Can X-Powered-By response header be removed? - Printable Version
+- Atozed Forums (https://www.atozed.com/forums)
+-- Forum: Atozed Software (https://www.atozed.com/forums/forum-1.html)
+--- Forum: IntraWeb (https://www.atozed.com/forums/forum-3.html)
+---- Forum: English (https://www.atozed.com/forums/forum-16.html)
+----- Forum: IntraWeb General Discussion (https://www.atozed.com/forums/forum-4.html)
+----- Thread: Can X-Powered-By response header be removed? (/thread-708.html)
Can X-Powered-By response header be removed? - rchristi12 - 10-02-2018

We are currently using IntraWeb 14.2.3 with Delphi 10.1 Berlin and have an ISAPI application running under IIS 8.5. We have recently had a scan done on our app which uncovered the "Information Leakage in Server Response" vulnerability. Specifically it shows X-Powered-By: IntraWeb, which we cannot figure out how to remove. We have tried adding <remove name="X-Powered-By" /> to the custom headers section of the web.config; however, that did not seem to have an effect. We don't see where in the Server Controller this can be done either. Can the X-Powered-By header be removed or at the very least overwritten? If so, please explain.

RE: Can X-Powered-By response header be removed? - kudzu - 10-03-2018

In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

RE: Can X-Powered-By response header be removed? - LorenSzendre - 10-03-2018

(10-03-2018, 04:31 PM)kudzu Wrote:
    In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

I just tried this and it worked:

    if Pos('IntraWeb', vMetaValue) > 0 then
    begin
      vMetaValue := '';
    end;

Is there a more elegant way to accomplish this task?

RE: Can X-Powered-By response header be removed? - rchristi12 - 10-03-2018

(10-03-2018, 04:51 PM)LorenSzendre Wrote:
    (10-03-2018, 04:31 PM)kudzu Wrote: In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

We do plan on upgrading during our freeze period in December. Regarding that snippet of code, in what method/event did you do that?

RE: Can X-Powered-By response header be removed? - LorenSzendre - 10-03-2018

(10-03-2018, 05:12 PM)rchristi12 Wrote:
    (10-03-2018, 04:51 PM)LorenSzendre Wrote: (10-03-2018, 04:31 PM)kudzu Wrote: In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

    procedure TIWServerController.IWServerControllerBaseMetaTag(ASession: TIWApplication;
      const AMetaName: string; var vMetaValue: string);
    begin
      // Blank out any meta value that carries the IntraWeb product name
      if Pos('IntraWeb', vMetaValue) > 0 then
      begin
        vMetaValue := '';
      end;
    end;

RE: Can X-Powered-By response header be removed? - rchristi12 - 10-03-2018

(10-03-2018, 05:17 PM)LorenSzendre Wrote:
    (10-03-2018, 05:12 PM)rchristi12 Wrote: (10-03-2018, 04:51 PM)LorenSzendre Wrote: (10-03-2018, 04:31 PM)kudzu Wrote: In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

Thanks. I guess I will revisit this once we upgrade to version 15.

RE: Can X-Powered-By response header be removed? - LorenSzendre - 10-03-2018

(10-03-2018, 05:35 PM)rchristi12 Wrote:
    (10-03-2018, 05:17 PM)LorenSzendre Wrote: (10-03-2018, 05:12 PM)rchristi12 Wrote: (10-03-2018, 04:51 PM)LorenSzendre Wrote: (10-03-2018, 04:31 PM)kudzu Wrote: In 15 there is an option to remove such headers. I think it includes that one; if not, it can be expanded to do so.

15 is really impressive, I like it a lot. Migrating to it was simple, but it was not without hiccups. I found two serious bugs, one of which was a corner case and was fixed, and the other of which will shortly be fixed. I already have an easy workaround, so I'm already using 15 effectively in production. I'm very glad to be on 15. If you don't have any 3rd party IW components, you can literally be compiling and running on 15 in as long as it takes to run the installer.

RE: Can X-Powered-By response header be removed? - rchristi12 - 10-03-2018

(10-03-2018, 08:35 PM)LorenSzendre Wrote:
    (10-03-2018, 05:35 PM)rchristi12 Wrote: 15 is really impressive, I like it a lot. Migrating to it was simple, but it was not without hiccups. I found two serious bugs, one of which was a corner case and was fixed, and the other of which will shortly be fixed. I already have an easy workaround, so I'm already using 15 effectively in production.
    (10-03-2018, 05:17 PM)LorenSzendre Wrote: (10-03-2018, 05:12 PM)rchristi12 Wrote: (10-03-2018, 04:51 PM)LorenSzendre Wrote: I just tried this and it worked:

That's good to know. Unfortunately you need to purchase a new license for version 15; otherwise we would have tried to upgrade already. We do use TMS components, but it appears they support version 15 now. By the way, it turns out I was able to suppress the powered-by message without upgrading. I did so by using URL Rewrite and creating an outbound rule. Thanks again guys for the info.

RE: Can X-Powered-By response header be removed? - LorenSzendre - 10-03-2018

(10-03-2018, 08:44 PM)rchristi12 Wrote:

Can you show me some code for how to use URL Rewrite?

RE: Can X-Powered-By response header be removed? - rchristi12 - 10-04-2018

(10-03-2018, 10:15 PM)LorenSzendre Wrote:
    (10-03-2018, 08:44 PM)rchristi12 Wrote:
    Can you show me some code for how to use URL Rewrite?

Once you install URL Rewrite it shows up as an icon in the IIS configuration for your web application. You can then double-click it and use the GUI to create an outbound rule. Or you can simply add the following inside your web.config file:

    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="X-Powered-By">
            <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
            <action type="Rewrite" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>

Keep in mind this does not eliminate the X-Powered-By header from being displayed entirely; it just replaces the value with nothing.
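The caveat at the end of the thread (the outbound rule empties the header value but leaves the header line in place) is easy to verify without touching IIS. The following is an added example, not code from the forum thread or from IntraWeb, URL Rewrite or IIS: it parses a raw HTTP response, classifies the X-Powered-By header as absent, empty or leaking a value, and models the thread's outbound rule (match pattern ".*", action Rewrite with no value) as a regex substitution on the header value so the difference between "emptied" and "removed" can be seen side by side. The sample response is constructed for the example; nothing here is a capture from a real server.

```python
# Added example (not from the forum thread or from IntraWeb/IIS): offline check
# of the X-Powered-By header state in a captured HTTP response, plus a model of
# the URL Rewrite outbound rule discussed in the thread.
import re

TARGET = "x-powered-by"  # header names are case-insensitive; compare lowercased


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        # Split on the first colon only; values such as Date contain colons themselves
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def build_response(status_line: str, headers, body: bytes) -> bytes:
    """Inverse of parse_response; an emptied header serialises as 'Name: ' with no value."""
    head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def powered_by_state(raw: bytes) -> str:
    """Return 'absent', 'empty' (line present, no value) or 'leaks' (a value is exposed)."""
    _, headers, _ = parse_response(raw)
    values = [v for n, v in headers if n.lower() == TARGET]
    if not values:
        return "absent"
    return "empty" if all(v == "" for v in values) else "leaks"


def rewrite_outbound(raw: bytes, pattern: str = ".*", replacement: str = "") -> bytes:
    """Model of the thread's outbound rule: rewrite the header value, keep the header line.

    Mirrors <match pattern=".*"/> plus <action type="Rewrite"/> with no value attribute:
    the first match of `pattern` in the value is replaced by `replacement` (empty string).
    """
    status_line, headers, body = parse_response(raw)
    regex = re.compile(pattern)
    rewritten = [
        (n, regex.sub(replacement, v, count=1) if n.lower() == TARGET else v)
        for n, v in headers
    ]
    return build_response(status_line, rewritten, body)


def strip_header(raw: bytes) -> bytes:
    """What the response looks like when the header line is actually removed, for contrast."""
    status_line, headers, body = parse_response(raw)
    kept = [(n, v) for n, v in headers if n.lower() != TARGET]
    return build_response(status_line, kept, body)


# Constructed sample response (not a capture from any real server), shaped like
# the banner the original poster's scan flagged.
SAMPLE_LEAKING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Powered-By: IntraWeb\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def audit(raw: bytes) -> dict:
    """Report the header state as captured, after the rewrite rule, and after removal."""
    return {
        "as_captured": powered_by_state(raw),
        "after_rewrite_rule": powered_by_state(rewrite_outbound(raw)),
        "after_removal": powered_by_state(strip_header(raw)),
    }


if __name__ == "__main__":
    for label, state in audit(SAMPLE_LEAKING).items():
        print(f"{label:>20}: {state}")
```

A scanner that only greps for the header name will still flag the "empty" case, which is exactly what the last post warns about; running the audit against a saved response from the real application (for example, the raw output of a curl -i call) tells you which of the three states you are actually in.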