Summary.Net Archives
 

Re: [Summary-Talk] internal summary Apache



Summary does not use Apache internally, nor does Summary's built-in web
server have any features which correspond to what ServerSignature or
ServerTokens control. In effect, they are always turned off in Summary.

The closest correspondence that I can think of is that Summary puts the
release date of the version of Summary you are running in the page
footer by default. It is not at all clear how a hacker could take
advantage of that, since there are no known security issues in Summary
that the release date could help them take advantage of. If it troubles
you, and you have Summary SP Lite or SP, you can change the default page
footer to remove the release date.

My guess is that Hacker Safe has gotten confused. They presumably saw
something that vaguely resembles the signature of a known vulnerability
in Apache. Since Apache is not involved here, those known issues in
older versions of Apache can't possibly apply to Summary.

Jason


Alex Pilson wrote:
> One of my clients signed up for the Hacker Safe program, and they
> flagged the Summary app for exposing the web server banner. (only
> level 2) but I was wondering if it is possible to modify the config
> for it with the following directives:
> 
> # Edit your httpd.conf
> # Add the line "ServerSignature Off"
> # Add the line "ServerTokens ProductOnly"

-- 
Jason@Summary.Net
--
Dr. Seuss books . . . can be read and enjoyed on several levels. For
example, 'One Fish Two Fish, Red Fish Blue Fish' can be deconstructed
as a searing indictment of the narrow-minded binary counting system.
    -- Peter van der Linden, Expert C Programming, Deep C Secrets
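
Added example, not part of the original thread or of Summary's code: a small Python check for triaging a scanner's "web server banner" finding. It parses a Server header value and reports which Apache ServerTokens level would produce it, or that the banner is not Apache's at all. The sample banners are constructed, and "ExampleServer" is a hypothetical product name.

```python
import re

# One Server-header element: a "(comment)" or a "product[/version]" token.
_ELEMENT = re.compile(r"\(([^)]*)\)|([^\s()/]+)(?:/([^\s()]+))?")

def parse_server_header(value):
    """Return ([(product, version_or_None), ...], [comment, ...])."""
    products, comments = [], []
    for m in _ELEMENT.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def apache_tokens_level(value):
    """Map a banner to the ServerTokens level that produces it.

    Returns None when the first product is not Apache, in which case
    ServerTokens/ServerSignature cannot be what controls the banner.
    """
    products, comments = parse_server_header(value)
    if not products or products[0][0].lower() != "apache":
        return None
    version = products[0][1]
    if version is None:
        return "Prod"
    if len(products) > 1:
        return "Full"   # module tokens are only sent at Full
    if comments:
        return "OS"     # Full with no modules loaded looks the same
    return {1: "Major", 2: "Minor"}.get(version.count(".") + 1, "Min")

def disclosed_versions(value):
    """List every product/version pair the banner reveals."""
    return [f"{n}/{v}" for n, v in parse_server_header(value)[0] if v]

if __name__ == "__main__":
    # Constructed sample banners; "ExampleServer" is a hypothetical product.
    for banner in ("Apache", "Apache/2.4", "Apache/2.4.2 (Unix) PHP/4.2.2",
                   "ExampleServer/1.0"):
        print(f"{banner!r}: level={apache_tokens_level(banner)} "
              f"versions={disclosed_versions(banner)}")
```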