Solved

Apache Server Etag header had an information discloser

Posted on 2016-10-11
6
11 Views
Last Modified: 2016-10-30
We recently had a scan done on our system and one of the findings was the title of this question. We are running windows 2008 r2 w/Apache.  The suggestion to fix the issue is "Modify the http Etag header of the web server to not include file inodes in the Etag header calculation".

I found some articles suggesting how to do this however Im not seeing what they do in there httpd.conf file. Any suggestions would be appreciated.

Thanks
0
Comment
Question by:bankadmin
  • 4
  • 2
6 Comments
 
LVL 23

Accepted Solution

by:
Dr. Klahn earned 500 total points (awarded by participants)
Comment Utility
See http://www.askapache.com/htaccess/apache-speed-etags/, which gives an example that can be included in either a .htaccess file or in httpd.conf.

As a side note, this is not the only information leak out of Apache.  See also http://www.miim.com/thebside/security/serverfield2.html
0
 

Author Comment

by:bankadmin
Comment Utility
the top one is an article I had found also. I cant find a htaaccess file on my server.
This server is running my admin console for AV and that is what installed the apache on the server as part of the console. Im certainly not a web admin so Im a little confused on what to look for next.
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Comment Utility
There will not be a .htaccess file unless you have installed one.  In that case, install the commands in the httpd.conf file.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:bankadmin
Comment Utility
The httpd.conf file is 16 pages long 95%+ of it is commented out. Im not really sure where to enter the commands in the file. Are these the commands you are referring to? I

 Header unset ETag
FileETag None
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Comment Utility
Those are the ones.

imo:  If the httpd.conf is that large, and you don't know where to install the lines, then you should call in someone who knows Apache site configuration who can do this for you.  It will not do to just drop them in anywhere.
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Comment Utility
EE email requested stale question closure.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now