[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)
Caspar Clemens Mierau
launchpad at mierau.eu
Wed Jul 29 15:29:02 BST 2009
Actually "Full" ServerTokens enables automated worm spreading due to
detailed application version scanning. The point is: there is absolutely
no need to display "Full" ServerTokens by default, as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken applications
is no reason for leaking information that actually doesn't *need* to be
published.
Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, which also makes no sense, as this is a debugging setting and
has already had specific 0day exploits.
So from a server administrator's point of view:
Please consider configuring Apache2 more securely by setting ServerTokens
at least to "Minor" and "TraceEnable Off".
Just for your information a list of differences in the ServerTokens settings:
ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
ServerTokens Major
    Server sends (e.g.): Server: Apache/2
ServerTokens Minor
    Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
    Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.
--
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
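As an added example (not part of the bug comment above and not code from the Apache or Ubuntu projects), the following Python script turns the ServerTokens table from the comment into a check an administrator can run against captured responses from their own server: it maps a Server: header value back to the ServerTokens level that produced it, and it decides from a raw response to a TRACE request whether TraceEnable is still On (Apache answers TRACE with 405 when it is Off). All sample header values and responses are constructed for the example; the function names are this example's own.

```python
import re

# Constructed sample Server: header values, one per ServerTokens level, taken
# from the table in the comment above (illustrative values, not captured from
# any real host).
SAMPLE_SERVER_HEADERS = {
    "Prod": "Apache",
    "Major": "Apache/2",
    "Minor": "Apache/2.0",
    "Min": "Apache/2.0.41",
    "OS": "Apache/2.0.41 (Unix)",
    "Full": "Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2",
}

# Constructed raw responses to a TRACE request. With TraceEnable On, Apache
# echoes the request back with status 200 and Content-Type message/http;
# with TraceEnable Off it answers 405 Method Not Allowed.
TRACE_ON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.41 (Unix)\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
)
TRACE_OFF_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"\r\n"
)

# Apache's product token: "Apache", optional "/major[.minor[.patch]]",
# optional " (OS)" comment, and whatever remains (module tokens such as
# PHP/4.2.2) is captured as the rest.
_PRODUCT_TOKEN = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(\s*\([^)]*\))?(.*)$"
)


def classify_server_tokens(server_header):
    """Infer which ServerTokens level produced a Server: header value.

    Returns "Prod", "Major", "Minor", "Min", "OS" or "Full", or None when the
    value does not start with Apache's product token at all.
    """
    m = _PRODUCT_TOKEN.match(server_header.strip())
    if not m:
        return None
    major, minor, patch, os_comment, rest = m.groups()
    if rest.strip():          # module tokens after the OS comment
        return "Full"
    if os_comment:            # "(Unix)", "(Ubuntu)", ...
        return "OS"
    if patch is not None:     # three version components
        return "Min"
    if minor is not None:     # two version components
        return "Minor"
    if major is not None:     # one version component
        return "Major"
    return "Prod"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def trace_enabled(raw_trace_response):
    """True when the server honoured TRACE (200 plus a message/http echo)."""
    status, headers = parse_response(raw_trace_response)
    return status == 200 and headers.get("content-type", "").startswith("message/http")


def audit(server_header, raw_trace_response):
    """Return the findings a hardening check would report, as short strings."""
    findings = []
    level = classify_server_tokens(server_header)
    if level in ("OS", "Full"):
        findings.append(
            f"ServerTokens {level} discloses more than Minor: set ServerTokens Minor or Prod"
        )
    if trace_enabled(raw_trace_response):
        findings.append("TRACE is honoured: set TraceEnable Off")
    return findings


if __name__ == "__main__":
    for level, value in SAMPLE_SERVER_HEADERS.items():
        print(f"{value!r:50} -> {classify_server_tokens(value)}")
    print(audit(SAMPLE_SERVER_HEADERS["Full"], TRACE_ON_RESPONSE))
    print(audit(SAMPLE_SERVER_HEADERS["Prod"], TRACE_OFF_RESPONSE))
```

To use it against a real host, replace the constructed byte strings with the Server: header of any response and the raw bytes returned for a TRACE request to your own server; an empty findings list corresponds to the configuration the comment asks for.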