httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject RE: [users@httpd] Apache/1.3.28 Server at Port 80
Date Tue, 18 Nov 2003 15:23:28 GMT

[This thread has pretty-much concluded in my absence, but there are a
couple things here I should really correct.]

On Tue, 18 Nov 2003, Rafael Faura wrote:
> --- Fortunately we aren't talking about IIS ;). My logs are full of IIS
> unicode/decode attempt exploit lines, nothing that can affect Apache. And
> script kiddies, specially script kiddies, have **no idea** about exploiting
> Apache bugs, they only run simple IIS unicode/decode scanners.

Not at all true.  I don't know of any worms targetting the core apache
code, but there have certainly been worms targetting apache together with
certain other programs.  Take the recent OpenSSL worm, for example.

> 2. Smart crackers can easily figure out this information with high
> accuracy regardless of whether you display it publicly.
> --- Smart crackers?... well, i suposse that you're talking about smart
> hackers.


Personally, I don't have any problem with people mucking with their
ServerSignature and Server: header; you can do what you want with your own
server.  But I do have a problem with people recommending this as a
security enhancement.  It's not.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message