Test ID:	1.3.6.1.4.1.25623.1.0.10766
Category:	Web Servers
Title:	Apache HTTP Server UserDir Sensitive Information Disclosure
Summary:	An information leak occurs on Apache HTTP Server based; web servers whenever the UserDir module is enabled. The vulnerability allows an external; attacker to enumerate existing accounts by requesting access to their home directory; and monitoring the response.
Description:	Summary: An information leak occurs on Apache HTTP Server based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response. Solution: 1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'. Or 2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~ (.*)$ http://example.com/$1 Or 3) Add into httpd.conf: ErrorDocument 404 http://example.com/sample.html ErrorDocument 403 http://example.com/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2001-1013 BugTraq ID: 3335 http://www.securityfocus.com/bid/3335 Bugtraq: 20010912 Is there user Anna at your host ? (Google Search) http://www.securityfocus.com/archive/1/213667 http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0083.html http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0087.html http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html XForce ISS Database: linux-apache-username-exists(7129) https://exchange.xforce.ibmcloud.com/vulnerabilities/7129
Copyright	Copyright (C) 2001 SecuriTeam

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.