ironmansoftware / issues

Public Issue tracker for Ironman Software products.
https://ironmansoftware.com

Information Disclosure #3417

Closed djgrijalva closed 1 week ago

djgrijalva commented 2 weeks ago

Version

4.2.21

Severity

Low

Environment

msi

Steps to Reproduce

Information disclosure occurs when an application fails to adequately protect sensitive and confidential information from parties that are not supposed to access the subject matter in normal circumstances. While these flaws may not have a significant impact, they allow attackers to gather relevant system information to use later in the attack life cycle. Knowing the framework version ahead of time provides insight into how the application responds to different available payloads.

[screenshot image]

Expected behavior

Ensure that the application does not expose the versions of the technology, software, references to other servers, services, or server used in the application by removing the versions from the server response headers.

Actual behavior

Exploiting information exposure vulnerabilities allows attackers to harvest sensitive information to perform data exfiltration and even complete user account takeover. Exposed details about the application’s environment, users, or associated data (for example, a pointer to another server address) could enable an attacker to find another flaw and help the attacker to mount an attack and even traverse to another internal server. Depending on the exposure, it may be possible to cause availability and integrity loss.

Additional Environment data

No response

Screenshots/Animations

No response
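The expected behaviour above asks that version strings and references to other servers be removed from response headers. As an added example (not code from this issue or from Ironman Software), the Python audit below parses a raw HTTP response, flags headers that name the stack, carry a version-looking token, or point at an internal host, and shows the header set with the stack-identifying headers stripped. The sample response, header values and the 10.0.0.5 address are constructed for illustration; the version/host detection is a heuristic and can false-positive on values such as ETags.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Response headers that conventionally carry the web server or framework name/version.
VERSION_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
    "x-runtime",
}
# A version-looking token such as 4.2.21 or 10.0 anywhere in a header value (heuristic).
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
# Host-like tokens inside URL-ish values (Location, Via, Content-Location, ...).
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9][A-Za-z0-9.-]*)(?::\d+)?")
# Assumed internal DNS suffixes; adjust for your environment.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")

# Constructed sample response (not captured from any real product).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: ExampleHTTP/4.2.21\r\n"
    "X-Powered-By: ExampleFramework/10.0\r\n"
    "Location: http://10.0.0.5:5000/login\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of a raw HTTP response into a
    lower-cased name -> value dict. Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def _looks_internal(host: str) -> bool:
    """True for private/loopback IP addresses and for the assumed internal DNS suffixes."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, reason) for each header that leaks stack identity,
    a version string, or an internal host. One reason per header, most specific first."""
    findings: List[Tuple[str, str, str]] = []
    for name, value in headers.items():
        internal = next((h for h in HOST_RE.findall(value) if _looks_internal(h)), None)
        if name in VERSION_HEADERS:
            reason = "stack-identifying header"
        elif internal:
            reason = f"internal host {internal}"
        elif VERSION_RE.search(value):
            reason = "version string in value"
        else:
            continue
        findings.append((name, value, reason))
    return findings


def strip_version_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the stack-identifying headers removed entirely.
    Dropping the header is safer than editing its value, since a bare product
    name still narrows the fingerprint. Remaining findings (e.g. an internal
    host in Location) need a code or proxy-level fix, not header filtering."""
    return {n: v for n, v in headers.items() if n not in VERSION_HEADERS}


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    for name, value, reason in find_disclosures(hdrs):
        print(f"{name}: {value}  <- {reason}")
    print("after stripping:", find_disclosures(strip_version_headers(hdrs)))
```

In practice the raw response would come from a socket or from a proxy's capture; the same `find_disclosures` check can be run as a post-deployment smoke test against the login page and error pages, which are where stack headers most often survive a "hide versions" configuration change.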

adamdriscoll commented 1 week ago

Had a customer request to make this configurable.

djgrijalva commented 1 week ago

Nice! That would be good for #3418 too