Details
-
Type:
Improvement
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-3.3.0.GA, EE-4.3.0.GA
-
Fix Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
-
Component/s: Framework
-
Labels:None
-
Environment:ICEfaces EE
Description
The "X-Powered-By: ICEfacesEE" HTTP header reveals that the application uses the ICEFacesEE, which may be used to attackers to formulate an attack.
This is considered to be a security vulnerability.
This JIRA is to remove this header from the ICEfaces EE products.
This is considered to be a security vulnerability.
This JIRA is to remove this header from the ICEfaces EE products.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
Removed the "X-Powered-By" response header and verified that there wasn't another instance of it in the code. This was done for both the 3.x trunk and the 4.x trunk. Also launched Jenkins builds for both trunks, which completed successfully.
http://dev.icesoft.com/jenkins/job/ICEfaces%20EE%203%20Trunk%20(Nightly)/859/
http://dev.icesoft.com/jenkins/job/ICEfaces%20EE%204%20Trunk%20(Nightly)/868/
We can now proceed to create the tags for the upcoming releases.
Show
Arturo Zambrano
added a comment - Removed the "X-Powered-By" response header and verified that there wasn't another instance of it in the code. This was done for both the 3.x trunk and the 4.x trunk. Also launched Jenkins builds for both trunks, which completed successfully.
http://dev.icesoft.com/jenkins/job/ICEfaces%20EE%203%20Trunk%20(Nightly)/859/
http://dev.icesoft.com/jenkins/job/ICEfaces%20EE%204%20Trunk%20(Nightly)/868/
We can now proceed to create the tags for the upcoming releases.
ICEfaces EE 3.3.0.GA
The src for this is found in the ICEpushServlet.java class, line 73: "response.addHeader("X-Powered-By", ProductInfo.PRODUCT);"