Bugtraq mailing list archives
Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?
From: Alex Muntada <alexm+bugtraq () ac upc es>
Date: Thu, 22 Aug 2002 11:07:36 +0200
Quoting Hector A. Paterno:
> I have found a discrepancy between mod_auth and ServerTokens Prod. Using
> OpenBSD CURRENT, Apache 1.3.26, as the example: I add the following line
> to the httpd.conf file:
>
>     ServerTokens Prod
>
> So, when I try to get the version/modules of Apache with the HEAD method,
> I obtain as a reply only the type of the server:
>
>     HEAD / HTTP/1.0\r\n\r\n
>     [info]
>     Server: Apache
>     [info]
>
> But when I enable mod_auth and try to access the protected directory with
> an invalid username/password, I obtain the following error:
>
>     401 Authorization Required
>     [bleh bleh info]
>     Apache/1.3.26 Server at xxxxx Port 80
>
> giving me the version of the Apache server. I'm not an Apache guru, but
> from my point of view this seems to be a flaw(?) in the mod_auth module.
Hector, to disable the Apache server signature (it's on by default) you should add this to your httpd.conf and restart Apache:

    ServerSignature Off

The ServerTokens directive applies to the HTTP Server response header only. Take a look at the Apache manual for more details:

http://httpd.apache.org/docs/mod/core.html#serversignature
http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

-- 
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
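The point of the exchange above is that the two directives cover different parts of the response: ServerTokens trims the Server header, ServerSignature removes the "Apache/x.y.z Server at ..." footer that error pages such as mod_auth's 401 carry. The script below is an added example, not code from either poster: it audits an httpd.conf for both directives (treating a missing ServerSignature as something to set explicitly rather than trusting whichever default the build ships with), grades a captured HTTP response for a version string, and carries a `probe` helper that reproduces the thread's two requests with curl against a host you administer. The config files and 401 responses it creates are constructed samples; `probe` is defined but not run.

```shell
#!/bin/sh
# Added example for this thread; not code from either poster. It audits an
# httpd.conf for the two directives discussed (ServerTokens covers only the
# Server header, ServerSignature covers the footer of error pages such as the
# 401 from mod_auth) and grades a captured response for a version string.
# The config files and responses below are constructed samples.

# Effective value of a directive: Apache reads the file top to bottom and the
# last occurrence wins; comment lines start with '#'; directive names are
# case-insensitive. Prints nothing if the directive never appears. (Assumption:
# the directive is global; <VirtualHost>/<Directory> scoping is not modelled.)
directive_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null | tail -n 1 | awk '{print $2}'
}

# Returns 0 when ServerTokens Prod and ServerSignature Off are both set,
# 1 otherwise, printing one finding per line. A missing directive is reported
# as a finding rather than trusting the build's or the vendor's default.
audit_httpd_conf() {
    conf="$1"
    rc=0
    tokens=$(directive_value "$conf" ServerTokens)
    sig=$(directive_value "$conf" ServerSignature)
    case "$(printf '%s' "$tokens" | tr 'A-Z' 'a-z')" in
        prod|productonly) echo "ServerTokens: $tokens (ok: Server header is just 'Apache')" ;;
        "")               echo "ServerTokens: not set (add 'ServerTokens Prod')"; rc=1 ;;
        *)                echo "ServerTokens: $tokens (version in Server header; use Prod)"; rc=1 ;;
    esac
    case "$(printf '%s' "$sig" | tr 'A-Z' 'a-z')" in
        off) echo "ServerSignature: $sig (ok: no version footer on error pages)" ;;
        "")  echo "ServerSignature: not set (add 'ServerSignature Off' explicitly)"; rc=1 ;;
        *)   echo "ServerSignature: $sig (401/404 pages show Apache/x.y.z; use Off)"; rc=1 ;;
    esac
    return $rc
}

# Does a raw HTTP response (headers and body) reveal an Apache version anywhere?
# Checking the whole response matters because the two directives govern
# different parts of it.
leaks_version() {
    grep -qE 'Apache/[0-9]+\.[0-9]+' "$1"
}

# Live check against a host you administer (not run here): the two requests
# from the thread, a HEAD for the Server header and a bad-credential GET for
# the 401 page. $1 is the host, $2 the protected path (placeholders).
probe() {
    curl -sI "http://$1/" | grep -i '^Server:'
    curl -s -u bogus:bogus "http://$1${2:-/}" | grep -E 'Apache/[0-9]' || echo "no version in body"
}

# Constructed samples.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# The setup described in the thread: header covered, error pages not.
ServerTokens Prod
ServerSignature On
EOF
cat > "$tmp/hard.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
cat > "$tmp/weak-401.txt" <<'EOF'
HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Basic realm="private"
Content-Type: text/html

<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD><BODY>
<H1>Authorization Required</H1>
<HR><ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>
</BODY></HTML>
EOF
# Same page as served with ServerSignature Off: the ADDRESS footer is gone.
sed '/<HR><ADDRESS>/d' "$tmp/weak-401.txt" > "$tmp/hard-401.txt"

WEAK_CONF="$tmp/weak.conf"; HARD_CONF="$tmp/hard.conf"
WEAK_RESP="$tmp/weak-401.txt"; HARD_RESP="$tmp/hard-401.txt"

echo "== weak.conf =="; audit_httpd_conf "$WEAK_CONF" || echo "-> FAIL"
echo "== hard.conf =="; audit_httpd_conf "$HARD_CONF" && echo "-> PASS"
leaks_version "$WEAK_RESP" && echo "weak 401 leaks Apache/1.3.26"
leaks_version "$HARD_RESP" || echo "hardened 401 shows no version"
```

Run it as-is to see the weak configuration fail on ServerSignature alone while ServerTokens passes, which is exactly the situation reported; point `probe www.example.com /private/` at one of your own servers to compare the header and the 401 body after a restart. The audit deliberately ignores per-section scoping, so a ServerSignature set inside a <VirtualHost> block still needs a manual look.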
Current thread:
- Information disclosure on mod_auth ( apache 1.3.26 ) ? Hector A. Paterno (Aug 19)
- Re: Information disclosure on mod_auth ( apache 1.3.26 ) ? Alex Muntada (Aug 22)