[ZendTo] Re: Security

Joao Alexandre jalexandre1964 at gmail.com
Fri Dec 9 18:46:03 GMT 2011


Hi Brad,

I also found references to these directives and have already implemented them.

Thanks anyway.

If you remember anything else to stealth Apache.

Regards,

Joao


On Fri, Dec 9, 2011 at 5:47 PM, Brad Beckenhauer <bbecken at aafp.org> wrote:

>  Since we're on the subject of security.
> Consider changing the below Apache configurations:
>
>  ServerSignature On   to   ServerSignature Off
> ServerTokens OS   to   ServerTokens Prod   ( or just remark it out to
> disable it).
>
> ( Blatant web scrape below, from
> http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/ ).
> The first line “ServerSignature Off” instructs Apache not to display a
> trailing footer line under server-generated documents (error messages,
> mod_proxy ftp directory listings, mod_info output, etc.) which displays
> the server version number, the ServerName of the serving virtual host,
> the email setting, and creates a “mailto:” reference to the ServerAdmin
> of the referenced document.
>
> The second line “ServerTokens Prod” configures Apache to return only
> Apache as product in the server response header on every page request,
> suppressing OS, major and minor version info.
>
> >>> On 12/9/2011 at 5:00 AM, Jules <Jules at zend.to> wrote:
>
>
> On 09/12/2011 10:42, Joao Alexandre wrote:
> > Hi Jules,
> >
> > All of our internet facing structure was evaluated/scanned for
> > security problems and regarding ZendTo they found two issues. They
> > don't seem to be related itself with ZendTo but maybe you can help us
> > resolve or lead us to the solution:
> >
> > 1.
> > Vulnerability details -
> > Script ID    201167
> > Name    Directory Browsing
> > Port    443/TCP - http
> > Risk factor    Medium risk
> > CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)
> > (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> > Family    http
> > Product    HTTP
> > Description    This service lists the contents of various directories.
> > Information    Browsable directories:
> > Location
> > /js/
> > /images/
> > /icons/
> > /css/
> > Solution    Disable directory browsing
> > History    First seen : 2011-12-09 08:02 - New finding
> This one you can fix in your Apache configuration. Look for a line
> saying something like
>      Options All Indexes FollowSymLinks MultiViews
> and remove the word "Indexes" from it. (Basically just search all the
> Apache configuration files you can find for the word "Indexes" and
> remove it!)
> Then restart Apache.
> I have just applied this fix to the VMs I distribute.
> >
> > 2.
> > Script ID    236788
> > Name    SSL/TLS Cipher Suite Detect MD5
> > Port    443/TCP - http
> > Risk factor    Medium risk
> > CVSS Score    5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
> > (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)
> > Family    ssl
> > Product    SSL
> > Description    The MD5 Message-Digest Algorithm is not collision
> > resistant, which makes it easier for context-dependent attackers to
> > conduct spoofing attacks, as demonstrated by attacks on the use of MD5
> > in the signature algorithm of an X.509 certificate.
> > Information    SSLv3 Cipher Suite     OpenSSL Cipher Name  Algorithm Bits  Bits Used  Cipher Strength
> >                RSA_WITH_RC4_128_MD5   RC4-MD5              128             128        medium
> >                TLSv1 Cipher Suite     OpenSSL Cipher Name  Algorithm Bits  Bits Used  Cipher Strength
> >                RSA_WITH_RC4_128_MD5   RC4-MD5              128             128        medium
> > Solution    Reconfigure the service to disallow the listed cipher suites
> > Reference    url - http://www.kb.cert.org/vuls/id/836068
> > CVE    CVE-2004-2761
> > History    First seen : 2011-12-09 08:02 - New finding
> This is related to your https SSL certificate, and the encryption method
> it uses. Most certificate providers are switching away from MD5 to SHA-1
> so hopefully the next time you renew your certificate this problem
> should disappear.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
> 'That is the land of lost content,
>   I see it shining plain,
>   The happy highways where I went,
>   And cannot come again.' - A.E. Houseman
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
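The Apache changes Brad and Jules recommend above (ServerSignature Off, ServerTokens Prod, dropping Indexes from Options, and, per the scanner's own "Solution" line for finding 2, disallowing the listed RC4-MD5 cipher suite) can be checked and applied mechanically. The script below is an added example, not code from the thread, from ZendTo or from Apache: it audits an httpd.conf fragment for those three findings and emits a hardened copy. The configuration text is constructed for the example; the cipher check is a substring heuristic over the OpenSSL cipher string looking for the `!MD5` and `!RC4` exclusions (an assumption, not a full cipher-list parser), and it treats `Options All` as enabling Indexes because in Apache `All` means every option except MultiViews.

```python
"""Audit an Apache httpd configuration fragment for the three findings in the
ZendTo thread and produce a hardened copy.  Added example, not ZendTo code."""

# Constructed sample httpd.conf fragment (not taken from any real host).
SAMPLE_CONFIG = """\
ServerSignature On
ServerTokens OS
<Directory /var/www/html>
    Options All Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
SSLEngine on
SSLCipherSuite ALL:!aNULL:!ADH
"""

# OpenSSL cipher-list exclusions that remove the RC4-MD5 suite the scanner listed.
# Heuristic (assumption): we only look for these literal tokens in the string;
# `openssl ciphers -v '<string>'` is the authoritative way to see what a list expands to.
WEAK_EXCLUSIONS = ("!MD5", "!RC4")


def _split(line):
    """Split 'Directive value...' into (directive lowercased, value)."""
    key, _, value = line.strip().partition(" ")
    return key.lower(), value.strip()


def _directive(raw):
    """Return (key, value) for a config line, or ("", "") for blanks, comments and tags."""
    line = raw.strip()
    if not line or line.startswith(("#", "<")):
        return "", ""
    return _split(line)


def audit(config_text):
    """Return (line_no, message) for each directive matching one of the findings."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        key, value = _directive(raw)
        if key == "serversignature" and value.lower() != "off":
            findings.append((n, "ServerSignature is not Off"))
        elif key == "servertokens" and value.lower() != "prod":
            findings.append((n, "ServerTokens is not Prod"))
        elif key == "options":
            # '+Indexes' enables listing too; '-Indexes' does not, so only strip '+'.
            tokens = {t.lower().lstrip("+") for t in value.split()}
            # 'All' is every option except MultiViews, so it implies Indexes.
            if tokens & {"indexes", "all"}:
                findings.append((n, "directory listing enabled via Options"))
        elif key == "sslciphersuite":
            missing = [x for x in WEAK_EXCLUSIONS if x not in value]
            if missing:
                findings.append((n, "SSLCipherSuite lacks " + ", ".join(missing)))
    return findings


def harden(config_text):
    """Return a copy of the configuration with the three findings fixed in place."""
    out = []
    for raw in config_text.splitlines():
        indent = raw[: len(raw) - len(raw.lstrip())]
        line = raw.strip()
        key, value = _directive(raw)
        if key == "serversignature":
            line = "ServerSignature Off"
        elif key == "servertokens":
            line = "ServerTokens Prod"
        elif key == "options":
            # Remove 'Indexes' as Jules suggests, and 'All' since it would re-enable it.
            kept = [t for t in value.split()
                    if t.lower().lstrip("+") not in ("indexes", "all")]
            line = "Options " + (" ".join(kept) if kept else "None")
        elif key == "sslciphersuite":
            for x in WEAK_EXCLUSIONS:
                if x not in value:
                    value += ":" + x
            line = "SSLCipherSuite " + value
        out.append(indent + line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, msg in audit(SAMPLE_CONFIG):
        print("line %d: %s" % (n, msg))
    print("--- hardened ---")
    print(harden(SAMPLE_CONFIG), end="")
    assert audit(harden(SAMPLE_CONFIG)) == []
```

Run it against the sample and it reports all four directives, then prints a copy that audits clean; point `audit()` at the real files found by Jules's "search every Apache configuration file for Indexes" step before and after editing, and restart Apache afterwards as he notes. A `-Indexes` token is deliberately left alone, since it disables listing rather than enabling it.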

