Posted to users@httpd.apache.org by Mathew Thomas <ma...@rmit.edu.au> on 2002/11/11 23:50:17 UTC

[users@httpd] Apache 2 .x Security problem

Dear all,

I have a strange problem with my apache server running Apache-2.0.39 running on Ultra SPARC with Solaris 8. I configured it with basic configuration. I am also using php-4.2.2 with the apache and PHP uses MySQL. The problem is if someone types a URL like the following in their browser, it displays world readable system files. For example

http://FQDN-of-the-machine/~non-existent-user/etc/passwd

The above will display the password file on the user's browser.
If the user exists, http://FQDN-of-the-machine/~existent-user/etc/passwd

will display error message "Object Not Found".

http://FQDN-of-the-machine/~existent-user is showing their home page without any problems.

How can I fix it? Thanks in advance for the help.

Regards
Mathew




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2 .x Security problem

Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 12 Nov 2002, Mathew Thomas wrote:

> Dear all,
>
> I have a strange problem with my apache server running Apache-2.0.39 running on Ultra SPARC with Solaris 8. I configured it with basic configuration. I am also using php-4.2.2 with the apache and PHP uses MySQL. The problem is if someone types a URL like the following in their browser, it displays world readable system files. For example

This is an old version of Apache; you should upgrade.

>
> http://FQDN-of-the-machine/~non-existent-user/etc/passwd
>
> The above will display the password file on the user's browser.
> If the user exists, http://FQDN-of-the-machine/~existent-user/etc/passwd
>
> will display error message "Object Not Found".
>
> http://FQDN-of-the-machine/~existent-user is showing their home page without any problems.
>
> How can I fix it? Thanks in advance for the help.

I have seen this reported a few times elsewhere.
See:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386
(Don't reopen that bug unless you can recreate the problem in the latest
version of Apache.)

I would suspect some borked solaris libraries or something of the sort.

Joshua.
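
An added example, not part of the original thread: one way to check an access log for the symptom reported above, a `/~name/...` request answered with 200 where `name` is not a local account. It assumes Common Log Format; the function name, sample log lines and user set are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# /~name followed by an optional sub-path (query string excluded)
USERDIR = re.compile(r'^/~([^/?]+)(/[^?]*)?')


def suspicious_userdir_hits(log_lines, local_users):
    """Return (client, user, subpath) for every /~user/... request that got
    a 200 although `user` is not in `local_users`."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, skip it
        client, _method, raw_path, status = m.groups()
        # Decode %7E and similar so an encoded "~" is not missed.
        u = USERDIR.match(unquote(raw_path))
        if not u or status != "200":
            continue
        user, subpath = u.group(1), u.group(2) or "/"
        if user not in local_users:
            hits.append((client, user, subpath))
    return hits


# Constructed sample data (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Nov/2002:23:40:01 +1100] "GET /~alice/ HTTP/1.1" 200 1532',
    '192.0.2.10 - - [11/Nov/2002:23:41:12 +1100] "GET /~alice/etc/passwd HTTP/1.1" 404 289',
    '192.0.2.77 - - [11/Nov/2002:23:42:30 +1100] "GET /~nosuchuser/etc/passwd HTTP/1.1" 200 912',
    '192.0.2.77 - - [11/Nov/2002:23:43:02 +1100] "GET /index.html HTTP/1.1" 200 4410',
]
SAMPLE_USERS = {"root", "alice"}

if __name__ == "__main__":
    # On a real host the account set could come from the pwd module:
    #   {p.pw_name for p in pwd.getpwall()}
    for client, user, subpath in suspicious_userdir_hits(SAMPLE_LOG, SAMPLE_USERS):
        print(f"{client} got 200 for ~{user} (no such account): {subpath}")
```

Any hit means the server returned content for a user directory that cannot exist, which is the behaviour described in the first message.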

