[10099] in bugtraq
An issue with Apache on Debian
daemon@ATHENA.MIT.EDU (Andrei D. Caraman)
Mon Apr 5 15:28:47 1999
Date: Mon, 5 Apr 1999 19:53:35 +0300
Reply-To: "Andrei D. Caraman" <adc@KILI.MEDIASAT.RO>
From: "Andrei D. Caraman" <adc@KILI.MEDIASAT.RO>
To: BUGTRAQ@NETSPACE.ORG
[ Aleph1,
I don't remember this being posted on Bugtraq, but feel free to
kill it, if it's yesterday's news. ]
This pertains to the Apache configuration as shipped with Debian 2.1
(codename slink).
The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
directory available to anyone as http://some.host/doc/. The relevant
line is in the srm.conf file:
Alias /doc/ /usr/doc/
That would allow any user from the net (malicious or not) to know the
exact version of the software packages installed on a Debian box. It
looks more of a privacy issue then a security one. However, if a
security vulnerability affecting any of those packes is found, attackers
may already know which targets to hit (and maybe the ones to be avoided).
At first I thought that alias should be disabled, but upon further
reading the lines below (`The above line is for Debian webstandard 3.0,
which specifies that /doc refers to /usr/doc. Some packages may not
work otherwise.') I'd say that access to that location should be only
allowed from localhost (note that a web proxy on the same machine might
render that limitation useless). The site administrator could easily
change that if he/she so needs.
Johnie Ingram (the Apache maintainer for Debian) has been notified, and
replied that this was already formally reported on the Bug Tracking System
by another Debian user (details available here:
http://www.debian.org/Bugs/db/34/34099.html
including this suggested fix:
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
)
Johnie said he intended to change the old default it in the following
release.
On March 26 he also stated that a new apache deb package was to be
uploaded on the following day, so I suppose it has already made it's
way to the Debian mirrors.
<propaganda>
This is not a serious bug, since the Debian is the safest Linux
distribution. That's why I'm using it.
</propaganda>
I haven't bothered to check other distributions...
Regards,
---------------------------------------------------------------
Andrei D. Caraman phone: +40 (1) 2050 637
Network Engineer fax: +40 (1) 2050 655
Mediasat SA office hours: 10:00 - 18:00 GMT
