Issue with Debian's default installation of Apache | Linux Today

Written By
Web Webster
Apr 5, 1999

Andrei D. Caraman
posted to BUGTRAQ:

This pertains to the Apache configuration as shipped with Debian
2.1 (codename slink).

The default setup of Apache (apache_1.3.3-7.deb) makes the
/usr/doc directory available to anyone as http://some.host/doc/.
The relevant line is in the srm.conf file:

Alias /doc/ /usr/doc/

That would allow any user from the net (malicious or not) to
know the exact version of the software packages installed on a
Debian box. It looks more of a privacy issue than a security one.
However, if a security vulnerability affecting any of those packages
is found, attackers may already know which targets to hit (and
maybe the ones to be avoided).

At first I thought that alias should be disabled, but upon
further reading the lines below (`The above line is for Debian
webstandard 3.0, which specifies that /doc refers to /usr/doc. Some
packages may not work otherwise.’) I’d say that access to that
location should be only allowed from localhost (note that a web
proxy on the same machine might render that limitation useless).
The site administrator could easily change that if he/she so
needs.

Johnie Ingram (the Apache maintainer for Debian) has been
notified, and replied that this was already formally reported on
the Bug Tracking System by another Debian user (details available
here:

http://www.debian.org/Bugs/db/34/34099.html

including this suggested fix:

    <Directory /usr/doc>
    AllowOverride None
    order deny,allow
    deny from all
    allow from localhost
    </Directory>
)

Johnie said he intended to change the old default in the
following release.

On March 26 he also stated that a new apache deb package was to
be uploaded on the following day, so I suppose it has already made
its way to the Debian mirrors.

<propaganda>

This is not a serious bug, since the Debian is the safest Linux
distribution. That’s why I’m using it.

</propaganda>

I haven’t bothered to check other distributions…

Regards,

---------------------------------------------------------------
Andrei D. Caraman           phone: +40 (1) 2050 637
Network Engineer              fax: +40 (1) 2050 655
Mediasat SA          office hours: 10:00 - 18:00 GMT
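The following is an added example (editor's code, not part of the BUGTRAQ post and not the Debian package's own tooling) showing how an administrator can audit an Apache 1.3 configuration for the condition described above: an Alias whose target lies under /usr/doc that is not restricted to localhost by a matching <Directory> block. The configuration strings are constructed for the example; the <Directory> fix reproduces the one quoted above from Debian bug #34099. The evaluator implements Apache 1.3's order/allow/deny semantics for two clients (a remote host and localhost), and assumes exact-path <Directory> matching and that only "localhost" and "127.0.0.1" denote the local client; both are simplifications of the real server. It also evaluates a third, deliberately misordered variant ("order allow,deny") to show why the order line in the fix matters.

```python
import re

# Constructed sample configurations (not taken from the Debian package): the
# slink srm.conf Alias that exposes /usr/doc, once alone and once with the
# <Directory> restriction suggested in Debian bug #34099.
EXPOSED_CONF = """
Alias /doc/ /usr/doc/
Alias /icons/ /usr/share/apache/icons/
"""

RESTRICTED_CONF = """
Alias /doc/ /usr/doc/
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
"""

# Same fix with the order reversed: under "order allow,deny" the deny-from-all
# wins, so nobody (not even localhost) can reach /doc/, which would break the
# Debian packages that depend on /doc being served locally.
MISORDERED_CONF = RESTRICTED_CONF.replace("order deny,allow", "order allow,deny")


def _lines(conf):
    """Yield non-empty configuration lines with comments stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_aliases(conf):
    """Map URL prefix -> filesystem path for every Alias directive."""
    aliases = {}
    for line in _lines(conf):
        m = re.match(r"(?i)alias\s+(\S+)\s+(\S+)", line)
        if m:
            aliases[m.group(1)] = m.group(2)
    return aliases


def parse_directories(conf):
    """Map filesystem path -> lowercased directives found inside its <Directory> block."""
    blocks, current, path = {}, None, None
    for line in _lines(conf):
        m = re.match(r"(?i)<directory\s+(\S+?)\s*>", line)
        if m:
            path, current = m.group(1).rstrip("/"), []
            continue
        if re.match(r"(?i)</directory>", line):
            blocks[path] = current
            current = None
            continue
        if current is not None:
            current.append(line.lower())
    return blocks


def _matches(hosts, client):
    """Does an allow/deny host list match the client ('localhost' or 'remote')?"""
    for h in hosts:
        if h == "all" or (client == "localhost" and h in ("localhost", "127.0.0.1")):
            return True
    return False


def client_allowed(directives, client):
    """Evaluate Apache 1.3 order/allow/deny semantics for one client."""
    order = "deny,allow"  # Apache's default when no order line is present
    allow_hit = deny_hit = False
    for d in directives:
        parts = d.split()
        if parts[0] == "order" and len(parts) > 1:
            order = parts[1]
        elif parts[0] == "allow" and parts[1:2] == ["from"]:
            allow_hit = allow_hit or _matches(parts[2:], client)
        elif parts[0] == "deny" and parts[1:2] == ["from"]:
            deny_hit = deny_hit or _matches(parts[2:], client)
    if order == "deny,allow":
        return allow_hit or not deny_hit    # allow overrides deny; default is allow
    if order == "allow,deny":
        return allow_hit and not deny_hit   # deny overrides allow; default is deny
    return allow_hit and not deny_hit       # mutual-failure


def audit_aliases(conf, sensitive_prefix="/usr/doc"):
    """For every Alias pointing at or under sensitive_prefix, report who can reach it."""
    dirs = parse_directories(conf)
    report = {}
    for url, fs_path in parse_aliases(conf).items():
        target = fs_path.rstrip("/")
        if target != sensitive_prefix and not target.startswith(sensitive_prefix + "/"):
            continue
        # No matching <Directory> block means Apache's default: open to everyone.
        directives = dirs.get(target, [])
        report[url] = {
            "remote": client_allowed(directives, "remote"),
            "localhost": client_allowed(directives, "localhost"),
        }
    return report


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("restricted", RESTRICTED_CONF),
                       ("misordered", MISORDERED_CONF)):
        print(name, audit_aliases(conf))
```

Running the script reports the unrestricted slink default as reachable by remote clients, the suggested fix as reachable from localhost only, and the misordered variant as reachable by nobody. As the post notes, "localhost only" is still only as strong as the host itself: a web proxy listening on the same machine would appear to Apache as a local client.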