WebApp Sec mailing list archives
Re: About web server version
From: "Kurt Seifried" <bt () seifried org>
Date: Sat, 26 Apr 2003 14:56:10 -0700
Hi everybody, i would like to know if it is possible to modify information returned by web server (apache) about version, type : apache I have found the solution to hide the version by adding this rule to the httpd.conf : ServerTokens Prod But I would like that this information also not returned to a malicious user that try to collect information about the web server
You will need to modify the source code. Unfortunately that won't really fool anyone. Error messages, header formats/etc all provide plenty of information. Check out Rain.Forest.Puppy's presentation on this and his whisker tool available at wiretrip.net. In any event it doesn't matter, most "generic" web attacks I have seen are not targeted, they simply take a shotgun approach, or if it's a worm it just blasts out at everyone. Much better to spend the time and effort keeping Apache up to date. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
Current thread:
- About web server version ystar m (Apr 26)
- Re: About web server version Kurt Seifried (Apr 26)
- Re: About web server version Jeremiah Grossman (Apr 28)
- <Possible follow-ups>
- Re: About web server version ystar m (Apr 28)