httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security tips and dictionary attacks with UserDir
Date Wed, 28 Jan 2004 14:54:29 GMT
On Wed, 24 Dec 2003, Paul D. Robertson wrote:

> Hi,
> 
> I can't reach the Documentation Project Tutorial site suggested as the best
> place to start, since it doesn't like the fact that my proxy strips
> user-agent headers- so I hope I'm not jumping out of line here...

No. Not at all. Thanks for the comments, and sorry that they seem to
have been ignored thus far. This is the right place for them.

> It's been known for quite some time that the default configuration with
> UserDir enabled lets people scan for user-ids because a valid ID returns a
> 403 if there's no public_html, while an invalid one returns a 404- it's been
> years since it was seriously discussed, however a new "script kiddie
> friendly" tool is out now which exploits that in conjunction with FTP and
> same ID/password combos to compromise servers.
> 
> IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
> will return a 404- so an attacker can enumerate users on a server by running
> a dictionary word list through, and ignoring any hits that 404.
> 
> Given that, I'd like to see a section added to "Security Tips" about
> UserDir, along the lines of:
> 
> ========== begin ===========
> 
> If your server doesn't have users who need to have ~username directories
> accessible, you should substitute the default "UserDir public_html"
> statement in the httpd configuration file with UserDir disabled.
> 
> If you require UserDir to be enabled, then you might consider either using
> the ErrorDocument directive to make the 403 and 404 errors serve up the same
> custom response, or limiting which accounts can have UserDirs with something
> like:
> 
> UserDir disabled
> UserDir enabled probertson test foo
> UserDir public_html
> 
> This will stop Apache from disclosing which user-ids exist on a system,
> which attackers may use to figure out hidden, administrative or temporary
> ids which might be exploited by other non-Apache attack vectors, such as FTP
> or SSH.
> 
> =========end==========

Thanks. This is a good additional remark. Linking to this from the
security doc (or the other way around) might be good. I think the
security doc may already mention this.

> I can add a diff if someone can point me at an accessible document that
> tells me what original files need to be changed and in what format, or if
> someone who can easily submit the changes wants to do that, that'll work
> too.  If it's not an appropriate change, I'd appreciate some feedback on
> that too.

You can see the cvs tree at http://cvs.apache.org/viewcvs.cgi/ and
instructions for getting checkouts at
http://httpd.apache.org/dev/anoncvs.txt

On a related note, I'd like to discuss whether we want to have UserDir
disabled by default.
Pros) Improved default security
Cons) Increased tech support questions about enabling this feature

-- 
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.
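As an added example (not part of this thread or of the httpd project), here is a small Python detector that reads httpd access-log lines in Common/Combined Log Format and flags a client running the /~user dictionary scan described above, separating the names the server confirmed with a 403 from those it rejected with a 404. The client addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Common/Combined Log Format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# A per-user request: /~name or /~name/anything
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9._-]+)(?:/|$)')

def parse_line(line):
    """Return (client_ip, path, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group('ip'), m.group('path'), int(m.group('status'))) if m else None

def find_userdir_scans(lines, min_names=5):
    """Group /~name requests by client and flag clients that probed at least
    min_names distinct names. Names answered 403 are accounts the server has
    confirmed exist (no public_html); names answered 404 do not exist."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> status -> {names}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real deployment would count these
        ip, path, status = parsed
        m = USERDIR_RE.match(path)
        if m:
            seen[ip][status].add(m.group(1))
    findings = {}
    for ip, by_status in seen.items():
        names = set().union(*by_status.values())
        if len(names) >= min_names:
            findings[ip] = {
                'probed': len(names),
                'disclosed': sorted(by_status.get(403, ())),
                'nonexistent': sorted(by_status.get(404, ())),
            }
    return findings

# Constructed sample log (not from the thread): one dictionary scan, one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Dec/2003:10:00:01 +0000] "GET /~aaron HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:01 +0000] "GET /~abel HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:02 +0000] "GET /~abigail HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:02 +0000] "GET /~adam HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:03 +0000] "GET /~admin HTTP/1.0" 403 291 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:03 +0000] "GET /~alice HTTP/1.0" 403 291 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:04 +0000] "GET /~alice/ HTTP/1.0" 403 291 "-" "-"
198.51.100.7 - - [24/Dec/2003:10:00:04 +0000] "GET /~backup HTTP/1.0" 403 291 "-" "-"
203.0.113.5 - - [24/Dec/2003:10:05:00 +0000] "GET /~alice/index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Dec/2003:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == '__main__':
    for ip, f in find_userdir_scans(SAMPLE_LOG).items():
        print(f"{ip}: probed {f['probed']} names; accounts disclosed via 403: {f['disclosed']}")
```

The 'disclosed' list is what the scan learned from the server, so it is also the list of accounts to review once UserDir has been restricted or the 403/404 responses have been unified.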
