Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2000/02/17 13:29:02 UTC
Re: Server: response header field and ServerTokens again
I see no reason not to extend ServerTokens as required.
Rodent of Unusual Size wrote:
>
> According to some mail I've been getting, at least one online
> 'security' consultancy <http://www.icsa.net/> is telling their
> customers that their Web servers need to omit the Server field
> from the response header, or at least any version information
> from it. This is to avoid helping crackers go directly to
> version-specific exploits. (Their specific instructions to
> customers describing how to change the field setting for Apache
> are laughable, but..) Apparently some Web customers are requiring
> 'ICSA compliance,' which means making their Web service providers
> make this happen.
>
> I'm not in favour of omitting the field altogether, but is it
> worthwhile to add something like "ServerTokens ProductOnly"
> so that the field looks like only "Server: Apache"? 2616
> permits this; the product-version portion is optional.
>
> Of course, a cracker is going to try *all* the known exploits,
> not just some that seem to apply to a specific version, so
> the *need* for this is infinitesimal at best. But would adding
> this do any harm? It would avoid non-developer Apache people
> having to hack/rebuild the source, or possibly moving to another
> server just to satisfy their customers.. we *are* supposed to
> be the most featureful server. ;->
> --
> #ken P-)}
>
> Ken Coar <http://Golux.Com/coar/>
> Apache Software Foundation <http://www.apache.org/>
> "Apache Server for Dummies" <http://Apache-Server.Com/>
>
> Come to the first official Apache Software Foundation
> Conference! <http://ApacheCon.Com/>
>
--
===========================================================================
Jim Jagielski [|] jim@jaguNET.com [|] http://www.jaguNET.com/
"Are you suggesting coconuts migrate??"
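Ken's proposal hinges on the RFC 2616 grammar for the Server field (Server = 1*( product | comment ), product = token ["/" product-version]), which is what lets the version be dropped while keeping the product name. The following is an added example, not code from this thread or from the Apache project: a small parser for that grammar plus a classifier that maps a captured Server header onto the amount of detail the ServerTokens levels expose (the documented forms are "Apache" for Prod/ProductOnly, "Apache/x.y.z" for Min, "Apache/x.y.z (Unix)" for OS, and the module list for Full). The function names, the SAMPLE_HEADERS table and its version numbers are constructed for the demonstration; the setting-to-header mapping follows Apache's ServerTokens documentation.

```python
import re

# Token characters per RFC 2616 section 2.2: any CHAR except CTLs and the
# separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")

# Constructed sample headers, modelled on the forms the Apache ServerTokens
# documentation gives for each setting (version numbers are made up).
SAMPLE_HEADERS = {
    "Full": "Apache/1.3.12 (Unix) PHP/3.0.15 mod_ssl/2.6.2 OpenSSL/0.9.5",
    "OS":   "Apache/1.3.12 (Unix)",
    "Min":  "Apache/1.3.12",
    "Prod": "Apache",
}


def parse_server_header(value):
    """Split a Server header value into ('product', name, version) and
    ('comment', text, None) entries following the RFC 2616 grammar
    Server = 1*( product | comment ), product = token ["/" product-version].
    Comments may nest; backslash quoted-pairs inside comments are not
    handled (a simplification of RFC 2616's comment rule)."""
    items = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c in " \t":
            i += 1
        elif c == "(":
            depth, j = 0, i
            while j < n:
                if value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced comment in Server header")
            items.append(("comment", value[i + 1:j], None))
            i = j + 1
        else:
            m = PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            items.append(("product", m.group(1), m.group(2)))
            i = m.end()
    return items


def disclosure_level(value):
    """Map a Server header onto the amount of detail Apache's ServerTokens
    levels expose: 'Prod' (product name only), 'Min' (name and version),
    'OS' (plus a parenthesised comment such as the platform) and 'Full'
    (further products such as modules listed after the first). Returns
    'none' for an empty header."""
    items = parse_server_header(value)
    products = [it for it in items if it[0] == "product"]
    comments = [it for it in items if it[0] == "comment"]
    if not products:
        return "none"
    if len(products) > 1:
        return "Full"
    if comments:
        return "OS"
    if products[0][2] is not None:
        return "Min"
    return "Prod"


def leaks_version(value):
    """True if any product in the header carries a product-version, i.e. the
    header would fail the 'no version information' requirement discussed
    in the thread."""
    return any(ver is not None
               for kind, _, ver in parse_server_header(value)
               if kind == "product")


if __name__ == "__main__":
    # Walk the constructed samples and show what each ServerTokens level gives away.
    for setting, header in SAMPLE_HEADERS.items():
        print(f"ServerTokens {setting:<4} -> Server: {header!r:<62} "
              f"level={disclosure_level(header)} "
              f"leaks_version={leaks_version(header)}")
```

Run it against a real response by feeding the Server header value to disclosure_level(); a result of "Prod" corresponds to the "Server: Apache" form the thread proposes, while "Min" or above means a version is still being advertised. Note the parser rejects malformed input (unbalanced comments, separator characters outside a comment) with ValueError rather than guessing.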
Re: Server: response header field and ServerTokens again
Posted by Martin Kraemer <Ma...@Mch.SNI.De>.
On Thu, Feb 17, 2000 at 07:29:02AM -0500, Jim Jagielski wrote:
> I see no reason not to extend ServerTokens as required.
Ditto. I've seen a patch on the 'net at
http://www.funkcity.com/0101/apache/
which effectively does the same.
Martin
--
<Ma...@MchP.Siemens.De> | Fujitsu Siemens
<ma...@apache.org> | 81730 Munich, Germany
((See you at ApacheCon 2000 in Orlando, Florida, March 8-10, 2000!))
<URL:http://ApacheCon.Com/>