[Bug 406957] [NEW] lighttpd makes /usr/share/doc visible to everyone
Chris Siebenmann
cks.ubuntu-bugs at cs.toronto.edu
Thu Jul 30 15:50:57 UTC 2009
Public bug reported:
Binary package hint: lighttpd
Ubuntu release: hardy (8.04)
Version: 1.4.19-0ubuntu3.1
The normal Ubuntu lighttpd configuration file exposes /usr/share/doc to
everyone who can talk to your web server, as the /doc/ URL, not just
people on the same machine.
The lighttpd configuration file claims:
#### handle Debian Policy Manual, Section 11.5. urls
#### and by default allow them only from localhost
and then sets up aliases for /usr/share/doc and
/usr/share/images. However, contrary to the comment
in the file, it does not restrict them to requests from
localhost, as you can easily verify, because it puts
the 'alias.url +=' directive inside a 'global' section.
Removing the 'global { ... }' around the alias directive
fixes the problem; /doc/ and /images/ remain accessible
from localhost but stop being accessible from the outside
world.
(I don't know if this should be considered a security bug,
so I'm opting to not mark it as such.)
** Affects: lighttpd (Ubuntu)
Importance: Undecided
Status: New
--
lighttpd makes /usr/share/doc visible to everyone
https://bugs.launchpad.net/bugs/406957
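
A static check for the misconfiguration this report describes, added here as an example (it is not part of the original report and is not lighttpd or Ubuntu code): it flags directives placed in a 'global { ... }' block nested inside a conditional, where they no longer inherit the condition. The sample configuration is constructed; the $HTTP["remoteip"] conditional and the alias targets are assumptions about the file's shape, and block headers are assumed to sit on the same line as their opening brace.

```python
import re

# Constructed sample modelled on the report's description. The remoteip
# conditional and the alias targets are assumptions, not the Ubuntu file.
VULNERABLE = '''\
#### and by default allow them only from localhost
$HTTP["remoteip"] == "127.0.0.1" {
    global {
        alias.url += (
            "/doc/" => "/usr/share/doc/",
            "/images/" => "/usr/share/images/"
        )
    }
}
'''
# The fix from the report: drop the 'global { ... }' wrapper.
FIXED = '''\
$HTTP["remoteip"] == "127.0.0.1" {
    alias.url += (
        "/doc/" => "/usr/share/doc/",
        "/images/" => "/usr/share/images/"
    )
}
'''

MASK = re.compile(r'"(?:\\.|[^"\\\n])*"|#[^\n]*')   # strings and comments
TOKEN = re.compile(r'([{}])|([\w.-]+)\s*(?:\+=|:=|=(?![=~>]))')

def escaped_directives(config):
    """Return (line, directive, bypassed_condition) for each directive in a
    'global { }' block nested inside a conditional block."""
    bare = MASK.sub(lambda m: ' ' * len(m.group()), config)
    findings, stack, seg = [], [], 0   # seg: where the next block header starts
    for tok in TOKEN.finditer(bare):
        brace, directive = tok.groups()
        if brace == '{':
            header = config[seg:tok.start()].split('\n')[-1].strip()
            stack.append(header)
        elif brace == '}' and stack:
            stack.pop()
        elif directive and 'global' in stack:
            outer = stack[:len(stack) - stack[::-1].index('global') - 1]
            conds = [h for h in outer if h != 'global']
            if conds:
                line = bare.count('\n', 0, tok.start()) + 1
                findings.append((line, directive, conds[-1]))
        if brace:
            seg = tok.end()
    return findings
```

Each finding names the directive and the condition it escapes, so the same function can be run over every included configuration file before a deploy.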