
How to fix "Apache Web Server ETag Header Information Disclosure Weakness"?

Apache File ETag header Bug Fix

What is "Apache Web Server ETag Header Information Disclosure Weakness" and how to fix it?

The Apache HTTP Web Server is one of the most popular open-source HTTP servers and runs on multiple platforms, including Windows, Unix, and Linux. A weakness has been discovered in Apache web servers that are configured to use the entity tag (ETag) header via the FileETag directive: under certain configurations the generation of ETag headers discloses information. ETag headers are used by Apache's cache management feature for proper caching and page version checking; entity tags (ETags) are a mechanism by which a client checks whether a newer version of a cached file exists.

When a file is requested, an ETag response header is returned containing various file attributes for caching purposes. Among the file attributes included in the header is the file's inode number, which is therefore returned to the client.

The vulnerability allows remote attackers to obtain sensitive information, such as the file's inode number (through the ETag header) and child process IDs, from the server. This poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services; exploitation of this issue may provide an attacker with information that can be used to launch further attacks against a target network. By default, all versions of Apache are vulnerable.

In Apache, ETags are made out of three components: the INode, MTime, and Size.

FileETag INode-MTime-Size
Ex. ETag: "10690a1-4f2-40d45ae1"

A sample response carrying an ETag looks like:

GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2014 03:07:56 GMT
Server: Apache
Last-Modified: Fri, 10 Oct 2013 00:14:56 GMT
ETag: "23e0cd2x-1449-9edb26df89021"
Accept-Ranges: bytes
Content-Length: 9352
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html

ETag value: 23e0cd2x-1449-9edb26df89021

In Apache versions 1.3.22 and earlier it is not possible to disable inodes in ETag headers, so those versions are vulnerable at all times. Workarounds exist for Apache 1.3.23 and later: from that version on, the FileETag directive can be configured to generate ETag headers without inode information, which addresses this vulnerability. Customers running Apache <= 1.3.22 will need to upgrade to a later version.

To fix this bug:

  • Go to the $Web_Server/conf directory (usually /etc/httpd/conf)
  • Edit httpd.conf and add the following (the Header directive requires mod_headers to be loaded)
  • Header unset Etag
    FileETag None
  • Restart Apache

To verify the change, try the following:
  • Open a browser and access your application
  • Check the HTTP response headers; you should not see an ETag header at all.

To remove the ETag header entirely, use FileETag None.
To hide only the inode component and keep the rest of the ETag, use FileETag -INode.
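The following audit helper is an added example, not code from the original post or from Apache itself. It pulls the ETag out of a raw HTTP response, recognises the default Apache hex form (Apache emits the three fields in the order inode-size-mtime, whatever order the FileETag keywords are written in) and decodes what the header reveals, so you can confirm before and after the FileETag change what a client actually sees. The responses below are constructed; a two-field or missing ETag is what FileETag -INode or FileETag None should produce.

```python
import re
from datetime import datetime, timezone

# Default Apache ETag: optionally weak ("W/"), quoted, 1 to 3 lowercase hex
# fields separated by '-'. Apache's ap_make_etag emits inode, size, mtime.
_ETAG_RE = re.compile(r'^(W/)?"([0-9a-f]+(?:-[0-9a-f]+){0,2})"$')

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = ('HTTP/1.1 200 OK\r\nServer: Apache\r\n'
              'ETag: "10690a1-4f2-40d45ae1"\r\nContent-Length: 1266\r\n\r\n')
AFTER_MINUS_INODE = ('HTTP/1.1 200 OK\r\nServer: Apache\r\n'
                     'ETag: "4f2-40d45ae1"\r\nContent-Length: 1266\r\n\r\n')
AFTER_NONE = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 1266\r\n\r\n'


def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_etag(raw):
    """Classify a response's ETag as absent, opaque, or Apache's hex form.

    For the default three-field form the inode, size and mtime are decoded
    so an auditor sees exactly what the header discloses.
    """
    headers = parse_headers(raw)
    etag = headers.get("etag")
    if etag is None:
        return {"status": "absent"}
    m = _ETAG_RE.match(etag)
    if not m:
        return {"status": "opaque", "etag": etag}
    fields = m.group(2).split("-")
    # Only the full default form is guaranteed to start with the inode; a
    # shorter ETag depends on which FileETag keywords were dropped.
    result = {"status": "apache-%d-fields" % len(fields), "etag": etag,
              "inode_disclosed": len(fields) == 3}
    if len(fields) == 3:
        inode, size, mtime = (int(f, 16) for f in fields)
        # Apache 2.2+ stores mtime as microseconds; 1.3/2.0 used seconds.
        secs = mtime / 1_000_000 if mtime > 10**10 else mtime
        result.update(inode=inode, size=size,
                      mtime=datetime.fromtimestamp(secs, tz=timezone.utc).isoformat(),
                      size_matches_content_length=str(size) == headers.get("content-length"))
    return result
```

Run audit_etag() against the raw response of a live server before and after restarting Apache; the decoded size should match Content-Length on the vulnerable server, and the status should read "absent" once FileETag None is in place.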

By removing the ETag header you stop caches and browsers from validating files with it, so they are forced to rely on your Cache-Control and Expires headers instead. A good example of this can be found at Speed Up Your Website using Caching and .htaccess GitHub. The example shows the use of two Apache modules, mod_expires and mod_headers. Please refer to the Apache documentation on how to enable these modules.

OpenBSD has addressed this issue and has released a patch that tackles the vulnerability. Check OpenBSD Patch for fixing Apache Web Server ETag Header Information Disclosure Weakness for more details. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.

Bugzilla: 733043: CVE-2003-1418 httpd information disclosure in FileEtag

The MITRE CVE dictionary describes this issue as:
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
Red Hat does not consider this to be a security issue: the information returned poses no threat to the target machine running httpd. Red Hat uses a process called backporting, which means that the version string an attacker sees does not correspond to the actual patch level of the installed software. Documentation of this is given in Red Hat Bugzilla at Red Hat Bugzilla – Bug 733043 CVE-2003-1418 httpd information disclosure in FileEtag. That page references a further link explaining why Red Hat has chosen not to patch this and why they do not consider this vulnerability to be a security risk:
