On Wed, 28 Jan 2004, Paul D. Robertson wrote:

> >> UserDir disabled
> >> UserDir enabled probertson test foo
> >> UserDir public_html
> >>
> >> This will stop Apache from disclosing which user-ids exist on a system,
> >> which attackers may use to figure out hidden, administrative or temporary
> >> ids which might be exploited by other non-Apache attack vectors, such as
> >> FTP or SSH.
> >>
> >> =========end==========
> >
> > Thanks. This is a good additional remark. Linking to this from the
> > security doc (or the other way around) might be good. I think the
> > security doc may already mention this.
> >
>
> I didn't see a mention (unless there's a different document than
> security_tips that I missed?) so I'd be happy if it got added to the
> security doc. I wrote it up internally due to the release of a tool which
> takes advantage of this being in the wild, but the less compromised machines
> there are out there, the better.
Oops. No. It's the public_html document that has this mentioned.

> Should diffs come to this list, or elsewhere?

Diffs to the list is fine.

> > On a related note, I'd like to discuss whether we want to have UserDir
> > disabled by default.
> > Pros) Improved default security
> > Cons) Increased tech support questions about enabling this feature
>
> Given Apache's penetration into the corporate server space, I'd bet that
> less than 5% of servers rely on userdir (ISPs and geek colo boxes mostly)-
> so I'd bet that the fall-out wouldn't be huge (mostly folks who know how to
> turn it back on.) But 5% of the Apache install base is a big number- if the
> original statements were commented out in the default config, the hurdle
> wouldn't be that high for the semi-clued.

I expect that the statistics are rather less skewed than this, but I have no
actual statistical support for this belief.

--
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.
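A defender-side check for the directive set discussed in this thread, added here as an example (not code from the thread or from the Apache project): it folds the UserDir lines of a config into their effective state and reports whether /~user mapping is off, limited to an explicit list as in Paul's snippet, or on for every unlisted account. The two config fragments are constructed, and treating a config with no directory argument as "no mapping" is an assumption of mine.

```python
"""Audit the effective mod_userdir state of an Apache configuration.
Assumed semantics: bare "UserDir disabled" turns ~user mapping off for everyone,
"UserDir enabled a b" re-enables only the named users, "UserDir disabled a b"
removes only the named users, any other argument names the directory."""
import re
from dataclasses import dataclass, field

# Constructed fragments: the hardened form from the thread, and a permissive
# one that leaves every existing account except root mappable under /~user.
HARDENED_CONF = "UserDir disabled\nUserDir enabled probertson test foo\nUserDir public_html\n"
WEAK_CONF = "<IfModule mod_userdir.c>\n  UserDir public_html\n  UserDir disabled root\n</IfModule>\n"

@dataclass
class UserDirState:
    default_enabled: bool = True                # state for users not named below
    enabled: set = field(default_factory=set)   # names after "UserDir enabled"
    disabled: set = field(default_factory=set)  # names after "UserDir disabled"
    directory: str = None                       # None: no directory argument seen

def parse_userdir(conf):
    """Fold every UserDir directive in the config text into one UserDirState."""
    state = UserDirState()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and indentation
        m = re.match(r"(?i)^UserDir\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        keyword, users = m.group(1).lower(), set(m.group(2).split())
        if keyword in ("disabled", "disable"):
            if users: state.disabled |= users
            else: state.default_enabled = False
        elif keyword in ("enabled", "enable"):
            if users: state.enabled |= users
            else: state.default_enabled = True
        else:
            state.directory = m.group(1)        # e.g. public_html
    return state

def user_mapped(state, user):
    """Would a request for /~user be mapped for this account?"""
    if state.directory is None:                 # assumption: no directory, no mapping
        return False
    return user not in state.disabled if state.default_enabled else user in state.enabled

def audit(conf):
    """Verdict: 'ok' when mapping is off or allowlist-only, 'weak' when on by default."""
    state = parse_userdir(conf)
    if state.directory is None or not state.default_enabled:
        return "ok: ~user mapping is off or limited to an explicit allowlist"
    return "weak: ~user mapping is on for every unlisted account, so existing ids can be enumerated"
```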
