[10165] in bugtraq

home help back first fref pref prev next nref lref last post

Re: An issue with Apache on Debian

daemon@ATHENA.MIT.EDU (Karellen)
Fri Apr 9 20:07:55 1999

Date: 	Fri, 9 Apr 1999 00:48:14 +0300
Reply-To: Karellen <karellen@CRYOGEN.COM>
From: Karellen <karellen@CRYOGEN.COM>
To: BUGTRAQ@NETSPACE.ORG

On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
> That would allow any user from the net (malicious or not) to know the
> exact version of the software packages installed on a Debian box.  It

That reminds me of something else. On Debian 2.0, after I read the Apache
manual I tried that neat example they suggest 'ln -s / ~/public_html'
lynx http://localhost/~username -- I actually got to see my root directory!
Any user with shell access could do this and allow people to browse through your
/etc, /home and what not. To fix this, add the following lines to the top of
your /etc/apache/apache.conf.

<Directory />
AllowOverride None
Options None
Order deny,allow
Deny from all
</Directory>

I had someone confirm this for me, and I got a positive answer.
The package maintainer has been notified. I am using v1.3.3-4.
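For readers applying the fix above, here is a fuller apache.conf fragment that shows where the restrictive root block fits and what has to be re-opened afterwards. This is an added example, not configuration from the original post or from the Debian package; it uses Apache 1.3 directives (Order/Deny/Allow, mod_userdir), and the paths /var/www and /home/*/public_html are assumed defaults that may differ on a given box.

```apache
# Added example (not from the original post): hardened apache.conf
# fragment for Apache 1.3. /var/www and /home/*/public_html are assumptions.

# 1. Lock down the filesystem root first. Nothing under / is served
#    unless a more specific <Directory> block below re-opens it, and
#    "Options None" turns off FollowSymLinks everywhere by default.
<Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
</Directory>

# 2. Re-open only the document root.
DocumentRoot /var/www
<Directory /var/www>
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
</Directory>

# 3. Per-user web space. SymLinksIfOwnerMatch (instead of FollowSymLinks)
#    makes Apache follow a symlink only when the link and its target have
#    the same owner, so 'ln -s / ~/public_html' by an ordinary user does
#    not expose /etc (owned by root) or other users' home directories.
UserDir public_html
UserDir disabled root
<Directory /home/*/public_html>
    AllowOverride None
    Options Indexes SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>
```

The point of the layering is that the root block alone would also deny /var/www and public_html, so whatever Debian's stock access.conf already opens must come after it. The specific control against the symlink trick is the Options line on the public_html block: as long as no later block re-enables FollowSymLinks, a symlink to / or /etc is simply refused with a 403.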
