| VID | 22145 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The /doc directory in the Web server is browsable. The Debian GNU/Linux 2.1 apache package by default allows anyone to view /usr/doc via the web, remotely. This is because srm.conf is preconfigured with the line:
Alias /doc/ /usr/doc/
This could allow a remote attacker to view the documentation files on the system, which may reveal information about the versions of software packages installed on the computer.
* Platforms Affected: Apache HTTP Server (any version), Debian Linux (any version)
* References: http://online.securityfocus.com/bid/318, http://www.iss.net/security_center/static/2084.php
| Recommendation |
Restrict access to the /doc directory on the Web server by modifying the Apache configuration file (/etc/apache/access.conf):
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
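To confirm the recommendation is in place, the following added example (not part of the original advisory) scans Apache configuration text for an Alias that maps onto /usr/doc and reports it unless a matching Directory block denies access. The `audit` and `norm` helpers and both sample configurations are constructed for illustration, and the check is a line-based heuristic rather than a full Apache parser.

```python
import re

# Constructed sample configurations (not taken from a real host).
VULNERABLE = """\
# srm.conf
Alias /icons/ /usr/share/apache/icons/
Alias /doc/ /usr/doc/
"""

HARDENED = VULNERABLE + """\
# access.conf
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
"""

def norm(path):
    """Strip quotes and trailing slashes so /usr/doc/ compares equal to /usr/doc."""
    return path.strip('"').rstrip("/") or "/"

def audit(conf, target="/usr/doc"):
    """Return URL prefixes aliased to `target` that no deny-all <Directory> block covers."""
    aliases, seen, block = [], set(), None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"(?i)<Directory\s+(.+?)\s*>$", line)
        if opening:
            block = norm(opening.group(1))
        elif re.match(r"(?i)</Directory\s*>$", line):
            block = None
        elif block == target and re.match(r"(?i)(deny|allow)\s+from\s+all$", line):
            seen.add(line.split()[0].lower())  # records "deny" or "allow"
        else:
            alias = re.match(r"(?i)Alias\s+(\S+)\s+(\S+)$", line)
            if alias and norm(alias.group(2)) == target:
                aliases.append(alias.group(1))
    # Restricted only if "deny from all" is present and not undone by "allow from all".
    restricted = "deny" in seen and "allow" not in seen
    return [] if restricted else aliases

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "->", audit(conf) or "no exposed alias")
```
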
| Related URL | CVE-1999-0678 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |