ZAA-2020-08
Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2020-08
- Date: 03/03/2020
- Title: Information Disclosure in HTTP Headers of default config example
- Severity: low
- Product: Zammad 1.0.x up to 3.2.0
- Fixed in: Zammad 3.2.1, 3.3.0
- References:
  - CVE: pending
Vulnerability Descriptions
Information Disclosure in HTTP Headers of default config example (CVE pending)
HTTP response headers from the Zammad application include the type and version of the web server software deployed for the system. An attacker could use this information to find public vulnerabilities and target attacks against specific types and versions of the server.
When the web server was set up with the example/default configuration, the exact version of the NginX/Apache2 in front of the application can also be determined from these HTTP response headers.
Special 🙏 and 🤘 and ❤️ to:
- N: Guardian Project
- N: Center for Digital Resilience
- N: TÜV Rheinland i-sec GmbH
- D: Security Researcher
Recommended Resolution
Existing web server/reverse proxy installations cannot be updated automatically, so manual action is required.
- For NginX: Extend your "server" block with "server_tokens off;" as in https://github.com/zammad/zammad/blob/develop/contrib/nginx/zammad.conf
- For Apache2: Extend your "VirtualHost" with "ServerTokens Prod" and "ServerSignature Off" as in https://github.com/zammad/zammad/blob/develop/contrib/apache2/zammad_ssl.conf
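To confirm that the change took effect, here is an added shell check (not part of the advisory or of the Zammad project) that inspects a response for a version number in the Server header and for the Apache signature footer that "ServerSignature Off" removes. The sample responses are constructed, and the URL in check_url is a placeholder for your own instance.

```shell
#!/bin/sh
# Added example: detect web server version disclosure as described in ZAA-2020-08.

# Constructed sample responses (not captured from any real system).
DEFAULT_NGINX='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'
HARDENED_NGINX='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
DEFAULT_APACHE='HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)'
DEFAULT_APACHE_BODY='<address>Apache/2.4.41 (Ubuntu) Server at helpdesk.example.com Port 443</address>'
HARDENED_APACHE='HTTP/1.1 404 Not Found
Server: Apache'

# Prints the value of the Server header from a raw header block (empty if absent).
server_header() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# $1: response headers, $2: response body (may be empty).
# Returns 0 when no version is disclosed, 1 when the Server header carries a
# version (e.g. "nginx/1.18.0", "Apache/2.4.41 (Ubuntu)") or the body carries
# the Apache error-page signature line.
response_hardened() {
  if server_header "$1" | grep -q '[0-9]\+\.[0-9]\+'; then
    return 1
  fi
  if printf '%s\n' "$2" | grep -qi '<address>.*Server at '; then
    return 1
  fi
  return 0
}

# Live check of your own instance (needs network; pass e.g. https://zammad.example.com/).
# Splits the curl -i output at the first blank line into headers and body.
check_url() {
  resp=$(curl -s -i "$1")
  response_hardened "$(printf '%s\n' "$resp" | sed '/^[[:space:]]*$/q')" \
                    "$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')"
}
```

Request a path that does not exist when probing Apache, since the signature footer only appears on server-generated error pages.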
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2020-08
Send all remarks on security issues to security@zammad.com.