Bug#1057064: apache2: link in default index.html should be HTTPS

2023-11-29 Thread Manfred Hampl
Minor correction to the original text of the bug report:
Please read "Debian" instead of "Ubuntu": e.g.  "By default, Debian does not 
allow access through the web browser ..."

The issue was identified on Ubuntu, and further research showed that Debian 
exhibits completely the same.
This bug report for Debian was based on the text for a bug report in Ubuntu and 
has not correctly been updated before issuing it.


Bug#1057064: apache2: link in default index.html should be HTTPS

2023-11-28 Thread Chris Murray
Package: apache2
Version: 2.4.57-2
Severity: minor
X-Debbugs-Cc: chris.f.mur...@hotmail.co.uk

Dear Maintainer,

When running the Hardenize (https://www.hardenize.com) tool against my web 
server, it picked up that on the default Apache2 web page (located at 
/var/www/html/index.html) has an insecure link. Upon further investigation, 
it's the "Document Roots" section, where it says "By default, Ubuntu does not 
allow access through the web browser to any file outside of those located in 
/var/www, public_html directories (when enabled) and /usr/share (for web 
applications)."; public_html is a link to the apache docs page for mod_userdir 
(https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served 
as a http:// link. IMO this should be updated to be https.

To reproduce

* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s):///index.html
* hover over the link on public_html & observe it begins with http://

All the best,

Chris 8-)

-- Package-specific info:

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin                2.4.57-2
ii  apache2-data               2.4.57-2
ii  apache2-utils              2.4.57-2
ii  init-system-helpers        1.65.2
ii  media-types                10.0.0
ii  perl                       5.36.0-7
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]  0.5.3+git20230121-2

Versions of packages apache2-bin depends on:
ii  libapr1  1.7.2-3
ii  libaprutil1  1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap 1.6.3-1
ii  libbrotli1   1.0.9-2+b6
ii  libc6                    2.36-9+deb12u3
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u4
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1
ii  libpcre2-8-0 10.42-1
ii  libssl3  3.0.11-1~deb12u2
ii  libxml2  2.9.14+dfsg-1.3~deb12u1
ii  perl 5.36.0-7
ii  zlib1g   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]  0.5.3+git20230121-2

Versions of packages apache2 is related to:
ii  apache2  2.4.57-2
ii  apache2-bin  2.4.57-2

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed
/etc/apache2/mods-available/dir.conf changed
/etc/apache2/sites-available/000-default.conf changed
/etc/apache2/sites-available/000-default-ssl.conf changed

-- no debconf information

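The report above was produced by an external scanner (Hardenize) flagging a plain http:// link in the served default page. The following is an added example, not part of the bug report or of the apache2 package, of how an administrator could run the same kind of check locally against an HTML file such as /var/www/html/index.html: it parses the document, lists every followed or fetched URL whose scheme is http, and shows the https equivalent. The sample HTML embedded below is constructed to resemble the "Document Roots" paragraph the reporter quotes; the function and class names are this example's own.

```python
"""Find plain-http:// links in a served HTML page (the class of finding Hardenize raised)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample resembling the "Document Roots" paragraph of the Debian
# default page; the mod_userdir href is the one the bug report flags.
SAMPLE_HTML = """
<p>By default, Debian does not allow access through the web browser to any file
outside of those located in /var/www,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>
directories (when enabled) and /usr/share (for web applications).</p>
<a href="https://www.debian.org/">Debian</a>
<a href="/manual">local manual</a>
<img src="http://example.invalid/logo.png">
"""

# Element/attribute pairs whose URL a browser will navigate to or fetch.
URL_ATTRS = {
    "a": "href", "link": "href", "img": "src",
    "script": "src", "iframe": "src", "form": "action",
}


class InsecureLinkFinder(HTMLParser):
    """Collects (tag, attribute, url) for every URL with an explicit http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Relative URLs (scheme "") inherit the page's scheme and are not flagged.
            if name == attr and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, attr, value))


def find_insecure_links(html):
    """Return the list of (tag, attribute, url) findings for one HTML document."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def to_https(url):
    """Rewrite the scheme of an http URL to https; leave any other URL unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def rewrite_insecure_links(html):
    """Return the document with every flagged URL rewritten to its https form."""
    for _tag, _attr, url in find_insecure_links(html):
        html = html.replace(url, to_https(url))
    return html


if __name__ == "__main__":
    for tag, attr, url in find_insecure_links(SAMPLE_HTML):
        print(f"<{tag} {attr}> uses plain HTTP: {url} -> {to_https(url)}")
```

To run it against the real file, read /var/www/html/index.html into a string and pass it to find_insecure_links. The rewrite helper only changes the scheme; before applying it to a page, confirm that each target host actually serves the resource over HTTPS (the httpd.apache.org documentation does, which is why the reporter's request is safe), since blindly rewriting a link to a host with no TLS endpoint turns a downgrade risk into a broken link.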