| VID |
22019 |
| Severity |
20 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
Versions of Apache webserver shipping with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration which could allow remote users to determine whether a given username exists on the vulnerable system. For examples,
http://www.example.com/~<username>
When a remote user makes a request for a possible user's default home page, the server returns one of three responses:
1. In a case where <username> is a valid user account, and has been configured with a homepage, the server responds with the user's homepage.
2. When <username> exists on the system, but has not been assigned a homepage document, the server returns the message "You don't have permission to access /~username on this server".
3. If <username> does not exist as an account on the system, the Apache server's response includes the message "The requested URL /~username was not found on this server".
Because the server responds differently in the latter two cases, a remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable host |
| Recommendation |
Workaround 1: Disable the default-enabled UserDir directive.
Workaround 2:
Substitute URL for pathname in httpd.conf:
% echo 'ErrorDocument 404 http://localhost/sample.html' >> /var/www/conf/httpd.conf
% echo 'ErrorDocument 403 http://localhost/sample.html' >> /var/www/conf/httpd.conf
% sudo apachectl restart |
| Related URL |
CVE-2001-1013 (CVE) |
| Related URL |
3335 (SecurityFocus) |
| Related URL |
7129 (ISS) |
|
