Vulnerability Development mailing list archives

Re: your mail


From: spepper () WLU CA (Shelagh Pepper)
Date: Fri, 7 Jul 2000 12:11:37 -0400


You can compile Apache without UserDir, you can totally disable UserDir, or
you can enable UserDir only for specific users.

e.g.
UserDir public_html
UserDir disabled
UserDir enable 11a

(see http://www.apache.org/docs/mod/mod_userdir.html for more information.)

Shelagh
At 04:46 PM 7/7/00 +0200, Bluefish wrote:
As you'll see in the following example, if the webserver cannot access ~11a,
it will return 403. If it can access ~11a, then it will behave as you say.
On my setup this is not a big issue, but if someone runs a large site
which offers web, this should be kept in mind.

I wouldn't scream "it's a bug", but a webserver running Apache must assume
its users to be known. To tell people who want their directory o-rxw
that they cannot because of the security concern isn't really an option,
eh? ;-)

On the other hand, these 403 responses are helpful to most users when
they set up their system. A possible solution for an administrator of a
site which really wants this to go away is to make both 403 and 404 become a
302 (page moved) referring to your "hey this is 404" file. This is done by
simply setting the error pages to complete URLs (alas, specify the path with
http://server/file, not /localpath/file).

Hope this clears up the issue!


[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-xr-x  17 11a      515          2048 Jul  7 16:34 .
--16:35:04--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 404 Not Found
16:35:04 ERROR 404: Not Found.

[11a@blue allied]$ chmod 750 .
[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-x---  17 11a      515          2048 Jul  7 16:34 .
--16:35:42--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 403 Forbidden
16:35:42 ERROR 403: Forbidden.


..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
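The two mitigations raised in this thread (Shelagh's per-user UserDir allow-list and Bluefish's full-URL ErrorDocument redirect) combined in one httpd.conf fragment, as an added example that is not from either poster; the hostname www.example.com, the file /missing.html and the user names webteam and docs are assumptions.

```apache
# Added example, not from the thread. Apache 1.3-style httpd.conf fragment.
# Hostname, error file path and the listed user names are assumptions.

# --- Default setting the thread describes (left commented out) ---
# Every user's ~/public_html is served. A request for /~user then answers
# 403 when the home or public_html directory exists but is unreadable,
# and 404 when it does not exist, so the status reveals whether the
# login name exists.
# UserDir public_html

# --- Hardened: serve UserDir only for an explicit allow-list ---
UserDir public_html
UserDir disabled
UserDir enabled webteam docs

# --- Collapse the two statuses into one response ---
# Because the target is a full URL rather than a local /path, Apache
# answers with a redirect to it instead of the original 403 or 404,
# so both cases look the same to the client.
ErrorDocument 403 http://www.example.com/missing.html
ErrorDocument 404 http://www.example.com/missing.html
```

Apply the hardened directives in place of the commented default, restart httpd, then fetch /~someuser for an existing and a non-existing name and confirm both return the same redirect.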

T> When we do www.redhatserver.com/~validlogin we get a 403, when we try with
T> another login (which is not valid) we get a 404.

This only depends on the existence of a public_html directory in the user's
home. If the user has no public_html you will also get 404. Use of the
user's dir is configurable. By default
 UserDir public_html
is in srm.conf

