[26766] in bugtraq


Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?

daemon@ATHENA.MIT.EDU (Alex Muntada)
Thu Aug 22 11:36:01 2002

Date: Thu, 22 Aug 2002 11:07:36 +0200
From: Alex Muntada <alexm+bugtraq@ac.upc.es>
To: bugtraq@securityfocus.com
Message-ID: <20020822090736.GH9599@ac.upc.es>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020816221232.A10322@igmp.com.ar>

Quoting Hector A. Paterno:

> I have found a discrepancy between mod_auth and ServerTokens Prod.
>  
> Using, openbsd CURRENT , apache 1.3.26, as the example:
>  
> I add the following line to the httpd.conf file :
> 
> ServerTokens Prod
>  
> So, when I try to get the version/modules of apache with the HEAD
> method, I obtain as a reply only the type of the server :
>  
>  HEAD / HTTP/1.0\r\n\r\n
>  
> [info]
> Server: Apache
> [info]
>  
> But , when I enable mod_auth and try to access the protected directory
> with an invalid username / password, I obtain the following error : 
>  
> 401 Authorization Required
> [bleh bleh info]
> Apache/1.3.26 Server at xxxxx Port 80
>  
> Giving me the version of the apache server.
>  
> I'm not an apache guru, but from my point of view this seems to be a  
> flaw(?) in the mod_auth module.

Hector,
to disable apache server signature (it's on by default) you
should add this to your httpd.conf and restart apache:

  ServerSignature Off

The ServerTokens directive applies to the HTTP Server response
header only. Take a look at the apache manual for more details:

  http://httpd.apache.org/docs/mod/core.html#serversignature
  http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
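The distinction in this thread is that ServerTokens governs only the Server response header, while ServerSignature governs the footer Apache appends to its own error pages, so a server can hide the version in one place and still print it in the other. The script below is an added example (not part of the original thread or of Apache) that parses a raw HTTP response and reports an Apache version string found in either location, so that both directives can be verified from a captured response. The three responses are constructed for illustration; the hostname www.example.com is a placeholder.

```python
"""Added example: find Apache version disclosure in a captured HTTP response,
checking both the Server header (ServerTokens) and the error-page footer
(ServerSignature). Not code from the bugtraq thread or from Apache."""
import re

# Matches strings such as "Apache/1.3.26" in a header value or an HTML body.
VERSION_RE = re.compile(r"Apache/\d+(?:\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", errors="replace")


def version_leaks(raw: bytes):
    """Return [(where, matched_text)] for every version string found;
    'header' means the Server header, 'body' means the response body."""
    _status, headers, body = parse_response(raw)
    findings = []
    m = VERSION_RE.search(headers.get("server", ""))
    if m:
        findings.append(("header", m.group(0)))
    for m in VERSION_RE.finditer(body):
        findings.append(("body", m.group(0)))
    return findings


# Constructed sample 1: default configuration, version shown in the header
# and in the error-page footer.
DEFAULT_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: Apache/1.3.26 (Unix)\r\n"
    b"WWW-Authenticate: Basic realm=\"private\"\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD><BODY>"
    b"<H1>Authorization Required</H1><HR>"
    b"<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>"
    b"</BODY></HTML>"
)

# Constructed sample 2: ServerTokens Prod only. The header is clean, but
# ServerSignature is still on, so the footer reveals the version.
PROD_ONLY_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: Apache\r\n"
    b"WWW-Authenticate: Basic realm=\"private\"\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD><BODY>"
    b"<H1>Authorization Required</H1><HR>"
    b"<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>"
    b"</BODY></HTML>"
)

# Constructed sample 3: ServerTokens Prod and ServerSignature Off together.
QUIET_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: Apache\r\n"
    b"WWW-Authenticate: Basic realm=\"private\"\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD><BODY>"
    b"<H1>Authorization Required</H1></BODY></HTML>"
)

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_401),
                          ("prod-only", PROD_ONLY_401),
                          ("quiet", QUIET_401)):
        print(label, version_leaks(sample))
```

Running the script prints the findings for each constructed response: the default configuration leaks in both places, ServerTokens Prod alone still leaks through the body footer (the case Hector reported), and only the combination with ServerSignature Off produces no finding.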
