The other day I was browsing the web looking for some specific information on PHP security. I came across a great site (which I cannot name for the reasons below), containing just the information I was looking for. I was about to leave the office for the day and wanted to download the PDF version of the document to my phone to read on the way home — yes, I know that’s sad! I clicked on the PDF link. You know what happened next? To my surprise, I saw the following:
Putting user friendliness to one side, the site revealed vital information about key components on the web server. It amused me that a website focussing on security would have a security vulnerability, and an easy one to resolve at that. A hacker coming across the site could look up the documented vulnerabilities in these components and launch an attack. I have tried emailing the website owners alerting them to my discovery, but all my emails are bouncing. I’m assuming that this is not an elaborate scam – I guess I’ll know soon if I have been fooled!
Back to Apache. If your server is reporting its version number, then you can resolve the problem very easily by adding the following to your httpd.conf file:
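An added example, not the snippet from the original post: the two standard Apache directives that control what the server reveals about itself, with the revealing values shown commented out above the hardened ones.

```apache
# Revealing settings (ServerTokens Full is Apache's default):
#   ServerTokens Full      -> Server header and error-page footer list the
#                             Apache version, OS and compiled-in modules
#   ServerSignature On     -> appends that footer to server-generated pages
#                             (error documents, directory listings)

# Hardened settings. ServerTokens is only valid in the main server config,
# not inside a <VirtualHost> block.
ServerTokens Prod
ServerSignature Off
```

With these in place, the response headers from your own server (for example via `curl -I`) should show only `Server: Apache`. This removes the easy version lookup but does not fix any flaw in the components themselves, so they still need to be kept patched.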
After you save the changes, restart your Apache server and wave goodbye to this vulnerability.
Hornbill’s cloud instances are secured and do not experience the vulnerability described above.