Version Disclosure (nginx) about manalyze HOT 9 CLOSED

I found a 403 forbidden page which is diclosing nginx version too.
URL: https://manalyzer.org/static/

from manalyze.

These are the known vulnerabilites of this version:
1.ginx Restriction Bypass Vulnerability

nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote attackers to bypass intended access restrictions and access restricted files via (1) a trailing . (dot) or (2) certain $index_allocation sequences in a request.

External References
•CVE-2011-4963

2.nginx Restriction Bypass Vulnerability

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

External References
•CVE-2013-4547

3.nginx Request Line Parsing Vulnerability

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

External References
•CVE-2013-4547

4.Nginx Plaintext Command Injection Attack

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a 'plaintext command injection' attack, a similar issue to CVE-2011-0411.

External References
•CVE-2014-3556

5.Nginx SSL Virtual Host Confusion Attacks

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct 'virtual host confusion' attacks.

External References
•CVE-2014-3616

from manalyze.

Thanks for reporting this. Have you tried exploiting these vulnerabilities? All relevant patches have most likely been backported by Debian's security team.
I might just disable server tokens anyway, because I'm getting too many reports based just on the version number.

from manalyze.

from manalyze.

As mentioned in the bug bounty rule page, exploitability needs to be demonstrated. A simple application version is not sufficient to indicate a vulnerability as security patches may be backported by distribution maitainers.

Is my report is eligible for bounty or swag.

Please accept this free Manalyzer logo as thanks for banner grabbing my server:

from manalyze.

from manalyze.

To quote the bug bounty rules again :
Security issues in the manalyzer.org machine are eligible as well. However, only bugs which have an actual security impact will be rewarded with money. (Emphasis also in the original document)

Information disclosures are eligible for bounty or swag if and only if the rules say they do, and they specifically indicate otherwise.

from manalyze.

from manalyze.

You just got swag (a free copy of the manalyzer logo).
I also think actual security impact should be rewarded with money. Sadly, you report is neither impactful, security-related or even actual (a CVE from 2011).

from manalyze.