
Bug#23661: Security issue when accessing documentation through an http server

Package: debian-policy
Version: 2.4.1.1
Severity: important

Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc
should be made accessible by a web server. It's not mentioned there
that it would introduce a security weakness if access to those files
isn't restricted to localhost. Almost every package puts files under
/usr/doc, which, if access is unrestricted, makes it possible for
anyone on the network to do a very detailed scan of the installed
software on the computer, including version information in most cases.
This sort of info is a great help for an attacker to choose an
appropriate method to get into the system.

An example is the dhttpd web server package, which has this problem
(see #23659). I haven't checked the other web server packages.

I suggest the manual be more clear on this, and that it states clearly
that a web server package shouldn't provide access through
http://localhost/doc/ if it can't do it securely.

Moreover, I'm sceptical of the whole concept of providing documentation
access on the standard http port; it's a service much like anonymous
ftp, and as such the user should have complete and explicit control
over the information it provides (well, a harmless example homepage
could be excused). Even though a web server properly restricts access,
it's still a limitation of the namespace available to the user; (s)he
can't use /doc/... in any URL without having to break Debian policy
(at least for local users). I can see two solutions:

1.  Use "file://localhost/usr/doc/" instead. I don't know whether this
    is a strictly valid URL or if it's supported by all browsers, but
    otherwise I believe it's the best solution, since it's both faster
    and works when a web server isn't installed.

2.  Use another port, e.g. "http://localhost:666/usr/doc/". Access
    must be restricted to localhost and the port should be below 1024
    to ensure that no untrusted user on the system can start a web
    server on that port if the admin hasn't done so.

/Martin
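Added example, not part of Martin's report or of any Debian package: a minimal Python documentation server that applies the restriction item 2 asks for, binding only to the loopback address and additionally refusing any peer whose address is not loopback. The port 8666 (666 would need root to bind) and the confinement of requests to the /usr/doc tree are assumptions of this example.

```python
# Added example: serve /usr/doc under http://localhost:<port>/doc/ to
# loopback clients only, so no other host can inventory installed packages.
import ipaddress
import os
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

DOC_ROOT = "/usr/doc"   # directory the policy talks about
URL_PREFIX = "/doc/"    # URL path the manual implies


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; anything else is off-host."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False


def doc_path(url_path: str, root: str = DOC_ROOT):
    """Map /doc/<x> onto <root>/<x>; None if outside the prefix or the root."""
    if not url_path.startswith(URL_PREFIX):
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, url_path[len(URL_PREFIX):]))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        return None          # e.g. /doc/../../etc/passwd escapes the tree
    return candidate


class LocalDocHandler(SimpleHTTPRequestHandler):
    def handle_one_request(self):
        # Defence in depth: even if the socket were bound wider, drop off-host peers.
        if not is_loopback(self.client_address[0]):
            self.close_connection = True
            return
        super().handle_one_request()

    def translate_path(self, path):
        target = doc_path(path.split("?", 1)[0])
        return target if target is not None else ""   # "" -> open() fails -> 404


def serve(port: int = 8666):
    # Binding to 127.0.0.1 is the primary control; the port is an assumption.
    with ThreadingHTTPServer(("127.0.0.1", port), LocalDocHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```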

