You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/08/02 00:02:02 UTC
DO NOT REPLY [Bug 11386] New: -
UserDir maps to root directory for nonexistant users
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386
UserDir maps to root directory for nonexistant users
Summary: UserDir maps to root directory for nonexistant users
Product: Apache httpd-2.0
Version: 2.0.39
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: Normal
Priority: Other
Component: mod_userdir
AssignedTo: bugs@httpd.apache.org
ReportedBy: lovan@lifesci.ucsb.edu
- Assume UserDir is enabled and configured to point into users' "public_html"
directories.
- Browser requests URL "http://server.domain.com/~user" where user does not
exist on the system. Rather than returning an error, the server attempts to
provide an index for the system's root directory. Worse, if the URL is:
http://server.domain.com/~user/etc/passwd
then the server attempts to deliver that page.
> [Thu Aug 01 14:47:07 2002] [error] [client xxx.xxx.xx.xx] client denied by
> server configuration: /
> [Thu Aug 01 14:55:54 2002] [error] [client xxx.xxx.xx.xx] client denied by
> server configuration: /etc/passwd
I don't think this is a security issue since properly configuring the Directory
settings will prevent the server distributing the files. However, this doesn't
seem to be the proper behaviour. I have not verified this behaviour on systems
other than Solaris 2.7.
-Shea
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org