1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Changing Apache FileETag for PCI Compliance

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by DickenW, Nov 9, 2011.

  1. DickenW

    DickenW New Pleskian

    20
     
    Joined:
    Dec 20, 2009
    Messages:
    21
    Likes Received:
    0
    My Plesk server is currently failing PCI scans:

    "Description: Apache ETag header discloses inode numbers Severity: Potential Problem CVE: CVE-2003-1418 Impact: A remote attacker could determine inode numbers on the server."

    I have added the following line to '/etc/httpd/conf/httpd.conf':

    FileETag MTime Size

    I have added it twice - in the main body of the file, and also inside the primary <Directory> directive, as I was not sure where to place it.

    But, Apache is still failing the PCI scans for disclosing inode numbers.

    And yes, I restarted apache ;)

    Any ideas what else I have to change to get this to work?
    (Plesk 10.3.1 CentOs)
     
  2. paulieG

    paulieG Regular Pleskian

    25
     
    Joined:
    Mar 5, 2009
    Messages:
    164
    Likes Received:
    0
    Location:
    Lancaster
    Add this to a file within /etc/httpd/conf.d/ (assuming you're on Centos) :

    Header unset ETag
    FileETag MTime Size

    Then restart Apache (and make sure you're not declaring something different in your .htaccess files!)
     
  3. DickenW

    DickenW New Pleskian

    20
     
    Joined:
    Dec 20, 2009
    Messages:
    21
    Likes Received:
    0
    Excellent, That has done the trick.

    Thank you Paul
     
Loading...