Glassfish security vulnerability

When you deploy IT components such as operating systems, application servers and web servers in a Web 2.0 hosting environment, it’s very important to have a hardened configuration before your public launch, i.e. before your web apps are reachable from the internet on HTTP ports 80 and 443. In environments without firewalls, e.g. on cheap “root servers”, you’re often online and reachable by every internet user, hackers included, right after the initial setup of your web stack.

IT administrators and Web 2.0 developers are always working under pressure, and there’s no time to find all the security vulnerabilities in the software products they use, open source as well as commercial. At a time when most attacks against Web 2.0 apps travel inside the HTTP/HTTPS protocol itself, e.g. SQL injection, cross-site scripting and so on, it’s important that the installation of web stack components is secure by default.

An example: a basic rule for a secure web configuration, for more than a decade now, has been to have directory listings switched off in web servers and app servers.

What about glassfish 2.0 and security? Are there any concerns?

Back to the directory listing example.

The Glassfish default is to have directory listings on, and you have to modify

glassfish/domains/domain1/config/default-web.xml

to get a secure glassfish configuration, as also mentioned by hobione.
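A small script that checks and flips the “listings” setting in that file, added here as an example (it is not part of the original post or of the GlassFish project). It assumes the stock layout of default-web.xml: a web-app in the javaee namespace with a servlet named “default” whose “listings” init-param controls directory listings; the document embedded below is a constructed sample in that shape, so the script runs without a GlassFish install.

```python
"""Turn off the DefaultServlet directory listing in a GlassFish default-web.xml.

Added example for this post (not the GlassFish project's own code). Assumed
layout: glassfish/domains/domain1/config/default-web.xml holds a <servlet>
named "default" whose "listings" <init-param> controls directory listings.
"""
import xml.etree.ElementTree as ET

JEE_NS = "http://java.sun.com/xml/ns/javaee"
NS = {"j": JEE_NS}
# Keep the default namespace unprefixed when the tree is serialised again.
ET.register_namespace("", JEE_NS)

# Constructed sample: listings are on, the default the post complains about.
SAMPLE_DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _default_servlet(root):
    """Return the <servlet> element named 'default', or None."""
    for servlet in root.findall("j:servlet", NS):
        name = servlet.find("j:servlet-name", NS)
        if name is not None and (name.text or "").strip() == "default":
            return servlet
    return None


def _listings_param(servlet):
    """Return the <init-param> whose param-name is 'listings', or None."""
    for param in servlet.findall("j:init-param", NS):
        pname = param.find("j:param-name", NS)
        if pname is not None and (pname.text or "").strip() == "listings":
            return param
    return None


def listings_setting(xml_text):
    """Return the configured 'listings' value ('true'/'false'), or None if unset."""
    servlet = _default_servlet(ET.fromstring(xml_text))
    if servlet is None:
        return None
    param = _listings_param(servlet)
    if param is None:
        return None
    value = param.find("j:param-value", NS)
    if value is None:
        return None
    return (value.text or "").strip().lower()


def disable_listings(xml_text):
    """Return xml_text with listings forced to 'false'; safe to run repeatedly."""
    root = ET.fromstring(xml_text)
    servlet = _default_servlet(root)
    if servlet is None:
        raise ValueError("no <servlet> named 'default' found")
    param = _listings_param(servlet)
    if param is None:
        # Build the init-param and insert it before <load-on-startup>, which
        # the web-app schema requires to come after every init-param.
        param = ET.Element("{%s}init-param" % JEE_NS)
        ET.SubElement(param, "{%s}param-name" % JEE_NS).text = "listings"
        ET.SubElement(param, "{%s}param-value" % JEE_NS).text = "false"
        children = list(servlet)
        load = servlet.find("j:load-on-startup", NS)
        idx = children.index(load) if load is not None else len(children)
        servlet.insert(idx, param)
    else:
        value = param.find("j:param-value", NS)
        if value is None:
            value = ET.SubElement(param, "{%s}param-value" % JEE_NS)
        value.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", listings_setting(SAMPLE_DEFAULT_WEB_XML))
    hardened = disable_listings(SAMPLE_DEFAULT_WEB_XML)
    print("after: ", listings_setting(hardened))
```

To use it on a real install, read the file into `xml_text`, write back the string `disable_listings` returns, and restart the domain; `listings_setting` is the check to run afterwards.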


Another thing is the default HTTP headers from glassfish. They’re too noisy by default; they tell everyone on the web which version of glassfish you’re using:

Server: Sun Java System Application Server 9.1

X-Powered-By:Servlet/2.5

So my suggestion for the glassfish project members is to change these defaults to secure ones, which means:

  • Directory Listing “off”
  • HTTP Header at least without any software version information
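A way to verify both points against a response captured from your own server (e.g. the output of `curl -i`), added here as an example that is not part of the original post or of GlassFish. It assumes plain HTTP/1.x framing and the listing page titles used by the Tomcat-derived DefaultServlet (“Directory Listing For”) and Apache httpd (“Index of”); the two responses embedded below are constructed samples, one with the post’s stock headers plus a listing body and one hardened, so it runs offline.

```python
"""Audit a captured HTTP response for the two noisy GlassFish defaults the post
describes: version strings in the Server / X-Powered-By headers and a body
that is a directory listing.

Added example, not code from the original post or from the GlassFish project.
Assumptions: HTTP/1.x framing; listing titles "Directory Listing For" (Tomcat
DefaultServlet) and "Index of" (Apache httpd).
"""
import re

# Constructed sample: the stock headers quoted in the post plus a listing page.
NOISY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Sun Java System Application Server 9.1\r\n"
    b"X-Powered-By: Servlet/2.5\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Directory Listing For /</title></head>"
    b"<body><h1>Directory Listing For /</h1></body></html>"
)

# Constructed sample: a 404 (where such headers usually show up, as the
# comments note) with no version information and no listing.
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Application Server\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body><h1>Not found</h1></body></html>"
)

# Headers that commonly fingerprint the software stack.
DISCLOSING_HEADERS = ("server", "x-powered-by")
# A dotted number such as 9.1 or 2.5 is what we treat as a version string.
VERSION_RE = re.compile(r"\b\d+\.\d+")
# Titles used by the Tomcat/GlassFish DefaultServlet and Apache httpd listings.
LISTING_RE = re.compile(r"<title>\s*(directory listing for|index of)\b",
                        re.IGNORECASE)


def parse_response(raw):
    """Split raw bytes into (status_line, headers, body).

    headers is a list of (lower-cased name, value) pairs so repeated headers
    are kept; the body is decoded leniently because it is only pattern-matched.
    """
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    status_line = lines[0].strip()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:  # skip malformed header lines instead of crashing on them
            continue
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body.decode("latin-1", "replace")


def audit_response(raw):
    """Return a list of findings; an empty list means both checks passed."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append("%s header discloses a version: %r" % (name, value))
    if LISTING_RE.search(body):
        findings.append("response body looks like a directory listing")
    return findings


if __name__ == "__main__":
    for label, raw in (("noisy", NOISY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["ok"])
```

Point it at a 404 as well as at a directory URL: the comments below are right that the headers are most visible on error pages, and the listing check only fires on a path the DefaultServlet actually serves as a directory.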

8 comments

  1. Andy says:

    Do you know how to remove that part from the header? Is there an option or is it necessary to implement a filter or something which removes these entries?

  2. baltixz says:

    Usually, server info on headers appears on a 404 page not found or similar errors. The following below turns off the directory listing from Glassfish as well as custom Error page. Change the values accordingly.

    [Disable Directory-Listing to be modified on /gf-install-dir/domains/domain1/config/default-web.xml]

        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>

    [Custom error page to be modified in /gf-install-dir/domains/domain1/config/domain.xml]
