>Number: 3071 >Category: other >Synopsis: Default 404 Errors give COMPLETE Unix pathnames of where the >root HTTPD directory is located. >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Sep 24 21:10:00 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.2 >Environment: Slackware Linux Kernel 2.0.35 compiler egcs >Description: If you go to any Apache site running 1.3.2 whose administrator hasn't changed the default 404 reply, you will get the full pathname of where Apache is installed. This could be a security hazard.
For example, here's a sample 404 reply of trying to go to the below URL which has a random directory name appended on to it. Not Found File does not exist: /usr/local/apache/htdocs/fodkfokdf >How-To-Repeat: http://dsm.surf-ici.com/fodkfokdf http://dsm.surf-ici.com/s89349.html http://dsm.surf-ici.com/(any random old non-existant thing) >Fix: Just go back to the way it used to be so the user would only see the not-found directory in relation to the htdocs directory, not in relation to the whole unix filesystem. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
