Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protection against XSS by CSP & mask ReGaHss Servername #597

Merged
merged 1 commit into from
Apr 10, 2019
Merged

Protection against XSS by CSP & mask ReGaHss Servername #597

merged 1 commit into from
Apr 10, 2019

Conversation

psytester
Copy link
Contributor

  1. the setenv.set-response-header part will overwrite the possibly provided ReGaHss Server name on Lighttpd controlled ports
    The HTTP response header will not longer contain Server: ise GmbH HTTP-Server v2.0 --> it becomes Server: Server
    If a system is available on open port 80 by portforwarding, it is not longer identifiable by this special server name
    Currently there are 8303 open HomeMatic systems listed: https://www.shodan.io/search?query=ise+GmbH+HTTP-Server+v2.0
    It's (a little bit) harder for the attacker to find a HomeMatic system, if the Server HTTP header is obfuscated.

  2. The CSP setting protects against XSS attacks. It needs to allow remote host *.homematic.com to be able to load version check java script from http://ccu3-update.homematic.com/firmware/download?cmd=js_check_version&........
    You may adjust the host name for RaspberryMatic update check, too.

1. the setenv.set-response-header part will overwrite the possibly provided ReGaHss Server name on Lighttpd controlled ports
The HTTP response header will not longer contain ```Server: ise GmbH HTTP-Server v2.0``` --> it becomes ```Server: Server```
If a system is available on open port 80 by portforwarding, it is not longer identifiable by this special server name
Currently there are 8303 open HomeMatic systems listed: https://www.shodan.io/search?query=ise+GmbH+HTTP-Server+v2.0
It's (a little bit) harder for the attacker to find a HomeMatic system, if the Server HTTP header is obfuscated.

2. The CSP setting protects against XSS attacks. It needs to allow remote host ```*.homematic.com``` to be able to load version check java script from http://ccu3-update.homematic.com/firmware/download?cmd=js_check_version&........
You may adjust the host name for RaspberryMatic update check, too.
@jens-maus
Copy link
Owner

As your PR is for RaspverryMatic please provide the correct CSP setting and please provide references to appropriate documentation explaining the theory behind your changes in detail.

@psytester
Copy link
Contributor Author

I don't know the update check URLs used in RaspverryMatic, as the maintainer you should adapt them.

Which theory do you mean? The configuration usage or the help of response obfuscation?
Since 1.4.46 lighttpd is able to use the setenv.set-environment() refer to
https://redmine.lighttpd.net/issues/650
https://redmine.lighttpd.net/issues/2295
https://redmine.lighttpd.net/projects/1/wiki/Docs_ModSetEnv

@jens-maus jens-maus added 💡 enhancement-ideas New feature or change request 🔥 security relevant This is a security relevant issue/ticket labels Apr 10, 2019
@jens-maus jens-maus added this to the next release milestone Apr 10, 2019
@jens-maus jens-maus merged commit 2caee8c into jens-maus:master Apr 10, 2019
jens-maus added a commit that referenced this pull request Apr 10, 2019
for newer firmware devices for RaspberryMatic. Also added "X-WebKit-CSP"
response header to serve older webbrowsers as well. In addition, neither
lighttpd nor ReGa will now output any "Server:" response header anymore
to prevents detailed analyses on the web server type. This refs #597.
@jens-maus
Copy link
Owner

Thanks for your PR. After some checks I integrated it now and also enhanced it a bit.

jens-maus added a commit that referenced this pull request Apr 10, 2019
the cross site image reference to paypalobjects.com. This refs #597.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
💡 enhancement-ideas New feature or change request 🔥 security relevant This is a security relevant issue/ticket
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants