DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8043>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8043
can discover the server version number even if you have chooson to hide it
Summary: can discover the server version number even if you have
chooson to hide it
Product: Apache httpd-1.3
Version: 1.3.23
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: Other
AssignedTo: bugs@httpd.apache.org
ReportedBy: skipper@ifrance.com
If you run a misconfigured Apache server, you can get the version number simply
by sending a request in telnet : GET / HTTP/1.0. If you tell Apache (in the
config file) not to show it, everything is okay but... get a URL protected
by .htaccess; when your browser ask you to enter the password, click Cancel or
enter bad credentials until you get the error page : the server's version is
wrote at the bottom of the page...
This is not a vulnerability but it could be used against a server to discover
what version it is running and to choose the correct exploit to use against it,
if there is one.
You should fix it in the next release.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8043>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8043
can discover the server version number even if you have chooson to hide it
Summary: can discover the server version number even if you have
chooson to hide it
Product: Apache httpd-1.3
Version: 1.3.23
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: Other
AssignedTo: bugs@httpd.apache.org
ReportedBy: skipper@ifrance.com
If you run a misconfigured Apache server, you can get the version number simply
by sending a request in telnet : GET / HTTP/1.0. If you tell Apache (in the
config file) not to show it, everything is okay but... get a URL protected
by .htaccess; when your browser ask you to enter the password, click Cancel or
enter bad credentials until you get the error page : the server's version is
wrote at the bottom of the page...
This is not a vulnerability but it could be used against a server to discover
what version it is running and to choose the correct exploit to use against it,
if there is one.
You should fix it in the next release.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org