Bugtraq mailing list archives
Re: An issue with Apache on Debian
From: karellen () CRYOGEN COM (Karellen)
Date: Fri, 9 Apr 1999 00:48:14 +0300
On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
That would allow any user from the net (malicious or not) to know the exact version of the software packages installed on a Debian box. It
That reminds me of something else. On Debian 2.0, after I read the Apache manual I tried that neat example they suggest:

    ln -s / ~/public_html
    lynx http://localhost/~username

-- I actually got to see my root directory! Any user with shell access could do this and allow people to browse through your /etc, /home and what not. To fix this, add the following lines to the top of your /etc/apache/apache.conf:

    <Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    </Directory>

I had someone confirm this for me, and I got a positive answer. The package maintainer has been notified. I am using v1.3.3-4.
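An audit an administrator could run alongside the configuration fix above, as an added example that is not part of the original post: it lists symlinks at or below each user's public_html that resolve outside that user's home directory. The function name escaping_links, its parameters and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile

def escaping_links(home_root, webdir="public_html"):
    """Return (user, link_path, resolved_target) for every symlink at or
    below <home_root>/<user>/<webdir> that resolves outside that user's home."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.realpath(os.path.join(home_root, user))
        top = os.path.join(home, webdir)
        if not os.path.lexists(top):
            continue
        # public_html itself may be the link (the 'ln -s / ~/public_html' case);
        # otherwise inspect every entry beneath it without following links.
        candidates = [top]
        if os.path.isdir(top) and not os.path.islink(top):
            for dirpath, dirnames, filenames in os.walk(top, followlinks=False):
                candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in candidates:
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # A target whose common prefix with the home is not the home
            # itself lies outside it.
            if os.path.commonpath([home, target]) != home:
                findings.append((user, path, target))
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for /home (not real user data).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alice"))
    os.symlink("/", os.path.join(root, "alice", "public_html"))
    os.makedirs(os.path.join(root, "bob", "public_html"))
    os.symlink("/etc", os.path.join(root, "bob", "public_html", "conf"))
    for user, path, target in escaping_links(root):
        print(f"{user}: {path} -> {target}")
```

On a real host, pass the directory that holds the home directories (for example /home) as home_root.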
Current thread:
- An issue with Apache on Debian Andrei D. Caraman (Apr 05)
- BOA was: An issue with Apache on Debian Stephen Gregory (Apr 05)
- Re: BOA was: An issue with Apache on Debian Leszek Gerwatowski (Apr 08)
- Netscape 4.5 vulnerability Alexey Pavlov (Apr 08)
- <Possible follow-ups>
- Re: An issue with Apache on Debian Karellen (Apr 08)
- Re: An issue with Apache on Debian Mikael Willberg (Apr 16)