73520 2002-08-20 02:05 /42 lines/ Hector A. Paterno <apaterno@dsnargentina.com.ar>
Imported: 2002-08-20 02:05 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1176>
Subject: Information disclosure on mod_auth ( apache 1.3.26 ) ?
------------------------------------------------------------
Hi,

I have found a discrepancy between mod_auth and ServerTokens Prod.

Using, openbsd CURRENT, apache 1.3.26, as the example:

I add the following line to the httpd.conf file:

    ServerTokens Prod

So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server:

    HEAD / HTTP/1.0\r\n\r\n

    [info]
    Server: Apache
    [info]

But, when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following error:

    401 Authorization Required
    [bleh bleh info]
    Apache/1.3.26 Server at xxxxx Port 80

Giving me the version of the apache server.

I'm not an apache guru, but from my point of view this seems to be a
flaw(?) in the mod_auth module.

Comments appreciated.

Best Regards.

--
Hector A. Paterno
Digital Security Networks S.A.
Mail : apaterno@dsnargentina.com.ar
Fido : 4:901/343.5

pub 1024D/C1F2348C 2001-12-04 Hector A. Paterno <apaterno@dsnargentina.com.ar>
Key Fingerprint : D741 154E 5CA0 C446 1A7B 4750 0469 0BEB C1F2 348C
Key ID : 0xC1F2348C ( pgp.mit.edu )
(73520) /Hector A. Paterno <apaterno@dsnargentina.com.ar>/(Reflowed)

73521 2002-08-20 02:10 /31 lines/ Jacques A. Vidrine <nectar@FreeBSD.org>
Imported: 2002-08-20 02:10 by Brevbäraren
External recipient: dvdman <dvdman@l33tsecurity.com>
Recipient: Bugtraq (import) <1177>
Subject: Re: Freebsd FD exploit
------------------------------------------------------------
On Sun, Aug 18, 2002 at 09:01:13PM -0400, dvdman wrote:
> /* Proof Of Concept exploit for the Freebsd file descriptors bug. Freebsd
> thought they fixed this months ago well guess again :P Thanks to the
> Freebsd kernel you may now enjoy local root on all freebsd <=4.6 ;) */
[...]
> And Freebsd thought they fixed this :P

Well, it _is_ fixed, as of July 30.

[...]
> thanks Georgi Guninski for ideas
[...]
> Several months ago Joost Pol <joost@pine.nl> made public almost the same
> problem. FreeBSD fixed it, but the patch does not cover all the cases.
[...]
> PROOF:
> [dvdman@xxxx:~]$ uname -a
> FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul27 20:16:20 GMT 2002 dvdman@xxxx:/usr/obj/usr/src/sys/xxx i386

Yes, there was a case missed. Georgi caught it and let us know about
it (thanks, Georgi!), and it was repaired around 2002-07-30 15:40:46 UTC
in all branches. We released an updated advisory around then, as well.

Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
(73521) /Jacques A. Vidrine <nectar@FreeBSD.org>/---

73720 2002-08-22 17:30 /49 lines/ Alex Muntada <alexm+bugtraq@ac.upc.es>
Imported: 2002-08-22 17:30 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1208>
Subject: Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?
------------------------------------------------------------
Quoting Hector A. Paterno:

> I have found a discrepancy between mod_auth and ServerTokens Prod.
>
> Using, openbsd CURRENT, apache 1.3.26, as the example:
>
> I add the following line to the httpd.conf file:
>
> ServerTokens Prod
>
> So, when I try to get the version/modules of apache with the HEAD
> method, I obtain as a reply only the type of the server:
>
> HEAD / HTTP/1.0\r\n\r\n
>
> [info]
> Server: Apache
> [info]
>
> But, when I enable mod_auth and try to access the protected directory
> with an invalid username / password, I obtain the following error:
>
> 401 Authorization Required
> [bleh bleh info]
> Apache/1.3.26 Server at xxxxx Port 80
>
> Giving me the version of the apache server.
>
> I'm not an apache guru, but from my point of view this seems to be a
> flaw(?) in the mod_auth module.

Hector, to disable apache server signature (it's on by default)
you should add this to your httpd.conf and restart apache:

    ServerSignature Off

The ServerTokens directive applies to HTTP Server response header
only. Take a look at apache manual for more details:

http://httpd.apache.org/docs/mod/core.html#serversignature
http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
(73720) /Alex Muntada <alexm+bugtraq@ac.upc.es>/----
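
An added example, not part of the original thread: a small Python check that scans a raw HTTP response for versioned product tokens in both the Server header and the body, which is the distinction between ServerTokens and ServerSignature drawn in the reply above. The sample responses are constructed from the output quoted in the thread, and the name find_version_leaks is hypothetical.

```python
import re

# A product token followed by a dotted version, e.g. "Apache/1.3.26".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)")

def find_version_leaks(raw_response):
    """Return [(where, token), ...] for versioned product tokens in one raw response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    # Skip the status line: "HTTP/1.1" is a protocol version, not a product.
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":  # channel governed by ServerTokens
            leaks += [("Server header", m.group(0))
                      for m in VERSION_TOKEN.finditer(value)]
    # Footer of server-generated pages: channel governed by ServerSignature.
    leaks += [("response body", m.group(0)) for m in VERSION_TOKEN.finditer(body)]
    return leaks

# Constructed samples modelled on the thread (ServerTokens Prod in all three).
HEAD_REPLY = ("HTTP/1.1 200 OK\r\n"
              "Server: Apache\r\n"
              "Content-Type: text/html\r\n\r\n")

_HEADERS_401 = ("HTTP/1.1 401 Authorization Required\r\n"
                "Server: Apache\r\n"
                'WWW-Authenticate: Basic realm="constructed"\r\n'
                "Content-Type: text/html\r\n\r\n")

# Signature footer present: the version appears in the body only.
AUTH_401 = (_HEADERS_401 +
            "<HTML><BODY><H1>Authorization Required</H1>\n<HR>\n"
            "<ADDRESS>Apache/1.3.26 Server at xxxxx Port 80</ADDRESS>\n"
            "</BODY></HTML>\n")

# Same error page after "ServerSignature Off": no footer, no version.
AUTH_401_SIG_OFF = (_HEADERS_401 +
                    "<HTML><BODY><H1>Authorization Required</H1>\n"
                    "</BODY></HTML>\n")

if __name__ == "__main__":
    for label, resp in [("HEAD /", HEAD_REPLY),
                        ("401, signature footer present", AUTH_401),
                        ("401, ServerSignature Off", AUTH_401_SIG_OFF)]:
        print(label, "->", find_version_leaks(resp) or "no version disclosed")
```

Running the same check against error pages (401, 403, 404) as well as a plain HEAD request covers both channels, since the footer only appears on server-generated documents.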