[16912] in bugtraq
Re: httpd.conf in Suse 6.4
daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Tue Sep 26 02:15:13 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Message-Id: <Pine.LNX.4.21.0009252000580.19458-100000@dent.suse.de>
Date: Mon, 25 Sep 2000 20:32:04 +0200
Reply-To: Roman Drahtmueller <draht@SUSE.DE>
From: Roman Drahtmueller <draht@SUSE.DE>
X-To: zab0ra aka t0maszek <zabora@SZERMIERZ.UNI.WROC.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.10.10009211056140.16043-100000@szermierz.uni.wroc.pl>
> From: zab0ra aka t0maszek <zabora@SZERMIERZ.UNI.WROC.PL>
[...]
> in SuSE 6.4 (maybe others) any user from any host can get info about
> packages installed on SuSE systems.
> httpd.conf file has the entry "Alias /doc/ /usr/doc/" (and others)
>
> in a www browser you can set http://hosts.any/doc/packages/ and you get a list
> of installed packages
This is correct. Thank god you didn't contact security@suse.de - we would
have had to discuss that.
Being aware of the problems in the setup as it used to be (and still is),
we agree that the webserver packages in the SuSE distribution are subject
to some changes wrt the default (access) configuration in future releases.
> Solution:
> in httpd.conf
>
> <Directory /usr/doc/packages>
> order deny,allow
> allow from your.ip.or.domain
> deny from all
> </Directory>
The configuration file for apache (/etc/httpd/httpd.conf), line 801,
reads:
############################################################
<Directory /usr/doc>
Options FollowSymLinks Indexes +Includes
AllowOverride None
</Directory>
############################################################
Rewrite this to:
############################################################
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks +Includes
AllowOverride None
</Directory>
############################################################
Thanks to Martin S. Hasemann for his reply.
> zab0ra aka t0maszek
Roman Drahtmüller.
--
| Roman Drahtmüller <draht@suse.de>     // "Caution: Cape does              |
| SuSE GmbH - Security   Phone:         // not enable user to fly."         |
| Nürnberg, Germany      +49-911-740530 // (Batman Costume warning label)   |
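As an added illustration that is not part of this thread, the following Python models how Apache 1.3's mod_access evaluates Order/Deny/Allow for a client, so the effect of the rewritten <Directory /usr/doc> block (and of getting the Order wrong) can be checked offline. The matching rules are a simplified reading of the documentation rather than Apache's own code, and the client addresses and hostnames are constructed.

```python
# Simplified model of how Apache 1.3's mod_access decides on a request for a
# client, given the Order/Deny/Allow lines of a <Directory> block. Constructed
# for illustration; the matching rules are a reading of the docs, not Apache code.

def parse_access(block: str):
    """Return (order, deny_list, allow_list) from a <Directory> block text."""
    order, deny, allow = "deny,allow", [], []      # Apache's default Order
    for raw in block.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(p.lower() for p in parts[2:])
    return order, deny, allow

def matches(entry: str, client_ip: str, client_host: str) -> bool:
    """One 'from' entry: 'all', a '.domain' suffix, an IP or IP prefix, or a hostname."""
    if entry == "all":
        return True
    if entry.startswith("."):
        return client_host.endswith(entry)
    if entry[0].isdigit():                         # partial IPs match on octet boundaries
        return client_ip == entry or client_ip.startswith(entry.rstrip(".") + ".")
    return client_host == entry

def is_allowed(block: str, client_ip: str, client_host: str) -> bool:
    """Apply the Order semantics: which list is consulted first and what wins."""
    order, deny, allow = parse_access(block)
    in_deny = any(matches(e, client_ip, client_host) for e in deny)
    in_allow = any(matches(e, client_ip, client_host) for e in allow)
    if order == "deny,allow":
        # Deny first, Allow overrides; a client matching neither list is let in.
        return in_allow or not in_deny
    # allow,deny and mutual-failure: must match Allow and must not match Deny.
    return in_allow and not in_deny

# The corrected block from the reply above (constructed copy for the demo).
SUSE_FIX = """<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks +Includes
AllowOverride None
</Directory>"""
```

Removing the order/deny/allow lines from SUSE_FIX reproduces the shipped configuration, in which every client is permitted because nothing matches either list.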