Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2000/02/17 13:29:02 UTC

Re: Server: response header field and ServerTokens again

I see no reason not to extend ServerTokens as required.

Rodent of Unusual Size wrote:
> 
> According to some mail I've been getting, at least one online
> 'security' consultancy <http://www.icsa.net/> is telling their
> customers that their Web servers need to omit the Server field
> from the response header, or at least any version information
> from it.  This is to avoid helping crackers go directly to
> version-specific exploits.  (Their specific instructions to
> customers describing how to change the field setting for Apache
> are laughable, but..)  Apparently some Web customers are requiring
> 'ICSA compliance,' which means making their Web service providers
> make this happen.
> 
> I'm not in favour of omitting the field altogether, but is it
> worthwhile to add something like "ServerTokens ProductOnly"
> so that the field looks like only "Server: Apache"?  2616
> permits this; the product-version portion is optional.
> 
> Of course, a cracker is going to try *all* the known exploits,
> not just some that seem to apply to a specific version, so
> the *need* for this is infinitesimal at best.  But would adding
> this do any harm?  It would avoid non-developer Apache people
> having to hack/rebuild the source, or possibly moving to another
> server just to satisfy their customers..  we *are* supposed to
> be the most featureful server. ;->
> -- 
> #ken    P-)}
> 
> Ken Coar                    <http://Golux.Com/coar/>
> Apache Software Foundation  <http://www.apache.org/>
> "Apache Server for Dummies" <http://Apache-Server.Com/>
> 
> Come to the first official Apache Software Foundation
> Conference!  <http://ApacheCon.Com/>
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
                "Are you suggesting coconuts migrate??"
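Ken's point above is that RFC 2616 makes the product-version part of each Server header token optional. As an added example (not from this thread or from httpd itself), here is a small Python parser for the header's `1*( product | comment )` grammar that reports which version tokens a given value discloses, which lets an administrator audit what their chosen ServerTokens setting actually emits; the sample header values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# RFC 2616 "token": one or more CHARs that are neither CTLs nor separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 "product": token ["/" product-version]; the version is optional,
# which is what a "Server: Apache"-only setting relies on.
_PRODUCT_RE = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")

@dataclass
class Product:
    name: str
    version: Optional[str]  # None when the server omits product-version

@dataclass
class Comment:
    text: str  # parenthesised text such as "Unix", without the parentheses

def parse_server_header(value: str) -> List[Union[Product, Comment]]:
    """Split a Server header value into its product and comment items."""
    items: List[Union[Product, Comment]] = []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            depth, j = 0, i
            while j < n:  # comments may nest: "(Unix (Linux))"
                depth += {"(": 1, ")": -1}.get(value[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError(f"unterminated comment at offset {i}")
            items.append(Comment(value[i + 1:j]))
            i = j + 1
        else:
            m = _PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"unparseable token at offset {i}: {value[i:]!r}")
            items.append(Product(m.group(1), m.group(2)))
            i = m.end()
    return items

def disclosed_versions(value: str) -> List[str]:
    """Return 'name/version' for every product that carries a version."""
    return [f"{p.name}/{p.version}" for p in parse_server_header(value)
            if isinstance(p, Product) and p.version is not None]

if __name__ == "__main__":
    for hdr in ("Apache", "Apache/1.3.12 (Unix) PHP/4.0"):  # constructed samples
        print(f"{hdr!r}: discloses {disclosed_versions(hdr) or 'no versions'}")
```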

Re: Server: response header field and ServerTokens again

Posted by Martin Kraemer <Ma...@Mch.SNI.De>.
On Thu, Feb 17, 2000 at 07:29:02AM -0500, Jim Jagielski wrote:
> I see no reason not to extend ServerTokens as required.

Ditto. I've seen a patch on the 'net at
  http://www.funkcity.com/0101/apache/
which effectively does the same.

     Martin
-- 
  <Ma...@MchP.Siemens.De>      |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany
((See you at ApacheCon 2000 in Orlando, Florida, March 8-10, 2000!))
		   <URL:http://ApacheCon.Com/>