Bugtraq mailing list archives

Re: Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG

From: Daniel Garcia <dgarcia () HOLLYFELD ORG>
Date: Tue, 1 Aug 2000 16:29:52 -0400

On Mon, 31 Jul 2000, Kasatenko Ivan Alex. wrote:

Lately my users helped me (in a way the call this ``hacking'' :) to
discover one unpleasant feature: a home catalog of ``nobody'' user is
"/" on most Mandrake's and RedHat's (any others?) I've seen, and with
such a setting in the httpd.conf (I assume this is typical?)...

# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is recieved.

UserDir ./

.. any user may go to, for example,
http://www.malconfigured-host.com/~nobody/etc/ and get a list of files
in the /etc catalog. I assume this a hole.


UserDir is actually typically set to public_html - or some such.  I have
never seen a site setup with UserDir set to './' - but needless to say,
that's a Very Bad[tm] way to set things up.

I'm fairly certain that default installs of apache (and the distros that install
apache by default) have this set to public_html.

Cheers,

--Dg


                      Wir m?ssen wissen; wir werden wissen
     | http://hollyfeld.org | http://silentnoise.org | http://aumlaut.net |
          w | email/dgarcia () silentnoise org | mp3/www.mp3.com/sol3 | g
            Listen to Silent Screams: http://silentnoise.org/screams
                  np on Silent Screams: Aumlaut 4.1 by Aumlaut

Current thread:

Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG Kasatenko Ivan Alex. (Aug 01)
- Re: Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG Daniel Garcia (Aug 01)