Web Servers : Apache HTTP Server UserDir Sensitive Information Disclosure

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.10766

Kategorie: Web Servers

Titel: Apache HTTP Server UserDir Sensitive Information Disclosure

Zusammenfassung: An information leak occurs on Apache HTTP Server based; web servers whenever the UserDir module is enabled. The vulnerability allows an external; attacker to enumerate existing accounts by requesting access to their home directory; and monitoring the response.

Beschreibung: Summary:
An information leak occurs on Apache HTTP Server based
web servers whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home directory
and monitoring the response.

Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~
(.*)$ http://example.com/$1

Or

3) Add into httpd.conf:

ErrorDocument 404 http://example.com/sample.html

ErrorDocument 403 http://example.com/sample.html

(NOTE: You need to use a FQDN inside the URL for it to work properly).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2001-1013
BugTraq ID: 3335
http://www.securityfocus.com/bid/3335
Bugtraq: 20010912 Is there user Anna at your host ? (Google Search)
http://www.securityfocus.com/archive/1/213667
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0083.html
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0087.html
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html
XForce ISS Database: linux-apache-username-exists(7129)
https://exchange.xforce.ibmcloud.com/vulnerabilities/7129

Copyright Copyright (C) 2001 SecuriTeam

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.10766
Kategorie:	Web Servers
Titel:	Apache HTTP Server UserDir Sensitive Information Disclosure
Zusammenfassung:	An information leak occurs on Apache HTTP Server based; web servers whenever the UserDir module is enabled. The vulnerability allows an external; attacker to enumerate existing accounts by requesting access to their home directory; and monitoring the response.
Beschreibung:	Summary: An information leak occurs on Apache HTTP Server based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response. Solution: 1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'. Or 2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~ (.*)$ http://example.com/$1 Or 3) Add into httpd.conf: ErrorDocument 404 http://example.com/sample.html ErrorDocument 403 http://example.com/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2001-1013 BugTraq ID: 3335 http://www.securityfocus.com/bid/3335 Bugtraq: 20010912 Is there user Anna at your host ? (Google Search) http://www.securityfocus.com/archive/1/213667 http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0083.html http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0087.html http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html XForce ISS Database: linux-apache-username-exists(7129) https://exchange.xforce.ibmcloud.com/vulnerabilities/7129
Copyright	Copyright (C) 2001 SecuriTeam