Server Banners Reveal Service Details


Ratul Bhattacharya

Feb 4, 2020, 10:57:50 AM
to MochiWeb
Hi,

We use RabbitMQ in our application, and its management console runs on Mochiweb server version 1.0.

The issue is that the command below reveals server details (name and version), which may lead to "banner grabbing" kind of server attacks. Is there a way to hide/mask server details?

$ curl -v localhost:15672
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:15672
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 1419
< Content-Type: text/html
< Date: Wed, 15 May 2019 14:02:46 GMT
< last-modified: Fri, 12 Apr 2019 09:22:08 GMT
< Server: MochiWeb/1.0 (Any of you quaids got a smint?)

Bob Ippolito

Feb 4, 2020, 12:04:39 PM
to moch...@googlegroups.com
mochiweb is essentially a library for building web servers. It is not configurable independently from the application that uses it, so to change this header you’d need to change the way that rabbitmq initializes mochiweb.

The only information this really reveals is that mochiweb is used; the version number and text in this default header are never updated in practice.

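An added example, not part of the original thread and not MochiWeb or RabbitMQ code: a small Python check that reads the response side of a `curl -v` transcript and reports the product names, versions and comments disclosed in banner headers. The sample transcript is the response quoted in the question; the `BANNER_HEADERS` list and all function names are assumptions of this example.

```python
import re

# Response lines as printed by `curl -v` ("<" prefix), copied from the question above.
SAMPLE = """\
< HTTP/1.1 200 OK
< Content-Length: 1419
< Content-Type: text/html
< Date: Wed, 15 May 2019 14:02:46 GMT
< last-modified: Fri, 12 Apr 2019 09:22:08 GMT
< Server: MochiWeb/1.0 (Any of you quaids got a smint?)
"""

# Headers audited for product banners (assumed list for this example; extend as needed).
BANNER_HEADERS = {"server", "x-powered-by"}

# RFC 7231 banner grammar: product tokens "name[/version]" and parenthesised comments.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PART = re.compile(rf"\((?P<comment>[^()]*)\)|(?P<name>{TOKEN})(?:/(?P<version>{TOKEN}))?")

def response_headers(transcript):
    """Return {lowercased-name: value} from the '<' lines of a curl -v transcript."""
    headers = {}
    for line in transcript.splitlines():
        body = line[1:].strip()
        if line.startswith("<") and ":" in body and not body.startswith("HTTP/"):
            name, value = body.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_banner(value):
    """Split a banner into (products, comments); each product is (name, version or None)."""
    products, comments = [], []
    for m in PART.finditer(value):
        if m.group("comment") is not None:
            comments.append(m.group("comment"))
        else:
            products.append((m.group("name"), m.group("version")))
    return products, comments

def audit(transcript):
    """Return one (header, product, version, comments) finding per disclosed product."""
    findings = []
    for name, value in response_headers(transcript).items():
        if name in BANNER_HEADERS:
            products, comments = parse_banner(value)
            findings += [(name, p, v, comments) for p, v in products]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding with a version of `None` means the header names a product without a version; an empty result means none of the audited headers were present in the response.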