[UNIX] Apache UserDir Information Disclosure (User Anna)
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Apache UserDir Information Disclosure (User Anna)
Message-Id: <20010915224852.897C6138BF@mail.der-keiler.de>
Date: Sun, 16 Sep 2001 00:48:52 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apache UserDir Information Disclosure (User Anna)
------------------------------------------------------------------------
SUMMARY
An information leak can occur on Apache based web servers. The leak occurs
whenever the UserDir module is enabled, and it would allow an external
attacker to enumerate existing user accounts by trying to access their
home directory and monitoring the response. Note that users do not have to
have public_html directories for this attack to work.
DETAILS
Example:
When someone on the Internet requests a URL such as
http://www.example.com/~anna
the server answers in one of three ways:
1. HTTP result code 200 and Anna's homepage, when user "anna" exists on
your UNIX system and she has a homepage.
2. HTTP result code 403 and the Apache message "You don't have
permission to access /~anna on this server.", when user "anna" exists on
your UNIX system and she has no homepage or access to her homepage is
denied.
3. HTTP result code 404 and the Apache message "The requested URL
/~anna was not found on this server", when user "anna" doesn't exist on
your UNIX system.
Workaround:
1) Disable this feature by changing "UserDir public_html" (or whatever) to
"UserDir disabled".
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if
there is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
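Added example (not part of the original advisory): a log check that flags clients requesting many distinct /~name paths and lists which names the 200/403/404 split described above confirmed to them. It assumes Apache Common Log Format; the function name, the min_names threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format: Apache Common Log Format
#   host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3}) ')
USERDIR_RE = re.compile(r'^/~([^/?#]+)')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2001:00:40:01 +0200] "GET /~anna HTTP/1.0" 403 287
192.0.2.10 - - [16/Sep/2001:00:40:02 +0200] "GET /~bob HTTP/1.0" 404 275
192.0.2.10 - - [16/Sep/2001:00:40:02 +0200] "GET /~carol HTTP/1.0" 404 277
192.0.2.10 - - [16/Sep/2001:00:40:03 +0200] "GET /~root HTTP/1.0" 403 287
192.0.2.10 - - [16/Sep/2001:00:40:03 +0200] "GET /~dave/ HTTP/1.0" 200 1520
198.51.100.7 - - [16/Sep/2001:00:41:10 +0200] "GET /~dave/ HTTP/1.0" 200 1520
198.51.100.7 - - [16/Sep/2001:00:41:11 +0200] "GET /~dave/pic.gif HTTP/1.0" 200 8344
198.51.100.7 - - [16/Sep/2001:00:41:15 +0200] "GET /index.html HTTP/1.0" 200 2210
"""

def find_userdir_probing(log_text, min_names=4):
    """Return {client: {"names": {name: status}, "confirmed": [names]}} for
    clients that requested at least min_names distinct /~name paths.
    min_names is an illustrative threshold; tune it for your site."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        u = USERDIR_RE.match(path)
        if u:
            # Keep the first status the client saw for each name.
            seen[client].setdefault(u.group(1), status)
    report = {}
    for client, names in seen.items():
        if len(names) >= min_names:
            # Per the advisory: 200 or 403 means the account exists,
            # 404 means it does not.
            confirmed = sorted(n for n, s in names.items() if s in (200, 403))
            report[client] = {"names": dict(names), "confirmed": confirmed}
    return report

if __name__ == "__main__":
    for client, info in find_userdir_probing(SAMPLE_LOG).items():
        print(client, "requested", len(info["names"]),
              "user dirs; existence confirmed for:", info["confirmed"])
```

After applying one of the workarounds, the same check should show no 403/404 difference between names for a flagged client.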
ADDITIONAL INFORMATION
The information has been provided by Alexander A. Kelner
<akson@tts.debryansk.ru>, Josha Bronson
<dmuz@slartibartfast.angrypacket.com>, Tobias J. Kreidl
<Tobias.Kreidl@NAU.EDU>, and Heikki Korpela <heko@iki.fi>.