Penetration Testing mailing list archives

Re: vulnerability scanners not effective? or just a false-positive?


From: James Davis <jamesd () jml net>
Date: Thu, 30 Mar 2006 08:26:40 +0100

On Wed, 2006-03-29 at 21:33 +0530, Joel Jose wrote:

and one more quest. How many of you think that the existance of the default
banners in services(eg apache default error pages) are a security threat, if
not high, atleast medium?. I do.

Most compromises of Apache will be by automated scripts that won't be so
cleverly coded that they bother to check that the server is running
Apache before attempting an exploit. Look at the number of attempted IIS
exploits you see in any public facing Apache's logs for evidence of
this.

You can use the ServerTokens directive in the Apache configuration to
limit the amount of information given out.

James


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most comprehensive 
solutions to meet your application security penetration testing and 
vulnerability management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------


Current thread: