[26736] in bugtraq
Information disclosure on mod_auth ( apache 1.3.26 ) ?
daemon@ATHENA.MIT.EDU (Hector A. Paterno)
Mon Aug 19 19:34:51 2002
Date: Fri, 16 Aug 2002 22:12:32 -0300
From: "Hector A. Paterno" <apaterno@dsnargentina.com.ar>
To: bugtraq@securityfocus.com
Message-ID: <20020816221232.A10322@igmp.com.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Hi, I have found a discrepancy between mod_auth and ServerTokens Prod.
Using OpenBSD CURRENT, Apache 1.3.26, as the example:
I add the following line to the httpd.conf file:
ServerTokens Prod
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server:
HEAD / HTTP/1.0\r\n\r\n
[info]
Server: Apache
[info]
But, when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following error:
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
Giving me the version of the apache server.
I'm not an apache guru, but from my point of view this seems to be a
flaw(?) in the mod_auth module.
Comments appreciated.
Best Regards.
--
Hector A. Paterno
Digital Security Networks S.A.
Mail : apaterno@dsnargentina.com.ar
Fido : 4:901/343.5
pub 1024D/C1F2348C 2001-12-04 Hector A. Paterno <apaterno@dsnargentina.com.ar>
Key Fingerprint : D741 154E 5CA0 C446 1A7B 4750 0469 0BEB C1F2 348C
Key ID : 0xC1F2348C ( pgp.mit.edu )
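The two responses described in the post (a HEAD reply carrying only "Server: Apache", and a 401 page whose footer still prints the full version) can be checked mechanically. The footer line of the 401 page is the ServerSignature footer, which Apache 1.3 emits independently of ServerTokens; setting ServerSignature Off in httpd.conf removes it. The script below is an added example, not code from the post or from the Apache project: it parses raw HTTP responses and reports where a full version string appears, so an administrator can confirm after a config change that neither the Server header nor the error body discloses it. The two sample responses are constructed to mirror what the post shows (the host name www.example.com and the Date values are made up).

```python
"""Report Apache version disclosure in HTTP response headers and bodies.

Added example (not part of the original post). Given a raw response as
bytes, it parses the status line, headers and body, and reports whether
a full "Apache/x.y.z" token appears in the Server header or in the body
(for a 401 page, that is the ServerSignature <ADDRESS> footer).
"""
import re

# Matches a product token that carries a version, e.g. "Apache/1.3.26".
# The bare product name "Apache" (ServerTokens Prod) does not match.
VERSION_RE = re.compile(r"Apache/\d+(?:\.\d+)+\S*")

# Constructed sample: HEAD / reply from a server with ServerTokens Prod.
HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 16 Aug 2002 22:12:32 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed sample: 401 page from the same server with ServerSignature On.
# The header is clean, but the body footer prints the full version.
UNAUTHORIZED_RESPONSE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Date: Fri, 16 Aug 2002 22:13:05 GMT\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="Restricted"\r\n'
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD>\n"
    b"<BODY><H1>Authorization Required</H1>\n"
    b"This server could not verify that you are authorized to access\n"
    b"the document requested.\n<HR>\n"
    b"<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>\n"
    b"</BODY></HTML>\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body.decode("iso-8859-1", "replace")


def find_version_leaks(raw: bytes) -> dict:
    """Report the Server header value and any versioned tokens in the body."""
    status_code, headers, body = parse_response(raw)
    server = headers.get("server", "")
    return {
        "status_code": status_code,
        "server_header": server,
        "header_leaks_version": bool(VERSION_RE.search(server)),
        # Every versioned product token found in the body, in order.
        "body_versions": VERSION_RE.findall(body),
    }


def discloses_version(raw: bytes) -> bool:
    """True if the response reveals a full version anywhere."""
    report = find_version_leaks(raw)
    return report["header_leaks_version"] or bool(report["body_versions"])


if __name__ == "__main__":
    for label, raw in (("HEAD /", HEAD_RESPONSE), ("401 page", UNAUTHORIZED_RESPONSE)):
        report = find_version_leaks(raw)
        print(label, report)
        print("  discloses version:", discloses_version(raw))
```

To run it against a real server, replace the constructed byte strings with the raw reply read from a socket (for example after `socket.create_connection((host, 80))` and sending the request line shown in the post). Once ServerSignature Off is in place, the 401 page should yield an empty `body_versions` list.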