An information leak can occur on Apache-based web servers whenever the UserDir module is enabled. It allows an external attacker to enumerate existing user accounts by requesting their home directories and observing the response. Note that users do not need to have public_html directories for this attack to work.
Credit:
The information has been provided by Alexander A. Kelner, Josha Bronson, Tobias J. Kreidl, and Heikki Korpela.
Example:
When someone on the Internet requests a URL such as
http://www.example.com/~anna
the server returns one of the following:
1. HTTP result code 200 and Anna's homepage, when user "anna" exists on your UNIX system and has a homepage.
2. HTTP result code 403 and the Apache message "You don't have permission to access /~anna on this server.", when user "anna" exists on your UNIX system and has no homepage, or access to her homepage is denied.
3. HTTP result code 404 and the Apache message "The requested URL /~anna was not found on this server", when user "anna" does not exist on your UNIX system.
Because a nonexistent account yields 404 while an existing one yields 200 or 403, the result code alone reveals whether the account exists.
Workaround:
1) Disable this feature by changing "UserDir public_html" (or whatever) to "UserDir disabled".
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
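Detection:
The result codes listed under "Example" can also be used to spot enumeration in existing access logs. The script below is an added example, not part of the original advisory; it assumes Apache common/combined log format, and the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD|POST) /~(?P<user>[^/\s?]+)[^"]*" (?P<status>\d{3}) '
)

def find_userdir_probes(lines, min_names=5):
    """Return {client: {"exists": set, "missing": set}} for every client that
    requested at least min_names distinct /~name paths (threshold is an assumption)."""
    seen = defaultdict(lambda: {"exists": set(), "missing": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a /~user request, or not in the expected format
        status = m.group("status")
        # Per the advisory: 200 and 403 both confirm the account, 404 denies it.
        if status in ("200", "403"):
            seen[m.group("client")]["exists"].add(m.group("user"))
        elif status == "404":
            seen[m.group("client")]["missing"].add(m.group("user"))
    return {
        client: names
        for client, names in seen.items()
        if len(names["exists"] | names["missing"]) >= min_names
    }

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /~root HTTP/1.0" 403 289',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /~admin HTTP/1.0" 404 278',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /~anna HTTP/1.0" 200 1532',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /~bob HTTP/1.0" 404 276',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /~test HTTP/1.0" 404 277',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /~oracle HTTP/1.0" 403 291',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /~anna/ HTTP/1.1" 200 1532',
    '198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "GET /~anna/photo.png HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Jan/2024:10:05:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, names in find_userdir_probes(SAMPLE_LOG).items():
        print(client, "confirmed:", sorted(names["exists"]),
              "ruled out:", sorted(names["missing"]))
```

The "confirmed" set is the list of account names the client has learned, which is the set to review after such a sweep. An ordinary visitor browsing one user's pages stays below the threshold.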