Report

Kaushik kaushik at keemail.me
Tue May 8 09:12:24 EDT 2018


Hi,     This is Kaushik Sardar, from Kolkata, West Bengal, India.      I have found a Security Vulnerability in your website. Vulnerability description is given                below:-Vulnerability Description:• I have found a little information disclosure on your system.• With regards to the version of server you are using, the exact Apache version was disclosed.• I know this is a low severity issue but I thought to get you in notice will be best. The site https://developer.pidgin.im <https://signup.com/> discloses the Apache server version.• Server: Apache/2.2.22 (Debian)
Reference: • https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) <https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004)>• https://www.owasp.org/index.php/Information_Leak_(information_disclosure) <https://www.owasp.org/index.php/Information_Leak_(information_disclosure)>
• https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002) <https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)>

Impact: • The information is can be used by attacker for further finding of exploits and information gathering.
Fix: • Limiting information provided by Apache You can limit the information that Apache presents by creating / editing the following directives in httpd.conf
• ServerTokens Prod This will configure Apache to not send any version numbers in the HTTP header, so that the server line will be: Server: Apache • ServerSignature OffThis will ensure that Apache does not display the server version in the footer of server generated pages. The above solution would still not allow you to hide the fact that you are using Apache, since the Server HTTP header will still say Apache.

• Please see this image to understand it clearly.• I am sending a image as proof of concept (PoC). • Please find attachment (PFA).
Waiting for your positive response.----Regards,Kaushik Sardar
Contact: +917059765687----
Securely Mail. Claim your decrypted mailbox today!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20180508/2e406f7d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin_poc.JPG
Type: image/jpeg
Size: 112431 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20180508/2e406f7d/attachment-0001.jpe>


More information about the security mailing list