Re: products in Server header field

On 3/1/07, David Morris <dwm@xpasc.com> wrote:
> It is worth noting that it is sometimes not advisable to provide details
> in the Server: field. Crackers are known to use this information to
> identify vulnerabilities unique to the http server or host OS based
> on version information.

What we tend to see is that they just try all exploits regardless of
what is reported by the server.  Now, someone who specifically wants
to target your box may use that info to get more information - but
there are generally easier ways to fingerprint OSes (via TCP/IP
sequence numbers, etc.) that you can't really control for either.
Just another lesson that security by obscurity is bad.  -- justin

Received on Tuesday, 6 March 2007 21:33:24 UTC