Vulnerability Development mailing list archives
Re: your mail
From: 11a () GMX NET (Bluefish)
Date: Fri, 7 Jul 2000 16:46:00 +0200
As you'll see in the following example, if the webserver cannot access ~11a, it will return 403. If it can access ~11a, then it will behave as you say.

On my setup this is not a big issue, but if someone runs a large site which offers web, this should be kept in mind. I wouldn't scream "it's a bug", but a webserver running apache must assume their users to be known. To tell people who want their directory o-rxw that they cannot because of the security concern isn't really an option, eh? ;-)

On the other hand, these 403 responses are helpful to most users when they set up their system. A possible solution for an administrator of a site which really wants this to go away is to make both 403 and 404 become a 302 (page moved) referring to your "hey this is 404"-file. This is done by simply setting the errorpages to complete URLs (alas, specify path with http://server/file, not /localpath/file).

Hope this clears up the issue!

[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-xr-x   17 11a      515          2048 Jul  7 16:34 .
--16:35:04--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 404 Not Found
16:35:04 ERROR 404: Not Found.

[11a@blue allied]$ chmod 750 .
[11a@blue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
ls: .html: No such file or directory
drwxr-x---   17 11a      515          2048 Jul  7 16:34 .
--16:35:42--  http://127.0.0.1:80/%7E11a
           => `-'
Connecting to 127.0.0.1:80... connected!
HTTP request sent, awaiting response... 403 Forbidden
16:35:42 ERROR 403: Forbidden.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
T> When we do www.redhatserver.com/~validlogin we get a 403, when we try with
T> another login (which is not valid) we get a 404.

This only depends on the existence of a public_html directory in the user's home. If the user has no public_html you will also get 404. Use of the user's dir is configurable. By default UserDir public_html is in srm.conf.
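The workaround described in the post, written out as an Apache configuration fragment. This is an added example, not configuration from the post or from Apache's shipped defaults; the hostname www.example.com and the page /notfound.html are assumptions.

```apacheconf
# Added example (not from the post). Assumes the hostname www.example.com
# and a static page /notfound.html that exists and is world-readable.

# Per-user directories, as in the default srm.conf mentioned in the thread.
UserDir public_html

# Weak: with local paths Apache serves the custom page but keeps the
# real status code, so a client still sees 403 for an existing account
# whose home directory is unreadable and 404 for an account that does
# not exist (or has no public_html). The two cases stay distinguishable.
#ErrorDocument 403 /notfound.html
#ErrorDocument 404 /notfound.html

# Corrected, as the post suggests: a complete URL makes Apache answer
# with a 302 redirect to that URL for both conditions, so a valid
# account and an invalid one produce the same status and Location.
ErrorDocument 403 http://www.example.com/notfound.html
ErrorDocument 404 http://www.example.com/notfound.html
```

To confirm the change took effect, request ~user for one real account and one made-up name from your own server and check that both responses carry the same status and Location header.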