Bugtraq mailing list archives
Re: httpd.conf in Suse 6.4
From: Roman Drahtmueller <draht () SUSE DE>
Date: Mon, 25 Sep 2000 20:32:04 +0200
From: zab0ra aka t0maszek <zabora () SZERMIERZ UNI WROC PL>
[...]
In SuSE 6.4 (maybe another) any user from any host can get info about packages installed on SuSE systems. The httpd.conf file has the entry "Alias /doc/ /usr/doc/" (and others); in a www browser you can set http://hosts.any/doc/packages/ and you get a list of installed packages.
This is correct. Thank god you didn't contact security () suse de - we would have had to discuss that. Being aware of the problems in the setup as it used to be (and still is), we agree that the webserver packages in the SuSE distribution are subject to some changes wrt the default (access) configuration in future releases.
Solution: in httpd.conf

<Directory /usr/doc/packages>
order deny,allow
allow from your.ip.or.domain
deny from all
</Directory>

The configuration file for apache (/etc/httpd/httpd.conf), line 801, reads:

############################################################
<Directory /usr/doc>
Options FollowSymLinks Indexes +Includes
AllowOverride None
</Directory>
############################################################

Rewrite this to:

############################################################
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks +Includes
AllowOverride None
</Directory>
############################################################

Thanks to Martin S. Hasemann for his reply.
zab0ra aka t0maszek
Roman Drahtmüller.
--
| Roman Drahtmüller <draht () suse de>       // "Caution: Cape does            |
| SuSE GmbH - Security      Phone:           //  not enable user to fly."      |
| Nürnberg, Germany         +49-911-740530   // (Batman Costume warning label) |
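
An added example, not part of the original thread or of SuSE's packages: a small Python audit that reports every Alias whose target directory ends up with Indexes enabled and no "deny from all", which is the condition described in the report. It is a simplification that looks only at Options and "deny/allow from all" inside <Directory> blocks (no Order evaluation, .htaccess or <Location>); the function names and both sample strings are constructed here.

```python
import re

# Constructed sample: the Alias from the report plus the stock block from the reply.
STOCK = """\
Alias /doc/ /usr/doc/
<Directory /usr/doc>
Options FollowSymLinks Indexes +Includes
AllowOverride None
</Directory>
"""
# The same file with the three access lines of the rewritten block added.
FIXED = STOCK.replace(
    "Options", "order deny,allow\ndeny from all\nallow from localhost\nOptions")

def parse(conf):
    """Return ([(url, fs_path)], {directory: [lower-cased directive lines]})."""
    aliases, dirs, current = [], {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)/?"?\s*>$', line, re.I)
        if opened:
            current = dirs.setdefault(opened.group(1), [])
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and line and not line.startswith("#"):
            current.append(line.lower())
        elif re.match(r"alias\s+\S+\s+\S+", line, re.I):
            url, path = line.split()[1:3]
            aliases.append((url, path.strip('"').rstrip("/") or "/"))
    return aliases, dirs

def exposed_listings(conf):
    """Aliases whose target is auto-indexed and not closed by 'deny from all'."""
    aliases, dirs = parse(conf)
    hits = []
    for url, path in aliases:
        indexes = restricted = False
        for d in sorted(dirs, key=len):  # shortest enclosing path applies first
            if path != d and not path.startswith(d.rstrip("/") + "/"):
                continue
            for words in map(str.split, dirs[d]):
                opts = words[1:]
                if words[0] == "options":
                    relative = all(o[0] in "+-" for o in opts)
                    indexes = (indexes and relative and "-indexes" not in opts) \
                        or bool({"indexes", "+indexes"} & set(opts))
                elif words[0] in ("deny", "allow") and opts == ["from", "all"]:
                    restricted = words[0] == "deny"
        if indexes and not restricted:
            hits.append((url, path))
    return hits
```

exposed_listings(STOCK) reports the /doc/ alias; exposed_listings(FIXED) reports nothing.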
Current thread:
- httpd.conf in Suse 6.4 zab0ra aka t0maszek (Sep 22)
- Re: httpd.conf in Suse 6.4 Martin S. Hasemann (Sep 25)
- Re: httpd.conf in Suse 6.4 Roman Drahtmueller (Sep 25)