Bugtraq mailing list archives

Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG


From: "Kasatenko Ivan Alex." <skywriter () RNC RU>
Date: Mon, 31 Jul 2000 02:43:12 +0400

Lately my users helped me (in a way they call this ``hacking'' :) to
discover one unpleasant feature: a home catalog of ``nobody'' user is
"/" on most Mandrake's and RedHat's (any others?) I've seen, and with
such a setting in the httpd.conf (I assume this is typical?)...

# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is recieved.

UserDir ./

.. any user may go to, for example,
http://www.malconfigured-host.com/~nobody/etc/ and get a list of files
in the /etc catalog. I assume this is a hole.

Sincerely,
            Ivan
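
An audit check for the condition described in the message above, as an added example that is not part of the original post: it joins each account's home directory from passwd with a relative UserDir value and reports accounts whose ~user URL would serve a system directory. The function name, the SENSITIVE list and the sample passwd lines are assumptions constructed for illustration.

```python
import posixpath

# Constructed sample /etc/passwd lines (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
"""

# Directories that should never be reachable through a ~user URL (assumed list).
SENSITIVE = ("/", "/etc", "/bin", "/sbin", "/usr", "/var", "/root")


def userdir_exposures(passwd_text, userdir):
    """Return [(user, served_path)] where ~user maps onto a sensitive tree.

    Handles only the relative form of UserDir (e.g. "public_html" or "./"),
    which Apache appends to the account's home directory.
    """
    if userdir.startswith("/"):
        raise ValueError("only relative UserDir values are handled here")
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # skip comments and malformed entries
        user, home = fields[0], fields[5]
        # An empty home field is treated as "/" (assumption for this check).
        served = posixpath.normpath(posixpath.join(home or "/", userdir))
        prefix = served.rstrip("/") + "/"
        # Flag the account if the served path is a sensitive directory
        # or is an ancestor of one (so "/" matches everything).
        if any(served == s or s.startswith(prefix) for s in SENSITIVE):
            findings.append((user, served))
    return findings


if __name__ == "__main__":
    for user, path in userdir_exposures(SAMPLE_PASSWD, "./"):
        print(f"~{user} serves {path}")
```

Run against the same sample accounts with UserDir set to a dedicated subdirectory such as public_html, the check reports nothing.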

