<p>lighty labs: Lighttpd - Bug #1587: [security] when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable</p>
<p><a class="external" href="https://redmine.lighttpd.net/issues/1587?journal_id=3904">https://redmine.lighttpd.net/issues/1587?journal_id=3904</a> 2008-03-10T10:40:34Z Anonymous</p>
<p>There is a typo in the description:<br /><a class="external" href="http://myserver/tld/~nobody/etc/passwd">http://myserver/tld/~nobody/etc/passwd</a><br />should be:<br /><a class="external" href="http://myserver.tld/~nobody/etc/passwd">http://myserver.tld/~nobody/etc/passwd</a></p>
<p>-- julien.cayzac</p>
<p><a class="external" href="https://redmine.lighttpd.net/issues/1587?journal_id=3905">https://redmine.lighttpd.net/issues/1587?journal_id=3905</a> 2008-03-10T11:16:02Z stbuehler</p>
<p>I think the main problem here is that mod_userdir is always enabled; you can disable it with</p>
<pre>
userdir.include-user = ( "" )
</pre>
<p>mod_userdir will still redirect "/~something" to "/~something/" (empty user is not allowed by mod_userdir in any case, so /~/ is not affected by the include-user "").</p>
<p>The next problem is users with "/" as homedir - I don't know why, but on a Debian system there is no user with "/" as homedir; nobody has "/nonexistent".</p>
<p>Of course, your idea would fix most things, but I just search for a "cleaner" solution ;-)</p>
<p><a class="external" href="https://redmine.lighttpd.net/issues/1587?journal_id=3906">https://redmine.lighttpd.net/issues/1587?journal_id=3906</a> 2008-03-10T11:48:33Z stbuehler</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Fixed</i></li><li><strong>Resolution</strong> set to <i>fixed</i></li></ul><p>Fixed in r2120.</p>
<p>We now require userdir.path to be set to enable mod_userdir; you can have the old behaviour with</p>
<pre>
userdir.path = ""
</pre>
<p><a class="external" href="https://redmine.lighttpd.net/issues/1587?journal_id=3907">https://redmine.lighttpd.net/issues/1587?journal_id=3907</a> 2008-03-10T14:27:53Z Anonymous</p>
<p>You should also edit userdir.txt to reflect that change; it still mentions "." as the default value for path.</p>
<p>-- rbu</p>
<p><a class="external" href="https://redmine.lighttpd.net/issues/1587?journal_id=3908">https://redmine.lighttpd.net/issues/1587?journal_id=3908</a> 2008-03-13T15:38:34Z stbuehler</p>
<p>Yes, sorry, I forgot that; so the doc is missing in 1.4.19, but it is now in svn r2130.</p>