/plain; charset=utf-8
cache-control: max-age=3600, stale-if-error=86400
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
via: 1.1 varnish
accept-ranges: bytes
via: 1.1 varnish
age: 0
x-served-by: cache-lcy1150-LCY, cache-dfw1840-DFW
x-cache: MISS, MISS
x-cache-hits: 0, 0
strict-transport-security: max-age=10886400; includeSubDomains; preload
content-length: 19

But what if we try to get a 405 (Method not allowed) error page. Well, it is not redirected and returns the nginx version:

curl -X TRACE https://www.spongepowered.org
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>

Showing webserver version is bad :( . Also, why is there a sponge-debug header ? (curiosity)

PS. the nginx version is also send in the response header of the docs, however I thought this was more concerning because it was not directly shown.

[lukegb]

Thanks for your report. The Server header is actually sent in HTTP/1.1 responses, even on www:

$ curl --silent -I https://www.spongepowered.org | grep Server
Server: nginx/1.10.2

I'm not overly concerned about leaking the nginx version string.

The Sponge-Debug header is just there for me to put stuff in from time to time (although at the moment it's just the same as Date, give or take). If you're observant you'll notice that occasionally there are other Sponge- headers ;)

[ImMorpheus]

Sorry to bring the issue up again but I don't agree with this and think this is being underestimated. Maybe I didn't give this enough importance by saying "Showing webserver version is bad :( ". Web Server Fingerprint is a serious issue and hiding server info should be common practice (at least from a netsec point of view), (owasp has some good pages about the argument). For example, knowing the nginx version allow an attacker to determine known vulnerabilities and appropriate exploits (Yeah, it looks like I'm exaggerating, I mean it's not apache, but I don't feel like it should be settled so fast).

Thanks for the "Sponge-Debug header" explanation (sometimes I'm just curious)

[MichaelHillcox]

I highly agree with @ImMorpheus showing the server is a slight security issue... Although just doing a simple http post request to the server you can get the data back in the header of the responce.

[lukegb]

Web server fingerprinting is not a serious issue. At best, it's something that a pen tester would warn about, but it's not exactly a cause that anyone (competent) would fail a pentest for. nginx isn't even the main web server here, it's just acting as a reverse proxy (similarly to Varnish, which I notice you didn't point out at all in the headers).

If you follow your argument to its logical conclusion, this repository shouldn't contain the real source code because then an attacker could analyse it to find vulnerabilities - in the actual application serving content, no less.

FWIW, 404 being returned instead of 403 for attempting to fetch a directory listing isn't intentional; that just happens to be what the Go web framework in use does. The 404 page in question is Go's default 404 page, actually. That's also an indication we're using Go - oh no!

[ImMorpheus]

Yeah, maybe the gravity of the issue is subjective (given that it's a critical task for pentester), I was merely expressing my view on the argument which hasn't changed.

If you follow your argument to its logical conclusion, this repository shouldn't contain the real source code because then an attacker could analyse it to find vulnerabilities

The problem here was the server, not SpongeHome code. Having the code open sourced and avalaible for audit doesn't justify the fact that we leave behind security problems like this (even if they look small for certain people)

FWIW, 404 being returned instead of 403 for attempting to fetch a directory listing isn't intentional; that just happens to be what the Go web framework in use does. The 404 page in question is Go's default 404 page, actually. That's also an indication we're using Go - oh no!

Having 403 being redirected to 404 is certainly not an indicator you are using Go (I mean I did that with apache when I was a kid, so language-indepentent (crazy skillz)) The 404 page is literally a text with no distinctive sign, that's surely not an indicator of the home using go.

Now, If you don't want to hide the version I get it. It's not a problem.

PS: I'm starting to think jamie is some kind of bot which run every time someone doesn't agree with me, spamming emoji to other people comment. The other alternative is that there's some kind of competition, in that case I want to join.

[lukegb]

That's fine, we'll agree to disagree. Maybe the situation will change at some point and I'll start caring, but there are worse problems (which I will leave as an exercise to the reader).

Bear in mind, though, that HTTP requests pass through at least one layer of sanitisation before they even get to nginx, and nginx really isn't doing a whole lot.

My point with the 403 being redirected to 404 - the text with no distinctive sign is the distinctive part ;) It's a pretty decent way to pretend to be a simple Go API, since most people don't bother to change the 404 page from that. That's why it's so distinctive - if you go to the effort of customizing it, most people won't pick that.

[mbax]

Surely a bot trying to break in via exploit is just going to hit you with the exploit attempt whether your version matches or not? If it works, great! If it fails, oh well moving onto next target.

[lukegb]

Yeah, but it's really more about determined attackers.

[lol768]

Curse expose the IIS version string, so it must be a secure thing to do!

< Server: Microsoft-IIS/8.0
< X-Cobalt-Cache: Cached