Apache Lounge

Topic: PCI Compliance woes with Etags
fmaznicki (Joined: 12 Apr 2011, Posts: 6)
Posted: Tue 30 Oct '12 17:23
Subject: PCI Compliance woes with Etags

- Apache version: 2.2.23
- operating system: windows server2k3r2

My issue is that I'm trying to get PCI compliant but I keep failing due to "Apache Web Server ETag Header Information Disclosure Weakness".

According to Qualys, they say:

In order to fix this vulnerability globally, for the Web server, use the option "FileETag None". Use the option "FileETag MTime Size" if you just want to remove the Inode information.

I've added "FileETag None" to my httpd.conf but it still keeps failing due to this vulnerability. I'm at a loss here; has anyone else on the forums had experience with ETags? Any input would be greatly appreciated.
James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7355, Location: Germany, next to Hamburg)
Posted: Tue 30 Oct '12 18:11

Since the ETag setting can be set in the server config, a virtual host, a directory and .htaccess, you should search the whole config, with all includes and .htaccess files.
Don't forget to restart Apache (it happens sometimes).
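The search described in the post above, as an added example in POSIX shell (not code from the thread): it lists every line that sets or strips an ETag in the config directory (so Include'd fragments are covered too) and in every .htaccess under the document root, because a FileETag in a `<Directory>` block or an .htaccess overrides a server-level FileETag None. The directory paths are arguments; nothing about the real layout is assumed, and the config tree it builds when run without arguments is constructed for the example. Two things it cannot check: `Header unset ETag` only does anything if mod_headers is loaded, and FileETag only governs the ETag Apache's core generates for files on disk, not one passed through from a proxied backend or set by an application.

```shell
#!/bin/sh
# Added example: find every directive that sets or strips an ETag across an
# Apache config directory and the .htaccess files under a document root.
# Paths are arguments; the sample tree below is constructed for the example.

# Apache directive names are case-insensitive, hence grep -i. The anchor
# skips commented-out lines ("# FileETag None" does nothing).
ETAG_RE='^[[:space:]]*(FileETag|Header[[:space:]]+.*ETag)'

# scan_etag_settings CONFDIR DOCROOT: print file:line:directive for each hit
# in any file under CONFDIR (covers Include'd fragments) and in every
# .htaccess under DOCROOT. /dev/null makes grep print the file name even
# when it is given a single file.
scan_etag_settings() {
    find "$1" -type f -exec grep -n -i -E "$ETAG_RE" /dev/null {} + 2>/dev/null || :
    find "$2" -type f -name .htaccess -exec grep -n -i -E "$ETAG_RE" /dev/null {} + 2>/dev/null || :
}

# count_overrides CONFDIR DOCROOT: hits outside the top-level httpd.conf,
# i.e. the places where a server-level "FileETag None" gets overridden.
count_overrides() {
    scan_etag_settings "$1" "$2" | grep -v -c '/httpd\.conf:' || :
}

# make_sample_tree: build a throwaway config tree that mirrors the situation
# in the thread: FileETag None in httpd.conf, but an Include'd <Directory>
# block and an .htaccess that turn ETags back on. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/conf/extra" "$t/htdocs/images"
    printf '%s\n' \
        'ServerRoot "/Apache2.2"' \
        '# FileETag None   (commented out, so it does nothing)' \
        'FileETag None' \
        'Header unset ETag' \
        'Include conf/extra/httpd-static.conf' > "$t/conf/httpd.conf"
    printf '%s\n' \
        '<Directory "/Apache2.2/htdocs/images">' \
        '    FileETag INode MTime Size' \
        '</Directory>' > "$t/conf/extra/httpd-static.conf"
    printf '%s\n' 'FileETag MTime Size' > "$t/htdocs/images/.htaccess"
    printf '%s\n' "$t"
}

if [ "$#" -eq 2 ]; then
    scan_etag_settings "$1" "$2"
    echo "overrides outside httpd.conf: $(count_overrides "$1" "$2")"
elif [ "$#" -eq 0 ]; then
    # No paths given: scan the constructed sample tree and clean it up.
    tree=$(make_sample_tree)
    scan_etag_settings "$tree/conf" "$tree/htdocs"
    echo "overrides outside httpd.conf: $(count_overrides "$tree/conf" "$tree/htdocs")"
    rm -rf "$tree"
fi
```

Run it from a POSIX shell as `sh scan_etag.sh C:/Apache2.2/conf C:/Apache2.2/htdocs` (paths hypothetical); every hit outside httpd.conf is a candidate for why a global FileETag None is not taking effect.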
fmaznicki (Joined: 12 Apr 2011, Posts: 6)
Posted: Tue 30 Oct '12 20:06

I've looked everywhere and can't seem to find anything that would override this setting. Of course I did restart Apache. I'm using the Firefly plugin to view the headers and it's still showing an ETag.

This is so simple it's stupid; I'm banging my head on the wall.

Thanks James Blond for your input, let me know if you think of anything else.
Steffen, Moderator (Joined: 15 Oct 2005, Posts: 3091, Location: Hilversum, NL, EU)
Posted: Tue 30 Oct '12 21:05

What shows up when you hit your site with http://web-sniffer.net/ ?
fmaznicki (Joined: 12 Apr 2011, Posts: 6)
Posted: Tue 30 Oct '12 21:17

Here is my output: http://i.imgur.com/Ztent.png

I've tried applying the config to another one of my Apache servers running 2.2.22 and ETags were successfully disabled, as you can see from the image below on the right (www10). I'm starting to think it's a bug with Apache 2.2.23, which is on the left (www9).

I'm adding this config to httpd.conf:

Header unset ETag
FileETag None


http://i.imgur.com/0al4s.jpg
Steffen, Moderator (Joined: 15 Oct 2005, Posts: 3091, Location: Hilversum, NL, EU)
Posted: Tue 30 Oct '12 22:02

In your PNG from the sniffer I see no ETag, so it looks OK.
fmaznicki (Joined: 12 Apr 2011, Posts: 6)
Posted: Tue 30 Oct '12 22:05

If you were to view the headers for an image you would see the ETag.
Steffen, Moderator (Joined: 15 Oct 2005, Posts: 3091, Location: Hilversum, NL, EU)
Posted: Tue 30 Oct '12 22:13

For me it looks fine, as the sniffer shows no ETag when hitting your site. Could it be that the image is already cached somewhere?

Try to show your headers on localhost (127.0.0.1) and clear the browser's cache first, or use curl.
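The check suggested in the post above, as an added example in POSIX shell (not code from the thread): it pulls the response headers with curl while sending Cache-Control: no-cache, so a cached copy is not what gets inspected, and reports whether an ETag came back and how many hyphen-separated fields it has. The field-count reading assumes Apache 2.2's core ETag layout: FileETag INode MTime Size gives three hex fields, MTime Size gives two. The header dump it parses when run without URLs is a constructed sample, not captured from the server in the thread.

```shell
#!/bin/sh
# Added example: check URLs for an ETag header without a cache in the way.
# Assumes curl is installed; the field-count interpretation assumes Apache's
# core ETag layout (INode MTime Size -> 3 hex fields, MTime Size -> 2).

# fetch_headers URL: GET the URL, discard the body and print the response
# headers. The no-cache request headers ask intermediaries to revalidate.
fetch_headers() {
    curl -sS -D - -o /dev/null \
        -H 'Cache-Control: no-cache' -H 'Pragma: no-cache' "$1"
}

# etag_value: read headers on stdin, print the first ETag value (quotes and
# any W/ prefix kept), or nothing if the header is absent.
etag_value() {
    tr -d '\r' | grep -i '^etag:' | head -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# etag_fields ETAG: number of hyphen-separated fields in the opaque value.
etag_fields() {
    if [ -z "$1" ]; then
        echo 0
        return
    fi
    printf '%s\n' "$1" | sed 's/^W\///; s/"//g' | awk -F '-' '{ print NF }'
}

# describe_etag ETAG: one-line verdict for a report.
describe_etag() {
    if [ -z "$1" ]; then
        echo 'no ETag'
        return
    fi
    n=$(etag_fields "$1")
    case "$n" in
        3) echo "ETag $1 (3 fields: default INode MTime Size, inode exposed)" ;;
        2) echo "ETag $1 (2 fields: MTime Size, no inode)" ;;
        *) echo "ETag $1 ($n field(s))" ;;
    esac
}

# sample_headers: constructed copy of what curl -D - prints for a static file
# served with the default FileETag setting; used when no URLs are given.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache\r\n'
    printf 'Last-Modified: Tue, 30 Oct 2012 16:00:00 GMT\r\n'
    printf 'ETag: "1d7-4b3e6f2a1c0-3f2"\r\n'
    printf 'Content-Type: image/png\r\n\r\n'
}

if [ "$#" -gt 0 ]; then
    for url in "$@"; do
        printf '%s: %s\n' "$url" "$(describe_etag "$(fetch_headers "$url" | etag_value)")"
    done
else
    # No URLs given: exercise the parser on the constructed sample above.
    printf 'sample: %s\n' "$(describe_etag "$(sample_headers | etag_value)")"
fi
```

Run it against both the page and an image, e.g. `sh check_etag.sh http://127.0.0.1/ http://127.0.0.1/images/logo.png` (hypothetical paths): the original poster saw the ETag only on image responses, and a cached copy would still show the headers from before the config change.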
fmaznicki (Joined: 12 Apr 2011, Posts: 6)
Posted: Fri 02 Nov '12 17:41

I'M PCI COMPLIANT NOW! I ended up having to downgrade Apache from 2.2.23 to 2.2.22 and the FileETag None configuration works; it's almost as if 2.2.23 ignores that command. Maybe it's a bug... maybe not... but I'm good for now. Thank you all for your input.
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Fri 02 Nov '12 22:16

I think it was a cached response, as Steffen does, since websniffer did not see it, nor is 2.2.23 broken. See an ETag here?

http://www.apachehaus.net:85/