Package: apache2
Version: 2.4.57-2
Severity: minor
X-Debbugs-Cc: chris.f.mur...@hotmail.co.uk
Dear Maintainer,
When running the Hardenize (https://www.hardenize.com) tool against my web
server, it picked up that the default Apache2 web page (located at
/var/www/html/index.html) has an insecure link. Upon further investigation,
it's the "Document Roots" section, where it says "By default, Ubuntu does not
allow access through the web browser to any file outside of those located in
/var/www, public_html directories (when enabled) and /usr/share (for web
applications)."; public_html is a link to the apache docs page for mod_userdir
(https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served
as a http:// link. IMO this should be updated to be https.
To reproduce
* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s):///index.html
* hover over the link on public_html & observe it begins with http://
All the best,
Chris 8-)
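A small checker for the issue the report describes, added here as an illustration and not part of the bug report or the apache2 package: it walks an HTML document and lists every link or resource reference whose scheme is plain http://. The sample page embedded below is constructed to mimic the relevant "Document Roots" sentence; the path it scans when run directly is the default index.html named in the report.

```python
"""Find plain-http links in an HTML page (added example, not from the report).

Run with no arguments to scan /var/www/html/index.html, or pass a path.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that carries a URL the browser will follow or fetch.
URL_ATTRS = {"a": "href", "link": "href", "script": "src",
             "img": "src", "iframe": "src", "form": "action"}


class InsecureLinkFinder(HTMLParser):
    """Collects (tag, url) pairs whose URL uses the http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # urlsplit lowercases the scheme, so HTTP:// is caught as well;
            # relative and protocol-relative URLs have no scheme and are skipped.
            if name == attr and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, value))


def find_insecure_links(html):
    """Return a list of (tag, url) for every plain-http reference in html."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample resembling the "Document Roots" paragraph of the default page.
SAMPLE_PAGE = """<!DOCTYPE html><html><body>
<div class="section_header">Document Roots</div>
<p>By default, Ubuntu does not allow access through the web browser to any file
outside of those located in <tt>/var/www</tt>,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>
directories (when enabled) and <tt>/usr/share</tt> (for web applications).</p>
<p>See the <a href="https://httpd.apache.org/docs/2.4/">online docs</a> or the
<a href="/manual">local manual</a>.</p></body></html>"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/index.html"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for tag, url in find_insecure_links(fh.read()):
            print(f"{path}: <{tag}> references {url}")
```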
-- Package-specific info:
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.57-2
ii apache2-data 2.4.57-2
ii apache2-utils 2.4.57-2
ii init-system-helpers 1.65.2
ii media-types 10.0.0
ii perl 5.36.0-7
ii procps 2:4.0.2-3
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages apache2 recommends:
ii ssl-cert 1.1.2
Versions of packages apache2 suggests:
pn apache2-doc
pn apache2-suexec-pristine | apache2-suexec-custom
ii w3m [www-browser] 0.5.3+git20230121-2
Versions of packages apache2-bin depends on:
ii libapr1 1.7.2-3
ii libaprutil1 1.6.3-1
ii libaprutil1-dbd-sqlite3 1.6.3-1
ii libaprutil1-ldap 1.6.3-1
ii libbrotli1 1.0.9-2+b6
ii libc6 2.36-9+deb12u3
ii libcrypt1 1:4.4.33-2
ii libcurl4 7.88.1-10+deb12u4
ii libjansson4 2.14-2
ii libldap-2.5-0 2.5.13+dfsg-5
ii liblua5.3-0 5.3.6-2
ii libnghttp2-14 1.52.0-1
ii libpcre2-8-0 10.42-1
ii libssl3 3.0.11-1~deb12u2
ii libxml2 2.9.14+dfsg-1.3~deb12u1
ii perl 5.36.0-7
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc
pn apache2-suexec-pristine | apache2-suexec-custom
ii w3m [www-browser] 0.5.3+git20230121-2
Versions of packages apache2 is related to:
ii apache2 2.4.57-2
ii apache2-bin 2.4.57-2
-- Configuration Files:
/etc/apache2/conf-available/security.conf changed
/etc/apache2/mods-available/dir.conf changed
/etc/apache2/sites-available/000-default.conf changed
/etc/apache2/sites-available/000-default-ssl.conf changed
-- no debconf information