Posted to dev@ws.apache.org by Toshiyuki Kimura <to...@apache.org> on 2003/09/04 06:31:45 UTC

[Proposal] Security related comments for ws.apache.org(resend)

Dear root, and pmc@ws:

  If an apache id has a 'public_html' directory under his home,
all Internet users can access the web contents stored in that
sub-folder by just typing -
"http://ws.apache.org/~$username".
  In addition, if the sub-folder doesn't have an 'index.html',
the existing files are listed for the web client. (i.e. Our
web server allows directory browsing by default.)
I know that directory browsing is useful for providing
a distribution site.  However, sometimes it sets up
various security problems.

  I've tested our site with the attached perl script.
The following users don't have 'index.html'; moreover, they
store some executable files in their own 'public_html'.
So, in fact, everyone can view their scripts or programs
via http access.

NOTE: The result of the script (not verified manually).

  DANGER:  *** [ask         ] has executable contents... ***
  DANGER:  *** [brianp      ] has executable contents... ***
  DANGER:  *** [dirkx       ] has executable contents... ***
  DANGER:  *** [jwoolley    ] has executable contents... ***
  DANGER:  *** [leosimons   ] has executable contents... ***
  DANGER:  *** [martin      ] has executable contents... ***
  DANGER:  *** [nd          ] has executable contents... ***
  DANGER:  *** [proyal      ] has executable contents... ***
  DANGER:  *** [rubys       ] has executable contents... ***
  DANGER:  *** [stas        ] has executable contents... ***
  DANGER:  *** [trawick     ] has executable contents... ***
  DANGER:  *** [wrowe       ] has executable contents... ***

  I'd like to recommend that you make an announcement regarding
the above issues as a reminder, once again.

Regards,

  Toshi <to...@apache.org>
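The fix for what Toshi describes is a server-side configuration change rather than a per-user reminder. The following is an added example, not part of the original mail or of the ws.apache.org configuration: the permissive mod_userdir/mod_autoindex setup that produces browsable ~user directories, beside a hardened form. The /home/*/public_html path, the extension list and the Apache 2.4 `Require` syntax are assumptions.

```apache
# --- Weak (assumed): matches the behaviour reported in the mail ---
# Every ~user directory is listed when it has no index.html, and scripts
# dropped into public_html are served as files (or run, with ExecCGI).
UserDir public_html
<Directory "/home/*/public_html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>

# --- Hardened (assumed) ---
UserDir public_html
# Never expose the superuser's home, even if it gains a public_html.
UserDir disabled root
<Directory "/home/*/public_html">
    # -Indexes: a directory without index.html now answers 403 instead
    # of listing its contents.  -ExecCGI: nothing in public_html runs on
    # the server.  SymLinksIfOwnerMatch: a user cannot link out of his
    # own tree to expose files owned by someone else.
    Options -Indexes -ExecCGI +SymLinksIfOwnerMatch
    # Users cannot re-enable listings or handlers via .htaccess.
    AllowOverride None
    # Refuse to serve script sources at all; extension list is assumed.
    <FilesMatch "\.(pl|cgi|sh|py|php)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading httpd, a request for http://host/~user/ on a directory without index.html should return 403, and a request for a .pl file under it should also return 403; a distribution directory that genuinely needs a listing can re-enable it with a narrower `<Directory>` block for that one path.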