Security
While scanning our website using https://www.securitymetrics.com/, I came across the following issues:
ServerName
The following telnet session detected our load balancer:
patrick@noname:~$ telnet www.myserver.com 80
Trying 89.119.229.49...
Connected to www.myserver.com.
Escape character is '^]'.
GET /images HTTP/1.0

HTTP/1.1 302 FOUND
Date: Thu, 27 May 2010 08:10:23 GMT
Server: Apache
Vary: Cookie
Location: http://web3.myserver.com/images/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Connection closed by foreign host.
The redirection to a different URL returns the Location header, which gives the actual URL of the content. The Location header carries a different server name from the one in the original request, confirming the existence of a load balancer. The server name in the Location header is the ServerName from the Apache configuration file of the backend that answered. To stop this information leak, set the Apache ServerName to the public site name and add a ServerAlias with the actual name of the server, e.g.:
ServerName www.myserver.com
ServerAlias web1.myserver.com
Note: This vulnerability was difficult to detect. The HTTP response only contains the
Location header on a redirect. The browser did an automatic redirect, so we couldn’t see the header in FireBug. This curl session shows the problem:
patrick@noname:~$ curl www.myserver.com/images --head
HTTP/1.1 302 FOUND
Date: Thu, 27 May 2010 08:26:45 GMT
Server: Apache
Vary: Cookie
Location: http://web3.myserver.com/images/
Connection: close
Content-Type: text/html; charset=utf-8
patrick@noname:~$ curl www.myserver.com/images/ --head
HTTP/1.1 404 NOT FOUND
Date: Thu, 27 May 2010 08:27:36 GMT
Server: Apache
Vary: Cookie
Content-Length: 5539
Connection: close
Content-Type: text/html; charset=utf-8
ServerTokens Directive
Module Documentation - ServerTokens Directive
Change the ‘ServerTokens’ directive in the Apache configuration to the following:
ServerTokens Prod
You can set this directive by editing the /etc/httpd/conf/httpd.conf file.
The ServerTokens directive controls how much the Server response header reveals; with Prod it is reduced to the bare product name (Server: Apache), hiding the version and operating system details.
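The two checks above, as an added Python example that is not part of the original notes: given a raw HTTP response (for instance the headers that curl --head prints), it reports whether a redirect's Location header names a host other than the one requested, and whether the Server header reveals more than ServerTokens Prod would. The sample response, including the Server: Apache/2.2.3 (CentOS) value, is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the 302 shown above but with a verbose
# Server header so both checks have something to find.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 FOUND\r\n"
    "Date: Thu, 27 May 2010 08:26:45 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Vary: Cookie\r\n"
    "Location: http://web3.myserver.com/images/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, {lower-case header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def location_host_leak(request_host, raw):
    """Backend host named by Location if it differs from the requested host, else None.
    Only redirects carry Location, so a plain 200 or 404 never leaks here."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = urlsplit(headers["location"]).hostname  # None for a relative Location
    if target and target.lower() != request_host.lower():
        return target
    return None

def server_tokens_leak(raw):
    """True if Server carries version or OS detail, i.e. more than ServerTokens Prod emits."""
    _, headers = parse_response(raw)
    server = headers.get("server", "")
    return "/" in server or "(" in server
```

Feed it the output of curl --head against the public name with redirects not followed; once ServerName/ServerAlias and ServerTokens Prod are in place both functions return nothing for the same request.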
mod_status
Very useful ticket conversation with a Rackspace person…
../../misc/howto/apache/http/rackspace.txt