发布时间 :2004-09-28 00:00:00
修订时间 :2016-10-17 22:29:33

[原文]ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server.

[CNNVD]ServerMask Improper弱头匿名漏洞(CNNVD-200409-084)

        ServerMask 2.2及其早期版本不能迷惑(1)ETag,(2)HTTP Status Message或者(3)允许HTTP响应。远程攻击者可以利用该漏洞得知该web服务器是IIS服务器。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040810 Corsaire Security Advisory - Port80 Software ServerMask inconsistencies
(VENDOR_ADVISORY)  XF  servermask-header-obtain-info(16947)

- 漏洞信息

ServerMask Improper弱头匿名漏洞
中危 设计错误
2004-09-28 00:00:00 2005-10-20 00:00:00
        ServerMask 2.2及其早期版本不能迷惑(1)ETag,(2)HTTP Status Message或者(3)允许HTTP响应。远程攻击者可以利用该漏洞得知该web服务器是IIS服务器。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: .

- 漏洞信息 (F34005)

Corsaire Security Advisory 2003-02-24.1 (PacketStormID:F34005)
2004-08-10 00:00:00

Corsaire Security Advisory - The ServerMask 2.0 product from Port80 fails to full obfuscate header fields as promoted in their functionality. Detailed exploitation given.

-- Corsaire Security Advisory --

Title: Port80 Software ServerMask inconsistencies
Date: 24.02.03
Application: Port80 Software ServerMask 2.2 and prior
Environment: IIS 4 / IIS 5 / IIS 5.1
Author: Martin O'Neal []
Audience: General distribution
Reference: c030224-001

-- Scope --

The aim of this document is to clearly define some issues related to the 
ServerMask product, as supplied by Port80 Software [1] 

-- History --

Discovered: 20.02.03 (Martin O'Neal)
Vendor notified: 24.02.03
Document released: 10.08.04

The release process on this advisory has been drawn-out due to repeated 
requests from Port80, on the basis that a revised product which resolved 
the issues would be available shortly. However, after eighteen months of 
waiting (during which time Port80 has continued to actively sell the 
product) it has become clear that no such fix is imminent.

This advisory has been publicly released without a vendor fix being 
immediately available because the issues identified are not critical, 
and do not allow the host to be remotely compromised.

-- Overview --

The ServerMask product is marketed as a solution for improving the 
security of Microsoft IIS servers by obfuscating header fields within 
HTTP responses: 

"ServerMask 2.0 removes or modifies unnecessary response data. The 
software provides control over what Server header data, if any, is 
visible in HTTP responses." [2]

In practise, ServerMask changes only a subset of the HTTP header fields, 
leaving a number of responses unmodified.  These remaining headers still 
provide reliable clues to the server being Microsoft IIS.

The stated goal of the product, anonymisation, is therefore not fully 
achieved as only a subset of identifying traits are obfuscated.

-- Analysis --

The ServerMask product is provided as an ISAPI filter for Microsoft IIS, 
and works by intercepting requests to the server and rewriting the HTTP 
header fields in responses.

The product rewrites some server headers, removes some unnecessary ones, 
and reorders the remaining headers. 
However, it leaves several obvious header fields unchanged that can be 
used to identify the server as Microsoft IIS, including:

     - ETag:
     - HTTP Status Message
     - Allow: header in response to OPTIONS request

As it stands, the ServerMask product provides at best only an incomplete 
solution to anonymising the server, whilst adding an additional product 
into the equation that must itself be maintained (and could potentially 
contain exploitable flaws).

-- Proof of concept --

To reproduce these issues, all that is required is access to a telnet 
client (or similar client providing equivalent functionality) and a 
suitable web server using the ServerMask product. For the purposes of 
this example Port80 Software's home site ( is 

Issue#1 - Standard IIS format ETag header

>From a command prompt or shell, telnet, netcat or other similar client 
should be used to connect to the web server on TCP port 80, e.g.

     telnet 80

The following extract should then be pasted into the session:

     GET /images/H_horline.gif HTTP/1.1
     Accept: */*
     Connection: Keep-Alive

The response received back should include:

     HTTP/1.1 200 OK
     Date: Mon, 24 Feb 2003 12:37:38 GMT
     Server: Yes - We Use ServerMask
     Last-Modified: Thu, 26 Sep 2002 00:07:29 GMT
     ETag: "8e9dc0b3f064c21:9b0"
     Accept-Ranges: bytes
     Content-Length: 59
     Content-Type: image/gif

The ETag header is the standard format returned by Microsoft IIS, and 
can be considered unique to that product.

Issue#2 - 404 Status Message Format

A session should again be initiated to the web port on the target, e.g.

     telnet 80

The following request should then be used to attempt to retrieve a non-
existent file from the server:

     GET /not.there HTTP/1.1
     Accept: */*
     Connection: Keep-Alive

The response should include headers similar to the following:

     HTTP/1.1 404 Object Not Found
     Date: Mon, 24 Feb 2003 12:49:54 GMT
     Server: Yes - We Use ServerMask
     Content-Length: 15383
     Connection: close
     Content-Type: text/html

The HTTP status message on the first line ("404 Object Not Found") is 
the standard format returned by Microsoft IIS, and differs from most 
other vendors.

Issue#3 - Standard IIS Format Allow header

A new session should be initiated to the web-server:

     telnet 80

An OPTIONS request should then be sent to solicit a server response:

     OPTIONS /images/H_horline.gif HTTP/1.1
     Accept: */*
     Connection: Keep-Alive

The headers should include the Allow response to the OPTIONS request:

     HTTP/1.1 200 OK
     Date: Mon, 24 Feb 2003 13:05:07 GMT
     Server: Yes - We Use ServerMask
     Content-Length: 0
The Allow header is the standard format, content and order returned by 

-- Recommendations --

The ServerMask product should be revised and improved to provide full 
control over modifying the values of all header fields, to prevent such 
analysis revealing the nature of the underlying web-server.

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0105 to this issue. This is a candidate for
inclusion in the CVE list (, which standardizes
names for security problems.

-- References --


-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Minor revisions.

-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.

-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997 
and based in Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 

Copyright 2003 Corsaire Limited. All rights reserved. 


- 漏洞信息

ServerMask Server Version Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Port 80 ServerMask contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker connects to the server via telnet and issues specially crafted commands, which will disclose the server version information resulting in a loss of confidentiality.

- 时间线

2004-08-10 Unknow
2004-08-10 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

ServerMask Improper Header Anonymization Weakness
Design Error 10905
Yes No
2004-08-10 12:00:00 2009-07-12 06:16:00
Martin O'Neal from Corsaire is credited for discovery of this weakness.

- 受影响的程序版本

Port80 ServerMask 2.2
Port80 ServerMask 2.1
Port80 ServerMask 2.0
Port80 ServerMask 1.2
Port80 ServerMask 1.1.1
Port80 ServerMask 1.1 .0
Port80 ServerMask 1.0

- 漏洞讨论

It is reported that ServerMask contains a weakness that allows servers to be identified as IIS, even when the product is functioning as advertised.

Unique traits of IIS servers are not properly filtered or altered in any way. This allows an attacker to remotely discern the type of web server, even in the presence of the ServerMask software.

ServerMask versions 2.2 and prior are reported to contain this weakness.

- 漏洞利用

No exploit is required.

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 相关参考