IBM Support

PK63197: SERVERTOKEN DIRECTIVE DOES NOT SUFFICIENTLY OBSCURE IDENTIFICATION OF THE SERVER

A fix is available


APAR status

  • Closed as program error.

Error description

  • The ServerToken directive does not suppress all sensitive fields
    in the HTTP Header.
    Currently it suppresses only the comment part of the 'Via:'
    header, but leaves available the 'received-by' field which
    contains the hostname from the httpd.conf file.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All customers who use HTTP Server 5.3 for    *
    *                 z/OS with ServerToken off.                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The ServerToken directive does not      *
    *                      sufficiently obscure identification     *
    *                      of the server in the Via header.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    With ServerToken on, the Via header returned to the client on
    a proxied request looks similar to this:
      Via: HTTP/1.1 www.company.com (IBM HTTP Server)
    With ServerToken off, it looks like this:
      Via: HTTP/1.1 www.company.com
    Some administrators may be concerned that this does not
    sufficiently obscure identification of the server.
    

Problem conclusion

  • If the administrator would like to hide the identity of the
    server on the Via header, PK63197 allows coding a second
    option on the ServerToken directive. The server will substitute
    this value for the hostname or 'received-by' portion of the
    Via header which it sends to the client, regardless of the
    value of the first option on the ServerToken directive.
    For example, consider this directive:
      ServerToken off www.whatever.com
    This will change the Via header to this, even though the actual
    hostname is not www.whatever.com:
      Via: HTTP/1.1 www.whatever.com
    This option has no effect on the Server header.
    The HTTP protocol requires that this new value be a name that
    is resolvable through DNS. The HTTP Server configuration
    processing does not validate this.
    
    The following COMPIDs are affected by these changes:
    
    5697D4300 LDGW for z/OS Version 5
    
    PTF08E
    The code changes are stored in CMVC under defect PK63197.
    
    PK63197 enhances the HTTP Server for z/OS to allow a second
    optional argument on the ServerToken directive.
    
    In the Planning, Installing, and Using manual, in Appendix B,
    Configuration directives, in section Basic directives, under
    ServerToken, replace this text:
      - The comment portion of the Via header. Proxies use the Via
        header.
    With this text:
      - The received-by portion and/or the comment portion of
        the Via header. Proxies use the Via header.
    
    Replace this text:
    The format of the directive follows:
      ServerToken On|Off
        On - Send the Web server type and version.
        Off - Do not send the Web server type and version.
    With this text:
      ServerToken On|Off  pseudonym
        On - Send the Web server type and version.
        Off - Do not send the Web server type and version. Do
            not send the comment portion of the Via header.
        pseudonym - The server will substitute this value for the
            received-by portion of the Via header that the server
            returns to the client, regardless of the value of the
            first option on the ServerToken directive. The HTTP
            protocol requires that this value be a name that is
            resolvable through DNS. The HTTP Server configuration
            processing does not validate that it is resolvable, and
            the value takes effect whether or not it resolves.
    
    Replace this text:
      Example
        ServerToken Off
    With this text:
      Examples
        ServerToken Off
        ServerToken Off www.mycompany.com
    
    * Cross Reference between External and Internal Names
    
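The directive semantics described above, modelled in Python as an added example (not IBM's code): `build_via_header` reproduces the Via header strings the APAR gives for On, Off and the pseudonym form, while `is_valid_hostname` (the syntax check the server's configuration processing does not perform) and `audit_via_header` (a review helper for a captured response header) are my own additions and are assumed, not part of the product.

```python
import re
from typing import List, Optional, Tuple

# RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen. This is a syntax check only; it does not query DNS.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_server_token(directive: str) -> Tuple[bool, Optional[str]]:
    """Parse 'ServerToken On|Off [pseudonym]' (the form PK63197 introduces).
    Returns (send_product_token, pseudonym or None)."""
    parts = directive.split()
    if len(parts) not in (2, 3) or parts[0].lower() != "servertoken":
        raise ValueError(f"malformed directive: {directive!r}")
    mode = parts[1].lower()
    if mode not in ("on", "off"):
        raise ValueError(f"ServerToken expects On or Off, got {parts[1]!r}")
    return mode == "on", (parts[2] if len(parts) == 3 else None)

def build_via_header(directive: str, actual_hostname: str,
                     product: str = "IBM HTTP Server") -> str:
    """Model the Via header the proxy adds for the client, per the APAR text:
    Off drops the comment (product) part; a pseudonym replaces the received-by
    hostname regardless of On/Off."""
    send_token, pseudonym = parse_server_token(directive)
    received_by = pseudonym or actual_hostname
    via = f"Via: HTTP/1.1 {received_by}"
    if send_token:
        via += f" ({product})"
    return via

def is_valid_hostname(name: str) -> bool:
    """Config-time syntax check for the pseudonym, which the server itself
    does not perform (added here; resolvability still needs a DNS lookup)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))

def audit_via_header(via_header: str, actual_hostname: str,
                     product: str = "IBM HTTP Server") -> List[str]:
    """Defender-side review of a captured response header: list what it
    still discloses about the proxy."""
    findings = []
    if actual_hostname in via_header.split():
        findings.append("received-by field discloses the configured hostname")
    if f"({product})" in via_header:
        findings.append("comment field discloses the server product")
    return findings
```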

Temporary fix

Comments

APAR Information

  • APAR number

    PK63197

  • Reported component name

    DGW/WAS OS/390

  • Reported component ID

    5697D4300

  • Reported release

    530

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-03-24

  • Closed date

    2008-03-31

  • Last modified date

    2008-05-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • IMWSCACP IMWSCONF IMWSDMDR
    

Fix information

  • Fixed component name

    DGW/WAS OS/390

  • Fixed component ID

    5697D4300

Applicable component levels

  • R530 PSY UK35083

       UP08/04/03 P F804


Document Information

Modified date:
02 May 2008