Suppressing software version numbers?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Suppressing software version numbers?

Postby Boogerhead » 29. June 2008 04:02

Kind folks,

When I have a directory listing, Apache spits out every version number, e.g.:
Apache/2.2.8 (Win32) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8g mod_autoindex_color PHP/5.2.5 Server at blahblahblah port blah

I'm really not a big fan of advertising security holes that I don't even know about -- why should I give extra information to someone who could find a security hole in my software? So I'd really, really like to disable this (and suggest that it be off by default in future versions of XAMPP, as it offers no useful information to users and potentially dangerous information to hackers).

I found suggestions for a CentOS install of Apache that suggested these be put in httpd.conf:
ServerSignature Off
ServerTokens ProductOnly

I did that, restarted the service, and still have the same problem, still have that big string of version numbers coming at me. I don't see directives anywhere else (e.g., within fancyindexing) that can suppress this.

Ideas? Suggestions?


Mike
Boogerhead
 
Posts: 8
Joined: 29. June 2008 03:56

Postby x-files » 29. June 2008 04:54

Mine says:
ServerSignature Off
ServerTokens Prod

and info is no longer sent. 8)
x-files
 
Posts: 23
Joined: 16. November 2007 02:57

Postby Milligan » 29. June 2008 05:52

Last edited by Milligan on 17. July 2008 04:55, edited 1 time in total.
Milligan
 
Posts: 136
Joined: 03. March 2008 06:23

Re: Suppressing software version numbers?

Postby Nobbie » 29. June 2008 13:12

Boogerhead wrote:(and suggest that it be off by default in future versions of XAMPP, as it offers no useful information to users and potentially dangerous information to hackers).


Of course not, as Xampp is supposed to be used for local development and not for use on webservers.

If you wish to install Xampp on a public webserver anyway, it's on you to protect your server properly.
Nobbie
 
Posts: 8775
Joined: 09. March 2008 13:04

Postby Boogerhead » 30. June 2008 05:38

Milligan wrote:Try changing the defaults in \xampp\apache\conf\extra\httpd-default.conf


That did it! I'm much obliged.

Nobbie wrote:Of course not, as Xampp is supposed to be used for local development and not for use on webservers.


Again, I'm a bit confused, as a local developer surely knows which versions of the software are installed, or knows how to find out; there's no useful information given to the developer; no useful information given to any additional users; and potentially dangerous information given to people with ill will. Regardless of the intended userbase of XAMPP, it's difficult for me to imagine why creating security problems without a corresponding benefit to any possible audience, when it's so easily fixed, is a good idea. I may be missing something really big here, but I simply don't see the harm in reducing the information and see some potential benefit.
Boogerhead
 
Posts: 8
Joined: 29. June 2008 03:56


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 29 guests