OpenVAS not detecting Apache2.x Server ETag Header

OpenVAS cannot detect the Apache 2.x Server ETag Header.
Is it because inode is 64 bit?
I want to be able to detect it.

OID: 1.3.6.1.4.1.25623.1.0.103122
Apache Server ETag Header Information Disclosure

The mentioned VT is only reporting if the web server is returning an ETag in the form of:

ETag: inode-size-mtime

in its header which discloses the inode of a requested file. You could verify this against your server with a call similar to:

curl --silent -I https://example.com 2>&1 | grep -i etag

to see if it actually returns such an inode or not.

As the related vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2003-1418

is quite old and has already been fixed for a long time (either directly in the OpenBSD source code or in default Apache configurations: https://httpd.apache.org/docs/current/mod/core.html#fileetag) you probably won’t see any reports of this VT these days.

Thank you for your reply.

I have confirmed that there is an ETag in the response header of the target server.
The format is also as follows, but it is not detected.

ETag: inode-size-mtime

I checked nasl.
OpenVAS seems to confirm the ETag by converting it from hexadecimal to decimal.
ETag inodes may be 64 bits.

ETag: xxxxxxxxxxxxx-size-mtime

In this case, I think the inode is the last five digits converted to a decimal number.
It is not detected because there is no such processing.

Unfortunately this is not the case. The VT is doing a simple regex on the returned HTTP headers like:

etag = eregmatch(pattern:'ETag: "([^"]+)"', string:banner);
if(isnull(etag[1]))exit(0);

which is used to confirm in addition to the following:

etag = split(etag[1], sep:"-",keep:FALSE);
if((max_index(etag)<3))exit(0);

if the affected system is vulnerable.

Keep in mind that this VT is only checking for a possible vulnerability on Apache servers and will exit / won’t report a vulnerability against all other Web-Servers like e.g. Nginx or if the Server: Apache header is hidden.

Thank you for your reply.

It means that it has nothing to do with detection.

inode = (hex2dec (xvalue: inode));
size = (hex2dec (xvalue: size)); 

I understand that it is only for Apache.
I have also confirmed the response header.
Why is it not detected?

Server: Apache

I have confirmed that it is detected on other Apache servers.
I don’t think it’s a configuration issue.
All other Apache servers were displaying Apache version information.
If Apache version information is not displayed, will it not be detected?

Server: Apache / 1.3.37 (Unix)
Server: Apache / 2.2.31

Hi,

Exactly. Both variables are only used for the reporting after the initial detection:

report = string("Information that was gathered:\nInode: ", inode,"\nSize: ", size,"\n");

Nice, this was the missing hint here. It seems it's not related to the currently discussed VT but to a previous dependency (gb_get_http_banner.nasl) which had used the following:

set_mandatory_key( key:"apache", regex:"Server: Apache/", banner:banner );

which means a detection could happen only if the version was exposed (only in this case the “/” was appended).

This will be fixed in one of the next feed updates, thanks again for providing this info to understand where the issue is coming from.

Thanks to your support I was able to detect what I was looking for.

Thanks !

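The two gates discussed in this thread (the `Server: Apache/` mandatory key in the dependency, then the ETag regex and three-field split in the VT), as an added Python sketch that is not the VT's NASL code and not part of any post above. The banners are constructed samples, and `RELAXED_APACHE_KEY` is a hypothetical pattern used only for comparison; the thread does not show the actual fix.

```python
import re

# Patterns quoted in the thread.
OLD_APACHE_KEY = re.compile(r"Server: Apache/")   # gb_get_http_banner.nasl
ETAG = re.compile(r'ETag: "([^"]+)"')             # the ETag VT itself
# Assumption: relaxed key for illustration only, not the project's real fix.
RELAXED_APACHE_KEY = re.compile(r"Server: Apache")

# Constructed sample banners (not captured from any real host).
BANNERS = {
    "versioned": 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.31\r\n'
                 'ETag: "2c4e1-1f4-4a7d3b2c"\r\n',
    "hidden_version": 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
                      'ETag: "8000000012ab3-1f4-4a7d3b2c"\r\n',
    "no_inode": 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
                'ETag: "1f4-4a7d3b2c"\r\n',
    "nginx": 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
             'ETag: "2c4e1-1f4-4a7d3b2c"\r\n',
}

def check_etag(banner, apache_key):
    """Return (inode, size) if the banner would be reported, else None."""
    if not apache_key.search(banner):
        return None                 # mandatory key not set: the VT never runs
    match = ETAG.search(banner)
    if match is None:
        return None                 # no quoted ETag header
    fields = match.group(1).split("-")
    if len(fields) < 3:
        return None                 # size-mtime only: no inode disclosed
    try:
        # Hex fields are converted for the report only, after detection.
        return int(fields[0], 16), int(fields[1], 16)
    except ValueError:
        return None                 # added guard: non-hex fields are skipped

def compare():
    """Map each sample to its (old key, relaxed key) results."""
    return {name: (check_etag(b, OLD_APACHE_KEY),
                   check_etag(b, RELAXED_APACHE_KEY))
            for name, b in BANNERS.items()}

if __name__ == "__main__":
    for name, (old, relaxed) in compare().items():
        print(f"{name:15} old={old} relaxed={relaxed}")
```

The `hidden_version` sample carries a wide inode value and is missed only by the old key, which matches the thread's conclusion that inode width plays no part in detection.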