Bugtraq mailing list archives
Re: BOA was: An issue with Apache on Debian
From: mast () LYSATOR LIU SE (Martin Stjernholm)
Date: Sun, 11 Apr 1999 21:10:15 +0200
Leszek Gerwatowski <bigl () CS TG COM PL> wrote:

/.../

> On Mon, Apr 05, 1999 at 07:53:35PM +0300, Andrei D. Caraman wrote:
>
> > The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
> > directory available to anyone as http://some.host/doc/. The relevant
> > line is in the srm.conf file:
> >
> >     Alias /doc/ /usr/doc/
> >
> > When I notified the maintainer of the Debian Apache package about this
> > issue he answered that this alias is required in every Debian packaged
> > web server by Debian packaging policy and if I want to report it as a
> > bug I should change the policy first. But I've chosen to comment one
> > line in srm.conf ;-)
This has already been reported as a security issue in the Debian policy almost ten months ago; see bug report #23661 (http://www.debian.org/Bugs/db/23/23661.html). The dhttpd package exposes the same problem (naturally, as it's a good policy-following Debian package) by making a symlink from /usr/doc to /var/www/doc. That has been reported in #23659. The response so far has been that eliminating this is merely "security by obscurity", and that it therefore isn't a real security issue. I disagree; it's more comparable to shadow passwords as a security measure. It's in any case an obvious help for doing large scans for vulnerabilities; among other things the risk of getting noticed in logs is much smaller. Being a "metabug", i.e. a bug in the policy, accentuates it even more since packages _have_ to implement this weakness and activate it by default.
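The directive under discussion and the one-line fix the posters describe, as an added example that is not part of any message in this thread: a small POSIX shell script that checks an Apache 1.3-style srm.conf for an active "Alias /doc/ /usr/doc/" line and comments it out. The configuration file contents are constructed here for the demonstration; the function names and the temporary file path are this example's own choices, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not code from the Bugtraq thread. Detects an uncommented
# "Alias /doc/ /usr/doc/" in an srm.conf and disables it by commenting the
# line out, which is the mitigation the thread mentions.

# Return 0 (true) when the file still exposes /usr/doc through an active
# Alias directive, 1 otherwise. Lines already commented with "#" are skipped;
# Apache directive names are case-insensitive, hence grep -i.
doc_alias_active() {
    grep -Eiq '^[[:space:]]*Alias[[:space:]]+/doc/?[[:space:]]+/usr/doc/?[[:space:]]*$' "$1"
}

# Comment out any active /doc alias, rewriting the file through a temp copy
# so the script also works where sed has no -i option.
disable_doc_alias() {
    sed -E 's|^([[:space:]]*)(Alias[[:space:]]+/doc/?[[:space:]]+/usr/doc/?)|\1# \2|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Write a constructed srm.conf fragment (hypothetical sample data) to the
# path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed srm.conf fragment for the demonstration
DocumentRoot /var/www
Alias /icons/ /usr/X11R6/include/X11/pixmaps/
Alias /doc/ /usr/doc/
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
EOF
}

# Demonstration run against the constructed file.
CONF="${TMPDIR:-/tmp}/srm.conf.example.$$"
write_sample_conf "$CONF"

if doc_alias_active "$CONF"; then
    echo "$CONF: /usr/doc is exposed as /doc/ -- commenting the Alias out"
    disable_doc_alias "$CONF"
fi

if doc_alias_active "$CONF"; then
    echo "/doc/ alias is still active"
else
    echo "/doc/ alias is now disabled:"
    grep -n 'doc' "$CONF"
fi
```

Only the exact /usr/doc alias is matched; other Alias lines such as /icons/ are left alone, and a line that has already been commented out is not reported a second time.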