Bug#341022: default apache2.conf file should deny access to /
Package: apache2
Version: 2.0.54-5
Severity: important
Tags: patch
The default configuration file, apache2.conf, of apache2 should have the
following directory-denying directive in apache2.conf instead of the
000-default VirtualHost, because if a VirtualHost is added and under that
VirtualHost's DocumentRoot the user makes a symlink to "/", he can
access the whole filesystem.
Config lines to be added to /etc/apache2/apache2.conf:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-custom-skas3-v8.2
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages apache2 depends on:
ii apache2-mpm-worker 2.0.54-5 high speed threaded model for Apac
apache2 recommends no packages.
-- no debconf information
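
An added example, not part of the original report: a small Python check that tells whether a `<Directory />` deny-all rule sits at server scope or only inside a VirtualHost, which is the distinction the report turns on. Both configuration samples are constructed for illustration, and the check assumes a single file (it does not follow Include directives).

```python
import re

# Constructed sample: the deny rule exists only inside one VirtualHost.
VHOST_ONLY = """\
<VirtualHost *>
    DocumentRoot /var/www/
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>
</VirtualHost>
<VirtualHost *>
    ServerName second.example
    DocumentRoot /srv/second
</VirtualHost>
"""

# Constructed sample: the same rule at server scope, as the report proposes.
SERVER_SCOPE = """\
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
<VirtualHost *>
    ServerName second.example
    DocumentRoot /srv/second
</VirtualHost>
"""

ROOT_DIR = re.compile(r'<directory\s+"?/"?\s*>', re.I)

def root_deny_scopes(conf_text):
    """Return 'server' or 'vhost' for each <Directory /> block that denies all."""
    scopes, in_vhost, in_root, deny, allow = [], False, False, False, False
    for line in (raw.strip().lower() for raw in conf_text.splitlines()):
        if line.startswith("<virtualhost"):
            in_vhost = True
        elif line.startswith("</virtualhost"):
            in_vhost = False
        elif ROOT_DIR.fullmatch(line):
            in_root, deny, allow = True, False, False
        elif in_root and line.startswith("</directory"):
            if deny and not allow:
                scopes.append("vhost" if in_vhost else "server")
            in_root = False
        elif in_root and re.fullmatch(r"deny\s+from\s+all", line):
            deny = True
        elif in_root and line.startswith("allow from"):
            allow = True  # an Allow line may reopen access; treat as unprotected
    return scopes

def is_protected(conf_text):
    """True only when the deny applies at server scope, covering every vhost."""
    return "server" in root_deny_scopes(conf_text)
```

In the first sample the second VirtualHost inherits no restriction on "/", so `is_protected` returns False; in the second sample it returns True.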