WebApp Sec mailing list archives

Re: About web server version


From: "Kurt Seifried" <bt () seifried org>
Date: Sat, 26 Apr 2003 14:56:10 -0700

Hi everybody,
I would like to know if it is possible to modify the
information returned by the web server (apache) about
version, type: apache
I have found the solution to hide the version by adding
this rule to the httpd.conf:
ServerTokens Prod
But I would like this information also not to be
returned to a malicious user who tries to collect
information about the web server

You will need to modify the source code. Unfortunately that won't really
fool anyone. Error messages, header formats/etc all provide plenty of
information. Check out Rain.Forest.Puppy's presentation on this and his
whisker tool available at wiretrip.net.


In any event it doesn't matter, most "generic" web attacks I have seen are
not targeted, they simply take a shotgun approach, or if it's a worm it just
blasts out at everyone. Much better to spend the time and effort keeping
Apache up to date.


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
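
An added example, not part of the original message or of Apache: a defender-side check of what a response from your own server discloses, in the Server header (classified by ServerTokens level) and in the error-page footer that Apache's ServerSignature directive appends. The function names, sample responses and version strings are constructed for illustration.

```python
import re

# Server header shapes Apache emits per ServerTokens level, most specific first.
LEVELS = [
    ("Full", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S")),
    ("OS", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Min", re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod", re.compile(r"^Apache$")),
]
# Footer that ServerSignature On appends to server-generated error pages.
SIGNATURE = re.compile(r"<address>(Apache[^<]*) Server at [^<]* Port \d+</address>")

def parse_response(raw):
    """Split a raw HTTP response into (headers dict with lowercase names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def banner_level(value):
    for level, pattern in LEVELS:
        if pattern.match(value):
            return level
    return "Unknown"  # not a stock Apache banner shape

def audit(raw):
    """Return findings for one response; an empty list means nothing beyond 'Apache'."""
    headers, body = parse_response(raw)
    findings = []
    server = headers.get("server")
    if server is not None and banner_level(server) != "Prod":
        findings.append(f"Server header at level {banner_level(server)}: {server}")
    footer = SIGNATURE.search(body)
    if footer and footer.group(1) != "Apache":
        findings.append(f"error-page footer discloses: {footer.group(1)}")
    return findings

# Constructed sample responses (not captured from a real host).
DEFAULT_404 = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.45 (Unix)\r\n"
               "Content-Type: text/html\r\n\r\n<h1>Not Found</h1><hr>\n"
               "<address>Apache/2.0.45 (Unix) Server at www.example.test Port 80</address>")
PROD_404 = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
            "Content-Type: text/html\r\n\r\n<h1>Not Found</h1><hr>\n"
            "<address>Apache Server at www.example.test Port 80</address>")
```

An empty result from `audit` covers only the banner and the footer; as the reply above says, error messages and header formats still identify the server.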


