McAfee says:
The remote Apache server can be used to guess the presence of a given user name on the remote host.
An information leak occurs, due to a configuration error, on Apache-based web servers whenever the UserDir module is enabled. Requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user's home. Installations with this default misconfiguration allow remote users to determine whether a given username exists on the remote system.
The following example is a proof of concept:
http://www.example.com/~foo
1. If user 'foo' exists, the HTTP result code will be 200, and foo's homepage will load in the browser.
2. If user 'foo' exists, but access is restricted, the HTTP result code will be 403, with the following message from Apache: "You don't have permission to access /~foo on this server."
3. If 'foo' does not exist, the HTTP result code will be 404, with the following message from Apache: "The requested URL /~foo was not found on this server".
Properly exploited, this information could be used to initiate specific attacks against a given system.
1) Disable this feature by changing 'UserDir public_html' to 'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ [my-target-webserver.somewhere.org...]
Or
3) Add into httpd.conf:
ErrorDocument 404 [servername.com...]
ErrorDocument 403 [servername.com...]
NOTE: You need to use a FQDN inside the URL for it to work properly.
My concern is that I won't be able to set up temporary sites. For example, I set up a temporary site at #*$!.#*$!.#*$!.xx/~username so I can work on a new version of a client's site before I point the nameservers to the correct IP address. Reading the userdir docs, it sounds like if I disable userdir, then you cannot access temporary sites. Is that true or am I misreading it? If it is true, how can I comply with PCI and still access temporary sites?
thanks
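As an added example (not part of the McAfee text or of this thread), here is how the default UserDir setting and the three suggested fixes look side by side in httpd.conf, plus the UserDir form that keeps a preview site reachable for named accounts only. The www.example.com hostnames, the "devuser" account and the 192.0.2.0/24 address range are placeholders, and the Require line assumes Apache 2.4 syntax.

```apache
# Added example, not from the advisory or the thread. Hostnames, the
# "devuser" account and the 192.0.2.0/24 range are placeholders.

# --- Before: the default mod_userdir setting that allows enumeration ---
# With only this line, /~name answers 200, 403 or 404 depending on whether
# the account exists, so the status code reveals valid usernames.
# UserDir public_html

# --- Fix 1: UserDir disabled, except for explicitly named accounts ---
# Requests for any disabled user fall through to the DocumentRoot and get
# the same 404 whether or not the account exists in the password file, so
# only the accounts you list here are ever confirmed to a client.
UserDir disabled
UserDir enabled devuser
UserDir public_html

<Directory "/home/*/public_html">
    # Limit the preview site to the developer's own address range
    # (Apache 2.4 mod_authz_core syntax).
    Require ip 192.0.2.0/24
    Options -Indexes
    AllowOverride None
</Directory>

# --- Fix 2 (alternative): redirect every /~name request elsewhere ---
# The pattern matches the URL path, not an account, so existing and
# non-existing names receive the same redirect.
# RedirectMatch ^/~(.*)$ https://www.example.com/

# --- Fix 3 (alternative): make the 403 and 404 responses identical ---
# An absolute URL with a FQDN makes Apache answer with a redirect to the
# error page instead of the real 403 or 404, so both cases look alike.
# ErrorDocument 404 https://www.example.com/error.html
# ErrorDocument 403 https://www.example.com/error.html
```

With Fix 1 the temporary site at ipaddress/~devuser keeps working for the listed account while every other /~name returns a uniform 404; the Directory block is what the 403 case in the advisory refers to, so restrict it by source address only for accounts you have deliberately enabled. Run apachectl configtest before reloading, then request /~devuser and a made-up /~name from outside the allowed range and confirm that only the enabled account is distinguishable.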
If I can't point the nameservers to my temporary site yet, then I can only access by ipaddress/~user. Or are you saying I can access by ipaddress/subdomain? This is a shared ip address so I am confused at how that works.
example.com is a live site on another server
xx.xx.xx.xx/~user is a temporary site I have set up to develop a new site. When I go live, I will point the nameservers here.
Does disabling userdir affect my access to the temporary site? If so, then if I understand you correctly, I can set up a subdomain on the temporary site and build a site there. But before I go live, I have to transfer all code to the main site. But there would be no way to test the transfer out before I point the nameservers there, right?
Where do I find out if userdir is disabled?
If you use the distribution from httpd.apache.org, the line "Include .....extra/httpd-userdir.conf", which includes the config file that activates userdir, is commented out.
If I can't point the nameservers to my temporary site yet, then I can only access by ipaddress/~user.
Or you take the example.com example literally and register a domain name for your testing purposes.
But there would be no way to test the transfer out before I point the nameservers there right?