[16879] in bugtraq
httpd.conf in Suse 6.4
daemon@ATHENA.MIT.EDU (zab0ra aka t0maszek)
Fri Sep 22 13:45:27 2000
Message-Id: <Pine.SGI.4.10.10009211056140.16043-100000@szermierz.uni.wroc.pl>
Date: Thu, 21 Sep 2000 11:24:43 +0200
Reply-To: zab0ra aka t0maszek <zabora@SZERMIERZ.UNI.WROC.PL>
From: zab0ra aka t0maszek <zabora@SZERMIERZ.UNI.WROC.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
hy...
In SuSE 6.4 (maybe others) any user from any host can get info about
packages installed on SuSE systems.
The httpd.conf file has the entry "Alias /doc/ /usr/doc/" (and others).
In a www browser you can set http://hosts.any/doc/packages/ and you get a list
of installed packages.
Solution:
in httpd.conf
<Directory /usr/doc/packages>
order deny,allow
allow from your.ip.or.domain
deny from all
</Directory>
zab0ra aka t0maszek
-------------------
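
An added example, not part of the original post: a small Python audit that reads httpd.conf text and reports the URL paths under which a directory such as /usr/doc/packages is served to any host. It assumes old-style Order/Allow/Deny lines inside <Directory> blocks are the only access control in play (no .htaccess, no <Location>); the function names and sample configs are constructed for illustration.

```python
import posixpath
import re

ALIAS = re.compile(r'^\s*Alias\s+(\S+)\s+(\S+)', re.I)
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
DENY_ALL = re.compile(r'^\s*deny\s+from\s+all\b', re.I)
ALLOW_ALL = re.compile(r'^\s*allow\s+from\s+all\b', re.I)

# Constructed samples: the Alias line and the <Directory> block are the ones
# quoted in the post; the rest of a real httpd.conf is left out.
DEFAULT_CONF = "Alias /doc/ /usr/doc/\n"
FIXED_CONF = DEFAULT_CONF + """<Directory /usr/doc/packages>
order deny,allow
allow from your.ip.or.domain
deny from all
</Directory>
"""

def _within(child, parent):
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def parse(conf_text):
    """Return (aliases, blocks) found in old-style Apache access config."""
    aliases, blocks, cur = [], [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if (m := DIR_OPEN.match(line)):
            cur = {"path": posixpath.normpath(m.group(1)), "deny": False, "open": False}
        elif DIR_CLOSE.match(line) and cur:
            blocks.append(cur)
            cur = None
        elif cur is not None:
            cur["deny"] |= bool(DENY_ALL.match(line))
            cur["open"] |= bool(ALLOW_ALL.match(line))
        elif (m := ALIAS.match(line)):
            url, fs = (g.strip('"') for g in m.groups())
            aliases.append((url, posixpath.normpath(fs)))
    return aliases, blocks

def exposed_urls(conf_text, target_dir):
    """URL paths that serve target_dir to any host; [] if a block restricts it."""
    target = posixpath.normpath(target_dir)
    aliases, blocks = parse(conf_text)
    # Simplification: a covering block counts as restrictive when it has
    # "deny from all" and no "allow from all"; Order is not evaluated.
    if any(b["deny"] and not b["open"] and _within(target, b["path"]) for b in blocks):
        return []
    rels = [(u, posixpath.relpath(target, fs)) for u, fs in aliases if _within(target, fs)]
    return [u.rstrip("/") + "/" + ("" if r == "." else r + "/") for u, r in rels]
```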