httpd-users mailing list archives

From "John Passaniti" <jp...@rochester.rr.com>
Subject Identifying server platform
Date Mon, 01 Jul 2002 15:53:25 GMT
> Maybe so people out on the 'net won't know what
> platform you *are* using?

Security by obscurity is the weakest form of protection.  Most systems
can be "fingerprinted" with tools like nmap and xprobe and others to
determine the operating system.  And there are other less technical
means to do the same thing.

For example, looking at your web page on golux.com with telnet, I can
guess that you're on a Unix system, because this was returned after I
issued a bad request:

	Server: Apache/1.3.27-dev (Unix) PHP/4.3.0-dev DAV/1.0.3-dev

Your server might be lying... but assuming not, I know what version of
PHP and DAV you're using-- very handy if in the future there is a
vulnerability found in either.  And if the server is lying... well,
there are other ways to figure out the platform.

Anyone foolish enough to believe that simply getting rid of a .pl
extension will keep the platform they're using hidden probably isn't
aware of the various other ways an operating system can be identified.

Incidentally, I use the .pl extension while under Linux for my CGI
scripts.  Why?  Because when I'm editing scripts, my editor can
associate language-specific settings (tab stops, syntax highlighting,
etc.).  So I guess this means there is a class of people who believe
that some of my scripts are running under Windows?  How cute.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
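
An added example, not part of the original message: a Python sketch that splits a `Server` response header, such as the one quoted in the message, into its product tokens and parenthesised comment, and lists what the banner tells any client. The function names are hypothetical; the sample line is the banner quoted above.

```python
import re

# Sample input: the banner quoted in the message above.
SAMPLE = "Server: Apache/1.3.27-dev (Unix) PHP/4.3.0-dev DAV/1.0.3-dev"

# Matches either a parenthesised comment or a product token name[/version].
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s/()]+)(?:/([^\s()]+))?")


def parse_server_header(line):
    """Split a Server header into (products, comments).

    products is a list of (name, version-or-None) in header order;
    comments is a list of the parenthesised strings.
    """
    name, sep, value = line.partition(":")
    # Accept either the full header line or just its value.
    if sep and name.strip().lower() == "server":
        line = value
    products, comments = [], []
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            comments.append(m.group(1).strip())
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments


def disclosures(line):
    """Describe each piece of information the banner gives away."""
    products, comments = parse_server_header(line)
    found = []
    for i, (name, version) in enumerate(products):
        # By convention the first product is the server, the rest add-ons.
        kind = "server" if i == 0 else "module"
        if version:
            found.append(f"{kind} version: {name} {version}")
        else:
            found.append(f"{kind} name: {name}")
    found += [f"platform hint: {c}" for c in comments if c]
    return found


if __name__ == "__main__":
    for item in disclosures(SAMPLE):
        print(item)
```

Running it against your own server's banner shows which component versions you would need to track against future advisories.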

