Posted to users@httpd.apache.org by Yehuda Katz <ye...@ymkatz.net> on 2020/02/03 02:42:47 UTC

Re: [users@httpd] Small difference on error messages

Hi Kazuhiko,

This change was in response to CVE-2019-10092.
People who aren't upgrading httpd for some reason should still remove the
path information from the error pages to prevent XSS.

- Y

On Thu, Jan 30, 2020 at 4:05 AM kohmoto <ko...@iris.eonet.ne.jp> wrote:

> Hi,
>
> I have learned that small changes in httpd would cause version
> information to be exposed even if we hide it through settings.
>
> The article indicating this reality is at the following link.
>
> https://blog.eg-secure.co.jp/?m=1
>
> This article is written in Japanese. Please excuse this
> inconvenience, but you can understand what is there.
>
> Thank you for your cooperation.
>
> Yours truly,
> Kazuhiko Kohmoto