
Bug#341022: default apache2.conf file should deny access to /

Package: apache2
Version: 2.0.54-5
Severity: important
Tags: patch

The default configuration file, apache2.conf, of apache2 should have the
following directory denying directive in apache2.conf instead of the
000-default VirtualHost because if a VirtualHost is added and under that
VirtualHost's DocumentRoot the user makes a symlink to "/", he can
access the whole filesystem.

Config lines to be added to /etc/apache2/apache2.conf:

<Directory />
        Order Deny,Allow
        Deny from all
</Directory>

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-custom-skas3-v8.2
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.0.54-5   high speed threaded model for Apac

apache2 recommends no packages.

-- no debconf information
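
Added example (not part of the original bug report or of the apache2 package): a small Python check for the distinction the report draws, namely whether a deny-all <Directory /> block sits at server-config scope or only inside a <VirtualHost>. The function names and both sample configurations are constructed for illustration; Include directives are not followed and Order/Allow interaction is not evaluated.

```python
import re

# Matches container tags such as <VirtualHost *>, <Directory /> or </Directory>
SECTION = re.compile(r'^<\s*(/?)\s*(\w+)\s*(.*?)\s*>$')
DENY_ALL = re.compile(r'^deny\s+from\s+all$', re.I)

def root_deny_scopes(conf_text):
    """Return the scopes ('global', 'vhost') holding a deny-all <Directory />."""
    stack, scopes = [], set()          # stack of open (section, argument) pairs
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION.match(line)
        if m:
            closing, name, arg = m.groups()
            if closing:
                if stack:
                    stack.pop()
            else:
                stack.append((name.lower(), arg.strip('"')))
        elif DENY_ALL.match(line) and stack and stack[-1] == ('directory', '/'):
            in_vhost = any(n == 'virtualhost' for n, _ in stack)
            scopes.add('vhost' if in_vhost else 'global')
    return scopes

def root_locked_globally(conf_text):
    """True when the deny is at server level and so covers every virtual host."""
    return 'global' in root_deny_scopes(conf_text)

# Constructed sample: the deny block exists only inside one virtual host
VHOST_ONLY = """
<VirtualHost *>
    DocumentRoot /var/www
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>
</VirtualHost>
"""
# Constructed sample: the deny block at server level, as the report requests
GLOBAL = """
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
"""
```

Run it separately over apache2.conf and over each file under sites-enabled; a result of only 'vhost' means a newly added virtual host is not covered by the deny.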
