I am trying to make my server PCI compliant. One of the last issues that I need to fix is to remove the INode from the Apache ETag header. So I defined this line in httpd.conf: "FileETag MTime Size", to return only MTime and Size.
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
FileETag MTime Size
</Directory>
This fix solved the issue for the standard port 80.
Now, I also have a hosting control panel (ISPConfig3) running on port 8000. After running the PCI compliance test, I got this error:
Apache ETag header discloses inode numbers Severity: Potential Problem CVE: CVE-2003-1418 Impact: A remote attacker could determine inode numbers on the server. Resolution Use the http://httpd.apache.org/docs/2.2/mod/core.html#FileETag FileETag directive to remove the INode component from the calculation of the ETag. For example, place the following line in the Apache configuration file to calculate the ETag based only on the file's modification time and size: FileETag MTime Size Vulnerability Details: Service: 8000:TCP
I assume I have to add something in httpd.conf to also apply FileETag to all applications running on port 8000.
Please advise what should be done.
Thank you! Kelvin
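An added example, not part of the original post, for the configuration question above. A FileETag directive inside <Directory "/var/www/html"> only covers files served from that path; the ISPConfig vhost on port 8000 serves from a different DocumentRoot, so it still uses Apache's default (which on 2.2 is "INode MTime Size"). Setting FileETag at server-config level, outside any <Directory> or <VirtualHost>, applies it to every vhost unless a narrower scope overrides it. The script below prints that global snippet and then checks an ETag value the way a scanner does: Apache joins the enabled components in the fixed order INode, Size, MTime with '-', so a three-field ETag still carries the inode. The config path, the port-8000 URL and the sample response headers are constructed for illustration; only the curl-based function needs a live server.

```shell
#!/bin/sh
# Added example (not from the original post or from ISPConfig/Apache).
# Assumptions: Apache 2.2, curl available for the live check, and
# hypothetical file path / URL placeholders.

# Emit a server-wide FileETag setting. Placed outside every <Directory> and
# <VirtualHost> it covers the port-80 site and the ISPConfig vhost on 8000.
print_global_fileetag() {
    cat <<'EOF'
# /etc/httpd/conf.d/etag.conf (hypothetical path; any file httpd.conf includes)
FileETag MTime Size
EOF
}

# Count the '-'-separated fields of an ETag value. Apache's file ETag is
# "inode-size-mtime" in hex when INode is enabled and "size-mtime" without it,
# so 3 fields = inode still disclosed, 2 = MTime Size only, 0 = no ETag.
# (Only the inode/size/mtime scheme is handled; Digest-style ETags are not.)
etag_field_count() {
    v=$1
    v=${v#W/}               # drop weak-validator prefix, if any
    v=${v#\"}; v=${v%\"}    # drop surrounding quotes
    if [ -z "$v" ]; then
        echo 0
        return
    fi
    printf '%s\n' "$v" | awk -F'-' '{ print NF }'
}

# True (exit 0) when the ETag still contains an inode component.
etag_has_inode() {
    [ "$(etag_field_count "$1")" -eq 3 ]
}

# Pull the ETag value out of a block of HTTP response headers on stdin.
extract_etag() {
    tr -d '\r' | awk 'tolower($1) == "etag:" { print $2; exit }'
}

# Classify one header block (string argument); returns 1 if inode is present.
report_headers() {
    label=$1
    etag=$(printf '%s\n' "$2" | extract_etag)
    if etag_has_inode "$etag"; then
        echo "FAIL $label ETag=$etag (inode still present)"
        return 1
    fi
    echo "OK   $label ETag=${etag:-<none>}"
    return 0
}

# Live check against a running server, e.g. after restarting Apache:
#   check_url https://panel.example.test:8000/themes/default/css/style.css
check_url() {
    report_headers "$1" "$(curl -skI "$1")"
}

# Constructed sample responses (not captured from a real server): one from a
# vhost still using the default FileETag, one after "FileETag MTime Size".
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nETag: "1a2b3c-5f0-4b9d8e7f6a5c4"\r\nContent-Length: 1520\r\n\r\n')
SAMPLE_AFTER=$(printf 'HTTP/1.1 200 OK\r\nETag: "5f0-4b9d8e7f6a5c4"\r\nContent-Length: 1520\r\n\r\n')

print_global_fileetag
report_headers "port-8000-before" "$SAMPLE_BEFORE" || true
report_headers "port-8000-after"  "$SAMPLE_AFTER"  || true
```

After adding the directive, restart Apache and run check_url against a static file on port 8000 (not a PHP page: dynamic responses normally carry no file-based ETag, so they prove nothing either way).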
It sounds like your PCI Compliance test is out of date. Have you read CVE-2003-1418?
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
[my italics] This isn't an issue for Apache 2.2, which uses a different ETag algo. And if you are still running Apache 1.3 then you've got bigger problems, since it is no longer supported.
You are trying to solve a non-problem. Get yourself a current PCI Compliance test suite.