Can X-Powered-By response header be removed?
#1
We are currently using IntraWeb 14.2.3 with Delphi 10.1 Berlin and have an ISAPI application running under IIS 8.5.  We have recently had a scan done on our app which uncovered the "Information Leakage in Server Response" vulnerability.  Specifically, it shows X-Powered-By: IntraWeb, which we cannot figure out how to remove.  We have tried adding <remove name="X-Powered-By" /> to the custom headers section of the web.config; however, that did not seem to have an effect.  We don't see where in the Server Controller this can be done either.  Can the X-Powered-By header be removed or at the very least overwritten?  If so, please explain.
#2
In 15 there is an option to remove such headers. I think it includes that one, if not it can be expanded to do so.
#3
(10-03-2018, 04:31 PM)kudzu Wrote: In 15 there is an option to remove such headers. I think it includes that one, if not it can be expanded to do so.

I just tried this and it worked:

   if Pos('IntraWeb', vMetaValue) > 0 then
   begin
      vMetaValue := '';
   end;

Is there a more elegant way to accomplish this task?
#4
(10-03-2018, 04:51 PM)LorenSzendre Wrote:
I just tried this and it worked:

   if Pos('IntraWeb', vMetaValue) > 0 then
   begin
      vMetaValue := '';
   end;

Is there a more elegant way to accomplish this task?

We do plan on upgrading during our freeze period in December.  Regarding that snippet of code, in what method/event did you do that?
#5
(10-03-2018, 05:12 PM)rchristi12 Wrote:
We do plan on upgrading during our freeze period in December.   Regarding that snippet of code, in what method/event did you do that?

procedure TIWServerController.IWServerControllerBaseMetaTag(
  ASession: TIWApplication; const AMetaName: string; var vMetaValue: string);
begin
   // Blank any meta/header value that names IntraWeb (e.g. X-Powered-By)
   if Pos('IntraWeb', vMetaValue) > 0 then
   begin
      vMetaValue := '';
   end;
end;
#6
(10-03-2018, 05:17 PM)LorenSzendre Wrote:
procedure TIWServerController.IWServerControllerBaseMetaTag(
  ASession: TIWApplication; const AMetaName: string; var vMetaValue: string);
begin
   // Blank any meta/header value that names IntraWeb (e.g. X-Powered-By)
   if Pos('IntraWeb', vMetaValue) > 0 then
   begin
      vMetaValue := '';
   end;
end;
Thanks.  I guess I will revisit this once we upgrade to version 15.
#7
(10-03-2018, 05:35 PM)rchristi12 Wrote:
Thanks.  I guess I will revisit this once we upgrade to version 15.

15 is really impressive, I like it a lot. Migrating to it was simple, but it was not without hiccups. I found two serious bugs, one of which was a corner case and was fixed, and the other of which will shortly be fixed. I already have an easy workaround, so I'm already using 15 effectively in production.

I'm very glad to be on 15. If you don't have any 3rd party IW components, you can literally be compiling and running on 15 in as long as it takes to run the installer.
#8
(10-03-2018, 08:35 PM)LorenSzendre Wrote:
15 is really impressive, I like it a lot. Migrating to it was simple, but it was not without hiccups. I found two serious bugs, one of which was a corner case and was fixed, and the other of which will shortly be fixed. I already have an easy workaround, so I'm already using 15 effectively in production.

I'm very glad to be on 15. If you don't have any 3rd party IW components, you can literally be compiling and running on 15 in as long as it takes to run the installer.

That's good to know.  Unfortunately you need to purchase a new license for version 15 otherwise we would have tried to upgrade already.  We do use TMS components but it appears they support version 15 now.

By the way it turns out I was able to suppress the powered by message without upgrading.  I did so by using URL Rewrite and creating an outbound rule.

Thanks again guys for the info.
#9
(10-03-2018, 08:44 PM)rchristi12 Wrote: Can you show me some code for how to use URL Rewrite?

And Chad -- is there a chance that I could remove the empty lines in the header? Perhaps a property of the ServerController to do some basic minification. Folks spend a fortune reducing the size of their output. It seems to me there is some low-lying fruit here...
#10
(10-03-2018, 10:15 PM)LorenSzendre Wrote:
(10-03-2018, 08:44 PM)rchristi12 Wrote: Can you show me some code for how to use URL Rewrite?

And Chad -- is there a chance that I could remove the empty lines in the header? Perhaps a property of the ServerController to do some basic minification. Folks spend a fortune reducing the size of their output. It seems to me there is some low-lying fruit here...

Once you install URL Rewrite it shows up as an icon in the IIS configuration for your web application.  You can then double click it and use the GUI to create an outbound rule.  Or you can simply add the following inside your web.config file:

<system.webServer>
  <rewrite>
     <outboundRules>
         <rule name="X-Powered-By">
             <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
             <action type="Rewrite" />
         </rule>
     </outboundRules>
  </rewrite>
</system.webServer>

Keep in mind this does not eliminate the header X-Powered-By from being displayed entirely;  just replaces the value with nothing.
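A post-fix check, added here as an example and not code from the thread or from IntraWeb: it parses a raw HTTP response and classifies fingerprint headers as absent, empty, or leaking, so the outcome of the web.config outbound rule in this post (header kept, value blanked) and of the ServerController MetaTag handler in post #5 can be told apart from a true removal when re-testing the scan finding. The header list and the sample responses are constructed for the example, not captured from a real server.

```python
# Headers that identify the platform. The thread's scan flagged X-Powered-By;
# the other two are assumed here as commonly reported by the same finding.
FINGERPRINT_HEADERS = ("x-powered-by", "server", "x-aspnet-version")

# Constructed sample responses (not captured from a real server).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: IntraWeb\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# After the URL Rewrite outbound rule above: header still sent, value blanked.
RESPONSE_AFTER_REWRITE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: \r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# After a change that drops the fingerprint headers entirely.
RESPONSE_AFTER_REMOVAL = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, stripped value) pairs from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw: str) -> dict[str, str]:
    """Classify each fingerprint header as absent, empty, or leaking: <values>."""
    headers = parse_headers(raw)
    verdict = {}
    for name in FINGERPRINT_HEADERS:
        values = [v for n, v in headers if n == name]
        if not values:
            verdict[name] = "absent"
        elif all(v == "" for v in values):
            verdict[name] = "empty"  # presence alone still hints at the stack
        else:
            verdict[name] = "leaking: " + ", ".join(values)
    return verdict

def is_clean(raw: str) -> bool:
    """True only when every fingerprint header is gone, not merely blanked."""
    return all(v == "absent" for v in audit(raw).values())
```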