[10181] in bugtraq


Re: BOA was: An issue with Apache on Debian

daemon@ATHENA.MIT.EDU (Martin Stjernholm)
Mon Apr 12 16:26:28 1999

Date: 	Sun, 11 Apr 1999 21:10:15 +0200
Reply-To: Martin Stjernholm <mast@LYSATOR.LIU.SE>
From: Martin Stjernholm <mast@LYSATOR.LIU.SE>
To: BUGTRAQ@NETSPACE.ORG

Leszek Gerwatowski <bigl@CS.TG.COM.PL> wrote:

/.../
> > On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
> > > The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
> > > directory available to anyone as http://some.host/doc/.  The relevant
> > > line is in the srm.conf file:
> > >
> > > 	Alias /doc/ /usr/doc/
> > >
>
> When I notified the maintainer of the Debian Apache package about this issue, he
> answered that this alias is required in every Debian-packaged web server
> by Debian packaging policy and that if I want to report it as a bug I should
> first change the policy. But I've chosen to comment out one line in srm.conf ;-)

This has already been reported as a security issue in the Debian
policy almost ten months ago; see bug report #23661
(http://www.debian.org/Bugs/db/23/23661.html). The dhttpd package
exposes the same problem (naturally, as it's a good policy-following
Debian package) by making a symlink from /usr/doc to /var/www/doc.
That has been reported in #23659.

The response so far has been that eliminating this is merely "security
by obscurity", and that it therefore isn't a real security issue. I
disagree; it's more comparable to shadow passwords as a security
measure. It's in any case an obvious help for doing large scans for
vulnerabilities; among other things the risk of getting noticed in
logs is much smaller.

Being a "metabug", i.e. a bug in the policy, accentuates it even more
since packages _have_ to implement this weakness and activate it by
default.
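
The configuration at issue in this thread, as an added example that is not part of the original post or of the Debian package: the srm.conf alias as quoted above, beside an Apache 1.3 access-control fragment that keeps the alias (so local users can still read http://localhost/doc/, which appears to be what the policy wants) but refuses requests from anywhere except the loopback address. The placement in access.conf and the choice of 127.0.0.1 as the only allowed client are assumptions.

```apache
# srm.conf, as shipped by the Debian apache package (the line quoted in the thread):
Alias /doc/ /usr/doc/

# Option 1: remove the exposure entirely by commenting the alias out,
# which is what Leszek did. Remote clients then get 404 for /doc/.
#Alias /doc/ /usr/doc/

# Option 2 (added example; assumed to live in access.conf): keep the alias
# but restrict /usr/doc to the local host. With "Order deny,allow" the Deny
# is evaluated first and the Allow overrides it for the listed address only,
# so every non-loopback client receives 403 Forbidden and the installed
# package list is no longer enumerable from the network.
<Directory /usr/doc>
    Options Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
```

After restarting the server, a request for /doc/ from any address other than 127.0.0.1 should be answered with 403, while the same request from the host itself still returns the directory index. Note that this only closes the anonymous enumeration that makes large-scale scanning cheaper and quieter in the logs, which is the point argued above; it does not change which packages are installed.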
