Web Server Load Balancer Detection
ateh, Apr 4 2011 — edited Apr 8 2011

Hi

We installed Sun Java System Web Server 6.1 update 10 on two machines (host1 & host2). These two machines are then load balanced by an F5.
When the pentest vendor scanned our public IP, both web servers were detected. I tried to reproduce the result as below:
------
C:\Program Files\Tenable\Nessus>nessuscmd.exe -v -P0 -p 80 -i 12224 x.x.x.x
Starting nessuscmd 4.4.1 (Build 15078)
Scanning 'x.x.x.x'
Plugin 12224 reported a result on port http (80/tcp) of x.x.x.x
Results found on x.x.x.x :
Port http (80/tcp)
(i) Plugin ID 12224
Synopsis :
The remote web server is load-balanced.
Description :
The remote web server seems to be running in conjunction with several
others behind a load balancer. Knowing that there are multiple
systems behind a service could be useful to an attacker as the
underlying hosts may be running different operating systems,
patchlevels, etc.
Solution :
Update the web configuration to hide information disclosure.
Risk factor :
Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin output :
Nessus queried the remote web server 20 times and was redirected to the following locations :
http://host2/images/
http://host1/images/
http://host2/images/
http://host1/images/
http://host2/images/
http://host1/images/
http://host2/images/
http://host1/images/
http://host2/images/
http://host1/images/
----------
Web Server config file
magnus.conf
# The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
# They will not be supported in future releases of the Web Server.
NetsiteRoot /opt/SUNWwbsvr
ServerName host1
ServerID https-host1
ServerString none
RqThrottle 128
DNS off
Security on
PidLog /opt/SUNWwbsvr/https-host1/logs/pid
User webservd
StackSize 131072
TempDir /tmp/https-host1-9d93b4d6
Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
#Init fn="load-modules" shlib="/opt/SUNWwbsvr/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
#JBOSS config
Init fn="load-modules" funcs="jk_init,jk_service" shlib="/opt/SUNWwbsvr/plugins/nsapi/lib/nsapi_redirector.so"
Init fn="jk_init" worker_file="/opt/SUNWwbsvr/plugins/nsapi/lib/workers.properties" log_level="debug" log_file="/opt/SUNWwbsvr/https-host1/logs/nsapi.log"
obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.
<Object name="default">
<Client security="false" internal="false">
NameTrans fn="redirect" from="/konsumer/" url-prefix="https://myip/konsumer/"
</Client>
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="assign-name" from="/konsumer*" name="jboss"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/SUNWwbsvr/ns-icons" name="es-internal"
NameTrans fn="home-page" path="/opt/SUNWwbsvr/docs/"
NameTrans fn="document-root" root="$docroot"
PathCheck fn="unix-uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/opt/SUNWwbsvr/docs/404.html"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Error fn="send-error" code="500" path="/opt/SUNWwbsvr/docs/500.html"
Error fn="send-error" code="403" path="/opt/SUNWwbsvr/docs/404.html"
Error fn="send-error" code="404" path="/opt/SUNWwbsvr/docs/404.html"
Error fn="send-error" code="503" path="/opt/SUNWwbsvr/docs/500.html"
AddLog fn="flex-log" name="access"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi" user="$user" group="$group" chroot="$chroot" dir="$dir" nice="$nice"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="jboss">
ObjectType fn="force-type" type="text/plain"
Service fn="jk_service" method="*" worker="balancer"
</Object>
-----------------
How can I hide this information disclosure in Sun Java System Web Server?
Thanks!
Edited by: ateh on Apr 4, 2011 9:24 AM
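The check that produced the finding above works by repeating one request and comparing the hostnames that come back in the Location header; the names it reported (host1, host2) are the same value that appears in the ServerName directive of the posted magnus.conf, so the server is building its redirect URLs from that directive. The following is an added example that reproduces that detection logic, not code from the original post, from Tenable's plugin or from Sun. The sample Location values are constructed to mirror the plugin output quoted above; the request path /images (the directory whose trailing-slash redirect is visible in the output), the public name www.example.com and the probe() helper are assumptions.

```python
"""Detect load-balancer/backend-name disclosure from HTTP redirects.

Added example: mirrors what a check such as Nessus plugin 12224 does, i.e.
request the same resource repeatedly and look at the host part of each
Location header. If the host differs between requests, or differs from the
public name the scan targeted, the backend name has leaked.
"""
import http.client
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample: the Location values quoted in the post (10 of the 20).
SAMPLE_LOCATIONS = [
    "http://host2/images/", "http://host1/images/",
    "http://host2/images/", "http://host1/images/",
    "http://host2/images/", "http://host1/images/",
    "http://host2/images/", "http://host1/images/",
    "http://host2/images/", "http://host1/images/",
]


def hostname_of(location: str) -> Optional[str]:
    """Lower-cased host of an absolute Location URL.

    A relative redirect such as "/images/" carries no host and therefore
    discloses nothing; None is returned for it.
    """
    host = urlsplit(location).hostname
    return host.lower() if host else None


def disclosed_hosts(locations: Iterable[str]) -> List[str]:
    """Distinct hostnames seen across all redirects, sorted."""
    return sorted({h for h in map(hostname_of, locations) if h})


def looks_load_balanced(locations: Iterable[str], public_host: str) -> bool:
    """True when the redirects reveal a backend name.

    Two cases are flagged: more than one distinct host (several backends
    answering), and a single host that is not the public name (one backend
    leaking its own ServerName). Relative redirects never trigger it.
    """
    hosts = disclosed_hosts(locations)
    internal = [h for h in hosts if h != public_host.lower()]
    return len(hosts) > 1 or bool(internal)


def probe(host: str, path: str = "/images", port: int = 80,
          count: int = 20, timeout: float = 5.0) -> List[str]:
    """Live version of the check (assumed behaviour, not run offline).

    Opens a fresh connection per request so the load balancer is free to
    pick a different backend each time, and keeps only 3xx Location values.
    """
    seen: List[str] = []
    for _ in range(count):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path,
                         headers={"Host": host, "Connection": "close"})
            resp = conn.getresponse()
            loc = resp.getheader("Location")
            if loc and 300 <= resp.status < 400:
                seen.append(loc)
        finally:
            conn.close()
    return seen


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in probe("x.x.x.x")
    # to test a live target you are authorised to scan.
    print("hosts disclosed:", disclosed_hosts(SAMPLE_LOCATIONS))
    print("load balanced:", looks_load_balanced(SAMPLE_LOCATIONS, "www.example.com"))
```

Whatever configuration change is made, this is the condition to re-test afterwards: the Location host must stop alternating between requests and must stop differing from the public name. A server that emits relative redirects, or always the public name, passes the check.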