An issue with Apache on Debian

From: Andrei D. Caraman (adcat_private)
Date: Mon Apr 05 1999 - 09:53:35 PDT


    [ Aleph1,
    
    I don't remember this being posted on Bugtraq, but feel free to
    kill it, if it's yesterday's news. ]
    
    
    This pertains to the Apache configuration as shipped with Debian 2.1
    (codename slink).
    
    The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
    directory available to anyone as http://some.host/doc/.  The relevant
    line is in the srm.conf file:
    
    	Alias /doc/ /usr/doc/
    
    That would allow any user from the net (malicious or not) to know the
    exact version of the software packages installed on a Debian box.  It
    looks more of a privacy issue than a security one.  However, if a
    security vulnerability affecting any of those packages is found, attackers
    may already know which targets to hit (and maybe the ones to be avoided).
    
    At first I thought that alias should be disabled, but upon further
    reading the lines below (`The above line is for Debian webstandard 3.0,
    which specifies that /doc refers to /usr/doc. Some packages may not
    work otherwise.') I'd say that access to that location should be only
    allowed from localhost (note that a web proxy on the same machine might
    render that limitation useless).  The site administrator could easily
    change that if he/she so needs.
    
    
    Johnie Ingram (the Apache maintainer for Debian) has been notified, and
    replied that this was already formally reported on the Bug Tracking System
    by another Debian user (details available here:
    
    	http://www.debian.org/Bugs/db/34/34099.html
    
    including this suggested fix:
    
    	<Directory /usr/doc>
    	AllowOverride None
    	order deny,allow
    	deny from all
    	allow from localhost
    	</Directory>
    )
    
    Johnie said he intended to change the old default in the following
    release.
    
    On March 26 he also stated that a new apache deb package was to be
    uploaded on the following day, so I suppose it has already made its
    way to the Debian mirrors.
    
    <propaganda>
    
    This is not a serious bug, since the Debian is the safest Linux
    distribution.  That's why I'm using it.
    
    </propaganda>
    
    I haven't bothered to check other distributions...
    
    
    
    Regards,
    ---------------------------------------------------------------
    Andrei D. Caraman			phone: +40 (1) 2050 637
    Network Engineer			  fax: +40 (1) 2050 655
    Mediasat SA			 office hours: 10:00 - 18:00 GMT
    
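An added example (not part of the original post or of Debian's apache package): a small Python check that scans an Apache 1.3-style config for `Alias` directives whose target directory is not restricted to localhost in the way the suggested `<Directory /usr/doc>` fix does. It assumes the simple flat syntax shown in the post (no nested or regex `<Directory>` blocks, no .htaccess files); the two config snippets are constructed samples.

```python
import re

# Constructed snippets modelled on the slink default and on the suggested fix.
WEAK_CONF = """
Alias /doc/ /usr/doc/
<Directory /usr/doc>
AllowOverride None
</Directory>
"""
FIXED_CONF = """
Alias /doc/ /usr/doc/
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
"""

def parse_directory_blocks(conf):
    """Return {fs_path: [normalised directives]} for each <Directory> block."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = re.sub(r'\s*,\s*', ',', ' '.join(raw.split())).lower()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'<directory\s+"?([^\s">]+)"?\s*>', line)
        if m:
            current = m.group(1).rstrip('/') or '/'
            blocks[current] = []
        elif line == '</directory>':
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def is_localhost_only(directives):
    """True if the block denies by default and re-allows only the local host.
    Caveat (as the post notes): a web proxy on the same machine would still
    be able to reach the directory, so this is a necessary, not sufficient, check."""
    allows = [d.split()[2:] for d in directives if d.startswith('allow from')]
    return ('order deny,allow' in directives and 'deny from all' in directives
            and bool(allows)
            and all(set(a) <= {'localhost', '127.0.0.1'} for a in allows))

def exposed_aliases(conf):
    """List (url_path, fs_path) for Alias targets reachable from any client."""
    blocks = parse_directory_blocks(conf)
    exposed = []
    for m in re.finditer(r'^\s*Alias\s+(\S+)\s+(\S+)', conf, re.M | re.I):
        url, fs = m.group(1), m.group(2).rstrip('/') or '/'
        if not is_localhost_only(blocks.get(fs, [])):
            exposed.append((url, fs))
    return exposed
```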


