Topic: Apache vulnerabilities

sab
Joined: 03 Jun 2020 Posts: 6 Location: india
Posted: Wed 03 Jun '20 15:59 Post subject: Apache vulnerabilities
Hi All,
We have the below vulnerability:
QID lists supported HTTP protocol (HTTP 1.x or HTTP 2) from remote web server.
How to fix this?
Thanks
sab
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 03 Jun '20 19:23 Post subject:
Do not understand, 10 words not enough.
What do you mean by QID?
How is serving anything to anyone on http/1.x or 2 a problem?
Show an example from your access log of the problem.
Tell us what you expect, your expectation may or may not be correct.
If you have to, type it in your language and run it through https://translate.google.com/ to get it into English.
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
sab
Joined: 03 Jun 2020 Posts: 6 Location: india
Posted: Thu 04 Jun '20 16:06 Post subject: Apache vulnerability
@Bagu you are right, I am talking about the below.
@glsmith - below is a sample:
This QID lists supported HTTP protocol (HTTP 1.x or HTTP 2) from remote web server.
Sample Result:
Remote Web Server supports HTTP version 1.x on 80 port. GET / HTTP/1.1
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 04 Jun '20 22:02 Post subject:
If what I'm seeing in the link Bagu posted is the server in question, then I'm only going to cover the Apache part as I don't know a lot about Linux.
Ubuntu 16.04.5
Apache 2.4.18
OpenSSL 1.0.2g
3 SSL/TLS Server supports TLSv1.0
Find in your SSL config SSLProtocol.
Change whatever is there to:
SSLProtocol -all +TLSv1.2
This will break old clients but many browsers (Chrome, Firefox, Edge) are dropping or have already dropped support for TLS 1.0 & 1.1.
3 Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
Find SSLCipherSuite & SSLProxyCipherSuite
Change whatever is there to:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
2 HTTP Security Header Not Detected
Anywhere outside of a VirtualHost add:
Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
Somewhere inside your SSL VirtualHost container add:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Everything else is not a part of Apache.
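As an added example (not from the thread, and not an Apache tool), a small Python audit that parses an httpd config and reports where it still diverges from the directives in the reply above: SSLProtocol values that leave SSLv3/TLS 1.0/TLS 1.1 enabled, cipher lists that do not exclude 3DES (Sweet32), and missing Header directives. Both config samples are constructed; the check does not track which VirtualHost a directive sits in, so HSTS placement still needs a manual look.

```python
import re

# Constructed sample: a config of the kind that produces the scanner findings above
WEAK_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Header always set X-Content-Type-Options "nosniff"
"""
# Constructed sample: the same server after applying the directives from the reply
HARDENED_CONF = """\
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
"""
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}                 # TLSv1 is TLS 1.0
ALL_PROTOS = LEGACY | {"tlsv1.2", "tlsv1.3"}           # what "all" expands to in httpd 2.4
WANTED_HEADERS = {"x-frame-options", "x-xss-protection", "x-content-type-options",
                  "content-security-policy", "strict-transport-security"}

def _last(conf, directive):
    """Argument string of the last occurrence of `directive` (later ones win), or None."""
    hits = re.findall(rf"^\s*{directive}\s+(.+?)\s*$", conf, re.M | re.I)
    return hits[-1] if hits else None

def enabled_protocols(arg):
    """Apply SSLProtocol's token rules (+name, -name, bare name, all) left to right."""
    enabled = set()
    for tok in arg.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOS if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(conf):
    """Return a list of findings; an empty list means the reply's advice is fully applied."""
    legacy = enabled_protocols(_last(conf, "SSLProtocol") or "all") & LEGACY
    findings = ["legacy protocols enabled: " + ", ".join(sorted(legacy))] if legacy else []
    # Sweet32: a cipher list that does not exclude 3DES still offers a 64-bit block cipher
    findings += [f"{d} does not exclude 3DES" for d in ("SSLCipherSuite", "SSLProxyCipherSuite")
                 if "!3DES" not in (_last(conf, d) or "")]
    present = {h.lower() for h in re.findall(
        r"^\s*Header\s+(?:always\s+)?(?:set|append|add|merge)\s+\"?([\w-]+)", conf, re.M | re.I)}
    findings += [f"missing response header: {h}" for h in sorted(WANTED_HEADERS - present)]
    return findings
```

Run `audit(open("/etc/apache2/sites-enabled/default-ssl.conf").read())` against a real file to get the list of remaining findings; an empty list means nothing in the reply's checklist is outstanding.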