httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul D. Robertson" <>
Subject Security tips and dictionary attacks with UserDir
Date Wed, 24 Dec 2003 16:26:32 GMT

I can't reach the Documentation Project Tutorial site suggested as the best
place to start, since it doesn't like the fact that my proxy strips
user-agent headers- so I hope I'm not jumping out of line here...

It's been known for quite some time that the default configuration with
UserDir enabled lets people scan for user-ids because a valid ID returns a
403 if there's no public_html, while an invalid one returns a 404- it's been
years since it was seriously discussed, however a new "script kiddie
friendly" tool is out now which exploits that in conjunction with FTP and
same ID/password combos to compromise servers.

IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
will return a 404- so an attacker can enumerate users on a server by running
a dictionary word list through, and ignoring any hits that 404.

Given that, I'd like to see a section added to "Security Tips" about
UserDir, along the lines of:

========== begin ===========

If your server doesn't have users who need to have ~username directories
accessible, you should substitute the default "UserDir public_html"
statement in the httpd configuration file with UserDir disabled.

If you require UserDir to be enabled, then you might consider either using
the ErrorDocument directive to make the 403 and 404 errors serve up the same
custom response, or limiting which accounts can have UserDirs with something

UserDir disabled
UserDir enabled probertson test foo
UserDir public_html

This will stop Apache from disclosing which user-ids exist on a system,
which attackers may use to figure out hidden, administrative or temporary
ids which might be exploited by other non-Apache attack vectors, such as FTP
or SSH.


I can add a diff if someone can point me at an accessible document that
tells me what original files need to be changed and in what format, or if
someone who can easily submit the changes wants to do that, that'll work
too.  If it's not an appropriate change, I'd appreciate some feedback on
that too.

This information is applicable to both the 1.3 and 2.x trees.


Paul D. Robertson Director of Risk Assessment, TruSecure Corporation
Moderator, Firewall-Wizards

This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message