On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
> That would allow any user from the net (malicious or not) to know the
> exact version of the software packages installed on a Debian box. It

That reminds me of something else. On Debian 2.0, after I read the Apache manual I tried that neat example they suggest:

    'ln -s / ~/public_html'
    lynx http://localhost/~username

-- I actually got to see my root directory! Any user with shell access could do this and allow people to browse through your /etc, /home and what not.

To fix this, add the following lines to the top of your /etc/apache/apache.conf.

    <Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    </Directory>

I had someone confirm this for me, and I got a positive answer. The package maintainer has been notified. I am using v1.3.3-4.
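
A defender-side audit for the condition described in the message above, as an added example that is not part of the original post or of the Apache or Debian packages: it lists users whose `public_html` resolves outside their own home directory. The function names, the home-directory layout and the sample users are assumptions constructed for illustration.

```python
import os
import tempfile


def find_escaping_public_html(home_root, userdir="public_html"):
    """Return [(user, link_path, resolved_target)] for every userdir that
    resolves to a location outside the owning user's home directory."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        candidate = os.path.join(home, userdir)
        # lexists() is true for symlinks even when their target is missing
        if not os.path.isdir(home) or not os.path.lexists(candidate):
            continue
        real_home = os.path.realpath(home)
        target = os.path.realpath(candidate)
        # commonpath equals real_home only when target is at or below the home
        if os.path.commonpath([real_home, target]) != real_home:
            findings.append((user, candidate, target))
    return findings


def build_constructed_sample(root):
    """Constructed layout (hypothetical users) used to exercise the audit."""
    # alice: an ordinary public_html directory
    os.makedirs(os.path.join(root, "alice", "public_html"))
    # bob: the case from the message, public_html is a symlink to /
    os.makedirs(os.path.join(root, "bob"))
    os.symlink("/", os.path.join(root, "bob", "public_html"))
    # carol: a symlink that stays inside her own home, which is not flagged
    os.makedirs(os.path.join(root, "carol", "www"))
    os.symlink("www", os.path.join(root, "carol", "public_html"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        for user, link, target in find_escaping_public_html(root):
            print(f"{user}: {link} -> {target}")
```

On a real host, pass the directory that holds the user homes (for example `/home`) as `home_root` and run it with enough privilege to read each home.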