Re: BOA was: An issue with Apache on Debian

From: Martin Stjernholm (mastat_private)
Date: Sun Apr 11 1999 - 12:10:15 PDT


    Leszek Gerwatowski <biglat_private> wrote:
    
    /.../
    > > On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
    > > > The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
    > > > directory available to anyone as http://some.host/doc/.  The relevant
    > > > line is in the srm.conf file:
    > > >
    > > > 	Alias /doc/ /usr/doc/
    > > >
    >
    > When I notified the maintainer of the Debian Apache package about this issue he
    > answered that this alias is required in every Debian packaged web server
    > by Debian packaging policy and if I want to report it as a bug I should
    > change the policy first. But I've chosen to comment out one line in srm.conf ;-)
    
    This has already been reported as a security issue in the Debian
    policy almost ten months ago; see bug report #23661
    (http://www.debian.org/Bugs/db/23/23661.html). The dhttpd package
    exposes the same problem (naturally, as it's a good policy-following
    Debian package) by making a symlink from /usr/doc to /var/www/doc.
    That has been reported in #23659.
    
    The response so far has been that eliminating this is merely "security
    by obscurity", and that it therefore isn't a real security issue. I
    disagree; it's more comparable to shadow passwords as a security
    measure. It's in any case an obvious help for doing large scans for
    vulnerabilities; among other things the risk of getting noticed in
    logs is much smaller.
    
    Being a "metabug", i.e. a bug in the policy, accentuates it even more
    since packages _have_ to implement this weakness and activate it by
    default.
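As an added defender-side check (example code written for this archive page, not part of the message above nor of the Debian or Apache packages), the following Python script audits an Apache configuration for active Alias directives that map a URL onto a package documentation tree such as /usr/doc, the default setting the thread discusses. A line that has been commented out, the fix Leszek chose, is skipped. The sample srm.conf text, the /usr/share/doc prefix and the function names are constructed assumptions, not taken from any real package file.

```python
"""Audit an Apache configuration for Alias directives that expose system
documentation directories (e.g. the Debian default 'Alias /doc/ /usr/doc/'
quoted in the thread above).

Added example; not code from the original message or from Debian/Apache.
The sample configuration text below is constructed for illustration.
"""
import re
import shlex
from typing import List, Tuple

# Filesystem prefixes that hold package documentation. /usr/doc is the path
# named in the thread; /usr/share/doc is assumed as its later FHS location.
# Extend this tuple for other distributions (assumption).
DOC_PREFIXES = ("/usr/doc", "/usr/share/doc")

# Matches an uncommented Alias or AliasMatch directive (directive names are
# case-insensitive in Apache). ScriptAlias is deliberately not matched.
ALIAS_RE = re.compile(r"^\s*(Alias(?:Match)?)\s+(.*)$", re.IGNORECASE)


def find_doc_aliases(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, url_path, fs_path) for every active Alias that
    maps a URL path onto a documentation directory."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the directive is inactive
        m = ALIAS_RE.match(line)
        if not m:
            continue
        try:
            args = shlex.split(m.group(2))  # handles quoted paths with spaces
        except ValueError:
            continue  # unbalanced quotes: Apache would reject this line anyway
        if len(args) != 2:
            continue
        url_path, fs_path = args
        normalized = fs_path.rstrip("/")
        if any(normalized == p or normalized.startswith(p + "/") for p in DOC_PREFIXES):
            findings.append((lineno, url_path, fs_path))
    return findings


# Constructed sample resembling an srm.conf of that era (not a real file).
SAMPLE_SRM_CONF = """\
# srm.conf: resource configuration
DocumentRoot /var/www
Alias /icons/ /usr/share/apache/icons/
Alias /doc/ /usr/doc/
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
"""

# The same file after the fix from the thread: the Alias line commented out.
SAMPLE_FIXED_CONF = SAMPLE_SRM_CONF.replace("Alias /doc/", "#Alias /doc/")


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_SRM_CONF), ("fixed", SAMPLE_FIXED_CONF)):
        hits = find_doc_aliases(text)
        print(f"{label}: {len(hits)} documentation alias(es)")
        for lineno, url_path, fs_path in hits:
            print(f"  line {lineno}: {url_path} -> {fs_path}")
```

Run it against a real httpd.conf or srm.conf by reading the file into find_doc_aliases(); an empty result means no active Alias points into the documentation prefixes listed in DOC_PREFIXES.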
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:05 PDT