[Bug 8043] New: - can discover the server version number even if you have chosen to hide it
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8043

Summary: can discover the server version number even if you have
chosen to hide it
Product: Apache httpd-1.3
Version: 1.3.23
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: Other
AssignedTo: bugs@httpd.apache.org
ReportedBy: skipper@ifrance.com


If you run a misconfigured Apache server, you can get the version number simply
by sending a request in telnet: GET / HTTP/1.0. If you tell Apache (in the
config file) not to show it, everything is okay but... get a URL protected
by .htaccess; when your browser asks you to enter the password, click Cancel or
enter bad credentials until you get the error page: the server's version is
written at the bottom of the page...

This is not a vulnerability but it could be used against a server to discover
what version it is running and to choose the correct exploit to use against it,
if there is one.

You should fix it in the next release.
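
An added example, not part of the original report: a check an administrator can run over a captured response from their own server to see whether the version appears in the `Server` header, in the error page footer described above, or both. The sample responses, host name and function names are constructed for illustration.

```python
import re

# An Apache product token that carries a version, e.g. "Apache/1.3.23".
VERSION_TOKEN = re.compile(r"Apache/\d+(?:\.\d+)+[^\s<]*")
# Footer on server-generated pages (governed by the ServerSignature directive).
SIGNATURE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def split_response(raw):
    """Split a raw HTTP response into (status_code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def version_leaks(raw):
    """Return a list of (location, leaked_token) found in one response."""
    status, headers, body = split_response(raw)
    leaks = []
    m = VERSION_TOKEN.search(headers.get("server", ""))
    if m:
        leaks.append(("Server header", m.group(0)))
    for footer in SIGNATURE.findall(body):
        m = VERSION_TOKEN.search(footer)
        if m:
            leaks.append(("%d error page footer" % status, m.group(0)))
    return leaks


# Constructed sample: the header hides the version, the 401 page footer does not.
FOOTER = "<ADDRESS>Apache/1.3.23 Server at www.example.com Port 80</ADDRESS>\n"
SAMPLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    'WWW-Authenticate: Basic realm="private"\r\n'
    "Content-Type: text/html\r\n\r\n"
    "<HTML><BODY><H1>Authorization Required</H1><HR>\n"
    + FOOTER +
    "</BODY></HTML>"
)
# Constructed sample: the same response with the footer removed as well.
SAMPLE_FIXED = SAMPLE_401.replace(FOOTER, "")

if __name__ == "__main__":
    print(version_leaks(SAMPLE_401), version_leaks(SAMPLE_FIXED))
```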