I agree with James. "Security by obscurity" is no security at all. Even the
feature in the latest version of Apache to only return "Apache" as the
server version is limited, since everyone will know at present that it's
1.3.14 anyway!
What really matters is that people upgrade to the latest version at the
earliest possible time. This is far easier using Apache and mod_ssl than the
MS offering.
-
John Airey
Internet Systems Support Officer, ITCSD,
Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
-----Original Message-----
From: James Treworgy [mailto:[EMAIL PROTECTED]]
Sent: 24 October 2000 05:10
To: [EMAIL PROTECTED]
Subject: Re: PHP Info www search and server info gathering (fwd)
Doesn't seem like a big deal to me.. even _without_ the phpinfo() function
I could probably tell you with about 80% accuracy what directories stuff on
any given server is installed in, since most people use the defaults
anyway. And any technical mailing list such as this one would tell you
exactly this information (and a lot more) about any of the thousands of
people who post to the list.
So what use is this information from a security threat standpoint? While
knowing an exact server version might conceivably help a hacker know what
exploits to try (or not try), one should hardly consider that the _lack_ of
published info about their server is any sort of security.
Jamie
At 10:59 PM 10/23/00, R. DuFresne wrote:
>I am not sure if this is an issue that seems bad for
>a server's security to most people, but to me it is a
>really bad looking problem. The phpinfo() function
>available from PHP versions gives out a _LOT_ of server
>information, directories things are installed in, versions
>etc.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]