<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Thanks for those, I'll add them to the VM distributions. I'm also
    going to put the WebDAV lines in the httpd.conf, commented out, so
    that you just need to uncomment them and run htpasswd to add the
    username and password for it.<br>
    <br>
    There's one minor UI change to go in this weekend before I do a
    release, as in the New Drop-off form currently there isn't room
    between the browse button and the library drop-down to fit in the
    file size, so it splits it over 2 lines which looks messy. So the
    drop-down and the description need moving to the right about an
    inch.<br>
    <br>
    Once that's done, I see no reason not to do a stable release of it,
    as it otherwise appears to all work okay.<br>
    <br>
    Cheers,<br>
    Jules.<br>
    <br>
    On 09/12/2011 17:47, Brad Beckenhauer wrote:
    <blockquote cite="mid:4EE1F55202000068000A4737@smtp.aafp.org"
      type="cite">
      <div>Since we're on the subject of security.</div>
      <div>Consider changing the below Apache configurations:</div>
      <div>&nbsp;</div>
      <div>
        <div>ServerSignature On&nbsp;&nbsp; to&nbsp; &nbsp;ServerSignature Off</div>
      </div>
      <div>ServerTokens OS&nbsp;&nbsp; to&nbsp;&nbsp; ServerTokens Prod&nbsp;&nbsp; ( or just remark
        it out to disable it).</div>
      <div>&nbsp;</div>
      <div>(Blatant web scrape below).</div>
      <div>The first line &#8220;ServerSignature Off&#8221; instructs Apache not to
        display a trailing footer line under server-generated documents
        (error messages, mod_proxy ftp directory listings, mod_info output,
        etc.) which displays the server version number, the ServerName of
        the serving virtual host, the email setting, and creates a
        &#8220;mailto:&#8221; reference to the ServerAdmin of the
        referenced document.</div>
      <div>
        <p>The second line &#8220;ServerTokens Prod&#8221; configures Apache to
          return only Apache as the product in the server response header on
          every page request, suppressing OS, major and minor version
          info.</p>
      </div>
      <div><br>
        &gt;&gt;&gt; On 12/9/2011 at 5:00 AM, Jules
        <a class="moz-txt-link-rfc2396E" href="mailto:Jules@zend.to">&lt;Jules@zend.to&gt;</a> wrote:<br>
      </div>
      <table style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em"
        bgcolor="#f3f3f3" border="0">
        <tbody>
          <tr>
            <td>
              <div style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT:
                7px"><br>
                <br>
                On 09/12/2011 10:42, Joao Alexandre wrote:<br>
                &gt; Hi Jules,<br>
                &gt;<br>
                &gt; All of our internet facing structure was
                evaluated/scanned for<br>
                &gt; security problems and regarding ZendTo they found
                two issues. They<br>
                &gt; don't seem to be related itself with ZendTo but
                maybe you can help us<br>
                &gt; resolve or lead us to the solution:<br>
                &gt;<br>
                &gt; 1.<br>
                &gt; Vulnerability details -<br>
                &gt; Script ID&nbsp;&nbsp;&nbsp; 201167<br>
                &gt; Name&nbsp;&nbsp;&nbsp; Directory Browsing<br>
                &gt; Port&nbsp;&nbsp;&nbsp; 443/TCP - http<br>
                &gt; Risk factor&nbsp;&nbsp;&nbsp; Medium risk<br>
                &gt; CVSS Score&nbsp;&nbsp;&nbsp; 5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)<br>
                &gt; (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<br>
                &gt; Family&nbsp;&nbsp;&nbsp; http<br>
                &gt; Product&nbsp;&nbsp;&nbsp; HTTP<br>
                &gt; Description&nbsp;&nbsp;&nbsp; This service lists the contents of
                various directories.<br>
                &gt; Information&nbsp;&nbsp;&nbsp; Browsable directories:<br>
                &gt; Location<br>
                &gt; /js/<br>
                &gt; /images/<br>
                &gt; /icons/<br>
                &gt; /css/<br>
                &gt; Solution&nbsp;&nbsp;&nbsp; Disable directory browsing<br>
                &gt; History&nbsp;&nbsp;&nbsp; First seen : 2011-12-09 08:02 - New
                finding<br>
                This one you can fix in your Apache configuration. Look
                for a line <br>
                saying something like<br>
                &nbsp;&nbsp;&nbsp;&nbsp; Options All Indexes FollowSymLinks MultiViews<br>
                and remove the word "Indexes" from it. (Basically just
                search all the <br>
                Apache configuration files you can find for the word
                "Indexes" and <br>
                remove it!)<br>
                Then restart Apache.<br>
                I have just applied this fix to the VMs I distribute.<br>
                &gt;<br>
                &gt; 2.<br>
                &gt; Script ID&nbsp;&nbsp;&nbsp; 236788<br>
                &gt; Name&nbsp;&nbsp;&nbsp; SSL/TLS Cipher Suite Detect MD5<br>
                &gt; Port&nbsp;&nbsp;&nbsp; 443/TCP - http<br>
                &gt; Risk factor&nbsp;&nbsp;&nbsp; Medium risk<br>
                &gt; CVSS Score&nbsp;&nbsp;&nbsp; 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)<br>
                &gt; (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<br>
                &gt; Family&nbsp;&nbsp;&nbsp; ssl<br>
                &gt; Product&nbsp;&nbsp;&nbsp; SSL<br>
                &gt; Description&nbsp;&nbsp;&nbsp; The MD5 Message-Digest Algorithm is
                not collision<br>
                &gt; resistant, which makes it easier for context-<br>
                &gt; dependent attackers to conduct spoofing attacks, as
                demonstrated by<br>
                &gt; attacks on the use of MD5 in the<br>
                &gt; signature algorithm of an X.509 certificate.<br>
                &gt; Information&nbsp;&nbsp;&nbsp;&nbsp; SSLv3 Cipher Suite: RSA_WITH_RC4_128_MD5<br>
                &gt; (OpenSSL Cipher Name RC4-MD5, Algorithm Bits 128, Bits Used 128, Cipher Strength medium)<br>
                &gt; TLSv1 Cipher Suite: RSA_WITH_RC4_128_MD5<br>
                &gt; (OpenSSL Cipher Name RC4-MD5, Algorithm Bits 128, Bits Used 128, Cipher Strength medium)<br>
                &gt; Solution&nbsp;&nbsp;&nbsp; Reconfigure the service to disallow the
                listed cipher suites<br>
                &gt; Reference&nbsp;&nbsp;&nbsp; url - <a moz-do-not-send="true"
                  href="http://www.kb.cert.org/vuls/id/836068">http://www.kb.cert.org/vuls/id/836068</a>&nbsp;&nbsp;&nbsp;
                CVE-2004-2761<br>
                &gt; History&nbsp;&nbsp;&nbsp; First seen : 2011-12-09 08:02 - New
                finding<br>
                This is related to your https SSL certificate, and the
                encryption method <br>
                it uses. Most certificate providers are switching away
                from MD5 to SHA-1 <br>
                so hopefully the next time you renew your certificate
                this problem <br>
                should disappear.<br>
                <br>
                Jules<br>
                <br>
                -- <br>
                Julian Field MEng CITP CEng<br>
                <a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a><br>
                <br>
                Follow me at twitter.com/JulesFM<br>
                PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947
                1415 B654<br>
                <br>
                'It's okay to live without all the answers' - Charlie
                Eppes, 2011<br>
                'All programs have a desire to be useful' - Tron, 1982<br>
                'That is the land of lost content,<br>
                &nbsp; I see it shining plain,<br>
                &nbsp; The happy highways where I went,<br>
                &nbsp; And cannot come again.' - A.E. Housman<br>
                <br>
                _______________________________________________<br>
                ZendTo mailing list<br>
                <a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
                <a moz-do-not-send="true"
                  href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
</pre>
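    <p>Added example, not code from the ZendTo project or from any poster in this thread: a small POSIX shell audit that checks an Apache config for the three settings discussed above (ServerSignature and ServerTokens, "Indexes" in Options, and the RC4-MD5 cipher suites from the second scan finding) and writes a hardened copy. The sample httpd.conf it runs on and the replacement cipher list in harden_conf are assumptions of mine, not values from the thread.</p>

```shell
#!/bin/sh
# Added example (not ZendTo code): audit an Apache httpd.conf for the items in
# this thread (ServerSignature/ServerTokens, Indexes, RC4-MD5 suites) and write
# a hardened copy. Runs on a constructed sample file, never a live server.
# Constructed sample (not a real site's file) with the weak settings discussed.
make_sample_conf() {
  cat > "$1" <<'EOF'
ServerSignature On
ServerTokens OS
<Directory "/var/www/html">
    Options All Indexes FollowSymLinks MultiViews
</Directory>
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM
EOF
}
# One finding per line on stdout; returns 1 if anything was found, else 0.
audit_conf() {
  conf="$1"; rc=0
  if grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+On([[:space:]]|$)' "$conf"; then
    echo "ServerSignature On: version footer shown on error pages"; rc=1
  fi
  # An absent ServerTokens means Full, so anything other than Prod is a finding.
  if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod([[:space:]]|$)' "$conf"; then
    echo "ServerTokens not Prod: OS and version sent in the Server header"; rc=1
  fi
  # Flags "Indexes" and "+Indexes" but not "-Indexes" (scan finding 1).
  if grep -Eiq '^[[:space:]]*Options[^#]*[[:space:]][+]?Indexes([[:space:]]|$)' "$conf"; then
    echo "Options Indexes: directory listings enabled"; rc=1
  fi
  # RC4 or MD5 not preceded by "!" means the suite is still allowed (finding 2).
  if grep -Eq '^[[:space:]]*SSLCipherSuite[^#]*[^!](RC4|MD5)' "$conf"; then
    echo "SSLCipherSuite still permits RC4/MD5 suites"; rc=1
  fi
  return $rc
}
# Write a hardened copy of $1 to $2. The cipher list is my assumption; the
# scanner output only says to disallow the listed suites.
harden_conf() {
  sed -E \
    -e 's/^([[:space:]]*ServerSignature[[:space:]]+)On[[:space:]]*$/\1Off/' \
    -e 's/^([[:space:]]*ServerTokens[[:space:]]+)[A-Za-z]+[[:space:]]*$/\1Prod/' \
    -e 's/^([[:space:]]*Options[^#]*)[[:space:]][+]?Indexes([[:space:]]|$)/\1\2/' \
    -e 's/^([[:space:]]*SSLCipherSuite[[:space:]]+).*$/\1HIGH:!aNULL:!MD5:!RC4/' \
    "$1" > "$2"
}
dir=$(mktemp -d); make_sample_conf "$dir/httpd.conf"
echo "== findings before =="; audit_conf "$dir/httpd.conf" || true
harden_conf "$dir/httpd.conf" "$dir/httpd.conf.hardened"
echo "== findings after =="; audit_conf "$dir/httpd.conf.hardened" && echo "clean"
rm -rf "$dir"
```

    <p>After applying the same edits to a real config, run the server's configuration check and restart Apache, as the thread says, before re-scanning.</p>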
  </body>
</html>