Public bug reported:

Binary package hint: lighttpd

Ubuntu release: hardy (8.04)
Version: 1.4.19-0ubuntu3.1

The normal Ubuntu lighttpd configuration file exposes /usr/share/doc to everyone who can talk to your web server, as the /doc/ URL, not just people on the same machine.

The lighttpd configuration file claims:

    #### handle Debian Policy Manual, Section 11.5. urls
    #### and by default allow them only from localhost

and then sets up aliases for /usr/share/doc and /usr/share/images. However, contrary to the comment in the file, it does not restrict them to requests from localhost, as you can easily verify, because it puts the 'alias.url +=' directive inside a 'global' section.

Removing the 'global { ... }' around the alias directive fixes the problem; /doc/ and /images/ remain accessible from localhost but stop being accessible from the outside world.

(I don't know if this should be considered a security bug, so I'm opting to not mark it as such.)

** Affects: lighttpd (Ubuntu)
     Importance: Undecided
         Status: New

--
lighttpd makes /usr/share/doc visible to everyone
https://bugs.launchpad.net/bugs/406957
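A check for the misconfiguration this report describes, as an added example that is not part of the original report or the Ubuntu package: it flags directives placed in a `global { ... }` block nested under a lighttpd conditional, where they apply to every request. The sample configuration is constructed, and its `$HTTP["remoteip"]` condition is an assumption, since the report does not quote the conditional.

```python
import re

# Constructed sample modelled on the report; the remoteip conditional is an assumption.
VULNERABLE = '''\
#### handle Debian Policy Manual, Section 11.5. urls
#### and by default allow them only from localhost
$HTTP["remoteip"] == "127.0.0.1" {
    global {
        alias.url += (
            "/doc/" => "/usr/share/doc/",
            "/images/" => "/usr/share/images/"
        )
    }
}
'''
# The fix from the report: drop the global { ... } wrapper around the alias directive.
FIXED = VULNERABLE.replace("    global {\n", "").replace("    }\n", "")

COMMENT = re.compile(r'("[^"]*")|#.*')   # keep quoted strings, drop # comments
TOKEN = re.compile(r'"[^"]*"|[{}]|([A-Za-z][\w.\-]*)\s*(?:\+=|:=|=)')

def escaped_directives(conf_text):
    """Return (line, directive, outer_condition) for every directive that sits in a
    global{} block nested inside a conditional, so the condition does not apply."""
    findings, stack, prev = [], [], ""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = COMMENT.sub(lambda m: m.group(1) or "", raw)
        seg = 0                                   # start of the current block header
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            if tok == "{":                        # header may be on the previous line
                stack.append(line[seg:m.start()].strip() or prev)
                seg = m.end()
            elif tok == "}":
                if stack:
                    stack.pop()
                seg = m.end()
            elif m.group(1) and "global" in stack:
                gi = len(stack) - 1 - stack[::-1].index("global")
                outer = [h for h in stack[:gi] if h.startswith(("$", "else"))]
                if outer:
                    findings.append((no, m.group(1), outer[-1]))
        if line.strip():
            prev = line.strip()
    return findings

if __name__ == "__main__":
    for no, name, cond in escaped_directives(VULNERABLE):
        print(f"line {no}: {name} escapes condition {cond} via global {{}}")
```

Run against `/etc/lighttpd/lighttpd.conf` and any included files by passing each file's text to `escaped_directives`.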