On Wed, 24 Dec 2003, Paul D. Robertson wrote:

> Hi,
>
> I can't reach the Documentation Project Tutorial site suggested as the best
> place to start, since it doesn't like the fact that my proxy strips
> user-agent headers- so I hope I'm not jumping out of line here...
No. Not at all. Thanks for the comments, and sorry that they seem to have
been ignored thus far.

> It's been known for quite some time that the default configuration with
> UserDir enabled lets people scan for user-ids because a valid ID returns a
> 403 if there's no public_html, while an invalid one returns a 404- it's been
> years since it was seriously discussed, however a new "script kiddie
> friendly" tool is out now which exploits that in conjunction with FTP and
> same ID/password combos to compromise servers.
>
> IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
> will return a 404- so an attacker can enumerate users on a server by running
> a dictionary word list through, and ignoring any hits that 404.
>
> Given that, I'd like to see a section added to "Security Tips" about
> UserDir, along the lines of:
>
> ========== begin ===========
>
> If your server doesn't have users who need to have ~username directories
> accessible, you should substitute the default "UserDir public_html"
> statement in the httpd configuration file with UserDir disabled.
>
> If you require UserDir to be enabled, then you might consider either using
> the ErrorDocument directive to make the 403 and 404 errors serve up the same
> custom response, or limiting which accounts can have UserDirs with something
> like:
>
>     UserDir disabled
>     UserDir enabled probertson test foo
>     UserDir public_html
>
> This will stop Apache from disclosing which user-ids exist on a system,
> which attackers may use to figure out hidden, administrative or temporary
> ids which might be exploited by other non-Apache attack vectors, such as FTP
> or SSH.
>
> ========= end ==========

Thanks. This is a good additional remark. Linking to this from the security
doc (or the other way around) might be good. I think the security doc may
already mention this.
> I can add a diff if someone can point me at an accessible document that
> tells me what original files need to be changed and in what format, or if
> someone who can easily submit the changes wants to do that, that'll work
> too. If it's not an appropriate change, I'd appreciate some feedback on
> that too.

You can see the cvs tree at http://cvs.apache.org/viewcvs.cgi/ and
instructions for getting checkouts at http://httpd.apache.org/dev/anoncvs.txt

On a related note, I'd like to discuss whether we want to have UserDir
disabled by default.

Pros) Improved default security
Cons) Increased tech support questions about enabling this feature

--
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.
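The following is an added illustration and not part of the thread or of the httpd project: a small Python model of the user-id oracle Paul describes (valid id without public_html gives 403, unknown id gives 404) and of the per-user allow-list he proposes. The account table, the word list and the `default_userdir` / `restricted_userdir` functions are constructed for this example and only reproduce the behaviour the mail describes; `probe_http` is an optional live probe for a real server and is not exercised here. One caveat on the ErrorDocument option: with a local document, Apache keeps the original 403 or 404 status line and only replaces the body, so a scanner that keys on status codes rather than page content still has the oracle; the allow-list (or disabling UserDir altogether) is what removes the difference.

```python
"""Model of the mod_userdir user-id oracle and of the allow-list fix.

Added example, not code from the thread. Account data and behaviour are
constructed to match the 403/404 behaviour described in the mail.
"""
import urllib.error
import urllib.request

# Constructed sample: accounts on a hypothetical server, mapped to whether
# ~user/public_html exists.
SYSTEM_ACCOUNTS = {
    "probertson": True,   # has a public_html directory
    "hidden": False,      # valid account, no public_html
    "test": False,
    "backupadm": False,   # the kind of "hidden/administrative" id the mail warns about
}

# Constructed attacker word list.
WORDLIST = ["admin", "backupadm", "hidden", "nobody", "probertson", "test", "www"]


def default_userdir(user):
    """Default 'UserDir public_html' as described in the thread:
    404 for an unknown id, 403 for a valid id with no public_html,
    200 when public_html exists."""
    if user not in SYSTEM_ACCOUNTS:
        return 404
    return 200 if SYSTEM_ACCOUNTS[user] else 403


def restricted_userdir(user, enabled=("probertson",)):
    """'UserDir disabled' followed by 'UserDir enabled <list>':
    any id not on the enabled list is indistinguishable from a
    non-existent one (404). Enabled ids behave as in the default."""
    if user not in enabled:
        return 404
    return default_userdir(user)


def enumerate_users(lookup, wordlist):
    """Attacker's view of the oracle: every id that does NOT answer 404
    is taken as a valid account (a 403 is the tell)."""
    return sorted(u for u in wordlist if lookup(u) != 404)


def probe_http(base_url, user, timeout=5):
    """Live probe (assumed usage, not run here): GET <base_url>/~<user>
    and return the HTTP status code. Pass functools.partial(probe_http,
    "http://host") as the lookup to enumerate_users to test a real server."""
    url = f"{base_url.rstrip('/')}/~{user}"
    req = urllib.request.Request(url, headers={"User-Agent": "userdir-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    print("default config leaks:", enumerate_users(default_userdir, WORDLIST))
    print("allow-list config leaks:", enumerate_users(restricted_userdir, WORDLIST))
```

With the default configuration the scan recovers every valid account in the word list, including the ones without a public_html; with the allow-list only the explicitly enabled id is visible, which is exactly the information the server intends to publish anyway.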