| VID | 22135 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Apache web server allows remote users to retrieve configuration information for the server by requesting the URL http://servername/server-info. The default installation of the Apache web server supports this feature, which is designed to help administer the system by displaying server configuration details such as the Server Root path, the Config File path, and so on. A malicious user viewing this information may be able to use it to stage further attacks on the server.
* References: http://cgi.nessus.org/plugins/dump.php3?id=10678 |
| Recommendation |
If you do not use this feature, comment out the appropriate section in your httpd.conf file. If you really need it, limit access to the administrator's machine only. To enable configuration reports only for browsers from the foo.com domain, add this block to your access.conf configuration file:

    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from .foo.com
    </Location>

Before the configuration goes into effect, you need to force httpd to re-read its configuration file:

    # apachectl restart |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |