Re: An issue with Apache on Debian

From: Karellen (karellenat_private)
Date: Thu Apr 08 1999 - 14:48:14 PDT

    On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
    > That would allow any user from the net (malicious or not) to know the
    > exact version of the software packages installed on a Debian box.  It
    
    That reminds me of something else. On Debian 2.0, after I read the Apache
    manual I tried that neat example they suggest 'ln -s / ~/public_html'
    lynx http://localhost/~username -- I actually got to see my root directory!
    Any user with shell access could do this and allow people to browse through your
    /etc, /home and what not. To fix this, add the following lines to the top of
    your /etc/apache/apache.conf.
    
    <Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    </Directory>
    
    I had someone confirm this for me, and I got a positive answer.
    The package maintainer has been notified. I am using v1.3.3-4.
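
An audit an administrator could run for the situation described in the message above, as an added example that is not part of the original post: it lists symlinks at or below each user's public_html that resolve outside that user's home directory. The function name, the /home layout and the availability of `readlink -f` are assumptions.

```shell
#!/bin/sh
# Added example: audit per-user web roots for symlinks that escape the home
# directory. Assumptions: homes live directly under $1 (default /home), the
# UserDir name is public_html, and readlink supports -f (GNU coreutils/busybox).
# Usage: audit_public_html /home

# Print "user<TAB>link<TAB>target" for every symlink at or below
# <base>/<user>/public_html whose resolved target is outside <base>/<user>.
audit_public_html() {
    base=${1:-/home}
    for home in "$base"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        # Skip users without a web root (-L also catches a dangling symlink).
        [ -e "$home/public_html" ] || [ -L "$home/public_html" ] || continue
        home_real=$(cd "$home" && pwd -P) || continue
        user=${home##*/}
        # find does not follow symlinks by default, so a symlinked public_html
        # is reported itself and never descended into.
        find "$home/public_html" -type l -print 2>/dev/null |
        while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue  # skip unresolvable links
            case "$target" in
                "$home_real"|"$home_real"/*) ;;           # stays inside the home
                *) printf '%s\t%s\t%s\n' "$user" "$link" "$target" ;;
            esac
        done
    done
}
```

File names containing newlines are not handled; each output line is one finding to review by hand.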
    


