http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21736

not possible to modify response header when default_handler result a HTTP_NOT_MODIFIED

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Enhancement                 |Normal

------- Additional Comments From [EMAIL PROTECTED]  2003-09-30 20:16 -------

Hi,

I'm running version 2.0.47 of Apache, and I use mod_headers to change the Server: header to "none of your business" or "dummyserver" so as to hide the Apache identity.

But on not-modified, the Server: Apache header jumps out to the "public" (i.e. hackers), revealing Apache's identity and rendering my Header Set Server useless.

This ALSO happens with 500 errors and 404-on-404's.

I tried to redirect the 304 with an ErrorDocument to a zero-length dummyfile, but then I'd have to worry about hiding that dummyfile from outsider access. If I use mod_rewrite to fake a 404, then on not-modified files I get a 404 instead.

The result: Someone trying to hack my site will EASILY know not only what server, but also what scripting language I'm using on my scripts (if you're using Apache, you are very probably using PHP).

So, PLEASE, fix this bug, since it involves a security issue (stealth).

Possible quick-fixes: Add a new directive to the httpd.conf (AND .htaccess!) so as to report the "new" server name.
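A check for the behaviour described in the report above, as an added example that is not part of the original bug report or of Apache: it parses captured raw responses and lists the status codes whose Server header differs from the masked value. The sample responses are constructed, and `EXPECTED_SERVER`, `parse_response` and `audit` are names chosen for this example.

```python
"""Audit captured HTTP responses for a Server header that escapes masking."""
from email.parser import BytesParser

EXPECTED_SERVER = "dummyserver"  # masked value named in the report

# Constructed sample responses (not captured from a real server): the 200
# carries the masked header, the 304/404/500 paths carry the default one.
SAMPLES = [
    b"HTTP/1.1 200 OK\r\nServer: dummyserver\r\nContent-Length: 2\r\n\r\nok",
    b"HTTP/1.1 304 Not Modified\r\nServer: Apache/2.0.47 (Unix)\r\n\r\n",
    b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.47 (Unix)\r\n\r\n",
    b"HTTP/1.1 500 Internal Server Error\r\nServer: Apache/2.0.47 (Unix)\r\n\r\n",
]


def parse_response(raw):
    """Return (status_code, list of Server header values) for one raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line[:40])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return int(parts[1]), headers.get_all("Server", [])


def audit(responses, expected=EXPECTED_SERVER):
    """Map status code -> offending Server values; empty dict means consistent."""
    findings = {}
    for raw in responses:
        status, values = parse_response(raw)
        # A missing header discloses nothing; any value other than the
        # expected one (including a second, duplicate header) is a leak.
        leaked = [v.strip() for v in values if v.strip() != expected]
        if leaked:
            findings.setdefault(status, []).extend(leaked)
    return findings


if __name__ == "__main__":
    for status, values in sorted(audit(SAMPLES).items()):
        print("status %d exposes Server: %s" % (status, ", ".join(values)))
```
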
