httpd-dev mailing list archives

From Roy Fielding <>
Date Fri, 28 Jul 1995 02:55:56 GMT
> this is just a thought prompted by Paul Richards.  It'd be kind of
> nice to figure out what OS people are running their server on.
> Is this a stupid idea, does Server: have a strictly interpreted meaning
> or can we play god?

Er, stupid isn't the word I'd use, but it's not a good idea.  It simply
allows a cracker to determine exactly what hardware/software platform
is being used on that host, together with the server version, which
is sufficient information to allow all NCSA 1.3 servers to be 
compromised on the first attempt (i.e., the cracker doesn't have to
guess at all, and nothing unusual will show in your logs until it is too
late to do anything about it).

Now, I'm not saying that Apache has any security holes, but I'm not
willing to guarantee that it doesn't either.  It would be nice if all
such information (the entire header) could be easily removed by
paranoid server admins (like me).  I'd certainly veto the supply
of any additional info.
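The disclosure the message objects to is mechanical: a Server header is a list of product tokens (name, optional version) and parenthesised comments (usually the OS or build), so a client learns exactly as much as the server chooses to emit. The following is an added illustration, not code from this thread or from Apache: it parses a Server value using the product/comment grammar from RFC 7231 section 7.4.2, reports which fingerprinting facts it gives away without guessing, and rebuilds it at a chosen disclosure level, including the "remove it entirely" option asked for above (Apache later added the ServerTokens directive to cover the reduced levels). The sample header values are constructed for the demo, not captured from any host.

```python
"""Parse an HTTP Server header (product *( RWS ( product / comment ) )),
report what a remote client learns from it, and rebuild it with only
the parts an admin chooses to disclose.  Added example; not code from
the httpd-dev thread or from Apache."""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 7230 "token" characters; product = token [ "/" product-version ]
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT_RE = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


@dataclass
class ServerInfo:
    products: list = field(default_factory=list)   # (name, version-or-None)
    comments: list = field(default_factory=list)   # text inside ( ), e.g. the OS


def parse_server_header(value: str) -> ServerInfo:
    """Split a Server header value into product tokens and comments."""
    info = ServerInfo()
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch.isspace():
            i += 1
        elif ch == "(":
            # comments may nest: "(Unix (Linux))" is one comment
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unterminated comment in Server header")
            info.comments.append(value[i + 1:j - 1].strip())
            i = j
        else:
            m = _PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"bad product token at offset {i}: {value[i:]!r}")
            info.products.append((m.group(1), m.group(2)))
            i = m.end()
    return info


def disclosed(info: ServerInfo) -> set:
    """Fingerprinting facts the header hands over with no guessing needed."""
    facts = set()
    if info.products:
        facts.add("product")
    if any(ver for _, ver in info.products):
        facts.add("version")
    if info.comments:
        facts.add("platform")      # OS / hardware details live in comments
    return facts


def reduce_header(info: ServerInfo, keep: str) -> Optional[str]:
    """Rebuild the header at disclosure level keep = 'none' | 'product' | 'version'.

    'none' returns None, meaning the header should be omitted altogether;
    comments (the platform) are never kept at any level.
    """
    if keep == "none":
        return None
    if keep not in ("product", "version"):
        raise ValueError(f"unknown level {keep!r}")
    parts = []
    for name, ver in info.products:
        parts.append(f"{name}/{ver}" if keep == "version" and ver else name)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values for the demo, not captured from real hosts.
    for raw in ("NCSA/1.3", "Apache/1.0.0 (Unix)", "Apache"):
        info = parse_server_header(raw)
        print(f"{raw!r:24} discloses {sorted(disclosed(info))};"
              f" product-only form: {reduce_header(info, 'product')!r}")
```

Run stand-alone it prints, for each sample, which of product, version and platform are exposed and what the header would look like reduced to product names; the parser raises ValueError on an unterminated comment or a malformed token rather than silently accepting part of the value.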

