>Number: 637
>Category: config
>Synopsis: ~user requests are served regardless of server access config
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri May 30 12:20:01 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2b10
>Environment:
SunOS 4.1.3_U1; gcc 2.6.0; EXTRA_LIBS=lresolv
>Description:
When mod_userdir is enabled, requests for ~user will be served even if the
entire filesystem is set to deny from all (as per the security example). My
current config as reported by server-info:
Module Name: mod_access.c
Current Configuration:
access.conf
<Directory />
order deny,allow
deny from all
</Directory>
<Location /server-info>
<Limit GET>
order deny,allow
deny from all
allow from .jax.org
</Limit>
</Location>
Module Name: mod_userdir.c
Current Configuration:
srm.conf
UserDir htdocs
Module Name: http_core.c
access.conf
<Location /server-info>
AuthName
AuthType Basic
<Location /server-info>
<Limit GET>
require group cs
</Limit>
</Location>
With this config I am able to retrieve ~user pages.
>How-To-Repeat:
Should be straightforward; I can provide URLs for a sample user and server-info
if not repeatable locally.
>Fix:
>Audit-Trail:
>Unformatted:
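
Added example (not part of the original report and not Apache source code): a small Python model of the documented mod_access `order` evaluation and the UserDir translation, giving the status the reported configuration calls for on a ~user request. The account home `/home/user` and the client host names are constructed assumptions.

```python
# Added illustration, not Apache source: models documented mod_access
# "order" evaluation and UserDir translation for the reported config.

# Sections copied from the report: (path, order, deny specs, allow specs)
DIRECTORY_SECTIONS = [("/", "deny,allow", ["all"], [])]
USERDIR = "htdocs"
HOME_DIRS = {"user": "/home/user"}  # assumption: constructed sample account


def host_matches(spec, client_host):
    """Only the forms used in the report: 'all' and a '.domain' suffix."""
    return spec == "all" or client_host.lower().endswith(spec.lower())


def access_allowed(order, deny, allow, client_host):
    denied = any(host_matches(s, client_host) for s in deny)
    allowed = any(host_matches(s, client_host) for s in allow)
    if order == "deny,allow":   # default allow; Allow overrides Deny
        return allowed or not denied
    if order == "allow,deny":   # default deny; Deny overrides Allow
        return allowed and not denied
    raise ValueError(f"unsupported order: {order}")


def userdir_path(uri):
    """Map /~user/rest to <home>/<UserDir>/rest; None for other URIs."""
    if not uri.startswith("/~"):
        return None
    user, _, rest = uri[2:].partition("/")
    home = HOME_DIRS.get(user)
    return None if home is None else f"{home}/{USERDIR}/{rest}"


def expected_status(uri, client_host):
    """Status the access config calls for; None if not a known ~user URI."""
    path = userdir_path(uri)
    if path is None:
        return None
    for base, order, deny, allow in DIRECTORY_SECTIONS:
        covered = path == base or path.startswith(base.rstrip("/") + "/")
        if covered and not access_allowed(order, deny, allow, client_host):
            return 403
    return 200


if __name__ == "__main__":
    print(expected_status("/~user/index.html", "client.example.com"))
```

A live server that answers such a request with anything other than 403 reproduces the behaviour described in the report.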