[ZendTo] Re: Security
Brad Beckenhauer
bbecken at aafp.org
Fri Dec 9 17:47:30 GMT 2011
Since we're on the subject of security, consider changing the Apache configurations below:
ServerSignature On to ServerSignature Off
ServerTokens OS to ServerTokens Prod (or just remark it out to disable it).
(Blatant web scrape below, from
http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/# )
The first line “ServerSignature Off” instructs Apache not to display a
trailing footer line under server-generated documents (error messages,
mod_proxy ftp directory listings, mod_info output, etc.) which displays the
server version number, the ServerName of the serving virtual host, the email
setting, and creates a “mailto:” reference to the ServerAdmin of the
referenced document.
The second line “ServerTokens Prod” configures Apache to return only
“Apache” as the product in the server response header on every page request,
suppressing OS, major and minor version info.
>>> On 12/9/2011 at 5:00 AM, Jules <Jules at zend.to> wrote:
On 09/12/2011 10:42, Joao Alexandre wrote:
> Hi Jules,
>
> All of our internet facing structure was evaluated/scanned for
> security problems and regarding ZendTo they found two issues. They
> don't seem to be related to ZendTo itself, but maybe you can help us
> resolve them or lead us to the solution:
>
> 1.
> Vulnerability details -
> Script ID 201167
> Name Directory Browsing
> Port 443/TCP - http
> Risk factor Medium risk
> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)
> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> Family http
> Product HTTP
> Description This service lists the contents of various directories.
> Information Browsable directories:
> Location
> /js/
> /images/
> /icons/
> /css/
> Solution Disable directory browsing
> History First seen : 2011-12-09 08:02 - New finding
This one you can fix in your Apache configuration. Look for a line
saying something like
Options All Indexes FollowSymLinks MultiViews
and remove the word "Indexes" from it. (Basically just search all the
Apache configuration files you can find for the word "Indexes" and
remove it!)
Then restart Apache.
I have just applied this fix to the VMs I distribute.
>
> 2.
> Script ID 236788
> Name SSL/TLS Cipher Suite Detect MD5
> Port 443/TCP - http
> Risk factor Medium risk
> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> Family ssl
> Product SSL
> Description The MD5 Message-Digest Algorithm is not collision
> resistant, which makes it easier for context-
> dependent attackers to conduct spoofing attacks, as demonstrated by
> attacks on the use of MD5 in the
> signature algorithm of an X.509 certificate.
> Information
> SSLv3 Cipher Suite: RSA_WITH_RC4_128_MD5 (OpenSSL name RC4-MD5),
> 128 bits, 128 bits used, cipher strength medium
> TLSv1 Cipher Suite: RSA_WITH_RC4_128_MD5 (OpenSSL name RC4-MD5),
> 128 bits, 128 bits used, cipher strength medium
> Solution Reconfigure the service to disallow the listed cipher suites
> Reference url - http://www.kb.cert.org/vuls/id/836068
> CVE CVE-2004-2761
> History First seen : 2011-12-09 08:02 - New finding
This is related to your https SSL certificate, and the encryption method
it uses. Most certificate providers are switching away from MD5 to SHA-1,
so hopefully the next time you renew your certificate this problem
should disappear.
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Housman
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
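A small audit script for the three Apache settings raised in this thread (an "Options" line that still grants "Indexes", "ServerSignature On", and "ServerTokens" weaker than "Prod"), added here as an example and not taken from the thread or from ZendTo; the sample httpd.conf fragment it checks is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an Apache config file for the
# three settings discussed above. Apache directive names are case-insensitive,
# so comparisons are lower-cased. Prints one finding per line.
audit_apache_conf() {
  # Drop comments first so "remarked out" directives are not counted.
  sed -e 's/#.*$//' "$1" | awk '
    # "Options ... Indexes" (or "All", which implies Indexes) enables directory
    # listings; a leading "-" removes the option and is not a finding.
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++)
        if (tolower($i) ~ /^[+]?(indexes|all)$/) {
          print "line " NR ": directory listing enabled: " $0; break
        }
    }
    tolower($1) == "serversignature" && tolower($2) != "off" {
      print "line " NR ": ServerSignature not Off: " $0
    }
    tolower($1) == "servertokens" {
      seen_tokens = 1
      if (tolower($2) != "prod")
        print "line " NR ": ServerTokens weaker than Prod: " $0
    }
    # ServerTokens defaults to Full when absent, so a missing directive counts.
    END { if (!seen_tokens) print "ServerTokens not set (defaults to Full)" }
  '
}

# Constructed sample config: the insecure forms from the thread plus one
# directory that already has listings switched off.
write_sample_conf() {
  cat > "$1" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options All Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory /var/www/html/icons>
    Options -Indexes FollowSymLinks
</Directory>
# ServerTokens Prod   (commented out, so it does not count)
EOF
}

# Number of findings, so the result can be checked rather than only read.
count_findings() {
  audit_apache_conf "$1" | grep -c . || true
}

tmp=$(mktemp) && write_sample_conf "$tmp" && audit_apache_conf "$tmp"; rm -f "$tmp"
```

Run against the sample it reports three findings (ServerTokens, ServerSignature, and the "Options All Indexes" line); point it at a real httpd.conf and any included files to repeat Jules' "search for Indexes" step mechanically.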