alt.apache.configuration Apache web server configuration issues.
#1
Hi NG,

how can I prevent apache2 from telling everyone about its configuration during the access to webdav or a directory listing? The wdav client can tell me what modules are activated in my config, and when browsing the directory there's even a line at the bottom of the page saying

Apache/2.0.52 (Unix) DAV/2 Catacomb/0.9.2 SVN/1.2.1 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.5 Server at yes.look.for.an.exploit.u.know.everything.com Port 443

Is there any way to fake that information?

Thank you!
Dennis
#2
On 6 Feb, 07:57, "dennis_divine" <idontlikes...@denniswinter.de> wrote:
> Hi NG,
>
> how can I prevent apache2 from telling everyone about its
> configuration during the access to webdav or a directory listing? The
> wdav client can tell me what modules are activated in my config, and
> when browsing the directory there's even a line at the bottom of the
> page saying
>
> Apache/2.0.52 (Unix) DAV/2 Catacomb/0.9.2 SVN/1.2.1 mod_ssl/2.0.50
> OpenSSL/0.9.7d PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.5 Server at
> yes.look.for.an.exploit.u.know.everything.com Port 443
>
> Is there any way to fake that information?
>
> Thank you!
> Dennis

it's in the httpd.conf or derivatives:

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response Header.
    # The default is 'Full' which sends info about OS-Type and compiled in modules.
    # Set to one of: Full | OS | Minor | Minimal | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    #
    ServerSignature Off

And yes, you can fake it (the string) using mod_security.

However, using network profiling and other bits like looking for ..php /manual /icons, return codes on requests like .htaccess, standard error codes, special characters like % and looking for the lack of the other server/OS stuff etc... it's possible to find out what server and OS/server side language you are using pretty much. I'm sure there are automated tools out there!
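An added example, not part of the original posts: a small offline check that reports what a response still discloses through the Server header and the ServerSignature footer, so the effect of the two directives above can be verified. The sample responses and the hostname www.example.com are constructed, the banner is the one quoted in the question, and the function names are hypothetical.

```python
import re

# Server-header product tokens: name[/version], or a "(comment)" such as (Unix).
PRODUCT_RE = re.compile(r"([A-Za-z0-9_.+-]+)(?:/([^\s()]+))?|\(([^)]*)\)")
# Footer that ServerSignature On/EMail appends to server-generated pages.
SIGNATURE_RE = re.compile(
    r"<address>(.*?)\s+Server at\s+(.*?)\s+Port\s+(\d+)</address>", re.I | re.S)

def parse_banner(banner):
    """Split a banner into (product, version) pairs; comments become ('comment', text)."""
    tokens = []
    for m in PRODUCT_RE.finditer(banner):
        if m.group(3) is not None:
            tokens.append(("comment", m.group(3)))
        else:
            tokens.append((m.group(1), m.group(2)))
    return tokens

def audit(raw_response):
    """Return findings for one raw HTTP response (status line, headers, body)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            # With ServerTokens Prod only the bare product name is left.
            leaks = [t for t in parse_banner(value) if t[1] is not None]
            if leaks:
                findings.append(("server-header", leaks))
    sig = SIGNATURE_RE.search(body)
    if sig:  # any footer means ServerSignature is not Off
        findings.append(("signature-footer", parse_banner(sig.group(1))))
    return findings

# Constructed sample responses; BANNER is the string quoted in the question.
BANNER = ("Apache/2.0.52 (Unix) DAV/2 Catacomb/0.9.2 SVN/1.2.1 mod_ssl/2.0.50 "
          "OpenSSL/0.9.7d PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.5")

def sample_response(server, footer=""):
    body = "<html><body><h1>Index of /</h1>" + footer + "</body></html>"
    return ("HTTP/1.1 200 OK\r\nServer: " + server +
            "\r\nContent-Type: text/html\r\n\r\n" + body)
BEFORE = sample_response(BANNER, "<address>" + BANNER +
                         " Server at www.example.com Port 443</address>")
AFTER = sample_response("Apache")  # ServerTokens Prod, ServerSignature Off

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(resp))
```

An empty result only means these two channels are quiet; as the reply above notes, behaviour-based fingerprinting is unaffected by either directive.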
#3
On Feb 6, 9:42 am, "shimmyshack" <matt.fa...@gmail.com> wrote:
> it's in the httpd.conf or derivatives:
> [...]

thanks a lot, Shimmyshack!