DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386

UserDir maps to root directory for nonexistent users

Summary: UserDir maps to root directory for nonexistent users
Product: Apache httpd-2.0
Version: 2.0.39
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: Normal
Priority: Other
Component: mod_userdir
AssignedTo: bugs@httpd.apache.org
ReportedBy: [EMAIL PROTECTED]

- Assume UserDir is enabled and configured to point into users' "public_html" directories.
- Browser requests URL "http://server.domain.com/~user" where user does not exist on the system.

Rather than returning an error, the server attempts to provide an index for the system's root directory. Worse, if the URL is:

http://server.domain.com/~user/etc/passwd

then the server attempts to deliver that page.

> [Thu Aug 01 14:47:07 2002] [error] [client xxx.xxx.xx.xx] client denied by server configuration: /
> [Thu Aug 01 14:55:54 2002] [error] [client xxx.xxx.xx.xx] client denied by server configuration: /etc/passwd

I don't think this is a security issue since properly configuring the Directory settings will prevent the server distributing the files. However, this doesn't seem to be the proper behaviour.

I have not verified this behaviour on systems other than Solaris 2.7.

-Shea
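An added example, not part of the original report or of Apache httpd: a log check that flags "client denied by server configuration" entries whose target path lies outside the trees the server is meant to serve, which is how the mapping described above shows up in the error log. The serving roots are assumed values; the first two sample lines are the ones quoted in the report and the other two are constructed.

```python
import re
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Assumed serving roots (hypothetical): DocumentRoot plus the UserDir layout.
SERVING_ROOTS = ["/usr/local/apache2/htdocs", "/home/*/public_html"]

# Matches the error-log line format quoted in the report.
DENIED = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>/.*)$"
)

def under_serving_root(path, roots=SERVING_ROOTS):
    """True if path equals or lies beneath a root; '*' matches one component."""
    parts = PurePosixPath(path).parts
    if ".." in parts:  # unresolved traversal: never treat as inside a root
        return False
    for root in roots:
        rparts = PurePosixPath(root).parts
        if len(parts) >= len(rparts) and all(
            fnmatchcase(p, r) for p, r in zip(parts, rparts)
        ):
            return True
    return False

def outside_root_denials(log_lines, roots=SERVING_ROOTS):
    """Return (timestamp, client, path) for denials outside every serving root."""
    hits = []
    for line in log_lines:
        m = DENIED.match(line.strip())
        if m and not under_serving_root(m["path"], roots):
            hits.append((m["when"], m["client"], m["path"]))
    return hits

SAMPLE_LOG = [
    # The two lines quoted in the report:
    "[Thu Aug 01 14:47:07 2002] [error] [client xxx.xxx.xx.xx] client denied by server configuration: /",
    "[Thu Aug 01 14:55:54 2002] [error] [client xxx.xxx.xx.xx] client denied by server configuration: /etc/passwd",
    # Constructed lines: a denial inside a user's tree, and an unrelated error.
    "[Thu Aug 01 15:02:11 2002] [error] [client xxx.xxx.xx.xx] client denied by server configuration: /home/alice/public_html/private",
    "[Thu Aug 01 15:03:40 2002] [error] [client xxx.xxx.xx.xx] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
]

if __name__ == "__main__":
    for when, client, path in outside_root_denials(SAMPLE_LOG):
        print(f"{when}  {client}  mapped outside serving roots: {path}")
```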