[ Aleph1, I don't remember this being posted on Bugtraq, but feel free to kill it, if it's yesterday's news. ] This pertains to the Apache configuration as shipped with Debian 2.1 (codename slink). The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc directory available to anyone as http://some.host/doc/. The relevant line is in the srm.conf file: Alias /doc/ /usr/doc/ That would allow any user from the net (malicious or not) to know the exact version of the software packages installed on a Debian box. It looks more of a privacy issue then a security one. However, if a security vulnerability affecting any of those packes is found, attackers may already know which targets to hit (and maybe the ones to be avoided). At first I thought that alias should be disabled, but upon further reading the lines below (`The above line is for Debian webstandard 3.0, which specifies that /doc refers to /usr/doc. Some packages may not work otherwise.') I'd say that access to that location should be only allowed from localhost (note that a web proxy on the same machine might render that limitation useless). The site administrator could easily change that if he/she so needs. Johnie Ingram (the Apache maintainer for Debian) has been notified, and replied that this was already formally reported on the Bug Tracking System by another Debian user (details available here: http://www.debian.org/Bugs/db/34/34099.html including this suggested fix: <Directory /usr/doc> AllowOverride None order deny,allow deny from all allow from localhost </Directory> ) Johnie said he intended to change the old default it in the following release. On March 26 he also stated that a new apache deb package was to be uploaded on the following day, so I suppose it has already made it's way to the Debian mirrors. <propaganda> This is not a serious bug, since the Debian is the safest Linux distribution. That's why I'm using it. </propaganda> I haven't bothered to check other distributions... Regards, --------------------------------------------------------------- Andrei D. Caraman phone: +40 (1) 2050 637 Network Engineer fax: +40 (1) 2050 655 Mediasat SA office hours: 10:00 - 18:00 GMT
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:32 PDT