Issue with Debian’s default installation of Apache

Andrei D. Caraman
posted to BUGTRAQ:

This pertains to the Apache configuration as shipped with Debian
2.1 (codename slink).

The default setup of Apache (apache_1.3.3-7.deb) makes the
/usr/doc directory available to anyone as http://some.host/doc/.
The relevant line is in the srm.conf file:

Alias /doc/ /usr/doc/

That would allow any user from the net (malicious or not) to
know the exact version of the software packages installed on a
Debian box. It looks more of a privacy issue then a security one.
However, if a security vulnerability affecting any of those packes
is found, attackers may already know which targets to hit (and
maybe the ones to be avoided).

At first I thought that alias should be disabled, but upon
further reading the lines below (`The above line is for Debian
webstandard 3.0, which specifies that /doc refers to /usr/doc. Some
packages may not work otherwise.’) I’d say that access to that
location should be only allowed from localhost (note that a web
proxy on the same machine might render that limitation useless).
The site administrator could easily change that if he/she so

Johnie Ingram (the Apache maintainer for Debian) has been
notified, and replied that this was already formally reported on
the Bug Tracking System by another Debian user (details available


including this suggested fix:

    <Directory /usr/doc>
    AllowOverride None
    order deny,allow
    deny from all
    allow from localhost

Johnie said he intended to change the old default it in the
following release.

On March 26 he also stated that a new apache deb package was to
be uploaded on the following day, so I suppose it has already made
it’s way to the Debian mirrors.


This is not a serious bug, since the Debian is the safest Linux
distribution. That’s why I’m using it.


I haven’t bothered to check other distributions…


Andrei D. Caraman           phone: +40 (1) 2050 637
Network Engineer              fax: +40 (1) 2050 655
Mediasat SA          office hours: 10:00 - 18:00 GMT

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis