Ticket #1587 (closed defect: fixed)

Opened 2 months ago

Last modified 2 months ago

[security] when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Reported by: julien.cayzac@gmail.com Assigned to: jan
Priority: high Milestone: 1.5.0
Component: mod_userdir Version: 1.4.18
Severity: critical Keywords:
Cc: Blocking:
Need Feedback: 0

Description

I've just discovered that you could download my /etc/passwd file by simply pointing your browser to http://myserver/tld/~nobody/etc/passwd (thanks to Nessus).

After some research, I've found the culprit to be mod_userdir, which I had left there while I had removed all its configuration variables from my conf.

Loading this module with its default values should not compromise the server security. IMHO, the default value for userdir.path should not be "." unless the webmaster sets so, but the standard "public_html".

Attachments

Change History

03/10/2008 10:40:34 AM changed by julien.cayzac@gmail.com

03/10/2008 11:16:02 AM changed by stbuehler

I think the main problem here is that mod_userdir is always enabled; you can disable it with

userdir.include-user = ( "" )

mod_userdir will still redirect "/~something" to "/~something/" (empty user is not allowed by mod_userdir in any case, so /~/ is not affected by the include-user "").

The next problem is users with "/" as homedir - I don't know why, but on a Debian system there is no user with "/" as homedir; nobody has "/nonexistent".

Of course, your idea would fix most things, but I am just searching for a "cleaner" solution ;-)

03/10/2008 11:48:33 AM changed by stbuehler

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in [2120].

We now require userdir.path to be set to enable mod_userdir; you can have the old behaviour with

userdir.path = ""

03/10/2008 02:27:53 PM changed by rbu

You should also edit userdir.txt to reflect that change, it still mentions "." as the default value for path.

03/13/2008 03:38:34 PM changed by stbuehler

Yes, sorry, forgot that; so the doc is missing in 1.4.19, but now in svn [2130].
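
Added example, not lighttpd code and not part of the ticket: a Python audit helper that reads a lighttpd config and a passwd file and reports which accounts would make /~user/ resolve to the filesystem root, under both the pre-fix default (".") and the fixed behaviour (unset userdir.path disables the module). The sample inputs are constructed, the function names are hypothetical, the "home directory + userdir.path" mapping is a simplified model of the behaviour described in this ticket, and userdir.include-user / exclude-user are not modelled.

```python
import posixpath
import re

# Constructed sample inputs for illustration (not taken from the ticket).
SAMPLE_CONF = '''
server.modules = ( "mod_access", "mod_userdir" )
# userdir.path = "public_html"
'''
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/sh
"""

def userdir_state(conf):
    """Return (module_loaded, userdir.path value or None when unset)."""
    # Simplification: every '#' starts a comment, even inside a string.
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    lists = re.findall(r"server\.modules\s*\+?=\s*\((.*?)\)", conf, re.S)
    loaded = any('"mod_userdir"' in body for body in lists)
    m = re.search(r'userdir\.path\s*=\s*"([^"]*)"', conf)
    return loaded, (m.group(1) if m else None)

def accounts_serving_root(passwd, path):
    """Accounts whose /~user/ directory (home + path) resolves to '/'."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            served = posixpath.normpath(posixpath.join(fields[5], path))
            if served == "/":
                hits.append(fields[0])
    return hits

def audit(conf, passwd, requires_path):
    """requires_path=False models the pre-fix default of "." from the ticket;
    True models the fix, where an unset userdir.path disables the module."""
    loaded, path = userdir_state(conf)
    if loaded and path is None and not requires_path:
        path = "."
    if not loaded or path is None:
        return {"active": False, "path": None, "root_exposed_by": []}
    return {"active": True, "path": path,
            "root_exposed_by": accounts_serving_root(passwd, path)}

if __name__ == "__main__":
    print("pre-fix:", audit(SAMPLE_CONF, SAMPLE_PASSWD, requires_path=False))
    print("fixed  :", audit(SAMPLE_CONF, SAMPLE_PASSWD, requires_path=True))
```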

