| VID | 22147 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Apache web server has a directory listing vulnerability through WebDAV. WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP which allows users to create, edit and share documents using the HTTP protocol. A particular request method, PROPFIND, allows users to retrieve resource properties such as displayname, date last modified, and others. The Apache web server as installed by SuSE 6.4 has WebDAV enabled for the entire file structure of the server. By issuing a specific, properly structured request to the Apache web server, it is possible to obtain information which is equivalent to a directory listing.
* Platforms Affected: Apache HTTP Server (any version), SuSE Linux (any version)
* References: http://online.securityfocus.com/bid/1656 , http://www.iss.net/security_center/static/5204.php |
| Recommendation |
Disable the WebDAV module (or restrict it to specific directories). To do this:
1. Add the following entries in httpd.conf for each directory you want open to WebDAV, so that DAV is enabled only there:
    <Directory /webdav/directory/goes/here>
        # add other directives as needed, such as Order allow,deny
        <IfDefine DAV>
            DAV On
        </IfDefine>
    </Directory>
Stop and restart Apache.
2. To completely disable WebDAV, find the following entries in httpd.conf:
    <IfDefine DAV>
        DAV On
    </IfDefine>
and change "On" to "Off". By default, "/usr/local/httpd/htdocs" is the only directory with the IfDefine DAV directive; any other directories carrying this directive will also need to be changed.
Stop and restart Apache.
3. To start Apache without the WebDAV module, edit /etc/rc.d/rc3.d/S20apache and comment out ("#") the following line:
    test -e /usr/lib/apache/libdav.so && MODULES="-D DAV $MODULES"
The next time Apache is started, this module will not be included.
-- OR --
For SuSE Linux: Upgrade to the latest version of Apache, as listed in SuSE Security Announcement, http://online.securityfocus.com/advisories/2609 |
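The following httpd.conf fragments are an added illustration, not text from the advisory or from SuSE's shipped configuration. They put the weak layout the advisory describes (DAV switched on for the whole document tree) beside a restricted one in which DAV is off by default and enabled only for a single authoring directory whose non-read methods, PROPFIND included, require authentication from a trusted network. The authoring directory path, the password file path and the network range are placeholders; the directives themselves (DAV, Directory, IfDefine, LimitExcept, Auth*, Require, Order/Deny/Allow) are standard Apache 1.3 directives.

```apache
# Added example, not part of the advisory. Paths, the trusted network
# range and the password file name are placeholders.

# --- Weak layout (what the advisory describes on SuSE 6.4):
#     DAV is on for the entire served tree, so an anonymous PROPFIND
#     against any path returns resource properties, i.e. a listing.
<Directory /usr/local/httpd/htdocs>
    <IfDefine DAV>
        DAV On
    </IfDefine>
</Directory>

# --- Restricted layout: DAV off everywhere by default ...
<Directory />
    <IfDefine DAV>
        DAV Off
    </IfDefine>
</Directory>

# ... and on only for one dedicated authoring directory (placeholder path).
<Directory /usr/local/httpd/htdocs/authoring>
    <IfDefine DAV>
        DAV On
        # Everything except plain reads (GET/HEAD/OPTIONS) must come from
        # the trusted range AND present valid credentials. PROPFIND is
        # covered by this block, so property queries are never anonymous.
        <LimitExcept GET HEAD OPTIONS>
            Order deny,allow
            Deny from all
            Allow from 10.0.0.0/255.0.0.0        # placeholder trusted range
            AuthType Basic
            AuthName "WebDAV authoring"
            AuthUserFile /etc/httpd/dav.passwd    # placeholder path
            Require valid-user
        </LimitExcept>
    </IfDefine>
</Directory>
```

After editing, stop and restart Apache as in the steps above. With this layout mod_dav only handles DAV methods inside the authoring directory, so the server-wide listing described in the advisory is no longer reachable, and even inside that directory a PROPFIND from outside the trusted range or without credentials is refused. Keeping both the network restriction and the authentication requirement is deliberate: either control alone can be bypassed by a mistake in the other.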
| Related URL | CVE-2000-0869 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |