Mailing List Archive

SERVER_SOFTWARE
Hi,

this is just a thought prompted by Paul Richards. It'd be kind of
nice to figure out what OS people are running their server on.

A browser can send a User-agent: header containing additional
information about the OS/software version, inside leg measurement etc of
the browser's host. Why not allow the same for the Server: header
sent back from the server? eg:

32> telnet localhost 80
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Thu, 27 Jul 1995 16:30:56 GMT
---> Server: Apache/0.6.4b (SunOS www 4.1.3_U1 2 sun4m)
Content-type: text/html

Connection closed by foreign host.
33>

Is this a stupid idea, does Server: have a strictly interpreted meaning
or can we play god?

Thoughts?

Yeah, -1 on putting this in before the proper release, it's just an idea.

Cheers,
Ay.

Andrew Wilson URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford Office: +44 01865 843155 Mobile: +44 0589 616144
Re: SERVER_SOFTWARE [ In reply to ]
Last time, Andrew Wilson uttered the following other thing:
>
> Hi,
>
> this is just a thought prompted by Paul Richards. It'd be kind of
> nice to figure out what OS people are running their server on.
>
> A browser can send a User-agent: header containing additional
> information about the OS/software version, inside leg measurement etc of
> the browser's host. Why not allow the same for the Server: header
> sent back from the server? eg:
>
> 32> telnet localhost 80
> Trying 127.0.0.1 ...
> Connected to localhost.
> Escape character is '^]'.
> HEAD / HTTP/1.0
>
> HTTP/1.0 200 OK
> Date: Thu, 27 Jul 1995 16:30:56 GMT
> ---> Server: Apache/0.6.4b (SunOS www 4.1.3_U1 2 sun4m)
> Content-type: text/html
>
> Connection closed by foreign host.
> 33>
>
> Is this a stupid idea, does Server: have a strictly interpreted meaning
> or can we play god?
>
> Thoughts?

Some servers do things like this, for instance, this is a server name
I've seen:

CMSHTTPD/1.2.1 VM_ESA/2.0000 CMS/9.000 REXX/3.48 CMS_Pipelines/2.0101 REXX_SOCKETS/2.01 VMSECURE_E/01.1

or

Webshare/1.2.3 VM_ESA/1.1.0101 CMS/8.101 REXX/3.48 CMS_Pipelines/2.0101 REXX_SOCKETS/2.01

It seems mainframes can't do anything small.

Other people have just changed the name:

NCSA/1.3 (with CIAC F-11 patch - ASM 14/2/95)


Dates:

web500gw 1.5alpha (Fri Nov 11 17:14:27 EST 1994)


Brandon
--
Brandon Long (N9WUC) "I think, therefore, I am confused." -- RAW
Computer Engineering Run Linux '95. It's that Easy.
University of Illinois blong@uiuc.edu http://www.uiuc.edu/ph/www/blong
Don't worry, these aren't even my views.
Re: SERVER_SOFTWARE [ In reply to ]
Last time, Robert S. Thau uttered the following other thing:
>
> Hmmm... platform ID is an interesting idea. Another thing which I had on
> my mind is that if people start writing hairy custom modules, they might
> want to be able to herald those in the Server: header as well, just to
> announce that they are using FooSearch/3.6, or MyDbQueryLink/2.3, in
> addition to the version of their base server platform.

I was thinking about adding an INFO method which would return
information about the server (with administrative control) including
platform, compile time, etc. This could be used by browsers to
determine what was supported, etc. You could easily list the modules
at that point as well.

Brandon

--
Brandon Long (N9WUC) "I think, therefore, I am confused." -- RAW
Computer Engineering Run Linux '95. It's that Easy.
University of Illinois blong@uiuc.edu http://www.uiuc.edu/ph/www/blong
Don't worry, these aren't even my views.
Re: SERVER_SOFTWARE [ In reply to ]
On Thu, 27 Jul 1995, Andrew Wilson wrote:
> this is just a thought prompted by Paul Richards. It'd be kind of
> nice to figure out what OS people are running their server on.

Many would consider this a security hole, and most internet daemons have
removed this information (i.e. wu-ftpd, sendmail, etc). The recent spate
of "Olga" messages made themselves untraceable by specifically going
through broken IBM VMS mailers who trusted whatever the client told them
in the HELO message. I'd consider putting information about extensions
in there a security hole too, perhaps even worse. Just a note of
caution, I wouldn't veto it but I wouldn't +1 it either.

The Anal Retentive Computerist

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
Re: SERVER_SOFTWARE [ In reply to ]
Hmmm... platform ID is an interesting idea. Another thing which I had on
my mind is that if people start writing hairy custom modules, they might
want to be able to herald those in the Server: header as well, just to
announce that they are using FooSearch/3.6, or MyDbQueryLink/2.3, in
addition to the version of their base server platform.

Ideas for the future...

rst
Re: SERVER_SOFTWARE [ In reply to ]
> this is just a thought prompted by Paul Richards. It'd be kind of
>nice to figure out what OS people are running their server on.
>
>...
>Is this a stupid idea, does Server: have a strictly interpreted meaning
>or can we play god?

Er, stupid isn't the word I'd use, but it's not a good idea. It simply
allows a cracker to determine exactly what hardware/software platform
is being used on that host, together with the server version, which
is sufficient information to allow all NCSA 1.3 servers to be
compromised on the first attempt (i.e., the cracker doesn't have to
guess at all, and nothing unusual will show in your logs until it is too
late to do anything about it).

Now, I'm not saying that Apache has any security holes, but I'm not
willing to guarantee that it doesn't either. It would be nice if all
such information (the entire header) could be easily removed by
paranoid server admins (like me). I'd certainly veto the supply
of any additional info.

......Roy
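An added example, not code from this thread or from Apache: a small Python audit that splits a Server: header value into product tokens and parenthesised comments, grades how much each value discloses (the grading levels, function names and sample list are my own), and derives the least revealing form an admin might send instead. The sample values are the ones quoted in this thread, embedded here as constructed offline input.

```python
import re

# Constructed sample input: Server: header values quoted in this thread.
SAMPLE_HEADERS = [
    "Apache/0.6.4b (SunOS www 4.1.3_U1 2 sun4m)",
    "CMSHTTPD/1.2.1 VM_ESA/2.0000 CMS/9.000 REXX/3.48 CMS_Pipelines/2.0101 "
    "REXX_SOCKETS/2.01 VMSECURE_E/01.1",
    "NCSA/1.3 (with CIAC F-11 patch - ASM 14/2/95)",
    "web500gw 1.5alpha (Fri Nov 11 17:14:27 EST 1994)",
    "Apache",
]

# Either a parenthesised comment, or a product token with an optional /version.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def parse_server_header(value):
    """Return (products, comments): products is a list of (name, version)
    tuples with version None when absent; comments is a list of strings."""
    products, comments = [], []
    for m in TOKEN_RE.finditer(value):
        comment, name, version = m.groups()
        if comment is not None:
            comments.append(comment.strip())
        else:
            products.append((name, version))
    return products, comments

def assess_disclosure(value):
    """Grade a Server: value (levels are this example's own convention):
    0 = product name only, 1 = name plus version(s),
    2 = a comment is present (OS/platform, patch state, hostname, dates)."""
    products, comments = parse_server_header(value)
    if comments:
        return 2
    if any(version is not None for _, version in products):
        return 1
    return 0

def minimal_server_header(value):
    """Least revealing form: the first product name with no version or comment."""
    products, _ = parse_server_header(value)
    return products[0][0] if products else ""

def audit(headers=SAMPLE_HEADERS):
    """Return [(original, level, suggested minimal value), ...] for review."""
    return [(h, assess_disclosure(h), minimal_server_header(h)) for h in headers]

if __name__ == "__main__":
    for original, level, minimal in audit():
        print(f"level {level}: {original!r} -> {minimal!r}")
```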
Re: SERVER_SOFTWARE [ In reply to ]
Date: Thu, 27 Jul 1995 16:27:03 -0700 (PDT)
From: Brian Behlendorf <brian@organic.com>
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Thu, 27 Jul 1995, Andrew Wilson wrote:
> this is just a thought prompted by Paul Richards. It'd be kind of
> nice to figure out what OS people are running their server on.

Many would consider this a security hole, and most internet daemons have
removed this information (i.e. wu-ftpd, sendmail, etc). The recent spate
of "Olga" messages made themselves untraceable by specifically going
through broken IBM VMS mailers who trusted whatever the client told them
in the HELO message. I'd consider putting information about extensions
in there a security hole too, perhaps even worse. Just a note of
caution, I wouldn't veto it but I wouldn't +1 it either.

Hmmm... if I understand the argument here, you're saying that server
software which identifies its particulars may thereby advertise which
holes it had. Taken to the limit, one could argue that it's best not
to say even what the server version is.

I think I'm missing something...

rst
Re: SERVER_SOFTWARE [ In reply to ]
On Thu, 27 Jul 1995, Robert S. Thau wrote:
> Hmmm... if I understand the argument here, you're saying that server
> software which identifies its particulars may thereby advertise which
> holes it had. Taken to the limit, one could argue that it's best not
> to say even what the server version is.

Perhaps, yeah. However, the odds of there being a bug in a particular
software program (say, apache), while not non-zero, are relatively less
than there being a bug in some software package on some particular OS.
The fact that one daemon could compromise information that could make
another vulnerable seems like a bad thing.

Again, I'm just playing Devil's Advocate here, and I won't veto a patch
to implement this.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
Re: SERVER_SOFTWARE [ In reply to ]
In reply to Brian Behlendorf who said
>
> On Thu, 27 Jul 1995, Andrew Wilson wrote:
> > this is just a thought prompted by Paul Richards. It'd be kind of
> > nice to figure out what OS people are running their server on.
>
> Many would consider this a security hole, and most internet daemons have
> removed this information (i.e. wu-ftpd, sendmail, etc). The recent spate
> of "Olga" messages made themselves untraceable by specifically going
> through broken IBM VMS mailers who trusted whatever the client told them
> in the HELO message. I'd consider putting information about extensions
> in there a security hole too, perhaps even worse. Just a note of
> caution, I wouldn't veto it but I wouldn't +1 it either.
>

Well, having discussed this with some people I think you're right and that
this would be considered an undesirable feature on the part of users
although it's obviously very desirable on the part of us developers :-).
I probably would veto it now (do I even have a vote?) even though I suggested
it in the first place :-)

--
Paul Richards, Bluebird Computer Systems. FreeBSD core team member.
Internet: paul@FreeBSD.org, http://www.freebsd.org/~paul
Phone: 0370 462071 (Mobile), +44 1222 457651 (home)
Re: SERVER_SOFTWARE [ In reply to ]
In reply to Robert S. Thau who said
>
> Hmmm... if I understand the argument here, you're saying that server
> software which identifies its particulars may thereby advertise which
> holes it had. Taken to the limit, one could argue that it's best not
> to say even what the server version is.
>
> I think I'm missing something...

No you're not, I was. Hey, we were sitting in a pub and I did just make
an off-the-top-of-my-head remark that it would be nice to see how many
of these boxes were running FreeBSD :-)

You're right, it's a really bad idea the primary reason being the
one you mention, that advertising OS and version numbers is also advertising
security holes.

This is also true for the server and should be something you consider.


--
Paul Richards, Bluebird Computer Systems. FreeBSD core team member.
Internet: paul@FreeBSD.org, http://www.freebsd.org/~paul
Phone: 0370 462071 (Mobile), +44 1222 457651 (home)