Why must we keep all components up-to-date, and their versions confidential, to have good security?

All components must be up-to-date for your safety: if you are using an older version of any component, the probability of being hacked is much higher. New versions of a component are not released only for bug fixes or new features; the security vulnerabilities that have been found are also fixed with each new update.

Everything about the web page we request comes to us as a response from the server: text, pictures, media files, etc. The browser takes all the content from the response message, parses it with its own engine and shows it to the user as a web page. The server also gives us some hints about its components in the HTTP headers. Let's look at how we can prevent version disclosure vulnerabilities.

Server / Platform Version Disclosure

HTTP/1.1 200 OK
Server: Apache/2.2.24 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Length: 144
Content-Type: text/html
Date: Fri, 22 Jun 2018 22:50:33 GMT

We can get detailed information about the server from this response, which returns it in the 'Server' header. From the server's response we understand that the Apache version is 2.2.24. If we do vulnerability research on version 2.2.24, we find that this version is affected by the CVE-2013-1862 (Code Execution) vulnerability. Briefly, with this vulnerability you can execute arbitrary commands through Apache's mod_rewrite module with an HTTP request. We also see the PHP version in the response message. If we research this version, it has a buffer overflow vulnerability, CVE-2017-11147.

If the disclosed version contains a serious vulnerability, the damage of an attack will be greater. Now let's look at how we can prevent version disclosure. If the ServerTokens value is Full on Apache servers, we can see details about the components in the Server header. If we want to prevent this, we must write ProductOnly instead of the Full value. Full is the default value. If you want to change it, add the following to the httpd.conf file.

ServerTokens ProductOnly
ServerSignature Off

"X-Powered-By" is a non-standard HTTP response header, like most headers prefixed with 'X'. I don't recommend removing this header, because it specifically allows us to mislead attackers. For example, you can define the latest version of PHP in this header:

header('X-Powered-By: PHP/7.2.7'); // must be called before any output is sent

After these small changes, the response will be as follows.

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.2.7
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Length: 144
Content-Type: text/html
Date: Fri, 22 Jun 2018 22:57:41 GMT
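As an added example (not code from the original post), here is a small Python check that parses the two responses shown above and lists every product/version token found in the fingerprinting headers. Note that it still flags the decoy PHP version in the hardened response, because an auditor cannot distinguish a decoy from a real disclosure; only the Server header line actually goes quiet.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the header blocks of the two responses discussed above.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.2.24 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Type: text/html
"""

AFTER = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.2.7
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Type: text/html
"""

# Headers that commonly carry component names and versions.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A product/version token such as Apache/2.2.24 or PHP/5.2.6.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head (status line + headers) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for every version token in a fingerprinting header."""
    findings: List[Tuple[str, str, str]] = []
    headers = parse_headers(raw)
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSION_RE.findall(value):
            findings.append((name, product, version))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosed_versions(raw) or "no versions disclosed")
```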

JavaScript Frameworks
All interactive websites use JavaScript. Ready-made templates usually include the Bootstrap and jQuery frameworks. These frameworks can endanger your website, because an attacker can easily learn their versions. The version information of a JS framework is generally stored in its comment lines. It doesn't matter whether you serve the file locally or from a CDN, because the attacker can obtain these URLs from the src attribute of the script tag.

Example: jQuery version 1.11.4 has a Cross-site Scripting (XSS) vulnerability numbered CVE-2016-7103. This vulnerability might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function. I also want to say something about CDN usage. Let's assume we use a JavaScript library over a CDN. It doesn't matter whether it's up to date: what if that CDN server is hacked? What if the attacker changed the contents of the JS file on the CDN server? Using SRI (Subresource Integrity) will be beneficial in such cases. Maybe I'll explain this subject practically and talk about SRI (Subresource Integrity).

Open Source Applications
I'm actually thinking about writing a separate blog post about this part as well, because it's a very wide topic. There are a lot of open source applications (WordPress, Joomla, etc.). I'm setting myself a mission on this subject now 🙂 I'll explain the version disclosure of each application separately. I'm also going to say something about a fingerprinting technique. I recommend keeping your current open source CMS up-to-date. (or now 🙂)