Security

While scanning our website using https://www.securitymetrics.com/, I came across the following issues:

ServerName

  • The following telnet session detected our load balancer:

    patrick@noname:~$ telnet www.myserver.com 80
    Trying 89.119.229.49...
    
    Connected to www.myserver.com.
    Escape character is '^]'.
    GET /images HTTP/1.0
    
    HTTP/1.1 302 FOUND
    Date: Thu, 27 May 2010 08:10:23 GMT
    Server: Apache
    Vary: Cookie
    Location: http://web3.myserver.com/images/
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    Connection closed by foreign host.
    
  • The redirection to a different URL returns the Location header which gives the actual URL of the content.

  • The Location header has a different server name to the original request confirming the existence of a load balancer.

  • The Location header returns the ServerName from the Apache configuration file.

  • To stop this vulnerability, set the Apache ServerName to the site name and add a ServerAlias with the actual name of the server e.g:

    ServerName www.myserver.com
    ServerAlias web1.myserver.com
    

    Note: This vulnerability was difficult to detect. The HTTP response only contains the Location header on a redirect. The browser did an automatic redirect, so we couldn’t see the header in FireBug. This curl session shows the problem:

patrick@noname:~$ curl www.myserver.com/images --head
HTTP/1.1 302 FOUND
Date: Thu, 27 May 2010 08:26:45 GMT
Server: Apache
Vary: Cookie
Location: http://web3.myserver.com/images/
Connection: close
Content-Type: text/html; charset=utf-8

patrick@noname:~$ curl www.myserver.com/images/ --head
HTTP/1.1 404 NOT FOUND
Date: Thu, 27 May 2010 08:27:36 GMT
Server: Apache
Vary: Cookie
Content-Length: 5539
Connection: close
Content-Type: text/html; charset=utf-8

ServerTokens Directive

Module Documentation - ServerTokens Directive

Changing the ‘ServerTokens’ directive in the Apache configuration to resemble the following:

ServerTokens Prod

You can set this directive by editing the /etc/httpd/conf/httpd.conf file. The ServerTokens directive will hide the web server information.

mod_status