The Community Forums


PCI compliance and FileETags

Discussion in 'Security' started by thobarn, Jul 26, 2010.

  1. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    I have been told that cPanel® recommends the Apache FileETag directive be set to None for PCI compliance. Can you please tell me the reasoning behind this interpretation of the standard?
     
  2. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    PCI Companies

    Some PCI companies want FileETag set to None. This is more security through obscurity than actually protecting the server in my mind, but it is generally easier to just disable it than argue with the PCI company every time. While not every PCI company looks for this, none of them are going to complain if it is set to None.
     
  3. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    This is not even security through obscurity. What exactly is disclosed by setting
    Code:
    FileETag MTime Size
    The last modification date and the size. Totally absurd, as those are two fields sent by the server anyway as the response headers Last-Modified and Content-Length.

    Even when INode is used to generate the tag, a sweeping fail is a fundamental misunderstanding of an old and no longer relevant issue [1, 2, 3].
    I am with you there. Still, someone should point out their incompetence if they don't even understand what they are certifying. Monkey see, monkey do.

    [1] Apache HTTP Server MIME message boundaries information disclosure
    [2] Apache Web Server ETag Header Information Disclosure Weakness
    [3] Apache ETag Inode Information Leakage
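To make the point above concrete, here is an added example (not code from the thread or from httpd) that builds an ETag for each FileETag setting and reports which component, if any, reveals something the Last-Modified and Content-Length headers do not already carry. It approximates the Apache 2.x tag layout (hex inode, size and microsecond mtime joined by '-'); the helper names and the constructed file stats are this example's own.

```python
import os
import tempfile
import types
from email.utils import formatdate

# FileETag keyword -> response header that already exposes the same value.
# Only the inode number has no equivalent header.
ALREADY_PUBLIC = {"MTime": "Last-Modified", "Size": "Content-Length", "INode": None}


def fake_stat(ino, size, mtime):
    """Constructed stand-in for os.stat_result (seconds since epoch for mtime)."""
    return types.SimpleNamespace(st_ino=ino, st_size=size, st_mtime=mtime)


def make_etag(st, components=("INode", "MTime", "Size")):
    """Approximate Apache 2.x ETag: hex fields in INode, Size, MTime order,
    mtime in microseconds (apr_time_t). Returns None for 'FileETag None'."""
    if not components:
        return None
    fields = []
    if "INode" in components:
        fields.append(format(st.st_ino, "x"))
    if "Size" in components:
        fields.append(format(st.st_size, "x"))
    if "MTime" in components:
        fields.append(format(int(st.st_mtime * 1_000_000), "x"))
    return '"' + "-".join(fields) + '"'


def extra_disclosure(components):
    """Components whose value is not already sent in a standard header."""
    return [c for c in components if ALREADY_PUBLIC.get(c) is None]


def response_headers(st, components):
    """Headers a static-file response carries for a file with stat st."""
    headers = {"Last-Modified": formatdate(st.st_mtime, usegmt=True),
               "Content-Length": str(st.st_size)}
    etag = make_etag(st, components)
    if etag is not None:
        headers["ETag"] = etag
    return headers


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as fh:  # constructed sample file
        fh.write(b"hello world\n")
    st = os.stat(fh.name)
    for conf in (("INode", "MTime", "Size"), ("MTime", "Size"), ()):
        print("FileETag", " ".join(conf) or "None", response_headers(st, conf))
        print("  disclosed beyond other headers:", extra_disclosure(conf))
    os.unlink(fh.name)
```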
     