<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 9.00.8112.16437"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Since we're on the subject of security.</DIV>
<DIV>Consider changing the below Apache configurations:</DIV>
<DIV> </DIV>
<DIV>
<DIV>ServerSignature On to ServerSignature Off</DIV></DIV>
<DIV>ServerTokens OS to ServerTokens Prod ( or just remark it out to disable it).</DIV>
<DIV> </DIV>
<DIV>( Blatant web scape below).</DIV>
<DIV>The first line “ServerSignature Off” instructs Apache not to display a trailing footer line under server-generated <A style="POSITION: static; FONT-FAMILY: inherit !important; TEXT-DECORATION: underline !important" id=KonaLink6 class=kLink href="http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/#"><FONT style="POSITION: static; FONT-FAMILY: inherit !important; COLOR: #1fa2e1 !important" color=#1fa2e1><SPAN style="BORDER-BOTTOM: rgb(31,162,225) 1px solid; POSITION: static; BACKGROUND-COLOR: transparent; FONT-FAMILY: inherit !important; COLOR: rgb(31,162,225) !important" class=kLink>documents</SPAN></FONT></A> (error messages, mod_proxy ftp directory listings, mod_info output, and etc) which displays server version number, ServerName of the serving <A style="POSITION: static; FONT-FAMILY: inherit !important; TEXT-DECORATION: underline !important" id=KonaLink7 class=kLink href="http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/#"><FONT style="POSITION: static; FONT-FAMILY: inherit !important; COLOR: #1fa2e1 !important" color=#1fa2e1><SPAN style="BORDER-BOTTOM: rgb(31,162,225) 1px solid; POSITION: static; BACKGROUND-COLOR: transparent; FONT-FAMILY: inherit !important; COLOR: rgb(31,162,225) !important" class=kLink>virtual </SPAN><SPAN style="BORDER-BOTTOM: rgb(31,162,225) 1px solid; POSITION: static; BACKGROUND-COLOR: transparent; FONT-FAMILY: inherit !important; COLOR: rgb(31,162,225) !important" class=kLink>host</SPAN></FONT></A>, email setting, and creates a “mailto:” reference to the ServerAdmin of the referenced document.</DIV>
<DIV>
<P>The second line “ServerTokens Prod” configures Apache to return only Apache as product in the server response header on very page request, suppressing OS, major and minor version info.</P></DIV>
<DIV><BR>>>> On 12/9/2011 at 5:00 AM, Jules <Jules@zend.to> wrote:<BR></DIV>
<TABLE style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em" border=0 bgColor=#f3f3f3>
<TBODY>
<TR>
<TD>
<DIV style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT: 7px"><BR><BR>On 09/12/2011 10:42, Joao Alexandre wrote:<BR>> Hi Jules,<BR>><BR>> All of our internet facing structure was evaluated/scanned for<BR>> security problems and regarding ZendTo they found two issues. They<BR>> don't seem to be related itself with ZendTo but maybe you can help us<BR>> resolve or lead us to the solution:<BR>><BR>> 1.<BR>> Vulnerability details -<BR>> Script ID 201167<BR>> Name Directory Browsing<BR>> Port 443/TCP - http<BR>> Risk factor Medium risk<BR>> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)<BR>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<BR>> Family http<BR>> Product HTTP<BR>> Description This service lists the contents of various directories.<BR>> Information Browsable directories:<BR>> Location<BR>> /js/<BR>> /images/<BR>> /icons/<BR>> /css/<BR>> Solution Disable directory browsing<BR>> History First seen : 2011-12-09 08:02 - New finding<BR>This one you can fix in your Apache configuration. Look for a line <BR>saying something like<BR> Options All Indexes FollowSymLinks MultiViews<BR>and remove the word "Indexes" from it. (Basically just search all the <BR>Apache configuration files you can find for the word "Indexes" and <BR>remove it!)<BR>Then restart Apache.<BR>I have just applied this fix to the VMs I distribute.<BR>><BR>> 2.<BR>> Script ID 236788<BR>> Name SSL/TLS Cipher Suite Detect MD5<BR>> Port 443/TCP - http<BR>> Risk factor Medium risk<BR>> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)<BR>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<BR>> Family ssl<BR>> Product SSL<BR>> Description The MD5 Message-Digest Algorithm is not collision<BR>> resistant, which makes it easier for context-<BR>> dependent attackers to conduct spoofing attacks, as demonstrated by<BR>> attacks on the use of MD5 in the<BR>> signature algorithm of an X.509 certificate.<BR>> Information SSLv3 Cipher Suite OpenSSL Cipher<BR>> Name<BR>> Algorithm Bits Bits Used Cipher Strength<BR>> RSA_WITH_RC4_1<BR>> 28_MD5<BR>> RC4-MD5 128 128 medium<BR>> TLSv1 Cipher Suite OpenSSL Cipher<BR>> Name<BR>> Algorithm Bits Bits Used Cipher Strength<BR>> RSA_WITH_RC4_1<BR>> 28_MD5<BR>> RC4-MD5 128 128 medium<BR>> Solution Reconfigure the service to disallow the listed cipher suites<BR>> Reference url - <A href="http://www.kb.cert.org/vuls/id/836068CVE">http://www.kb.cert.org/vuls/id/836068CVE</A> CVE-2004-2761<BR>> History First seen : 2011-12-09 08:02 - New finding<BR>This is related to your https SSL certificate, and the encryption method <BR>it uses. Most certificate providers are switching away from MD5 to SHA-1 <BR>so hopefully the next time you renew your certificate this problem <BR>should disappear.<BR><BR>Jules<BR><BR>-- <BR>Julian Field MEng CITP CEng<BR>www.Zend.To<BR><BR>Follow me at twitter.com/JulesFM<BR>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<BR><BR>'It's okay to live without all the answers' - Charlie Eppes, 2011<BR>'All programs have a desire to be useful' - Tron, 1982<BR>'That is the land of lost content,<BR> I see it shining plain,<BR> The happy highways where I went,<BR> And cannot come again.' - A.E. Houseman<BR><BR>_______________________________________________<BR>ZendTo mailing list<BR>ZendTo@zend.to<BR><A href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</A><BR></DIV></TD></TR></TBODY></TABLE></BODY></HTML>