Solved

Apache Server ETag header had an information disclosure

Posted on 2016-10-11
Last Modified: 2016-10-30
We recently had a scan done on our system and one of the findings was the title of this question. We are running Windows 2008 R2 w/Apache. The suggestion to fix the issue is "Modify the http Etag header of the web server to not include file inodes in the Etag header calculation".

I found some articles suggesting how to do this; however, I'm not seeing what they do in their httpd.conf file. Any suggestions would be appreciated.

Thanks
Question by:bankadmin

Accepted Solution

by: Dr. Klahn earned 2000 total points (awarded by participants)
ID: 41838957
See http://www.askapache.com/htaccess/apache-speed-etags/, which gives an example that can be included in either a .htaccess file or in httpd.conf.

As a side note, this is not the only information leak out of Apache.  See also http://www.miim.com/thebside/security/serverfield2.html

Author Comment

by:bankadmin
ID: 41839021
The top one is an article I had found also. I can't find a .htaccess file on my server.
This server is running my admin console for AV and that is what installed the Apache on the server as part of the console. I'm certainly not a web admin so I'm a little confused on what to look for next.

Expert Comment

by:Dr. Klahn
ID: 41839025
There will not be a .htaccess file unless you have installed one.  In that case, install the commands in the httpd.conf file.

Author Comment

by:bankadmin
ID: 41839056
The httpd.conf file is 16 pages long, and 95%+ of it is commented out. I'm not really sure where to enter the commands in the file. Are these the commands you are referring to? I

Header unset ETag
FileETag None

Expert Comment

by:Dr. Klahn
ID: 41839070
Those are the ones.

IMO: If the httpd.conf is that large, and you don't know where to install the lines, then you should call in someone who knows Apache site configuration who can do this for you. It will not do to just drop them in anywhere.

Expert Comment

by:Dr. Klahn
ID: 41865738
EE email requested stale question closure.
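
To confirm the scan finding is gone after the two directives discussed in this thread are in place, the ETag on a static-file response can be checked for an inode component. This is an added example, not code from the thread or from Apache: it assumes Apache's file-based ETag layout of hex fields joined by "-" (inode-size-mtime when the inode is included), the function names are hypothetical, and the sample headers are constructed.

```python
import re

# Apache builds a file ETag from hex fields joined by "-". With the inode
# included (FileETag INode MTime Size) there are three: inode-size-mtime.
_HEX = re.compile(r"^[0-9a-f]+$", re.I)

def parse_etag(header_value):
    """Split an ETag header value into (weak, [hex fields]), or None if it
    is not in Apache's file-based hex-field layout."""
    value = header_value.strip()
    weak = value.startswith("W/")
    if weak:
        value = value[2:]
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return None
    body = value[1:-1]
    # mod_deflate may append "-gzip" to the validator; it is not a file field.
    if body.endswith("-gzip"):
        body = body[:-5]
    fields = body.split("-")
    if not all(_HEX.match(f) for f in fields):
        return None
    return weak, fields

def audit_etag(headers):
    """Return a finding string for one response's headers (a dict)."""
    etag = next((v for k, v in headers.items() if k.lower() == "etag"), None)
    if etag is None:
        return "ok: no ETag header sent"
    parsed = parse_etag(etag)
    if parsed is None:
        return "ok: ETag is not in Apache's file-attribute layout"
    _, fields = parsed
    if len(fields) >= 3:
        return "finding: three hex fields, inode is likely included"
    return "ok: %d hex field(s), no inode component" % len(fields)

# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "default 2.2-style": {"ETag": '"2c3b1-1f4-4e8a9b3c5d6e0"'},
    "FileETag MTime Size": {"ETag": '"1f4-4e8a9b3c5d6e0"'},
    "compressed": {"ETag": '"1f4-4e8a9b3c5d6e0-gzip"'},
    "FileETag None + Header unset ETag": {"Server": "Apache"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", audit_etag(hdrs))
```

Feed `audit_etag` the response headers from a request for a static file on the server, taken before and after the configuration change.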
Question has a verified solution.