Package: apache2
Version: 2.4.57-2
Severity: minor
X-Debbugs-Cc: chris.f.mur...@hotmail.co.uk

Dear Maintainer,

When running the Hardenize (https://www.hardenize.com) tool against my web 
server, it picked up that the default Apache2 web page (located at 
/var/www/html/index.html) has an insecure link. Upon further investigation, 
it's the "Document Roots" section, where it says "By default, Ubuntu does not 
allow access through the web browser to any file outside of those located in 
/var/www, public_html directories (when enabled) and /usr/share (for web 
applications)."; public_html is a link to the apache docs page for mod_userdir 
(https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served 
as an http:// link. IMO this should be updated to be https.

To reproduce

* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s)://<your server IP or hostname>/index.html
* hover over the link on public_html & observe it begins with http://

All the best,

Chris 8-)

-- Package-specific info:

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin                2.4.57-2
ii  apache2-data               2.4.57-2
ii  apache2-utils              2.4.57-2
ii  init-system-helpers        1.65.2
ii  media-types                10.0.0
ii  perl                       5.36.0-7
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3+git20230121-2

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u3
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u4
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.11-1~deb12u2
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3+git20230121-2

Versions of packages apache2 is related to:
ii  apache2      2.4.57-2
ii  apache2-bin  2.4.57-2

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed
/etc/apache2/mods-available/dir.conf changed
/etc/apache2/sites-available/000-default.conf changed
/etc/apache2/sites-available/000-default-ssl.conf changed

-- no debconf information
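As an added example (not part of the bug report or of the apache2 package), the check below parses an HTML file such as /var/www/html/index.html and lists every href/src/action attribute that still uses a plain http:// scheme, which is the class of finding Hardenize reported. The embedded sample is a constructed snippet modelled on the "Document Roots" paragraph quoted above, not the real file.

```python
"""Find plain-http links in an HTML document (e.g. the Apache default page)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the default index.html paragraph; not the
# actual file shipped by the package.
SAMPLE_HTML = """
<html><body>
<p>By default, Ubuntu does not allow access through the web browser to any
file outside of those located in /var/www,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>
directories (when enabled) and /usr/share (for web applications).</p>
<a href="https://httpd.apache.org/docs/2.4/">secure docs link</a>
<a href="/manual">relative link</a>
<img src="http://example.invalid/logo.png">
</body></html>
"""


class InsecureLinkFinder(HTMLParser):
    """Collect every URL-bearing attribute whose scheme is plain http."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.insecure = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # urlsplit lower-cases the scheme, so HTTP:// is caught as well;
            # relative links have an empty scheme and are skipped.
            if name in self.URL_ATTRS and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, name, value))


def find_insecure_links(html):
    """Return [(tag, attr, url), ...] for every plain-http URL in the document."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.insecure


def suggest_https(url):
    """Rewrite an http:// URL to https://, the change proposed in the report."""
    return "https://" + url[len("http://"):]


if __name__ == "__main__":
    import sys
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for tag, attr, url in find_insecure_links(html):
        print(f"<{tag} {attr}> {url} -> {suggest_https(url)}")
```

Run it as `python3 check_links.py /var/www/html/index.html` to scan the installed page; with no argument it scans the constructed sample.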
