Potential Apache Security Vulnerability discloses iNode information with the FileETag method.
(Last modified: 12Nov2004)
This document (10090670) is provided subject to the disclaimer at the end of this document.
fact
Novell Apache on NetWare
Novell Apache 1.3.27
symptom
Potential Apache Security Vulnerability discloses iNode information with the FileETag method.
cause
From the Apache Group: "In Apache 1.3.22 and earlier, the ETag value was always formed from the file's inode, size, and last-modified time (mtime)."
fix
In Apache 1.3.23 and later, the ETag configuration determines which of the above values are included.
With Apache 1.3.27 and later, the inode information won't be displayed if the 'FileETag -INode' directive is added to the Apache configuration file (httpd.conf or adminserv.conf, depending on which version of NetWare is being used).
More information may be found at: http://www.securityfocus.com/bid/6939/solution/ and http://httpd.apache.org/docs/mod/core.html#fileetag.
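One way to confirm that the directive took effect is to inspect the ETag response header before and after the change. The following is an added example, not Novell or Apache code; it assumes Apache's file ETag layout of hyphen-separated hex fields in the order inode, size, mtime, and the function names and sample headers are constructed for illustration.

```python
import re

# Assumed layout: Apache writes each enabled FileETag component as hex,
# joined by "-", in the order inode, size, mtime; "W/" marks a weak tag.
_ETAG_RE = re.compile(r'^(W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+){0,2})"$')


def parse_etag(value):
    """Split an Apache-style file ETag into hex fields; None if not one."""
    m = _ETAG_RE.match(value.strip())
    if not m:
        return None
    parts = [int(p, 16) for p in m.group(2).split("-")]
    return {"weak": bool(m.group(1)), "parts": parts}


def inode_exposed(value):
    """True when the tag carries three fields, i.e. inode-size-mtime."""
    parsed = parse_etag(value)
    return parsed is not None and len(parsed["parts"]) == 3


def audit_headers(raw_headers):
    """Check a raw response header block; returns (etag, verdict)."""
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "etag":
            val = val.strip()
            if parse_etag(val) is None:
                return val, "not an Apache file ETag"
            if inode_exposed(val):
                inode = parse_etag(val)["parts"][0]
                return val, "inode exposed (inode=%d)" % inode
            return val, "no inode field"
    return None, "no ETag header"


# Constructed sample responses (not captured from a real server).
BEFORE = 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.27\r\nETag: "1e9d-5f-3e5a8b2c"\r\n'
AFTER = 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.27\r\nETag: "5f-3e5a8b2c"\r\n'

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after FileETag -INode", AFTER)):
        print(label, audit_headers(hdrs))
```

A three-field tag from a non-Apache application would also be flagged, so treat the verdict as a prompt to check the server configuration rather than as proof.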
note
Note: This issue was resolved in the Apache code for version 1.3.27. Security alerts on the Apache website may mention that the fix was for OpenBSD; the fix will be the same for the same version number on ALL platforms running Apache.
document
Document Title: Potential Apache Security Vulnerability discloses iNode information with the FileETag method.
Document ID: 10090670
Solution ID: NOVL95177
Creation Date: 27Jan2004
Modified Date: 12Nov2004
Novell Product Class: Web Services
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.