Posted to dev@httpd.apache.org by Francis Daly <de...@daoine.org> on 2002/08/21 10:56:28 UTC

[PATCH] Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?

On Tue, Aug 20, 2002 at 02:54:52AM -0400, Cliff Woolley wrote:
> On Fri, 16 Aug 2002, Hector A. Paterno wrote:
> 
> > Hi, I have found  a discrepancy between mod_auth and ServerTokens Prod.

> >  HEAD / HTTP/1.0\r\n\r\n
> > Server: Apache

> > 401 Authorization Required
> > [bleh bleh info]
> > Apache/1.3.26 Server at xxxxx Port 80
> > Giving me the version of the apache server.

> This is a misconfiguration.  See also the ServerSignature directive.

Is it configurable enough, though?  (Note: it's not specifically
mod_auth doing this, it's every server-generated page.)

Only considering apache 2, the current "generate the signature" code,
ap_psignature in server/core.c, seems to allow the following output,
based purely on the value of ServerSignature:

- no signature at all
- Apache/2.0.40 Server at web.example.com Port 80
- Apache/2.0.40 Server at web.example.com Port 80, with "web.example.com"
  being a link to the admin email address.

What I think the original poster wants is the option of

- Apache Server at web.example.com Port 80

with or without the email address. Whatever about the original poster,
that's something that I would like to have. 

One way to achieve this could be to base it on "ServerTokens ProductOnly",
and change the signature-generating lines like

    return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
                       " Server at ", ap_get_server_name(r), " Port ", sport,
                       "</address>\n", NULL);

to

    return apr_pstrcat(r->pool, prefix, "<address>", 
                       ap_server_tokens == SrvTk_PRODUCT_ONLY ? 
                         AP_SERVER_BASEPRODUCT : AP_SERVER_BASEVERSION,
                       " Server at ", ap_get_server_name(r), " Port ", sport,
                       "</address>\n", NULL);

Included is a patch which does just that for core.c version 1.199,
the current one in CVS.  It makes the above three-line change in two
places (one with email address, one without), and then moves the
whole ap_psignature function down the file a bit, to below where
ap_server_tokens is declared -- most of the patch is just moving
otherwise-unchanged lines.

Built and tested on 1.184 (2.0.39), it applies cleanly to 1.199.

This *does* change the content of server-generated pages where someone
has explicitly configured "ServerTokens ProductOnly" and has not also
explicitly configured "ServerSignature off"; and it doesn't include a
configurable means of reverting to current behaviour.

For this reason the patch may be inappropriate, and it might be worth
instead introducing a new ServerSignature option to achieve this
output; I don't think it's worth it, myself.  Certainly, the few times
I've configured "ServerTokens ProductOnly" with "ServerSignature on",
I've taken the time to modify core.c so the HTTP headers and the HTML
generated matched.

	f
-- 
Francis Daly        deva@daoine.org
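
The discrepancy discussed in this thread (a product-only `Server:` header next to a versioned `<address>` signature on a server-generated page) can be checked for mechanically. The following is an added example, not part of the original mail or of httpd; the sample response is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: a 401 page as served with "ServerTokens ProductOnly"
# and "ServerSignature On" before the patch (hostname is a placeholder).
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1>\n<hr />\n"
    "<address>Apache/2.0.40 Server at web.example.com Port 80</address>\n"
    "</body></html>\n"
)

VERSIONED = re.compile(r"^[A-Za-z][\w.-]*/(\d[\w.]*)")   # Product/1.2.3
ADDRESS = re.compile(r"<address>(.*?)</address>", re.S | re.I)


def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def leading_version(text):
    """Return the version of a leading Product/version token, or None."""
    text = re.sub(r"<[^>]+>", "", text).strip()  # drop mailto link markup
    match = VERSIONED.match(text)
    return match.group(1) if match else None


def audit(raw):
    """Report versions disclosed in the header and in page signatures."""
    headers, body = split_response(raw)
    header_version = leading_version(headers.get("server", ""))
    sig_versions = [v for v in map(leading_version, ADDRESS.findall(body)) if v]
    return {
        "header_version": header_version,
        "signature_versions": sig_versions,
        # The case from the thread: header hides the version, page shows it.
        "mismatch": header_version is None and bool(sig_versions),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```
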

--- server/core.c.2039	Sat Jun 15 06:49:06 2002
+++ server/core.c	Wed Aug 21 09:52:10 2002
@@ -2222,33 +2222,6 @@
     return NULL;
 }
 
-AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r)
-{
-    char sport[20];
-    core_dir_config *conf;
-
-    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                   &core_module);
-    if ((conf->server_signature == srv_sig_off)
-            || (conf->server_signature == srv_sig_unset)) {
-        return "";
-    }
-
-    apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));
-
-    if (conf->server_signature == srv_sig_withmail) {
-        return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
-                           " Server at <a href=\"mailto:",
-                           r->server->server_admin, "\">",
-                           ap_get_server_name(r), "</a> Port ", sport,
-                           "</address>\n", NULL);
-    }
-
-    return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
-                       " Server at ", ap_get_server_name(r), " Port ", sport,
-                       "</address>\n", NULL);
-}
-
 /*
  * Load an authorisation realm into our location configuration, applying the
  * usual rules that apply to realms.
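Review bot: Removing the whole of ap_psignature here, only to re-add it further down so that ap_server_tokens is in scope, buries the functional change inside a 27-line move and breaks line history for the function. Either split this into a pure-move patch followed by the behaviour change, or leave the function where it is and move the enum server_token_type definition and the static ap_server_tokens declaration above it, so the diff shows only the two changed apr_pstrcat calls.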
@@ -2292,6 +2265,37 @@
     SrvTk_PRODUCT_ONLY  /* eg: Apache */
 };
 static enum server_token_type ap_server_tokens = SrvTk_FULL;
+
+AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r)
+{
+    char sport[20];
+    core_dir_config *conf;
+
+    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+                                                   &core_module);
+    if ((conf->server_signature == srv_sig_off)
+            || (conf->server_signature == srv_sig_unset)) {
+        return "";
+    }
+
+    apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));
+
+    if (conf->server_signature == srv_sig_withmail) {
+        return apr_pstrcat(r->pool, prefix, "<address>",
+                           ap_server_tokens == SrvTk_PRODUCT_ONLY ?
+                             AP_SERVER_BASEPRODUCT : AP_SERVER_BASEVERSION,
+                           " Server at <a href=\"mailto:",
+                           r->server->server_admin, "\">",
+                           ap_get_server_name(r), "</a> Port ", sport,
+                           "</address>\n", NULL);
+    }
+
+    return apr_pstrcat(r->pool, prefix, "<address>",
+                       ap_server_tokens == SrvTk_PRODUCT_ONLY ?
+                         AP_SERVER_BASEPRODUCT : AP_SERVER_BASEVERSION,
+                       " Server at ", ap_get_server_name(r), " Port ", sport,
+                       "</address>\n", NULL);
+}
 
 static apr_status_t reset_version(void *dummy)
 {
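Review bot: The product/version selection is repeated verbatim in both apr_pstrcat calls of the re-added ap_psignature; choose it once after the srv_sig_off/srv_sig_unset check, for example const char *banner = ap_server_tokens == SrvTk_PRODUCT_ONLY ? AP_SERVER_BASEPRODUCT : AP_SERVER_BASEVERSION; and pass banner to both calls so the withmail and plain branches cannot drift apart. The function now also depends on a file-static that is set elsewhere, so a short comment above it stating that ServerTokens ProductOnly suppresses the version in the signature would help the next reader.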