httpd-users mailing list archives

From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject: Re: [users@httpd] Fixing HTTP Service / Server Version Detected
Date: Wed, 10 Jun 2009 18:14:13 GMT

Singh, Sukhjeet wrote:
> 
> The server allows capture of the HTTP service banner. Service banners
> can contain sensitive information, such as application and Operating
> System (OS) version numbers. An attacker can use the version information
> from your Web server to determine if there are any known vulnerabilities
> present, or can use such information to create attacks towards the
> specific application or OS.
> 
> SSL HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4;
> JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA
> date=200807181417)/JBossWeb-2.0 ETag: W/1570-1216412442000
> Last-Modified: Fri, 18 Jul 2008 20:20:42 GMT Content-Type: text/html
> Content-Length: 1570 Date: Wed, 11 Mar 2009 02:11:24 GMT

Repeat noise, you get noise in response.  Exploits are rarely sophisticated
in their attack.  They will probe for vulnerable URIs until they achieve
success.  You can cloak your Tomcat as IIS, your IIS as Apache or your httpd
as whatever and it won't matter one iota.

But no matter, "there's a directive for that"(TM)[1].  See

 http://httpd.apache.org/docs/2.2/mod/core.html#servertokens

Sadly, this information is useless to you.  This is not an httpd issue,
it's a JBoss issue.  Take it to their user forum.  This is not a JBoss
support forum.

[1] "there's a directive for that" is a Trademark of the Apache Software
    Foundation, created by the Apache httpd Project.  :)


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
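
Added example, not part of the original message and not httpd or JBoss project code: a small audit check that parses the response headers quoted above, lists the version tokens they disclose, and reports whether the Server header is httpd's own (the only case where ServerTokens changes anything). The function names, the header list and the sample layout are assumptions made for illustration.

```python
import re

# Constructed sample: the headers quoted in the message above, rebuilt with
# one header per line (ETag/Last-Modified/Date omitted for brevity).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA "
    "date=200807181417)/JBossWeb-2.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that usually carry product banners (assumed list, not exhaustive).
BANNER_HEADERS = ("server", "x-powered-by")
# A product name followed by a dotted version, e.g. "Apache-Coyote/1.1".
VERSION_RE = re.compile(r"[A-Za-z][A-Za-z_-]*[/ -]\d+(?:\.\d+)+")


def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(raw):
    """Return (findings, servertokens_applies) for one response head."""
    headers = parse_headers(raw)
    findings = [(h, tok) for h in BANNER_HEADERS
                for tok in VERSION_RE.findall(headers.get(h, ""))]
    # httpd's Server header has the product token "Apache". "Apache-Coyote"
    # is the servlet container's connector, which ServerTokens does not
    # touch: the banner has to be changed on the JBoss side, as the reply says.
    product = headers.get("server", "").split("/")[0].split(" ")[0]
    return findings, product == "Apache"


if __name__ == "__main__":
    found, applies = audit_banner(SAMPLE)
    for header, token in found:
        print(f"{header}: discloses {token}")
    print("httpd ServerTokens applies:", applies)
```
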

