Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 nikita sinha (nikitas1350)
ericsson

ericsson
IN
nikitas1350 Member since 2017 7 posts
ericsson
Posted: Aug 8, 2018
Last activity: Aug 9, 2018
Posted: 8 Aug 2018 3:02 EDT
Last activity: 9 Aug 2018 9:18 EDT
Closed

Web Server Discloses Software Type And Version

Hi Team,

Can you please review the below recommendation and suggest a way to implement.

Web Server Discloses Software Type And Version

Specific Detail

The Team observed that software type and version details were disclosed within the HTTP ‘Server’ header

Field.

Impact

Knowing the server type and version allows an attacker to focus on the vulnerabilities of that specific version, whereas someone without this knowledge would have to try different vulnerabilities by brute- force. In addition, some servers disclose the operating system version within HTTP response headers. For example, Apache often discloses UNIX or Windows whilst Microsoft-IIS only runs on Windows, and each version of IIS only runs on a single version of Windows.

Recommendation

Cisco recommends that the web server is reconfigured to display the minimal amount of information, or to display false information where possible.

In IIS it is possible to remove the web server banner in two ways:

Show More

Hi Team,

Can you please review the below recommendation and suggest a way to implement.

Web Server Discloses Software Type And Version

Specific Detail

The Team observed that software type and version details were disclosed within the HTTP ‘Server’ header

Field.

Impact

Knowing the server type and version allows an attacker to focus on the vulnerabilities of that specific version, whereas someone without this knowledge would have to try different vulnerabilities by brute- force. In addition, some servers disclose the operating system version within HTTP response headers. For example, Apache often discloses UNIX or Windows whilst Microsoft-IIS only runs on Windows, and each version of IIS only runs on a single version of Windows.

Recommendation

Cisco recommends that the web server is reconfigured to display the minimal amount of information, or to display false information where possible.

In IIS it is possible to remove the web server banner in two ways:

  • Creating a custom ‘ISAPI’ filter to hide the banner in the response headers.
  • Downloading the ‘URLScan’ tool, part of the IIS Lockdown Tool, from the Microsoft website and changing the value of the ‘RemoveServerHeader’ setting.

***Moderator Edit-Vidyaranjan: Updated Platform Capability***


Show Less
To see attachments, please log in.
Security

Posted: 6 years ago
Posted: 8 Aug 2018 5:06 EDT
Xavier Merlin (MERLX)
PEGA
Principal Software Solutions Engineer
PEG
GB

This could well be configuration in the application server rather than in the Pega application.

For instance, if you access a web page available on this server which is not the Pega application, do you still see the header?

I suggest looking at the application server documentation.

Could you tell which application server is used? Maybe someone will know the answer for this particular application server.

Do you happen to know the header seen?

 

 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice