Posted to users@httpd.apache.org by Rick Kosbab <Ro...@woh.rr.com> on 2002/02/16 02:04:35 UTC
PHP Solution for Apache 2.0.28?
Is there any PHP fix or workaround for Apache 2.0.28? Also, what would you
recommend? PHP 4 or 3?
Rick
rombus@woh.rr.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: PHP Solution for Apache 2.0.28?
Posted by Webmaster <we...@rolysvirtualpets.com>.
Apache 2.0.28: I don't know
PHP version: PHP 3 is obsolete, so use PHP 4.0.6 (4.1.x sucks)
Rick Kosbab wrote:
>
> Is there any PHP fix or workaround for Apache 2.0.28? Also, what would you
> recommend? PHP 4 or 3?
>
> Rick
> rombus@woh.rr.com
Re: [users@httpd] Return Version
Posted by Robert <ro...@iremote.com>.
Sterling:
You can have Apache divulge a lot or a little information about itself
(in the HTTP headers, at least) using the ServerTokens directive...
http://httpd.apache.org/docs/mod/core.html#servertokens
I know this was said earlier, but it seems odd to me that you'd want to
keep people from knowing this information. On the surface it sounds
like a security measure, but in practice it doesn't really make your
system more secure.
Also, I don't think this is a very common security practice. Check out
NetCraft. It's rare to see a site that makes any system information secret.
http://www.netcraft.com/
Just my $0.02.
~ Robert
Re: [users@httpd] Return Version
Posted by Robert <ro...@iremote.com>.
Sterling:
A couple other things while I'm thinking about this...
You should also make sure to change the default error pages. By default
they return server information in the footer. Also turn off directory
listings (see Options directive) for the server since they have info in
the footer. Of course, you'd probably want to turn these off anyway.
...ah, that's all I can think of at this late hour.
~ Robert
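
An added example, not part of the original posts and not Apache project code: a small Python audit of an httpd.conf for the disclosure points raised in this thread (ServerTokens, the footer on server-generated pages, directory listings, stock error pages). The two configurations are constructed samples, the function names are hypothetical, and the check ignores per-virtual-host and per-directory scoping.

```python
# Constructed sample configurations (not from the thread).
LEAKY_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
ErrorDocument 404 /errors/404.html
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
"""

def directives(conf):
    """Yield (lowercased name, args) per directive; skip comments and <Section> tags."""
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0][0] in "#<":
            continue
        yield parts[0].lower(), parts[1:]

def audit(conf):
    """Return sorted findings for the disclosure points raised in the thread."""
    last, findings = {}, set()
    for name, args in directives(conf):
        last[name] = args  # assumption: last occurrence wins, scoping is ignored
        if name == "options" and any(a.lstrip("+").lower() in ("indexes", "all") for a in args):
            findings.add("directory listings enabled (Options Indexes)")
    # Compiled-in defaults when a directive is absent: ServerTokens Full, ServerSignature Off.
    if last.get("servertokens", ["Full"])[0].lower() not in ("prod", "productonly"):
        findings.add("Server header shows more than the product name (ServerTokens)")
    if last.get("serversignature", ["Off"])[0].lower() != "off":
        findings.add("server-generated pages carry a signature footer (ServerSignature)")
    if "errordocument" not in last:
        findings.add("stock error pages in use (no ErrorDocument)")
    return sorted(findings)

if __name__ == "__main__":
    for label, conf in (("leaky", LEAKY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```
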
Re: [users@httpd] Return Version
Posted by "J. Greenlees" <ja...@shaw.ca>.
yup, read a bit further, turn servertokens off to remove all the data
about the box.
default is full info.
J. Greenlees wrote:
> from the docs:
>
> The |ServerAdmin| and |ServerTokens| directives control what
> information about the server will be presented in server-generated
> documents such as error messages. The |ServerTokens| directive sets
> the value of the Server HTTP response header field.
>
> The |ServerName| and |UseCanonicalName| directives are used by the
> server to determine how to construct self-referential URLs. For
> example, when a client requests a directory, but does not include the
> trailing slash in the directory name, Apache must redirect the client
> to the full name including the trailing slash so that the client will
> correctly resolve relative references in the document.
>
> ------------------------------------------------------------------------
>
> this might be a way to get apache to not identify itself, not lie but
> at least not hand out information about the server and box.
>
> John K. Sterling wrote:
>
>>
>> On Wednesday, August 28, 2002, at 10:03 AM, Chris Taylor wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Recompile it and change the version somewhere in the source.
>>>
>>> Apache won't lie like you want out-of-the-box :)
>>>
>>> Out of interest, why make it lie for the audit? You have an
>>> up-to-date version that works very well and is pretty secure.
>>>
>>
>> It has nothing to do with the current opinion about this version of
>> apache - It is not uncommon for people to consider it a security issue to
>> immediately divulge what os/app/version you are running....
>
>
Re: [users@httpd] Return Version
Posted by "J. Greenlees" <ja...@shaw.ca>.
from the docs:
The |ServerAdmin| and |ServerTokens| directives control what information
about the server will be presented in server-generated documents such as
error messages. The |ServerTokens| directive sets the value of the
Server HTTP response header field.
The |ServerName| and |UseCanonicalName| directives are used by the
server to determine how to construct self-referential URLs. For example,
when a client requests a directory, but does not include the trailing
slash in the directory name, Apache must redirect the client to the full
name including the trailing slash so that the client will correctly
resolve relative references in the document.
------------------------------------------------------------------------
this might be a way to get apache to not identify itself, not lie but at
least not hand out information about the server and box.
John K. Sterling wrote:
>
> On Wednesday, August 28, 2002, at 10:03 AM, Chris Taylor wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Recompile it and change the version somewhere in the source.
>>
>> Apache won't lie like you want out-of-the-box :)
>>
>> Out of interest, why make it lie for the audit? You have an
>> up-to-date version that works very well and is pretty secure.
>>
>
> It has nothing to do with the current opinion about this version of
> apache - It is not uncommon for people to consider it a security issue to
> immediately divulge what os/app/version you are running....
>
> sterling
Re: [users@httpd] Return Version
Posted by "John K. Sterling" <jo...@sterls.com>.
On Wednesday, August 28, 2002, at 10:03 AM, Chris Taylor wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Recompile it and change the version somewhere in the source.
>
> Apache won't lie like you want out-of-the-box :)
>
> Out of interest, why make it lie for the audit? You have an
> up-to-date version that works very well and is pretty secure.
>
It has nothing to do with the current opinion about this version of
apache - It is not uncommon for people to consider it a security issue to
immediately divulge what os/app/version you are running....
sterling
Re: [users@httpd] Return Version
Posted by Chris Taylor <ch...@x-bb.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Recompile it and change the version somewhere in the source.
Apache won't lie like you want out-of-the-box :)
Out of interest, why make it lie for the audit? You have an
up-to-date version that works very well and is pretty secure.
Chris Taylor - chris@x-bb.org - The guy with the PS2 WebServer -
http://www.x-bb.org/chris.asc
- ----- Original Message -----
From: "James Pifer" <ap...@tnjinfl.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, August 28, 2002 3:01 PM
Subject: [users@httpd] Return Version
> Can someone tell me how to make Apache return a bogus version or no
> information at all on Apache 1.3.26 running on win32?
>
> I need to do this for a security audit. My searching so far has not
> given me an answer.
>
> Thanks.
> James
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPWzYLyqf8lmE2RZkEQLl4wCfejqCmSERNc+fVb/N4HOVf/aCBFcAoKdX
d+KVGpepSE7maNbg0I4/nrjH
=RoFT
-----END PGP SIGNATURE-----
[users@httpd] Return Version
Posted by James Pifer <ap...@tnjinfl.com>.
Can someone tell me how to make Apache return a bogus version or no
information at all on Apache 1.3.26 running on win32?
I need to do this for a security audit. My searching so far has not
given me an answer.
Thanks.
James