
How to fix “Apache Web Server ETag Header Information Disclosure Weakness”?

Apache File ETag header Bug Fix

What is "Apache Web Server ETag Header Information Disclosure Weakness" and how to fix it?

The Apache HTTP Web Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux. Recently a weakness has been discovered in Apache web servers that are configured to use the entity tag (ETag or FileETag) directive. The vulnerability lies in the generation of ETag headers under certain configurations. FileETag headers are used by Apache's cache management feature for proper caching and page version checking. Entity tags (ETags) are a mechanism to check for a newer version of a cached file.



When a file is requested an ETag response header is returned containing various file attributes for caching purposes. Among the file attributes included in the header is the file inode number that is returned to a client.

The vulnerability allows remote attackers to obtain sensitive information, such as the inode number and child process, through the ETag header. This poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. Exploitation of this issue may provide an attacker with information that may be used to launch further attacks against a target network. By default, all versions of Apache are vulnerable.


In Apache, ETags are made out of three components: the INode, MTime, and Size.

FileETag INode-MTime-Size
Ex. ETag: "10690a1-4f2-40d45ae1"


A sample response carrying ETag information looks like:

GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2014 03:07:56 GMT
Server: Apache
Last-Modified: Fri, 10 Oct 2013 00:14:56 GMT
ETag: "23e0cd2x-1449-9edb26df89021"
Accept-Ranges: bytes
Content-Length: 9352
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html


Etag Info 23e0cd2x-1449-9edb26df89021


In Apache versions 1.3.22 and earlier, it's not possible to disable inodes in ETag headers, so Apache version 1.3.22 and earlier are vulnerable at all times. There are workarounds for Apache version 1.3.23 and later: in those versions, it's possible to configure the FileETag directive to generate ETag headers without inode information, which tackles this vulnerability. Customers running versions of Apache <= 1.3.22 will need to upgrade to a later version.


To fix this bug,

  • Go to the $Web_Server/conf directory (usually /etc/httpd/conf)
  • Edit httpd.conf and add the following:
        Header unset ETag
        FileETag None
  • Restart Apache

To verify the change, try the following:
  • Open the browser and access your application
  • Check the HTTP response headers; you should not see ETag at all.

If you want to remove the ETag information completely, use FileETag None.
If you want to hide only the inode information, use FileETag -INode.
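The header check above can also be scripted. The following Python is an added example, not part of the original post; it assumes the inode-size-mtime hex field order seen in the example ETag earlier on this page, and the function names and the sample response are constructed for illustration.

```python
import re

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample response head, reusing the example ETag from this page.
SAMPLE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    'ETag: "10690a1-4f2-40d45ae1"',
    "Content-Type: text/html",
    "",
])

def etag_from_headers(raw_response):
    """Return the ETag value from a raw HTTP response head, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "etag":       # header names are case-insensitive
            return value.strip()
    return None

def classify_etag(etag):
    """Classify an ETag by how many dash-separated hex fields it carries."""
    if etag is None:
        return {"verdict": "absent"}             # expected after FileETag None
    value = etag.strip()
    if value.startswith("W/"):                   # weak validator prefix
        value = value[2:]
    fields = value.strip('"').split("-")
    if not all(_HEX.match(f) for f in fields):
        return {"verdict": "opaque"}             # not the plain hex layout
    nums = [int(f, 16) for f in fields]
    if len(nums) == 3:
        # Assumed order: inode, size, mtime (as in the page's example).
        return {"verdict": "inode-exposed", "inode": nums[0],
                "size": nums[1], "mtime": nums[2]}
    if len(nums) == 2:
        # Consistent with FileETag -INode, but not proof of it.
        return {"verdict": "two-field", "fields": nums}
    return {"verdict": "opaque"}

if __name__ == "__main__":
    print(classify_etag(etag_from_headers(SAMPLE)))
```

Run it against the response head of a static file before and after the configuration change: "inode-exposed" should become "two-field" with FileETag -INode, or "absent" with FileETag None.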

By removing the ETag header, you prevent caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires headers. A good example of this can be found at Speed Up Your Website using Caching and .htaccess GitHub. The example shows the use of two Apache modules, mod_expires and mod_headers. Please refer to the Apache documentation on how to enable these modules.

OpenBSD has addressed this issue and has released a patch that tackles the vulnerability. Check OpenBSD Patch for fixing Apache Web Server ETag Header Information Disclosure Weakness for more details. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.



CVE-2003-1418
Bugzilla: 733043: CVE-2003-1418 httpd information disclosure in FileEtag

The MITRE CVE dictionary describes this issue as:
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
Red Hat does not consider this to be a security issue. The information returned poses no threat to the target machine running httpd. Red Hat uses a process called backporting to fool attackers about the versions of software that are actually installed. This is documented in Red Hat Bugzilla – Bug 733043 CVE-2003-1418 httpd information disclosure in FileEtag. That page references another link on why Red Hat has chosen not to patch this and why they do not consider this vulnerability to be a security risk: https://bugzilla.redhat.com/show_bug.cgi?id=733043


