
Bug #1587

[security] when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Added by Anonymous over 8 years ago. Updated over 8 years ago.

Status:
Fixed
Priority:
High
Assignee:
-
Category:
mod_userdir
% Done:
0%

Description

I've just discovered that you could download my /etc/passwd file by simply pointing your browser to http://myserver/tld/~nobody/etc/passwd (thanks to Nessus).

After some research, I've found the culprit to be mod_userdir, which I had left there while I had removed all its configuration variables from my conf.

Loading this module with its default values should not compromise the server security.
IMHO, the default value for userdir.path should not be "." unless the webmaster sets so, but the standard "public_html".

-- julien.cayzac

Associated revisions

Revision ec5c74ad (diff)
Added by stbuehler over 8 years ago

workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2120 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 763f8840 (diff)
Added by stbuehler over 8 years ago

Update documentation for #1587

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2130 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1 Updated by Anonymous over 8 years ago

There's a typo in the description:
http://myserver/tld/~nobody/etc/passwd
should be:
http://myserver.tld/~nobody/etc/passwd

-- julien.cayzac

#2 Updated by stbuehler over 8 years ago

I think the main problem here is that mod_userdir is always enabled; you can disable it with

userdir.include-user = ( "" )

mod_userdir will still redirect "/~something" to "/~something/" (empty user is not allowed by mod_userdir in any case, so /~/ is not affected by the include-user "").

The next problem is users with "/" as homedir - I don't know why, but on a Debian system there is no user with "/" as homedir; nobody has "/nonexistent".

Of course, your idea would fix most things, but I'm just searching for a "cleaner" solution ;-)

#3 Updated by stbuehler over 8 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2120.

We now require userdir.path to be set to enable mod_userdir; you can have the old behaviour with

userdir.path = ""
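
To make the behaviour discussed in #2 and #3 concrete, here is an added example (not lighttpd's code): a simplified model, assumed from the description, of how mod_userdir maps a /~user/ URI to <home>/<userdir.path>/, plus a defender-side audit that reports which users' userdir roots would cover sensitive directories under a given userdir.path. The passwd lines are constructed; on this hypothetical host "nobody" has "/" as its home.

```python
import posixpath

# Constructed /etc/passwd sample; "nobody" has "/" as home on this hypothetical host,
# which is the situation in which a /~nobody/etc/passwd URI reaches the real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Return {username: home_dir} from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6:
            homes[fields[0]] = fields[5]
    return homes

def userdir_root(home, userdir_path):
    """Directory that /~user/ maps to: <home>/<userdir.path>/ (simplified model, assumption).
    The old default "." and the post-fix "" both leave the home dir itself as the root."""
    return posixpath.normpath(posixpath.join(home, userdir_path) if userdir_path else home)

def map_request(uri, homes, userdir_path):
    """Map /~user/rest to a filesystem path; None if it is not a userdir URI."""
    if not uri.startswith("/~"):
        return None
    user, _, rest = uri[2:].partition("/")
    if user not in homes:
        return None
    # lighttpd path-simplifies the URI before the module runs, so no "../" survives
    rest = posixpath.normpath("/" + rest).lstrip("/")
    return posixpath.join(userdir_root(homes[user], userdir_path), rest)

def exposed_users(homes, userdir_path, sensitive=("/etc", "/root", "/var/log")):
    """Users whose userdir root is at or above one of the sensitive directories."""
    hits = {}
    for user, home in homes.items():
        root = userdir_root(home, userdir_path)
        covered = [d for d in sensitive if d == root or d.startswith(root.rstrip("/") + "/")]
        if covered:
            hits[user] = covered
    return hits

if __name__ == "__main__":
    homes = parse_passwd(SAMPLE_PASSWD)
    for path in (".", "public_html"):
        print(f'userdir.path = "{path}" -> exposed:', exposed_users(homes, path))
```

Run against the real /etc/passwd of a host, the audit shows whether leaving mod_userdir loaded with the old "." default (or the post-fix "") would serve any home directory that contains something you would not want public.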

#4 Updated by Anonymous over 8 years ago

You should also edit userdir.txt to reflect that change; it still mentions "." as the default value for path.

-- rbu

#5 Updated by stbuehler over 8 years ago

Yes, sorry, forgot that; so the doc is missing in 1.4.19, but is now in svn r2130.
