Way of getting server software versions?

[youradds]

Hi,

I'm in the process of setting up a "trust" site. Basically, people put a bit of HTML onto the page - and assuming their server has the latest software/a valid SSL certificate, it will show a "good" image, otherwise it'll show a "sofware not up to date" image.

Now, I've tried doing:

#!/usr/bin/perl -w

print qq|Content-Type: text/html \n\n|;
map { print qq|$_ => $ENV{$_} <br />|; } keys %ENV;

However, although this gives me quite a bit of info - most of that is related to the script/their IP.

Is there a way to get the values etc from them? I don't want it to be complicated - as they are gonna have to set this script up themselves. I know I can do stuff like:

domain@east ~ $ php --version
PHP 5.2.6 (cgi-fcgi) (built: May  2 2008 11:38:58)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Optimizer v3.3.0, Copyright (c) 1998-2007, by Zend Technologies
domain@east ~ $

..and:

domain@east ~ $ perl --version

This is perl, v5.8.4 built for x86_64-linux

However, I'm not sure this will work on 100% of the servers (as a) it requires them to have command line access from perl script, and b) it assumes the commands run work on their server)

Is there maybe something that can be run from our end, to determine their software versions or something?

I'm at a bit of a dead end here (and googling comes up with bugger all too )

TIA for any suggestions.

Andy

 

[Kirsle]

Why wouldn't they have command line access from a Perl script? Actually afaik I don't think it's possible to give Perl access but not allow Perl to execute system commands (but its possible to not allow the user to have shell access on the server system i.e. through SSH).

So it would be more reliable to have the CGI script run system commands to get version information than to do it any other way. If it's any Unix-like server system, they're almost definitely going to have Perl installed (well, obviously, as this script is a Perl script right?)

To get version information from the outside is not reliable though. In most Apache server setups I've seen, the "SERVER_SIGNATURE" will simply say something like "Apache/2.2.3 (Unix) running on

http://www.server.name

port 80". Some server setups will have the signature spit out much more info, like the version of PHP installed and what modules are enabled in Apache and their versions too. My web server on the other hand says simply "Apache Server" without even giving its own version number out.

Letting servers give out version information is generally considered a security risk, because an attacker who knows that a particular vulnerability exists on Apache 2.2.3 will automatically know that your server is vulnerable to this exploit because your server openly tells them that it's running version 2.2.3. So sane sysadmins configure servers to not give out any information like this, and these things vary from server to server so it's unreliable to try to use them for your purposes.

Just stick with the system commands.

my $perl = `perl --version`;
if ($?) { die "perl doesn't exist?"; }
my $php = `php --version`
if ($?) { die "php doesn't exist?"; }

-------------
Cuvou.com | My personal homepage

perl -e '$|=$i=1;print" oo\n<|>\n_|_";x:sleep$|;print"\b",$i++%2?"/":"_";goto x;'

 

[Xaqte]

From inside a script, you could:

my $perlversion = $];

 

[youradds]

Thanks - think I'm gonna use the $] as per the example, and then do a test.php script which just prints out phpversion(). As far as I can see, thats gonna be the safest way of doing it (cos these scripts are gonna be used on a LOT of servers =))

Thanks for the replies guys

Andy