httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security tips and dictionary attacks with UserDir
Date Wed, 28 Jan 2004 13:30:49 GMT
On Wed, 24 Dec 2003, Paul D. Robertson wrote:

> Hi,
> 
> I can't reach the Documentation Project Tutorial site suggested as the best
> place to start, since it doesn't like the fact that my proxy strips
> user-agent headers- so I hope I'm not jumping out of line here...

No. Not at all. Thanks for the comments, and sorry that they seem to
have been ignored thus far.

> It's been known for quite some time that the default configuration with
> UserDir enabled lets people scan for user-ids because a valid ID returns a
> 403 if there's no public_html, while an invalid one returns a 404- it's been
> years since it was seriously discussed, however a new "script kiddie
> friendly" tool is out now which exploits that in conjunction with FTP and
> same ID/password combos to compromise servers.
> 
> IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
> will return a 404- so an attacker can enumerate users on a server by running
> a dictionary word list through, and ignoring any hits that 404.
> 
> Given that, I'd like to see a section added to "Security Tips" about
> UserDir, along the lines of:
> 
> ========== begin ===========
> 
> If your server doesn't have users who need to have ~username directories
> accessible, you should substitute the default "UserDir public_html"
> statement in the httpd configuration file with UserDir disabled.
> 
> If you require UserDir to be enabled, then you might consider either using
> the ErrorDocument directive to make the 403 and 404 errors serve up the same
> custom response, or limiting which accounts can have UserDirs with something
> like:
> 
> UserDir disabled
> UserDir enabled probertson test foo
> UserDir public_html
> 
> This will stop Apache from disclosing which user-ids exist on a system,
> which attackers may use to figure out hidden, administrative or temporary
> ids which might be exploited by other non-Apache attack vectors, such as FTP
> or SSH.
> 
> =========end==========

Thanks. This is a good additional remark. Linking to this from the
security doc (or the other way around) might be good. I think the
security doc may already mention this.

> I can add a diff if someone can point me at an accessible document that
> tells me what original files need to be changed and in what format, or if
> someone who can easily submit the changes wants to do that, that'll work
> too.  If it's not an appropriate change, I'd appreciate some feedback on
> that too.

You can see the cvs tree at http://cvs.apache.org/viewcvs.cgi/ and
instructions for getting checkouts at
http://httpd.apache.org/dev/anoncvs.txt

On a related note, I'd like to discuss whether we want to have UserDir
disabled by default.
Pros) Improved default security
Cons) Increased tech support questions about enabling this feature

-- 
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.
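The two mitigations Paul proposes, combined in one httpd.conf fragment. This is an added example, not from the thread or the Apache documentation; it assumes httpd 2.0-era access-control syntax and a placeholder error page at /errors/notfound.html.

```apache
# Weak default: an account with a home directory but no public_html
# answers 403, while a name that is not an account answers 404, so the
# status code alone confirms which logins exist.
#UserDir public_html

# Hardened: switch UserDir off for every account, then re-enable it only
# for the accounts that actually publish pages. Requests for any other
# name (real account or not) now get the same 404 from the core.
UserDir disabled
UserDir enabled probertson test foo
UserDir public_html

# Restrict what the enabled accounts may serve (2.0-style directives).
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order allow,deny
    Allow from all
</Directory>

# Serve one identical body for both errors. Caveat: this only hides the
# page content; the HTTP status line still differs, so on its own this
# does not stop status-code enumeration. The UserDir lines above do.
ErrorDocument 403 /errors/notfound.html
ErrorDocument 404 /errors/notfound.html
```

After reloading, a request for /~probertson and one for /~nosuchuser should differ only if the former publishes pages; any other name should come back 404.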


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

