  1. FreePBX
  2. FREEPBX-19477

Service Fingerprint

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 14
    • Fix Version/s: None
    • Component/s: FreePBX Distro
    • Labels:
    • ToDo:
    • Asterisk Version: 15.5.0
    • Distro Version: 14.0.5.25
    • Distro: FreePBX Distro

      Description

      By default, Apache offers the following service fingerprint:

      Server: Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.40

      This is an open invitation to every potential attacker as it hands out version numbers of Apache, PHP and OpenSSL including even the minor version. Having that info, anyone can easily list the bugs contained in those versions. Because of the 'Sangoma' statement behind Apache's version number one can also guess the underlying OS and its version.

      Please consider changing the ServerTokens statement in the Apache configuration from Full to Prod. This would change the service fingerprint to:

      Server: Apache

      Nobody needs a webserver to hand out more information about its own bugs.

              People

              • Assignee: Unassigned
              • Reporter: hr1232 HR
              • Votes: 0
              • Watchers: 2
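
A way to check for the disclosure described in the report, as an added example that is not part of the original issue or of FreePBX: shell functions that pull the Server header out of raw response headers, list the tokens that reveal a version or platform comment, and report the ServerTokens value in effect in Apache configuration text. The function names and the sample configuration are constructed for illustration; the two header values are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: audit the Server response header for version disclosure.
# Function names and SAMPLE_CONF are constructed for illustration.

# Read raw response headers on stdin (e.g. saved `curl -sI` output) and
# print the value of the Server header, without the trailing CR.
server_header_value() {
    tr -d '\r' | awk 'tolower($1) == "server:" {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print every token of a Server header value that reveals more than a product
# name: "name/version" tokens and "(comment)" platform strings.
# Exit status 0 = nothing disclosed, 1 = at least one disclosing token.
server_header_leaks() {
    leaks=$(printf '%s\n' "$1" | grep -oE '\([^)]*\)|[^ ()]+/[^ ()]+' || true)
    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks"
    return 1
}

# Read Apache configuration text on stdin and print the ServerTokens value,
# treating the last uncommented directive as the one in effect and falling
# back to Apache's documented default, Full.
# Assumes included files have already been concatenated into the input.
effective_server_tokens() {
    awk 'tolower($1) == "servertokens" { v = $2 }
         END { print (v == "" ? "Full" : v) }'
}

# Header values quoted in the report.
FULL_HEADER='Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.40'
PROD_HEADER='Apache'
# Constructed configuration: the later directive overrides the earlier one.
SAMPLE_CONF='# ServerTokens OS
ServerTokens Full
ServerTokens Prod'

for h in "$FULL_HEADER" "$PROD_HEADER"; do
    if server_header_leaks "$h" >/dev/null; then
        echo "no version disclosure: $h"
    else
        echo "discloses: $(server_header_leaks "$h" | tr '\n' ' ')"
    fi
done
echo "effective ServerTokens: $(printf '%s\n' "$SAMPLE_CONF" | effective_server_tokens)"
```

After changing the directive and reloading Apache, piping the output of `curl -sI` for the server's own URL into `server_header_value` and then into `server_header_leaks` confirms the header no longer carries version tokens.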