Dear list,

I have tested my web server (openSUSE 11; apache2-2.2.8-28.4) with nikto. I
have found:

```
+ Server: Apache
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.9
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. 
See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP 
reveals potentially sensitive information via certain HTTP requests which 
contain specific QUERY strings.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 5 item(s) reported on remote host
+ End Time:        2010-01-03 17:56:35 (2228 seconds)

```

To block TRACE I have added the following in httpd.conf:


```apache
<Directory /srv/www/htdocs/>
    # Prevents TRACE from allowing attackers to find a
    # path through cache or proxy servers.
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Directory>
```

After restarting Apache, nikto is still able to find TRACE. I have a number of
VHOSTs, hence rather than .htaccess I would like to add it in httpd.conf. What am I
missing here? How can I also prevent the other information, like the PHP header,
the icons/ folder, etc.? I will be grateful if anyone can kindly advise me.

Thanks
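As an added example (not part of the original post), here are server-level settings that address each nikto finding above. Per the Apache documentation, `<Limit>` and `<LimitExcept>` cannot restrict the TRACE method at all, which is why the directory block above has no effect; `TraceEnable` is the directive for that. The icons directory path is an assumption for an openSUSE layout, and the `Header` directive assumes mod_headers is loaded.

```apache
# Put these in the main server config (outside any <VirtualHost>) so that
# they apply to every vhost without touching .htaccess files.

# TRACE is answered by the core and is not subject to <Limit>/<LimitExcept>;
# TraceEnable is the only directive that switches it off.
TraceEnable off

# Stop advertising the Apache version and OS in the Server header and on
# server-generated pages.
ServerTokens Prod
ServerSignature Off

# Remove the X-Powered-By header if mod_headers is available.
# (expose_php = Off in php.ini is the primary fix; it stops PHP from
# sending the header in the first place.)
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# /icons/ is an Alias to the icons directory (assumed path for openSUSE:
# /usr/share/apache2/icons). Turn off directory listings there and, unless
# FancyIndexing is actually needed, refuse access to the directory entirely,
# which also hides /icons/README.
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    Order deny,allow
    Deny from all
</Directory>
```

Setting `expose_php = Off` in php.ini also disables the `?=PHPB8B5F2A0-...` easter-egg query strings reported as OSVDB-12184; re-running nikto after an Apache restart is the simplest way to confirm all five findings are gone.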


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.