On Fri, Mar 07, 2003 at 11:48:53PM +0100, Rick Hoekman wrote: > In Apache you can restrict the information that it reveals about > itself setting ServerTokens to Prod for example, and it will give only > Apache when you telnet to it. > > But in case of an error page it will present the version number along > with it (I know you can redirect this error, but still). Does Nessus > check for this when it finds an Apache webserver but cannot check for > version? It now does - thanks for the suggestion. Index: http_version.nasl =================================================================== RCS file: /usr/local/cvs/nessus-plugins/scripts/http_version.nasl,v retrieving revision 1.35 diff -c -r1.35 http_version.nasl *** http_version.nasl 6 Feb 2003 03:28:31 -0000 1.35 --- http_version.nasl 7 Mar 2003 23:17:17 -0000 *************** *** 41,58 **** exit(0); } # # The script code starts here # - include("http_func.inc"); port = get_kb_item("Services/www"); if (!port) port = 80; if (get_port_state(port)) { ! soctcp80 = open_sock_tcp(port); if (soctcp80) { --- 41,74 ---- exit(0); } + include("http_func.inc"); + # # The script code starts here # + function get_apache_version() + { + local_var req, soc, r, v; + + req = http_get(item:"/nonexistent_please_dont_exist", port:port); + soc = http_open_socket(port); + if(!soc) return NULL; + send(socket:soc, data:req); + r = egrep(pattern:"<ADDRESS>.*</ADDRESS>", string:http_recv(socket:soc)); + http_close_socket(soc); + v = ereg_replace(string:r, pattern:"<ADDRESS>(Apache/[^ ]*).*", replace:"\1"); + if( r == v ) + return NULL; + else return v; + } port = get_kb_item("Services/www"); if (!port) port = 80; if (get_port_state(port)) { ! soctcp80 = http_open_socket(port); if (soctcp80) { *************** *** 64,76 **** svrline = egrep(pattern:"^Server:", string:resultrecv); svr = ereg_replace(pattern:"^Server: (.*)$", string:svrline, replace:"\1"); report = string("The remote web server type is :\n\n"); ! 
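Review bot: The capture group in get_apache_version(), `(Apache/[^ ]*)`, stops only at a space, so a footer with no space after the version (constructed sample: `<ADDRESS>Apache/x.y</ADDRESS>`) would return the closing tag as part of the version string; `pattern:"<ADDRESS>(Apache/[^ <]*).*"` bounds the capture at the tag as well. Both the egrep() and the ereg_replace() patterns match only the uppercase `<ADDRESS>` spelling, so a server that writes the footer in lowercase would be treated as if no version could be found; if the interpreter in use accepts `icase:TRUE` on these calls, passing it would cover both spellings. The function reads the global `port` instead of taking it as an argument, and the http_recv() result is used unchecked, which is safe only because an empty `r` ends up in the `r == v` branch; a short comment stating both facts would help the next reader. The returned value is text chosen by the scanned host and should be documented as untrusted for any caller.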
report = report + svr; if("Apache" >< svr) { ! if("Apache/" >< svr)report = report + string("\nSolution : You can set the directive 'ServerTokens Prod' to limit\nthe information emanating from the server in its response headers."); else{ ! report = report + string("\nand the 'ServerTokens' directive is ProductOnly\nApache does not permit to hide the server type\n"); } }else{ if("Microsoft-IIS/" >< svr){ report = report + string("\n", "Solution : You can use urlscan to change reported server for IIS."); }else{ --- 80,102 ---- svrline = egrep(pattern:"^Server:", string:resultrecv); svr = ereg_replace(pattern:"^Server: (.*)$", string:svrline, replace:"\1"); report = string("The remote web server type is :\n\n"); ! if("Apache" >< svr) { ! if("Apache/" >< svr)report = report + svr + string("\n\nSolution : You can set the directive 'ServerTokens Prod' to limit\nthe information emanating from the server in its response headers."); else{ ! svr2 = get_apache_version(); ! if( svr2 != NULL ) ! { ! report = report + svr2 + string("\n\nThe 'ServerTokens' directect is set to ProductOnly\n", ! "but could however determine that the version of the remote\n", ! "server by requesting a non-existant page.\n"); ! svrline = string("Server: ", svr2, "\r\n"); ! set_kb_item(name:string("www/real_banner/", port), value:svrline); ! } ! else report = report + svr + string("\nand the 'ServerTokens' directive is ProductOnly\nApache does not permit to hide the server type.\n"); } }else{ + report = report + svr; if("Microsoft-IIS/" >< svr){ report = report + string("\n", "Solution : You can use urlscan to change reported server for IIS."); }else{
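Review bot: The value stored under `www/real_banner/<port>` is built from `svr2`, a fragment of the error-page body returned by the scanned host, and nothing checks it before `set_kb_item()`; any plugin that later reads this key for version matching inherits whatever that page contained, which is a source of false findings. egrep() returns whole matching lines, so `svr2` may (not confirmed from this hunk) still carry a line terminator or more than one matched line, which would leave `svrline` malformed once `"\r\n"` is appended; testing it against a strict pattern such as `^Apache/[0-9][0-9A-Za-z._-]*$` before storing would address both. The new report text also has wording errors in user-facing output: `directect` should be `directive`, `non-existant` should be `non-existent`, and `but could however determine that the version of the remote server` is not a complete clause. The enclosing if/else chain continues past the end of the hunk.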