
Bug#23661: Security issue when accessing documentation through an http server



Martin Stjernholm wrote:
> Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc
> should be made accessible by a web server. It's not mentioned there
> that it would introduce a security weakness if access to those files
> isn't restricted to localhost. Almost every package puts files under
> /usr/doc, which, if access is unrestricted, makes it possible for
> anyone on the network to do a very detailed scan of the installed
> software on the computer, including version information in most cases.
> This sort of info is a great help for an attacker to choose an
> appropriate method to get into the system.

Interestingly, I brought this up when we formulated the policy, and was
informed that I was just worrying about "security through obscurity" and it
wouldn't do any good.

-- 
see shy jo
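As an added illustration of the restriction the report asks for (this is not part of the original mail or of any Debian package; the /doc/ alias, the /usr/doc path and the loopback addresses are assumptions), here is the relevant Apache directory block in the 1.3/2.2 access-control syntax, first in the form that exposes the documentation tree to the whole network, then limited to the local host. Only one of the two blocks would be active in a real httpd.conf.

```apache
# Added example, not from the bug report. Alias and path are assumed
# (Debian's documentation tree of the time lived under /usr/doc).

# Weak: every host that can reach the web server can browse /usr/doc,
# which enumerates the installed packages and, through their changelogs,
# their versions. Directory indexes make the listing trivial.
Alias /doc/ /usr/doc/
<Directory /usr/doc>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

# Hardened: same alias, but requests are answered only when they come
# from the loopback interface; everyone else receives 403 Forbidden.
# (On Apache 2.4 the three access lines collapse to "Require local".)
Alias /doc/ /usr/doc/
<Directory /usr/doc>
    Options Indexes FollowSymLinks
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>
```

The check after changing the configuration is simple: fetch /doc/ once from the machine itself and once from another host on the network, and confirm that only the local request succeeds. Note that a forwarding proxy on the same machine would also count as local, so the restriction protects the documentation tree, not any proxy that happens to run beside it.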

