
Apache Server ETag header had an information disclosure

We recently had a scan done on our system and one of the findings was the title of this question. We are running Windows 2008 R2 w/Apache. The suggestion to fix the issue is "Modify the http Etag header of the web server to not include file inodes in the Etag header calculation".

I found some articles suggesting how to do this; however, I'm not seeing what they do in their httpd.conf file. Any suggestions would be appreciated.

Thanks
bankadmin
Asked:
 
Dr. Klahn (Principal Software Engineer) Commented:
See http://www.askapache.com/htaccess/apache-speed-etags/, which gives an example that can be included in either a .htaccess file or in httpd.conf.

As a side note, this is not the only information leak out of Apache. See also http://www.miim.com/thebside/security/serverfield2.html
 
bankadmin (Author) Commented:
The top one is an article I had found also. I can't find a .htaccess file on my server.
This server is running my admin console for AV and that is what installed Apache on the server as part of the console. I'm certainly not a web admin, so I'm a little confused on what to look for next.
 
Dr. Klahn (Principal Software Engineer) Commented:
There will not be a .htaccess file unless you have installed one. In that case, install the commands in the httpd.conf file.
 
bankadmin (Author) Commented:
The httpd.conf file is 16 pages long; 95%+ of it is commented out. I'm not really sure where to enter the commands in the file. Are these the commands you are referring to? I

Header unset ETag
FileETag None
 
Dr. Klahn (Principal Software Engineer) Commented:
Those are the ones.

IMO: If the httpd.conf is that large, and you don't know where to install the lines, then you should call in someone who knows Apache site configuration who can do this for you. It will not do to just drop them in anywhere.
 
Dr. Klahn (Principal Software Engineer) Commented:
EE email requested stale question closure.
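
An added example, not part of the original thread or any participant's code: a small Python audit for the situation discussed above, listing the active (uncommented) ETag-related directives in an httpd.conf and flagging an inode-bearing FileETag or a Header directive with no mod_headers loaded. The sample config and the function name audit_etag are constructed for illustration, and Include'd files are not followed.

```python
import re

# Constructed sample shaped like a mostly commented-out httpd.conf (not the asker's file).
SAMPLE_CONF = """\
# FileETag None
#LoadModule headers_module modules/mod_headers.so
ServerRoot "C:/Apache"
<Directory "C:/Apache/htdocs">
    Options None
    FileETag INode MTime Size
</Directory>
Header unset ETag
"""

def audit_etag(conf_text):
    """Report active (uncommented) ETag-related directives and likely problems."""
    sections, rules, problems = [], [], []
    headers_line = unset_line = None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        if line.startswith("</"):
            if sections:
                sections.pop()
        elif line.startswith("<"):
            sections.append(line.strip("<>"))  # track enclosing <Directory>, <VirtualHost>, ...
        elif re.match(r"(?i)LoadModule\s+headers_module\b", line):
            headers_line = no
        elif re.match(r"(?i)Header\s+(?:(?:always|onsuccess)\s+)?unset\s+ETag\b", line):
            unset_line = no
        elif (m := re.match(r"(?i)FileETag\s+(.+)", line)):
            words = [w.lower() for w in m.group(1).split()]
            uses_inode = any(w in ("all", "inode", "+inode") for w in words)
            scope = " > ".join(sections) or "server"
            rules.append((no, scope, uses_inode))
            if uses_inode:
                problems.append(f"line {no} ({scope}): FileETag includes INode")
    if not rules:
        # Apache 2.2 defaults to "INode MTime Size"; 2.4 defaults to "MTime Size".
        problems.append("no active FileETag: the version default applies")
    if unset_line and headers_line is None:
        # Assumption: mod_headers is not compiled in or loaded from an Include'd file.
        problems.append(f"line {unset_line}: Header needs mod_headers, none loaded here")
    return {"fileetag": rules, "header_unset_line": unset_line,
            "headers_module_line": headers_line, "problems": problems}

if __name__ == "__main__":
    for problem in audit_etag(SAMPLE_CONF)["problems"]:
        print(problem)
```

After any change to httpd.conf, Apache's own syntax check (`httpd -t`) should pass before the service is restarted.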