10-24-2009, 11:57 AM
Yet you, as well as millions of others, unknowingly use both Linux and Apache every day. How? Why? Well... because 99% of webservers are run using an Apache webserver on a Linux OS. Including Mock. So... enjoy it
How do you find out what webserver software and OS a site is running? It usually says if you generate an error page.
For instance:
http://www.mockforums.com/fuckedup.html
Will dump you to an error page that shows the following as the footer:
Quote: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.mockforums.com Port 80
Which tells you lots. It's using Apache webserver 2 version 2.2.11 (a little out of date... not very secure), running on UNIX (the OS Linux is a free clone of), with OpenSSL for https support, DAV/2 support, the module for passthrough authentication, the module to limit the bandwidth used by the site, FrontPage extensions, and it's running on port 80. This type of info is what lets hackers in. Knowing your Apache version lets them choose attacks that target any known security issues in that version, and having FrontPage extensions opens up even MORE security vulnerabilities (it's a Micro$uck product after all) for them to attack with.
So, Frank should really go in and disable FP extensions at the very least.
Of course, he could also make it so it doesn't display such critical info, BUT it's useful for troubleshooting, not just hackers. And since in general Apache is very fucking secure, I don't ever worry about showing it on my servers.
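An added example, not part of the original post: a small Python audit helper that splits a banner like the one quoted above into its tokens and lists what it discloses, so you can confirm on your own server what Apache's `ServerTokens` and `ServerSignature` directives leave visible. The function names and the `MINIMAL` sample are assumptions made for this example.

```python
import re

# Constructed samples: the footer quoted in the post, and the product-only
# banner Apache sends when "ServerTokens Prod" is set.
VERBOSE = ("Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a DAV/2 "
           "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 "
           "Server at www.mockforums.com Port 80")
MINIMAL = "Apache"

# A token is either name[/version] or a parenthesised platform comment.
TOKEN = re.compile(r"([A-Za-z][\w.-]*)(?:/(\S+))?|\(([^)]*)\)")

def parse_banner(banner):
    """Split a banner into [(product, version-or-None), ...] and the platform."""
    # The error-page footer appends " Server at <host> Port <n>"; drop it.
    banner = re.sub(r"\s+Server at \S+ Port \d+\s*$", "", banner.strip())
    products, platform = [], None
    for m in TOKEN.finditer(banner):
        if m.group(3) is not None:
            platform = m.group(3)
        else:
            products.append((m.group(1), m.group(2)))
    return products, platform

def disclosures(banner):
    """List what the banner gives away; an empty list means product name only."""
    products, platform = parse_banner(banner)
    findings = []
    if platform:
        findings.append(f"platform disclosed: {platform}")
    for i, (name, version) in enumerate(products):
        if version:
            findings.append(f"version disclosed: {name} {version}")
        elif i > 0:
            # Anything after the first token is a loaded module or extension.
            findings.append(f"module disclosed: {name}")
    return findings

if __name__ == "__main__":
    for label, banner in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(label)
        for line in disclosures(banner) or ["nothing beyond the product name"]:
            print("  " + line)
```

In Apache, `ServerTokens Prod` reduces the banner to the product name and `ServerSignature Off` removes the footer from generated error pages.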