A PCI compliance scan on a CentOS LAMP server fails with this message. The server header and ServerSignature don't expose the Apache version.
Apache httpOnly Cookie Information Disclosure CVE-2012-0053
Can this be resolved by simply specifying a custom ErrorDocument for the 400 Bad Request response? How is the scanner determining this vulnerability? Is it invoking a bad request and then checking whether the reply is the default Apache 400 response?
Best Answer
This page suggests that it is mitigated by supplying a custom ErrorDocument and that it is resolved in Apache 2.2.22.
Your best bet for verifying this is to make your own ErrorDocument or upgrade Apache and run the scan again.
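As an added illustration of what the question asks (this is not code from the question, the answer or the Apache project), the check below looks at a captured 400 response the way a scanner might: does the body match Apache's default 400 error document, and does it echo any request header value back (CVE-2012-0053 concerns the default 400 page reflecting the offending header, cookies included). The response bodies and request headers are constructed samples.

```python
# Constructed sample bodies, not captured from a real server.
# The first imitates Apache's default 400 page with ServerSignature Off,
# including the echoed oversized header that the CVE is about.
DEFAULT_STYLE_400 = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>400 Bad Request</title>\n</head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: session=abc123; flag=xyz\n</pre>\n</p>\n"
    "</body></html>\n"
)
# A custom ErrorDocument 400 that says nothing about the request.
CUSTOM_400 = "<html><body><h1>Request rejected.</h1></body></html>\n"

# Constructed headers the checker sent; a real check would record its own.
REQUEST_HEADERS = {
    "Cookie": "session=abc123; flag=xyz",
    "User-Agent": "pci-scan-check/1.0",
}

# Phrases present in Apache's stock 400 error document.
DEFAULT_MARKERS = (
    "<title>400 Bad Request</title>",
    "Your browser sent a request that this server could not understand",
)


def looks_like_default_apache_400(body):
    """True when the body carries the wording of the stock 400 page."""
    return all(marker in body for marker in DEFAULT_MARKERS)


def reflected_headers(body, request_headers):
    """Names of request headers whose full value appears in the body."""
    return sorted(name for name, value in request_headers.items() if value in body)


def assess_400_response(body, request_headers):
    """Summarise a 400 response: default page? which headers echoed?"""
    reflected = reflected_headers(body, request_headers)
    return {
        "default_error_document": looks_like_default_apache_400(body),
        "reflected_headers": reflected,
        "cookie_reflected": "Cookie" in reflected,
    }


if __name__ == "__main__":
    print(assess_400_response(DEFAULT_STYLE_400, REQUEST_HEADERS))
    print(assess_400_response(CUSTOM_400, REQUEST_HEADERS))
```

A custom ErrorDocument passes both checks only if it avoids echoing request data; replacing the page but keeping the header dump would still fail the reflection test.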