Is it necessarily considered poor web server configuration to be able to telnet into a webserver and pull off the server info? For example, if you telnet to this site (and many others I've tested too):
www.missouriwestern.edu (port 80)
--then do a "get /"
you will get the server info and the html from the website. So is that good, bad, neither, unavoidable?
Greg Lawson Rolling Hills Consolidated Library 1912 N. Belt Highway St. Joseph, MO 64506
On Thu, Jun 12, 2008 at 5:05 PM, Greg Lawson [email protected] wrote:
Is it necessarily considered poor web server configuration to be able to telnet into a webserver and pull off the server info? For example, if you telnet to this site (and many others I've tested too):
www.missouriwestern.edu (port 80)
--then do a "get /"
you will get the server info and the html from the website. So is that good, bad, neither, unavoidable?
Neither. Webserver (is a server), you are connecting with telnet (client). So if you know the right sequence you can "get" the HTML page just like your browser. It's a typical client/server setup. You can do mail this way too (but it isn't recommended).
$ telnet www.missouriwestern.edu 80
Trying 150.200.1.30...
Connected to www.missouriwestern.edu.
Escape character is '^]'.
GET / HTTP/1.1 <-----------------I typed this, then two <CR> in a row

HTTP/1.1 200 OK
Date: Thu, 12 Jun 2008 22:17:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 15388
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDCQADCCQT=JPNLMKEAJHKFIOAHOIIBHLDE; path=/
Connection: Keep-Alive

<html>
<head>
<title>Missouri Western State University (MWSU)</title>
<meta name="keywords" content="Missouri Western State University,colleges,missouri colleges,colleges in missouri,saint joseph,undergraduate degrees,missouri education,MWSU,midwest colleges,liberal arts,technology,missouri universities,undergraduate programs,continuing education,distance education, graduate studies,masters" />
<meta name="description" content="Missouri Western State University (MWSU) is a four-year, state-supported institution providing a blend of traditional liberal arts and career-oriented degree programs. The college offers one-year certificates, two-year associate, four-year baccalaureate and master of applied science degrees." />
<meta name="verify-v1" content="AUqLBGmV+/qdmo2pkW37Ulxtn3lCMC3rYvjQIaQ3lUI=" />
<link href="http://www.missouriwestern.edu/CSS/mwscStyle.css" rel="stylesheet" type="text/css">
<link rel="SHORTCUT ICON" href="http://www.missouriwestern.edu/favicon.ico">
<script language="JavaScript" src="http://www.missouriwestern.edu/mainmenu.js"></script>
<script language="JavaScript" src="http://www.missouriwestern.edu/mm_menu.js"></script>
</head>
Is it necessarily considered poor web server configuration to be able to telnet into a webserver and pull off the server info?
It is considered a security vulnerability. By revealing OS/webserver version, you advertise potential attack vectors.
Thanks,
Ron Geoffrion 913.488.7664
Yeah, but it's a really minor one. There are tools out there that will give you detailed information on systems by analyzing packets and support for certain things. I remember Queso!
Security by obscurity helps, but not much. Patching, firewalling, and restricting services/access are orders of magnitude more important. :)
Jeffrey.
On Thu, Jun 12, 2008 at 6:07 PM, Geoffrion, Ron P [IT] [email protected] wrote:
Is it necessarily considered poor web server configuration to be able to telnet into a webserver and pull off the server info?
It is considered a security vulnerability. By revealing OS/webserver version, you advertise potential attack vectors.
You are correct. It's an information leak, but I wouldn't necessarily characterize it as a vulnerability. Some sites do alter the Server header information in the response just to throw people off. It's security through obscurity, but there's no harm in that so long as that's not your only security control.
Here's one I like:
telnet isc.sans.org 80
GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Fri, 13 Jun 2008 13:12:13 GMT
Server: nc -l -p 80
Note the server response. It's netcat. Good stuff.
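An added example, not part of the original thread: a small offline check that parses a raw HTTP response head and reports which headers identify the server stack, run over the two responses quoted above. The function names and the "version"/"product" labels are assumptions made for this illustration.

```python
# Added example (not from the thread): audit a raw HTTP response head for
# headers that disclose server software or version information.
import re

# Identifying headers seen in the thread, plus X-AspNet-Version (assumed extra).
DISCLOSING = {"server", "x-powered-by", "microsoftofficewebserver",
              "x-aspnet-version"}
VERSION_RE = re.compile(r"\d+(?:[._]\d+)+")  # dotted versions such as 6.0

def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head.strip())
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # obsolete folded header line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def audit(raw):
    """Return (header, value, kind) for each header that names the stack."""
    findings = []
    for name, value in parse_headers(raw)[1]:
        if name.lower() in DISCLOSING:
            kind = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, kind))
    return findings

# Response heads as quoted in the thread (bodies omitted).
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 12 Jun 2008 22:17:43 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
SAMPLE_SANS = "HTTP/1.1 200 OK\r\nServer: nc -l -p 80\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("IIS", SAMPLE_IIS), ("altered", SAMPLE_SANS)):
        for name, value, kind in audit(raw):
            print(f"{label}: {name}: {value} [{kind}]")
```

The altered Server value is still reported as a "product" finding, since the check cannot tell a decoy banner from a real one.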