3

I am trying to make my server PCI compliant. One of the last issues that I need to fix is to remove the INode from the Apache ETag header. So I defined this line in httpd.conf: "FileETag MTime Size", to only return MTime and Size.

<Directory "/var/www/html">
    Options FollowSymLinks

    AllowOverride None

    Order allow,deny
    Allow from all

    FileETag MTime Size
</Directory>

This fix solved the issue for the standard port 80.

Now, I also have a hosting control panel (ISPConfig3) running on port 8000. After running the PCI compliance test I got this error:

Apache ETag header discloses inode numbers
Severity: Potential Problem
CVE: CVE-2003-1418
Impact: A remote attacker could determine inode numbers on the server.
Resolution: Use the FileETag directive (http://httpd.apache.org/docs/2.2/mod/core.html#FileETag) to remove the INode component from the calculation of the ETag. For example, place the following line in the Apache configuration file to calculate the ETag based only on the file's modification time and size: FileETag MTime Size
Vulnerability Details: Service: 8000:TCP

I assume I have to add something to httpd.conf to also apply FileETag to all applications running on port 8000.

Please advise what should be done.

Thank you! Kelvin

Kelvin
  • 8,813
  • 11
  • 38
  • 36

3 Answers

3

It sounds like your PCI Compliance test is out of date. Have you read CVE-2003-1418?

Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).

[My italics] This isn't an issue for Apache 2.2, which uses a different ETag algo. And if you are still running Apache 1.3 then you've got bigger problems, since it is no longer supported.

You are trying to solve a non-problem. Get yourself a current PCI Compliance test suite.

TerryE
  • 10,724
  • 5
  • 26
  • 48
1

Add this to the beginning of your /etc/apache2/http.conf:

#PCI Compliance fix for "Apache ETag header discloses inode numbers"
Header unset ETag
FileETag MTime Size

This worked for my PCI compliance scan and I don't see why it wouldn't work on all ports that apache listens on.

0

Per the Apache 2.4 FileETag directive documentation, the default used for calculating the ETag is MTime Size.

For Apache versions 2.3.14 and earlier the default was set to INode MTime Size.

ETag settings for all ports and checking Apache ETag output

You can check for yourself by using curl and comparing the ETag value returned in the headers versus the inode value returned by ls.

For example:

 curl -I https://example.com/file

where file is a file that is on your filesystem served by your Apache web server.

With ETag set to MTime Size you might see something like this:

ETag: "3-24f10051b181e"

You can change the values returned by ETag by using the FileETag directive. Add to the bottom of your Apache server conf (e.g. /etc/httpd/conf/httpd.conf) file the following:

FileETag INode

Reload or restart Apache and then repeat the curl test.

In my tests, inclusion of FileETag INode in the server config file affected output on ALL ports being served by my Apache web server: 80 and 443.

With ETag set to INode you should receive a single hex number, something like this:

ETag: "200f8fa"

Convert the numbers returned by ETag from hex to decimal and compare to the inode number.

If you run ls -i /path/to/webroot/example.com/file the inode returned should be the decimal equivalent of the hex number returned via ETag (in this example 33618170).

If you added FileETag INode don't forget to remove it and restart/reload Apache.

ETag settings for a specific port

The contexts where you can use FileETag are:

  • server config
  • virtual host
  • directory
  • .htaccess

If FileETag is present in the server config with the component keywords you desire and you are still seeing incorrect ETag output for a specific port that Apache is serving, you should search vhost config files and web root directories for FileETag - as any settings there will override the server config.

If you actually want to have a specific ETag output on a specific port, you should add FileETag to the appropriate VirtualHost block for the port you want to affect. If you are serving more than one site on this port, you'll need to add FileETag to each VirtualHost block that specifies that port.

user12345
  • 2,876
  • 2
  • 24
  • 25
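The curl / ls -i comparison described in the answer above, turned into a script that can be pointed at any port the scanner complains about (port 8000 included). This is an added example, not the answerer's code. It assumes Apache's ETag layout: the enabled components, each as hex, joined by "-" in the order INode, Size, MTime (so "200f8fa-3-24f10051b181e" with all three enabled, "3-24f10051b181e" with MTime Size). The URL and local path passed to check_live are whatever the scanner hits and the file Apache maps it to; the "ETag: ..." strings in the comments are constructed.

```shell
#!/bin/sh
# etag_inode_check.sh: tell whether an Apache ETag value discloses the inode of
# the file it was generated for. Added example, not from the answer above.
# Assumed layout (Apache's own): enabled components as hex, "-" separated, in
# the order INode, Size, MTime, e.g. "200f8fa-3-24f10051b181e".

# Normalise a raw header line or bare value to one hex field per line: drop an
# "ETag:" prefix (any case, as HTTP/2 lower-cases it), the weak marker W/,
# the surrounding quotes and a trailing CR from curl -I output.
etag_fields() {
    printf '%s\n' "$1" \
      | sed -e 's/^[Ee][Tt][Aa][Gg]:[[:space:]]*//' -e 's/^W\///' -e 's/"//g' -e 's/\r$//' \
      | tr '-' '\n'
}

# Inode of a local file. ls -i is used instead of stat because stat's flags
# differ between GNU (-c %i) and BSD (-f %i); ls -i prints "inode name".
file_inode() {
    ls -i "$1" | awk '{ print $1 }'
}

# Return 0 if any hex field of the ETag equals the file's inode (inode
# disclosed), 1 otherwise. Fields that are not hex are skipped, not read as 0.
# Caveat: with "FileETag MTime Size" the first field is the size, which can
# only collide with the inode if the file happens to be exactly that many
# bytes long; a three-field ETag is the unambiguous sign that INode is on.
etag_leaks_inode() {
    file=$1
    inode=$(file_inode "$file")
    for field in $(etag_fields "$2"); do
        case $field in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        if [ "$(printf '%d' "0x$field")" = "$inode" ]; then
            return 0
        fi
    done
    return 1
}

# Live check against a running server: fetch the headers for URL (any port,
# e.g. http://host:8000/file) and compare against the local file serving it.
# Exit status: 0 = inode disclosed, 1 = not disclosed, 2 = no ETag header.
check_live() {
    url=$1
    path=$2
    etag=$(curl -sI "$url" | grep -i '^ETag:')
    if [ -z "$etag" ]; then
        echo "no ETag header returned by $url"
        return 2
    fi
    if etag_leaks_inode "$path" "$etag"; then
        echo "LEAK: $etag contains inode $(file_inode "$path") of $path"
        return 0
    fi
    echo "ok: $etag does not contain the inode of $path"
    return 1
}

# Usage: ./etag_inode_check.sh http://example.com:8000/file /var/www/html/file
if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
fi
```

Run it once per port (80, 443, 8000) with the same file, before and after the FileETag change; a three-field ETag, or any field whose decimal value matches ls -i, means the INode component is still in effect for that port and the relevant VirtualHost or .htaccess needs to be checked.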