April 16, 2009

Patch for Yaws 1.81 -- Hide your webserver identity

This is a patch for making attackers think you are running Windows and IIS/7.0, when in fact you are running *nix and Yaws. It also includes some mime types for XML/XSLT and .crt files.


diff -ur ./src/mime.types ../yaws-1.81/src/mime.types
--- ./src/mime.types 2009-04-16 12:02:43.000000000 -0700
+++ ../yaws-1.81/src/mime.types 2009-04-16 12:23:35.000000000 -0700
@@ -203,7 +203,7 @@
application/vnd.motorola.flexsuite.kmr
application/vnd.motorola.flexsuite.ttc
application/vnd.motorola.flexsuite.wem
-application/vnd.mozilla.xul+xml
+application/vnd.mozilla.xul+xml xul
application/vnd.ms-artgalry
application/vnd.ms-asf
application/vnd.ms-excel xls
@@ -331,9 +331,10 @@
application/x-ustar ustar
application/x-wais-source src
application/x400-bp
-application/xml
+application/xml xml xsl
application/xml-dtd
application/xml-external-parsed-entity
+application/xslt+xml xslt
application/zip zip
audio/32kadpcm
audio/basic au snd
@@ -465,7 +466,7 @@
text/vnd.wap.wml wml
text/vnd.wap.wmlscript wmls
text/x-setext etx
-text/xml xml xsl
+text/xml
text/xml-external-parsed-entity
video/mp4v-es
video/mpeg mpeg mpg mpe
@@ -490,3 +491,4 @@
application/xhtml+xml xhtml
image/svg+xml svg
application/ogg ogg
+application/x-x509-ca-cert crt pem
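Review bot: The added mapping `application/x-x509-ca-cert crt pem` labels every `.pem` file as a CA certificate, but PEM is a container format that also carries private keys and full chains, so the type is only right for a lone certificate. If the intent is downloadable CA certificates, map just the unambiguous extension here, `application/x-x509-ca-cert crt`, and decide separately how `.pem` should be typed. A mime mapping only sets the Content-Type of a response; it does not gate which files under the docroot are served, so key material must be kept out of the docroot regardless of this line.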
diff -ur ./src/yaws.erl ../yaws-1.81/src/yaws.erl
--- ./src/yaws.erl 2009-04-16 12:02:43.000000000 -0700
+++ ../yaws-1.81/src/yaws.erl 2009-04-16 12:47:42.000000000 -0700
@@ -577,13 +577,7 @@
end).


-address() ->
- ?F("
~s Server at ~s
",
- [
- (get(gc))#gconf.yaws,
- (get(sc))#sconf.servername]).
-
-
+address() -> "".

is_space($\s) ->
true;
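Review bot: The replacement `address() -> "".` bakes the banner suppression into source, so it must be re-applied on every Yaws upgrade and cannot be toggled per virtual host; the literal `Microsoft-IIS/7.0` strings in the printversion/0 and make_server_header/0 hunks below have the same shape. A reviewer would rather have the displayed name come from configuration, for example returning `(get(sc))#sconf.servername` or a new gconf field, so the real value stays available to operators while the public text is chosen in yaws.conf. Hiding the banner alone is cosmetic rather than a control: error-page markup, header order and capitalisation can still differ between IIS and Yaws, so do not rely on it as a defence. The `end).` at the top of the hunk and the `is_space/1` clause at the bottom belong to definitions that continue outside it.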
@@ -699,7 +693,7 @@


printversion() ->
- io:format("Yaws ~s~n", [yaws_generated:version()]),
+ io:format("Microsoft-IIS/7.0~n"),
init:stop().

%% our default arg rewriteer does's of cource nothing
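Review bot: `io:format("Microsoft-IIS/7.0~n")` in printversion/0 changes output that, given the `init:stop()` right after it, appears to be the local command-line version query and is never sent to an HTTP client; the change therefore gains nothing against fingerprinting while hiding the real Yaws version from the operator and from any script that parses it. I would leave this function as it was, `io:format("Yaws ~s~n", [yaws_generated:version()]),`, and confine the disguise to the HTTP-facing output. The trailing comment line opens a definition that lies outside the hunk.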
@@ -1284,13 +1278,7 @@
"\r\n"]
end.
make_server_header() ->
- HasDav = ?sc_has_dav(get(sc)),
- ["Server: Yaws/", yaws_generated:version(), " Yet Another Web Server\r\n" |
- if HasDav == true ->
- ["DAV: 1\r\n"];
- true ->
- []
- end].
+ ["Server: Microsoft-IIS/", "7.0", "\r\n"].

make_last_modified_header(FI) ->
N = element(2, now()),
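Review bot: The new make_server_header/0 body drops the `DAV: 1` header that the removed code emitted when `?sc_has_dav(get(sc))` was true, so WebDAV clients on a DAV-enabled server lose capability discovery — a functional regression unrelated to hiding the banner. Keep the conditional and change only the Server line: `HasDav = ?sc_has_dav(get(sc)),` followed by `["Server: Microsoft-IIS/7.0\r\n" | ["DAV: 1\r\n" || HasDav =:= true]].`; the three-element list `["Server: Microsoft-IIS/", "7.0", "\r\n"]` is a single literal split for no reason. Whatever string is chosen, it should come from configuration rather than a source literal so it can be changed without rebuilding. make_last_modified_header/1 at the bottom of the hunk continues outside it.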
