Bug 8319 - Security scanners complain about Python version number
Summary: Security scanners complain about Python version number
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-07 09:30 CET by Martin Östlund
Modified: 2024-03-12 13:46 CET

See Also:
Acceptance Criteria:


Attachments

Description Martin Östlund cendio 2024-03-07 09:30:01 CET
By looking at the response headers from Webaccess (and tlwebadm), a person can get information about ThinLinc version and Python version serving the request:

$ curl -I https://x.x.x.x
HTTP/1.0 404 File not found
Server: ThinLinc/4.16.0-3491 BaseHTTP/0.6 Python/3.6.8
Date: Thu, 07 Mar 2024 08:23:48 GMT
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 452

$ curl -I https://x.x.x.x:1010

HTTP/1.0 401 Unauthorized
Server: ThinLinc/4.16.0-3491 BaseHTTP/0.6 Python/3.6.8
Date: Thu, 07 Mar 2024 08:23:53 GMT
WWW-Authenticate: Basic realm="tlwebadm"
Content-Length: 0

This information can be used by vulnerability scanners to make conclusions on whether or not this Python version is supported, and give false positives that it is unsupported and considered insecure, which sometimes generates support tickets.

The disclosed header information can also be used to gather intel on a remote system by shady individuals.

It would be a nice feature if this header could be configured in some way to not disclose this information.

For example, popular web servers such as Apache and Nginx have the configuration file option to hide this information:

> expose_php = Off (php)
> server_tokens = Off (Nginx)
> ServerSignature = Off (Apache)
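The `BaseHTTP/0.6 Python/3.6.8` tokens in the header above are what Python's `http.server` produces: `BaseHTTPRequestHandler.version_string()` joins the handler's `server_version` and `sys_version` class attributes. The following is an added example, not ThinLinc's own code, that runs a handler reproducing the leaky header beside one that overrides those attributes, and fetches the `Server` header from each over loopback (the handler names and the way the ThinLinc prefix is attached are assumptions for illustration):

```python
"""Show how http.server builds the Server header and how to stop it from
disclosing the interpreter version (constructed example)."""
import http.client
import http.server
import threading


class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Mimics the header seen on the page: the stock handler appends
    sys_version ("Python/x.y.z") to server_version ("BaseHTTP/0.6")."""
    # Prefix taken from the bug report; how ThinLinc really sets it is assumed.
    server_version = "ThinLinc/4.16.0-3491 " + http.server.BaseHTTPRequestHandler.server_version

    def do_HEAD(self):
        self.send_response(404)  # send_response() also emits Server and Date
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet on stderr
        pass


class HardenedHandler(LeakyHandler):
    """Same handler with the build number and Python version suppressed."""
    server_version = "ThinLinc"  # product name only
    sys_version = ""             # drop the "Python/x.y.z" token

    def version_string(self):
        # The stock implementation returns server_version + " " + sys_version,
        # which leaves a trailing blank when sys_version is empty.
        return " ".join(p for p in (self.server_version, self.sys_version) if p)


def server_header_for(handler_cls):
    """Serve handler_cls on an ephemeral loopback port, send HEAD /, and
    return the Server header the client receives."""
    httpd = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", httpd.server_address[1], timeout=5)
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Server")
        conn.close()
        return header
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    print("leaky:   ", server_header_for(LeakyHandler))    # ... BaseHTTP/0.6 Python/x.y.z
    print("hardened:", server_header_for(HardenedHandler))  # ThinLinc
```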
Comment 2 Martin Östlund cendio 2024-03-07 09:32:14 CET
Well, Apache, Nginx, and PHP do not hide *our Server header*, but theirs :)
