Bugtraq mailing list archives

An issue with Apache on Debian

From: adc () KILI MEDIASAT RO (Andrei D. Caraman)
Date: Mon, 5 Apr 1999 19:53:35 +0300


[ Aleph1,

I don't remember this being posted on Bugtraq, but feel free to
kill it, if it's yesterday's news. ]


This pertains to the Apache configuration as shipped with Debian 2.1
(codename slink).

The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
directory available to anyone as http://some.host/doc/.  The relevant
line is in the srm.conf file:

        Alias /doc/ /usr/doc/

That would allow any user from the net (malicious or not) to know the
exact version of the software packages installed on a Debian box.  It
looks  more of a privacy issue then a security one.  However, if a
security vulnerability affecting any of those packes is found, attackers
may already know which targets to hit (and maybe the ones to be avoided).

At first I thought that alias should be disabled, but upon further
reading the lines below (`The above line is for Debian webstandard 3.0,
which specifies that /doc refers to /usr/doc. Some packages may not
work otherwise.') I'd say that access to that location should be only
allowed from localhost (note that a web proxy on the same machine might
render that limitation useless).  The site administrator could easily
change that if he/she so needs.


Johnie Ingram (the Apache maintainer for Debian) has been notified, and
replied that this was already formally reported on the Bug Tracking System
by another Debian user (details available here:

        http://www.debian.org/Bugs/db/34/34099.html

including this suggested fix:

        <Directory /usr/doc>
        AllowOverride None
        order deny,allow
        deny from all
        allow from localhost
        </Directory>
)

Johnie said he intended to change the old default it in the following
release.

On March 26 he also stated that a new apache deb package was to be
uploaded on the following day, so I suppose it has already made it's
way to the Debian mirrors.

<propaganda>

This is not a serious bug, since the Debian is the safest Linux
distribution.  That's why I'm using it.

</propaganda>

I haven't bothered to check other distributions...



Regards,
---------------------------------------------------------------
Andrei D. Caraman                       phone: +40 (1) 2050 637
Network Engineer                          fax: +40 (1) 2050 655
Mediasat SA                      office hours: 10:00 - 18:00 GMT

Current thread:

An issue with Apache on Debian Andrei D. Caraman (Apr 05)
- BOA was: An issue with Apache on Debian Stephen Gregory (Apr 05)
  - Re: BOA was: An issue with Apache on Debian Leszek Gerwatowski (Apr 08)
  - Netscape 4.5 vulnerability Alexey Pavlov (Apr 08)
- <Possible follow-ups>
- Re: An issue with Apache on Debian Karellen (Apr 08)
  - Re: An issue with Apache on Debian Mikael Willberg (Apr 16)