Vulnerability Development mailing list archives

Re: your mail


From: 11a () GMX NET (Bluefish)
Date: Fri, 7 Jul 2000 16:46:00 +0200


As you'll see in the following example, if the webserver cannot access ~11a,
it will return 403. If it can access ~11a, then it will behave as you say.
On my setup this is not a big issue, but if someone runs a large site
which offers web, this should be kept in mind.

I wouldn't scream "it's a bug", but a webserver running Apache must assume
their users to be known. To tell people who want their directory o-rxw
that they cannot because of the security concern isn't really an option,
eh? ;-)

On the other hand, these 403 responses are helpful to most users when
they set up their system. A possible solution for an administrator for a
site which really wants this to go away is to make both 403 and 404 become a
302 (page moved) referring to your "hey this is 404"-file. This is done by
simply setting the error pages to complete URLs (alas, specify path with
http://server/file, not /localpath/file)

Hope this clears up the issue!

[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-xr-x  17 11a      515          2048 Jul  7 16:34 .
--16:35:04--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 404 Not Found
16:35:04 ERROR 404: Not Found.

[11a@blue allied]$ chmod 750 .
[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-x---  17 11a      515          2048 Jul  7 16:34 .
--16:35:42--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 403 Forbidden
16:35:42 ERROR 403: Forbidden.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

T> When we do www.redhatserver.com/~validlogin we get a 403, when we try with
T> another login (which is not valid) we get a 404.

This only depends on existence of public_html directory in user's
home. If user has no public_html you will also get 404. Using of
User's dir is configurable. By default
 UserDir public_html
is in srm.conf
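
An added example, not part of the original message or of Apache: a self-check an administrator could use to confirm that the 403/404 difference shown in the transcript disappears once both errors become the same 302. The FakeUserDir server, the user "alice" and the error URL are constructed stand-ins so the check runs offline; against a real site, point fingerprint() at your own server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the UserDir behaviour described in the mail:
# "alice" exists but her directory is unreadable (403); anyone else is 404.
class FakeUserDir(BaseHTTPRequestHandler):
    mitigated = False                      # True = both errors become one 302
    error_url = "http://127.0.0.1/notfound.html"   # hypothetical error page

    def do_GET(self):
        status = 403 if self.path.startswith("/~alice") else 404
        if self.mitigated:
            self.send_response(302)
            self.send_header("Location", self.error_url)
        else:
            self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args): pass     # keep the demo quiet

def fingerprint(host, port, path):
    """Return what a client can observe without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return (resp.status, resp.getheader("Location"), len(body))

def leaks_user_existence(host, port, known_user, bogus_user):
    """True if the two ~user requests can be told apart by a client."""
    return (fingerprint(host, port, "/~" + known_user)
            != fingerprint(host, port, "/~" + bogus_user))

def run_demo(mitigated):
    handler = type("H", (FakeUserDir,), {"mitigated": mitigated})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return leaks_user_existence("127.0.0.1", srv.server_port, "alice", "no-such-user")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("default error pages leak:", run_demo(False))
    print("403/404 -> same 302 leak:", run_demo(True))
```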

