Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?
From: Alex Muntada <alexm+bugtraq () ac upc es>
Date: Thu, 22 Aug 2002 11:07:36 +0200
Quoting Hector A. Paterno:


I have found  a discrepancy between mod_auth and ServerTokens Prod.
 
Using, openbsd CURRENT , apache 1.3.26, as the example:
 
I add the following line to the httpd.conf file :

ServerTokens Prod
 
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server :
 
 HEAD / HTTP/1.0\r\n\r\n
 
[info]
Server: Apache
[info]
 
But , when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following errror : 
 
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
 
Giving me the version of the apache server.
 
I'm not an apache guru, but from from my point of view this seems to be a  
flaw(?) in the mod_auth module.


Hector,
to disable apache server signature (it's on by default) you
should add this to your httpd.conf and restart apache:

  ServerSignature Off

The ServerTokens directive applies to HTTP Server response
header only. Take a look at apache manual for more details:

  http://httpd.apache.org/docs/mod/core.html#serversignature
  http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]