logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache vulnerabities
Author
sab



Joined: 03 Jun 2020
Posts: 6
Location: india

PostPosted: Wed 03 Jun '20 15:59    Post subject: Apache vulnerabities Reply with quote

Hi All,

We have below vulnerabity

QID lists supported HTTP protocol (HTTP 1.x or HTTP 2) from remote web server.

how to fix this

Thanks
sab
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 03 Jun '20 19:23    Post subject: Reply with quote

Do not understand, 10 words not enough.

What do you mean by QID?

How is serving anything to anyone on http/1.x or 2 a problem?

Show an example from your access log of the problem.

Tell us what you expect, your expectation may or may not be correct.

If you have to, type it in your language and run it through https://translate.google.com/ to get it into English.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Thu 04 Jun '20 13:40    Post subject: Reply with quote

I think he talk about this : https://cdn2.hubspot.net/hubfs/2353984/KnowledgeBase%20Attachments/Area9%20Vulnerability%20Report_Anon.pdf

But, on this doc, there is this :

Quote:
SOLUTION:N/A
COMPLIANCE:Not Applicable
EXPLOITABILITY:There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:There is no malware information for this vulnerability


If it's not this problem, provide more informations, please.
Back to top
sab



Joined: 03 Jun 2020
Posts: 6
Location: india

PostPosted: Thu 04 Jun '20 16:06    Post subject: Apache vulnerabitiy Reply with quote

@Bagu you are right i am talking about below

@glsmith - below is sample

Remote Web Server supports HTTP version 1.x on 80 port.GET / HTTP/1.1


This QID lists supported HTTP protocol (HTTP 1.x or HTTP 2) from remote web server.

Sample Result:

Remote Web Server supports HTTP version 1.x on 80 port.GET / HTTP/1.1
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 04 Jun '20 22:02    Post subject: Reply with quote

If what I'm seeing in the link Bagu posted is the server in question, then I'm only going to cover the Apache part as I don't know a lot about Linux.

Ubuntu 16.04.5
Apache 2.4.18
OpenSSL 1.0.2g

3 SSL/TLS Server supports TLSv1.0

Find in your SSL config SSLProtocol.

Change whatever is there to:
SSLProtocol -all +TLSv1.2

This will break old clients but many browsers (Chrome, Firefox, Edge) are dropping or have already dropped support for TLS 1.0 & 1.1.

3 Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

Find SSLCipherSuite & SSLProxyCipherSuite

Change whatever is there to:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

2 HTTP Security Header Not Detected

Anywhere outside of a VirtualHost add:

Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

Somewhere inside your SSL VirtualHost container add:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Everything else is not a part of Apache.
Back to top


Reply to topic   Topic: Apache vulnerabities View previous topic :: View next topic
Post new topic   Forum Index -> Apache