Tuesday, April 22, 2014

Apache fingerprinting with icons directory

Some web servers don't return a "Server" header in the HTTP response, or return a fake value. This doesn't add meaningful security (it is a textbook case of security through obscurity, since the software can still be identified by other means), but some administrators still want to hide this information or even change it to something misleading.

If you are one of them and you're running Apache, don't forget about the default /icons/ alias. Anyone can request a file under it to confirm that the server is Apache, for example:

http://apache.org/icons/apache_pb.gif

The directory's contents differ between Apache versions, so it can also reveal which version (at least which major release) you are running. Keep in mind that distribution packages may ship a modified icon set, so treat the result as an estimate rather than proof.

For example, the same file as shipped with two different releases:

[image: icons/apache_pb.gif from Apache 2.2]

[image: icons/apache_pb.gif from Apache 2.4]

For more differences, look at the history of the icons directory in the Apache source code repository:
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/icons/

You can disable this alias in httpd.conf by commenting out the line below. The exact path and the file it lives in vary by distribution (the default 2.4 layout keeps it in a separate autoindex include file), and note that mod_autoindex directory listings will lose their icons once the alias is gone. After the change, request one of the icon URLs again and confirm you get a 404 (or 403) instead of the image:
Alias /icons/ "/var/www/icons/"
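The probe described above, and the check that the alias is really gone after the fix, as an added example that is not part of the original post. It requests a handful of paths under /icons/, records the status and a SHA-256 of each body, and compares the result against reference profiles. The profile table and the fake server in demo() are constructed placeholders: real profiles come from hashing the icons of your own known-version Apache installs, and which icon names actually distinguish releases is something you verify there, not something this script asserts.

```python
"""Probe a web server for Apache's default /icons/ alias (added example)."""
import hashlib
import http.client
import sys
import urllib.parse

# Paths under the default alias. Whether each exists, and what it hashes
# to, is what differs between releases. Names are assumptions to adjust
# against your own reference installs.
ICON_PATHS = (
    "/icons/apache_pb.gif",
    "/icons/apache_pb2.gif",
    "/icons/apache_pb.png",
    "/icons/apache_pb.svg",
    "/icons/blank.gif",
)


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


def http_fetch(url, timeout=10):
    """Fetch url with the standard library; return (status, body bytes)."""
    u = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "icons-probe/1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe(base_url, fetch=http_fetch, paths=ICON_PATHS):
    """Return {path: (status, sha256hex-or-None)} for each icon path."""
    results = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = (status, sha256hex(body) if status == 200 else None)
    return results


def alias_exposed(results):
    """True if any icon came back 200: the server is almost certainly Apache
    with the default alias still active. False after the Alias line is removed."""
    return any(status == 200 for status, _ in results.values())


def match_profiles(results, profiles):
    """profiles: {label: {path: sha256hex}}. Returns [(label, hits, total)]
    sorted by best match first; hits counts expected hashes the server matched."""
    scored = []
    for label, expected in profiles.items():
        hits = sum(1 for p, h in expected.items() if results.get(p, (None, None))[1] == h)
        scored.append((label, hits, len(expected)))
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored


# Constructed sample data so the example runs offline. The bodies are fake.
FAKE_FILES = {
    "/icons/apache_pb.gif": b"GIF89a fake feather A",
    "/icons/apache_pb2.gif": b"GIF89a fake feather B",
    "/icons/blank.gif": b"GIF89a fake blank",
}


def fake_fetch(url):
    """Stand-in for http_fetch: serves FAKE_FILES, 404 for anything else."""
    body = FAKE_FILES.get(urllib.parse.urlsplit(url).path)
    return (200, body) if body is not None else (404, b"Not Found")


def demo():
    """Run the probe against the fake server with two constructed profiles."""
    profiles = {
        "reference-install-X": {p: sha256hex(b) for p, b in FAKE_FILES.items()},
        "reference-install-Y": {
            "/icons/apache_pb.gif": sha256hex(b"GIF89a some other feather"),
            "/icons/apache_pb.png": sha256hex(b"\x89PNG fake"),
        },
    }
    results = probe("http://example.test", fetch=fake_fetch)
    return alias_exposed(results), match_profiles(results, profiles)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # real target: python icons_probe.py http://host
        res = probe(sys.argv[1])
        for path, (status, digest) in res.items():
            print(status, path, digest or "")
        print("alias exposed:", alias_exposed(res))
    else:
        print(demo())
```

Run it with a base URL to probe a real host; with no argument it runs the offline demo. After commenting out the Alias line and reloading, alias_exposed() should return False for your server.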
