2015-10-05


Revision as of 16:49, 5 October 2015

(5 intermediate revisions by the same user not shown)

Older revision, from line 2:

== Summary ==

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.

== Common Misconfigurations ==

=== Misconfiguration 1 ===

==== Description ====

%ProductName% allows an unauthorized attacker to list all users of the system ...

// Detailed description of the impact. Is it enabled by default? Vulnerable versions.

==== How to test ====

In order to test for %Misconfiguration_1%, one should ...

// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!

==== Remediation ====

The initial/common value of the parameter "listUsers" in config.xml is "true". To address the vulnerability it is enough to change the value to false:

<pre>
<security>
<listUsers>false</listUsers>
</security>
</pre>

== Misconfigurations ==

'''Server-status'''

A common misconfiguration is to leave server-status enabled. When navigating to the website's URL/server-status, an HTML page showing all IPs connected to the server and the software running on it is displayed. This can be very embarrassing, and can be dangerous for people running websites as Tor hidden services, because it will reveal their IP address.

Read more about it here:

*[http://httpd.apache.org/docs/2.2/mod/mod_status.html Mod Status Apache]
*[http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html Blog Post on server Status showing some sites with server-status enabled]

1. Version details disclosed in headers
disable Apache tokens

2. Proper SSL cipher selection
Cipher orders
Disable specific ciphers

3. Guidelines on how to store SSL private keys on the server
stuff like not storing private keys under /var/www/

4. Detailing the various authentication types
basic, digest, X509, LDAP or others.
Detailing the authentication types and which one to use in which situation.

== References ==

Revision as of 16:49, 5 October 2015, from line 2 (lines marked + were added):

== Summary ==

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.

+ == Important Files of Apache Server ==

+ === Apache Configuration Files ===

+ ==== Linux ====

+ Debian
+ <pre>/etc/apache2/apache2.conf</pre>

+ RHEL / Red Hat / CentOS / Fedora Linux
+ <pre>/etc/httpd/conf/httpd.conf</pre>

+ FreeBSD
+ <pre>/usr/local/etc/apache2x/httpd.conf
+ Note: x represents the version number
+ </pre>

+ ==== Windows ====

+ === Apache Error Files ===

+ ==== Linux ====

+ Debian
+ <pre>/var/log/apache2/error.log</pre>

+ RHEL / Red Hat / CentOS / Fedora Linux
+ <pre>/var/log/httpd/error_log</pre>

+ FreeBSD
+ <pre>/var/log/httpd-error.log</pre>

+ ==== Windows ====

+ == Apache Server Information Leakage ==

+ === Server Token ===

+ ==== Description ====

+ By default, the Apache ServerTokens directive reveals the information below:

+ <pre>
+ Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5
+ </pre>

+ This lets attackers identify web server details precisely and increases the efficiency of any attack, since security vulnerabilities depend on specific software versions.

+ ==== How to test ====

+ In order to test the ServerTokens configuration, one should check the Apache configuration file.

+ ==== Misconfiguration ====

+ <pre>
+ ServerTokens Full
+ </pre>

+ ==== Remediation ====

+ Set the ServerTokens directive in the Apache configuration to Prod or ProductOnly:

+ <pre>
+ ServerTokens Prod
+ or
+ ServerTokens ProductOnly
+ </pre>
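The "How to test" step above says to check the configuration file; the following POSIX shell helpers, added here as an example rather than code from the wiki page, do that check the way an auditor would: they find the effective ServerTokens value (last uncommented directive wins, Apache's default is Full), accept only Prod or its synonym ProductOnly, and flag a Server header that still carries version detail. The config contents in the test are constructed; the file path in the usage line is the Debian path the page lists.

```shell
#!/bin/sh
# Audit the ServerTokens setting of an Apache config file.
# Usage: audit_servertokens /etc/apache2/apache2.conf

# Print the effective ServerTokens value: the last uncommented directive wins,
# and Apache falls back to Full when the directive is absent.
servertokens_level() {
    level=$(grep -i '^[[:space:]]*ServerTokens[[:space:]]' "$1" 2>/dev/null \
            | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${level:-Full}"
}

# Exit 0 when only the product name is sent (Prod / ProductOnly), 1 otherwise.
# Matching is case-insensitive, like Apache's own directive parser.
servertokens_ok() {
    case "$(servertokens_level "$1" | tr '[:upper:]' '[:lower:]')" in
        prod|productonly) return 0 ;;
        *)                return 1 ;;
    esac
}

# Exit 0 when a Server header value leaks more than the product name.
# "Apache" is what ServerTokens Prod sends; a slash or parenthesis means
# version, OS or module detail is present (as in the page's example header).
server_header_leaks() {
    case "$1" in
        */*|*\(*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Human-readable report for one config file, with the ServerSignature caveat:
# ServerTokens Prod hides versions in the header, but ServerSignature On or
# EMail still prints the version on server-generated error pages.
audit_servertokens() {
    conf=$1
    lvl=$(servertokens_level "$conf")
    if servertokens_ok "$conf"; then
        printf '%s: ServerTokens %s (OK, header shows only "Apache")\n' "$conf" "$lvl"
    else
        printf '%s: ServerTokens %s (leaks version details; set ServerTokens Prod)\n' "$conf" "$lvl"
    fi
    sig=$(grep -i '^[[:space:]]*ServerSignature[[:space:]]' "$conf" 2>/dev/null \
          | tail -n 1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
    case "${sig:-off}" in
        on|email) printf '%s: ServerSignature %s (error pages still reveal the version)\n' "$conf" "$sig" ;;
    esac
}

for f in "$@"; do audit_servertokens "$f"; done
```

Run it against every file the main config Includes as well, since the directive is often not in the top-level file (on Debian it normally lives in /etc/apache2/conf-enabled/security.conf).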

== References ==
