Bug#23661: Security issue when accessing documentation through an http server
Package: debian-policy
Version: 2.4.1.1
Severity: important

Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc
should be made accessible by a web server. It's not mentioned there
that it would introduce a security weakness if access to those files
isn't restricted to localhost. Almost every package puts files under
/usr/doc, which, if access is unrestricted, makes it possible for
anyone on the network to do a very detailed scan of the installed
software on the computer, including version information in most cases.
This sort of info is a great help for an attacker to choose an
appropriate method to get into the system.

An example is the dhttpd web server package, which has this problem
(see #23659). I haven't checked the other web server packages.

I suggest the manual be more clear on this, and that it states clearly
that a web server package shouldn't provide access through
http://localhost/doc/ if it can't do it securely.

Moreover, I'm sceptical of the whole concept of providing documentation
access on the standard http port; it's a service much like anonymous
ftp, and as such the user should have complete and explicit control
over the information it provides (well, a harmless example homepage
could be excused). Even though a web server properly restricts access,
it's still a limitation of the namespace available to the user; (s)he
can't use /doc/... in any URL without having to break Debian policy
(at least for local users). I can see two solutions:

1. Use "file://localhost/usr/doc/" instead. I don't know whether this
is a strictly valid URL or if it's supported by all browsers, but
otherwise I believe it's the best solution, since it's both faster
and works when a web server isn't installed.

2. Use another port, e.g. "http://localhost:666/usr/doc/". Access
must be restricted to localhost and the port should be below 1024
to ensure that no untrusted user on the system can start a web
server on that port if the admin hasn't done so.

/Martin
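As an added illustration of the two points in the report above, the "detailed scan" an exposed /doc/ tree allows and the loopback-only restriction the report asks for, here is a small script written for this page. It is not Martin's code and not part of dhttpd or any other Debian web server package. The index page, the package names and the changelog lines are constructed samples; `fetch_changelog` and `doc_request_allowed` are hypothetical helpers, not an API of any real server. The one fact it relies on is the fixed first-line format of a Debian changelog, "package (version) distribution; urgency=...".

```python
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample (not a real capture): the kind of auto-generated index a
# directory-listing web server returns for http://host/doc/.  The package
# names are made up for this example.
SAMPLE_DOC_INDEX = """<html><body><h1>Index of /doc</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="netdaemon/">netdaemon/</a></li>
<li><a href="webmailer/">webmailer/</a></li>
<li><a href="HTML/">HTML/</a></li>
<li><a href="README.txt">README.txt</a></li>
</ul></body></html>"""

# Constructed sample: first lines of /usr/doc/<pkg>/changelog.Debian, in the
# standard Debian changelog header format "package (version) dist; urgency=...".
# "HTML" is deliberately absent: it is a non-package directory with no changelog.
SAMPLE_CHANGELOGS = {
    "netdaemon": "netdaemon (1:2.3.1-4) unstable; urgency=low\n\n  * Fix startup race.\n",
    "webmailer": "webmailer (0.9-2) frozen unstable; urgency=low\n\n  * Initial release.\n",
}


class _DirListingParser(HTMLParser):
    """Collect sub-directory links from an auto-generated index page."""

    def __init__(self):
        super().__init__()
        self.dirs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        # Sub-directories are links ending in "/"; skip the parent link,
        # absolute links and query links (sort controls on some servers).
        if href.endswith("/") and not href.startswith(("..", "/", "?", "./")):
            self.dirs.append(href.rstrip("/"))


def list_doc_directories(index_html):
    """Return the sub-directory names listed on a /doc/ index page."""
    parser = _DirListingParser()
    parser.feed(index_html)
    return parser.dirs


# Debian package names: lowercase letters, digits, '+', '-', '.', at least 2 chars.
CHANGELOG_HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) ")


def parse_changelog_header(text):
    """Return (package, version) from a Debian changelog's first line, or None."""
    first_line = text.lstrip().split("\n", 1)[0]
    match = CHANGELOG_HEADER.match(first_line)
    return (match.group("pkg"), match.group("ver")) if match else None


def inventory_from_doc_tree(index_html, fetch_changelog):
    """Map every directory under /doc/ to the version read from its changelog.

    fetch_changelog(dirname) is a hypothetical callback that returns the text of
    <dir>/changelog.Debian or None; a directory with no readable changelog is
    still reported (value None), because its mere presence names a package.
    """
    found = {}
    for dirname in list_doc_directories(index_html):
        text = fetch_changelog(dirname)
        parsed = parse_changelog_header(text) if text is not None else None
        found[dirname] = parsed[1] if parsed else None
    return found


def doc_request_allowed(remote_addr):
    """Hypothetical server-side guard: serve /doc/ only to loopback clients.

    Accepts 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x;
    anything unparsable is refused rather than passed through.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


if __name__ == "__main__":
    # Offline demonstration using the constructed samples above.
    for pkg, version in inventory_from_doc_tree(SAMPLE_DOC_INDEX, SAMPLE_CHANGELOGS.get).items():
        print(f"{pkg}: {version or 'version unknown'}")
    for client in ("127.0.0.1", "::1", "192.0.2.10"):
        print(f"/doc/ for {client}: {'allowed' if doc_request_allowed(client) else 'refused'}")
```

The scan needs nothing but directory listings and one file per package, which is why the report treats unrestricted /doc/ as an inventory of the host. The guard is only as good as the address the server attributes to the client; if a reverse proxy sits in front, the proxy's own address is what gets checked, so the restriction must then be applied at the proxy instead.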