Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?

From: Alex Muntada <alexm+bugtraq () ac upc es>
Date: Thu, 22 Aug 2002 11:07:36 +0200
Quoting Hector A. Paterno:


I have found  a discrepancy between mod_auth and ServerTokens Prod.
 
Using, openbsd CURRENT , apache 1.3.26, as the example:
 
I add the following line to the httpd.conf file :

ServerTokens Prod
 
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server :
 
 HEAD / HTTP/1.0\r\n\r\n
 
[info]
Server: Apache
[info]
 
But , when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following errror : 
 
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
 
Giving me the version of the apache server.
 
I'm not an apache guru, but from from my point of view this seems to be a  
flaw(?) in the mod_auth module.


Hector,
to disable apache server signature (it's on by default) you
should add this to your httpd.conf and restart apache:

  ServerSignature Off

The ServerTokens directive applies to HTTP Server response
header only. Take a look at apache manual for more details:

  http://httpd.apache.org/docs/mod/core.html#serversignature
  http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
Previous By Date Next
Previous By Thread Next

Current thread: