
I recently started using Netsparker to run a security check on my site. It gave me 4 areas where I am "leaking" information from the HTTP header. The file that is leaking is my *.css file. Supposedly I am revealing 1. Apache module, 2. PHP version, 3. FrontPage version, and 4. again an Apache version.

The header on my css is "@charset "utf-8";"

BTW, it is saying the leaked PHP version is 4.4.9, which is NOT correct. Also I am not using FrontPage, and I'm not sure about the Apache.

Is this anything to be concerned about at all? What type of header would I need in a CSS file to prevent any info from going out?

Thank you,

alee
    Never heard of it. I wouldn't pay any attention to it. – 000 Jun 15 '13 at 00:54
  • I imagine that since tools like http://builtwith.com exist, it's not that important. – 000 Jun 15 '13 at 00:55
  • Don't worry about it. Some things which probes list as exposing potentially sensitive server configs (which could theoretically be used to target your server, knowing a little about what it runs) can be obscured by server-side configuration. Really this is not a big deal - before worrying about these things, make sure your _code_ is secure and free from injection vulns, etc. – Michael Berkowski Jun 15 '13 at 00:56
  • I think it's giving you incorrect information. There couldn't be anything in your CSS file to give away that sort of info. If you want to disable the Apache server signature, try: http://www.unixmen.com/how-to-disable-server-signature-using-htaccess-or-by-editing-apache/ –  Jun 15 '13 at 00:57

2 Answers


Sounds like the message is talking about the HTTP headers that your web server is sending. Many of these headers (such as Server and X-Powered-By) can be automatically added by your web server to requests.

You can use http://redbot.org/ to inspect the headers for any public URL, then edit your Apache web server configuration files (or php.ini, in the case of PHP) to suppress the headers in question. For these two headers specifically, see "Necessary to set ServerSignature and ServerTokens apache config options with Rails apps?" and "Hiding PHP's X-Powered-By header".

quietmint

If the PHP version (and FrontPage info) is incorrect, the first thing I would do is inspect the HTTP headers myself to confirm that your CSS file is indeed sending that information. If you use the developer tools for any of the major web browsers you should be able to confirm that those incorrect headers are getting passed.

If they ARE, then you'll want to tweak your Apache/php.ini settings.

Start with the "expose_php" setting in your php.ini file.

Although it's a little strange that a static CSS file would have anything to do with PHP, I'm assuming that your CSS file is being dynamically generated server-side (and that's where the PHP comes in).

Malcolm Diggs
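An added example (not code from either answer) of the header inspection both answers recommend: it parses a constructed sample response of the kind a scanner might report for a .css file, flags the headers that carry product or version strings, and notes which Apache or php.ini setting silences each. `fetch_headers()` is a hypothetical helper for checking a live URL; the sample header values are constructed, not taken from the asker's server.

```python
import re
import urllib.request

# Response headers that commonly carry product names and version strings,
# with the server-side setting that suppresses each one.
DISCLOSING_HEADERS = {
    "server": "Apache: ServerTokens Prod / ServerSignature Off",
    "x-powered-by": "php.ini: expose_php = Off",
    "x-aspnet-version": "ASP.NET runtime version",
    "microsoftofficewebserver": "FrontPage Server Extensions",
    "x-generator": "site generator / CMS",
}

# Matches 'name/1.2.3' tokens, e.g. 'Apache/2.2.22' or 'PHP/4.4.9'.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+)")


def parse_raw_response(raw: str) -> dict:
    """Split a raw HTTP response (status line + headers) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                 # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(headers: dict) -> list:
    """Return (header, product, version) for each disclosing header present."""
    leaks = []
    for name, value in headers.items():
        if name not in DISCLOSING_HEADERS:
            continue
        tokens = VERSION_TOKEN.findall(value)
        # A bare product name (no version) still identifies the software.
        leaks.extend((name, p, v) for p, v in tokens) if tokens else leaks.append((name, value, ""))
    return leaks


def fetch_headers(url: str) -> dict:
    """Hypothetical helper: HEAD-request a live URL and return its headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


# Constructed sample: a fully verbose Apache + mod_php + FrontPage stack.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 PHP/4.4.9
X-Powered-By: PHP/4.4.9
MicrosoftOfficeWebServer: 5.0_Pub
Content-Type: text/css
"""

if __name__ == "__main__":
    for header, product, version in find_leaks(parse_raw_response(SAMPLE_RESPONSE)):
        print(f"{header}: {product} {version}".rstrip(), "->", DISCLOSING_HEADERS[header])
```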