Posted to users@httpd.apache.org by "J. Bakshi" <jo...@infoservices.in> on 2010/01/02 15:54:59 UTC

[users@httpd] not working

Dear list,

I have tested my webserver (openSUSE 11; apache2-2.2.8-28.4) through nikto. I have found:

```
+ Server: Apache
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.9
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 5 item(s) reported on remote host
+ End Time:        2010-01-03 17:56:35 (2228 seconds)

```

To block TRACE I have added the following in httpd.conf folder


```
<Directory /srv/www/htdocs/>

# Prevents TRACE from allowing attackers to find a
# path through cache or proxy servers.
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Directory>

```

After restarting Apache, nikto is still able to find TRACE. I have a number of VHOSTS, hence rather than .htaccess I would like to add it in httpd.conf. What am I missing here? How can I prevent the other info also, like the PHP header, the icons/ folder etc.? I will be grateful if anyone kindly suggests something.

Thanks
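The following httpd.conf fragment is an added example (not part of the original post and not Apache project code) that addresses each finding in the nikto output above. The reason the posted `<LimitExcept>` block has no effect is that Apache's `<Limit>`/`<LimitExcept>` directives do not cover the TRACE method; the server-wide `TraceEnable` directive (available in Apache 2.2, and back-ported to 1.3.34 and 2.0.55) is the supported switch. The `/usr/share/apache2/icons/` path is an assumption about the openSUSE layout, and the `mod_headers` block assumes that module is loaded.

```apache
# Added example: httpd.conf fragment answering the nikto findings.
# Paths are assumptions about the openSUSE layout; adjust to match.

# OSVDB-877 (TRACE). <Limit>/<LimitExcept> do not apply to TRACE, which is
# why a <Directory> block cannot switch it off. TraceEnable is global and
# makes the server answer TRACE with 405 Method Not Allowed.
TraceEnable off

# Banner hygiene: keep the Server header at a bare "Apache" and drop the
# version footer from error pages and directory listings.
ServerTokens Prod
ServerSignature Off

# OSVDB-0 (X-Powered-By) and OSVDB-12184 (PHPB8B5... easter-egg query strings)
# both come from PHP's expose_php setting, so the authoritative fix is
#     expose_php = Off
# in php.ini. Stripping the header with mod_headers (assumed loaded) covers
# the case where php.ini cannot be edited, but the easter eggs still need
# expose_php = Off.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# OSVDB-3268 / OSVDB-3233 (/icons/ listing and its README). The stock alias
# ships with Options Indexes; remove Indexes here, or delete the Alias
# altogether if FancyIndexing is not used anywhere on the server.
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Turn listings off for the document root as well: one nikto run only
# probes the directories it already knows about.
<Directory /srv/www/htdocs/>
    Options -Indexes
</Directory>
```

Because `TraceEnable`, `ServerTokens` and `ServerSignature` are server-wide, placing them once in httpd.conf covers every virtual host without touching .htaccess. After `apache2ctl configtest` and a restart, a request such as `curl -i -X TRACE http://localhost/` should return 405, and `curl -I http://localhost/index.php` should show no `X-Powered-By` header.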


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.