Re: Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG
daemon@ATHENA.MIT.EDU (Daniel Garcia)
Wed Aug  2 02:38:41 2000
Message-ID:  <Pine.LNX.4.10.10008011628050.12806-100000@www.hollyfeld.org>
Date:         Tue, 1 Aug 2000 16:29:52 -0400
Reply-To: Daniel Garcia <dgarcia@HOLLYFELD.ORG>
From: Daniel Garcia <dgarcia@HOLLYFELD.ORG>
X-To:         "Kasatenko Ivan Alex." <skywriter@rnc.ru>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <7617850978.20000731024312@rnc.ru>
On Mon, 31 Jul 2000, Kasatenko Ivan Alex. wrote:
> Lately my users helped me (in a way they call ``hacking'' :) to
> discover one unpleasant feature: the home catalog of the ``nobody'' user is
> "/" on most Mandrake's and RedHat's (any others?) I've seen, and with
> such a setting in the httpd.conf (I assume this is typical?)...
> > # UserDir: The name of the directory which is appended onto a user's home
> > # directory if a ~user request is recieved.
> >
> > UserDir ./
> .. any user may go to, for example,
> http://www.malconfigured-host.com/~nobody/etc/ and get a list of files
> in the /etc catalog. I assume this is a hole.
UserDir is actually typically set to public_html - or some such.  I have
never seen a site set up with UserDir set to './' - but needless to say,
that's a Very Bad[tm] way to set things up.
I'm fairly certain that default installs of apache (and the distros that install
apache by default) have this set to public_html.
Cheers,
--Dg
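An added defender-side check for the misconfiguration discussed in this thread (example code, written for this page, not from either poster): it reconstructs the filesystem path mod_userdir would serve for /~user/... under a given UserDir value and flags any account whose web root resolves to "/". It assumes the standard mod_userdir mapping (a relative UserDir such as public_html or ./ is appended to the user's home; an absolute UserDir gets the username appended); the passwd lines at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): reconstruct the path Apache's
# mod_userdir serves for /~USER/SUBPATH under a given UserDir value, and
# flag users whose web root resolves to "/" (the UserDir ./ + home "/" case).

# Collapse "", "." and ".." segments so "/./etc/" becomes "/etc".
normalize_path() {
    out=""
    old_ifs=$IFS; IFS=/
    set -f                              # no globbing of path segments
    for seg in $1; do
        case $seg in
            ""|.)  ;;
            ..)    out=${out%/*} ;;
            *)     out="$out/$seg" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# resolve_userdir USERDIR USER HOME SUBPATH
# Relative UserDir (public_html, ./) is appended to the user's home directory;
# an absolute UserDir (e.g. /usr/web) gets the username appended instead.
resolve_userdir() {
    case $1 in
        /*) normalize_path "$1/$2/$4" ;;
        *)  normalize_path "$3/$1/$4" ;;
    esac
}

# exposes_root USERDIR USER HOME: true when ~USER's web root is the fs root.
exposes_root() {
    [ "$(resolve_userdir "$1" "$2" "$3" "")" = / ]
}

# audit_passwd USERDIR PASSWD_FILE: report accounts whose ~user root is "/".
audit_passwd() {
    while IFS=: read -r user _ _ _ _ home _; do
        if exposes_root "$1" "$user" "$home"; then
            printf 'WARNING: /~%s/ serves / (home=%s, UserDir %s)\n' "$user" "$home" "$1"
        fi
    done < "$2"
}

# Constructed sample /etc/passwd lines mirroring the report (nobody's home is /).
SAMPLE_PASSWD=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\nnobody:x:99:99:Nobody:/:/bin/false\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$SAMPLE_PASSWD"
audit_passwd "./" "$SAMPLE_PASSWD"      # warns only for nobody
rm -f "$SAMPLE_PASSWD"
```

Run it against a real passwd file with the UserDir value from httpd.conf to see which accounts would expose their home directory tree.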