Fix “Apache ETag Header Disclosure” vulnerability


A cache management feature in Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document backed by a file, an ETag response header is returned containing various file attributes for caching purposes. Subsequent requests for the file can then carry that ETag information, which includes specifics such as the file's inode number.

A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file's inode number, which is returned to the client.

This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.

In order to eliminate the Apache Web Server ETag Header Information Disclosure Weakness, you'll need to update the global configuration file with the following:

FileETag None

After this, restart the Apache daemon and check the response headers. The ETag header should no longer be present at all.
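To make the header check repeatable, the added example below (not part of the original post) classifies the ETag in a raw response header block. It assumes Apache's usual layout of hyphen-separated hexadecimal fields, with the inode first when three fields are present; the function names and both sample responses are constructed for illustration.

```python
import re

HEX_FIELD = re.compile(r"^[0-9a-fA-F]+$")

def find_etag(raw_headers):
    """Return the ETag value from a raw response header block, or None."""
    for line in raw_headers.splitlines()[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag":
            return value.strip()
    return None

def classify_etag(raw_headers):
    """Report whether the response still carries a file-attribute ETag."""
    etag = find_etag(raw_headers)
    if etag is None:
        return {"status": "absent"}                 # expected with FileETag None
    value = etag[2:] if etag.startswith("W/") else etag   # weak-validator prefix
    value = value.strip('"')
    if value.endswith("-gzip"):                     # suffix appended by mod_deflate
        value = value[:-len("-gzip")]
    fields = value.split("-")
    if not all(HEX_FIELD.match(f) for f in fields) or len(fields) > 3:
        return {"status": "opaque", "etag": etag}   # not in the assumed layout
    if len(fields) == 3:                            # assumed order: inode, size, mtime
        return {"status": "inode-exposed",
                "inode": int(fields[0], 16), "size": int(fields[1], 16)}
    # One or two fields: attributes remain; which ones depends on FileETag keywords.
    return {"status": "partial-attributes", "fields": len(fields)}

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: Apache",
    'ETag: "1a2b3c-2d-5e3f1a2b3c4d5"', "Content-Length: 45", "", ""])
AFTER_FIX = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: Apache", "Content-Length: 45", "", ""])

if __name__ == "__main__":
    print(classify_etag(BEFORE_FIX))
    print(classify_etag(AFTER_FIX))
```

Run it against headers saved from your own server before and after the change; the status should be "absent" once FileETag None is in effect.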
