[Cialug] Disclosing Apache and PHP version numbers
Jerry Heiselman
jerry at heiselman.com
Thu Apr 2 09:48:21 CDT 2009
On Thu, Apr 2, 2009 at 9:31 AM, David Champion <dave at dchamp.net> wrote:
> You've pretty much answered your own question. At the SANS PHP security
> class I was at this winter, they mentioned that any extra version info
> you give out can be used by attackers to help them find vulnerable
> servers to attack.
>
> I can't think of a good reason really to leave them on. There may be an
> RFC or something that says you're supposed to show it...
>
> -dc
>
>
There is no RFC that I'm aware of that says you need to disclose the
version. I believe that is really only used by companies like Netcraft that
come out with those reports of how many sites are running Apache or IIS and
how many are using PHP or Perl or <insert your language here>.
Just kind of a way to stand and be counted, but I'm sure they don't rely
solely on the headers/version information for that data.
--
Jerry