
about DSA-2452-1 apache2 -- insecure default configuration



There has been the following change in apache2:

apache2 (2.2.22-4) unstable; urgency=high

  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <sf@debian.org>  Sun, 15 Apr 2012 23:41:43 +0200

More information on:

  http://www.debian.org/security/2012/dsa-2452.en.html

However, what if some user has a symlink to /usr/share/doc in his
public_html? I haven't tried, but it seems that the bug would still
occur (otherwise the right solution wouldn't have been to remove
the alias, but to change how the scripting modules can affect some
paths). IMHO, the real bug is in mod_php or mod_rivet, that shouldn't
be active (at least concerning the scripting features) by default
unless this is explicitly told with some "Options" for the concerned
directory.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
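
An added example, not part of the original message or the Debian package: a small audit that looks for both things the message discusses, an active `Alias` mapping into /usr/share/doc in a vhost file and symlinks under a public_html tree that resolve into that directory. The function names and the sample vhost text are constructed for illustration; the check reports what is present and does not decide whether Apache would follow the link.

```python
import os
import shlex

DOC_ROOT = "/usr/share/doc"  # directory the removed alias exposed
# Constructed sample vhost file, not taken from a real system.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    Alias /doc /usr/share/doc
    # Alias /old-doc /usr/share/doc
    Alias /base "/usr/share/doc-base/"
</VirtualHost>
"""

def is_under(path, root):
    """True if path is root or lies below it (string check on normalised paths)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)

def find_doc_aliases(config_text, root=DOC_ROOT):
    """Return (line_no, url_path, target) for Alias/ScriptAlias lines mapping into root."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue  # commented-out directives are inactive
        try:
            parts = shlex.split(line)  # handles quoted paths
        except ValueError:
            continue  # unbalanced quotes: not a directive we can judge
        if (len(parts) == 3 and parts[0].lower() in ("alias", "scriptalias")
                and is_under(parts[2], root)):
            hits.append((line_no, parts[1], parts[2]))
    return hits

def find_symlinks_into(tree, root=DOC_ROOT):
    """Return symlinks below tree whose resolved target is root or lies below it."""
    root = os.path.realpath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(tree):  # does not descend into links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and is_under(os.path.realpath(full), root):
                hits.append(full)
    return sorted(hits)

if __name__ == "__main__":
    print(find_doc_aliases(SAMPLE_VHOST))  # [(3, '/doc', '/usr/share/doc')]
    print(find_symlinks_into(os.path.expanduser("~/public_html")))
```

The `/usr/share/doc-base/` line is there to show that the comparison is on path components, so a sibling directory sharing the prefix is not reported.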

