For the past few weeks, I've been trying to make my server PCI compliant. I need to remove the INode from an Apache ETag header. So I made this change:
Allow from all
FileETag MTime Size
But now I'm getting this error when doing a PCI compliance test:
Apache ETag header discloses inode numbers Severity: Potential Problem CVE: CVE-2003-1418 Impact: A remote attacker could determine inode numbers on the server. Resolution Use the http://httpd.apache.org/docs/2.2/mod/core.html#FileETag FileETag directive to remove the INode component from the calculation of the ETag. For example, place the following line in the Apache configuration file to calculate the ETag based only on the file's modification time and size: FileETag MTime Size Vulnerability Details: Service: 8000:TCP
Free Guide: Managing storage for virtual environments
Complete a brief survey to get a complimentary 70-page whitepaper featuring the best methods and solutions for your virtual environment, as well as hypervisor-specific management advice from TechTarget experts. Don’t miss out on this exclusive content!