OpenVAS not detecting Apache2.x Server ETag Header


OpenVAS can not detect Apache 2.x Server ETag Header.
Is it because inode is 64 bit?
I want to be able to detect it.

Apache Server ETag Header Information Disclosure


The mentioned VT is only reporting if the web server is returning an ETag in the form of:

ETag: inode-size-mtime

in its header which discloses the inode of a requested file. You could verify this against your server with a call similar to:

curl --silent -I 2>&1 | grep -i etag

to see if it actually returns such an inode or not.

As the related vulnerability:

is quite old and already fixed since longer time (either directly in the OpenBSD source code or in default Apache configurations: you probably won’t see any reports of this VT these days.


Thank you for your reply.

I have confirmed that there is an ETag in the response header of the target server.
The format is also as follows, but it is not detected.

ETag: inode-size-mtime

I checked nasl.
OpenVAS seems to confirm Etag by converting it from hexadecimal to decimal.
ETag inodes may be 64 bits.

ETag: xxxxxxxxxxxxx-size-mtime

In this case, I think that what converted the last five digits to decimal number becomes inode.
It is not detected because there is no such processing.


Unfortunately this is not the case. The VT is doing a simple regex on the returned HTTP headers like:

etag = eregmatch(pattern:'ETag: "([^"]+)"', string:banner);

which is used to confirm in addition to the follwoing:

etag = split(etag[1], sep:"-",keep:FALSE);

if the affected system is vulnerable.

Keep in mind that this VT is only checking for a possible vulnerability on Apache servers and will exit / won’t report a vulnerability against all other Web-Servers like e.g. Nginx or if the Server: Apache header is hidden.


Thank you for your reply.

It means that it has nothing to do with detection.

inode = (hex2dec (xvalue: inode));
size = (hex2dec (xvalue: size)); 

I understand that it is only for Apache.
I have also confirmed the response header.
Why is it not detected?

Server: Apache

I have confirmed that it is detected on other Apache servers.
I don’t think it’s a configuration issue.
All other Apache servers were displaying Apache version information.
If Apache version information is not displayed, will it not be detected?

Server: Apache / 1.3.37 (Unix)
Server: Apache / 2.2.31



Exactly. Both variables are only used for the reporting after the initial detection:

report = string("Information that was gathered:\nInode: ", inode,"\nSize: ", size,"\n");

Nice, this was the missing hint here. It seems its not related to the current discussed VT but to a previously dependency (gb_get_http_banner.nasl) which had used the following:

set_mandatory_key( key:"apache", regex:"Server: Apache/", banner:banner );

which means a detection could happen only if the version was exposed (only in this case the “/” was appended).

This will be fixed in one of the next feed updates, thanks again for providing this info to understand where the issue is coming from.