SuSE Installed Package Disclosure Vulnerability
BID:1707
Info
SuSE Installed Package Disclosure Vulnerability
| Bugtraq ID: | 1707 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 21 2000 12:00AM |
| Updated: | Sep 21 2000 12:00AM |
| Credit: | This vulnerability was reported to bugtraq by zab0ra aka t0maszek <[email protected]> on September 21, 2000. Karl Papendick <[email protected]> contacted SecurityFocus.com and verified that 6.3 was vulnerable on September 25, 2000. |
| Vulnerable: |
SuSE Linux 6.4 SuSE Linux 6.3 |
| Not Vulnerable: | |
Discussion
SuSE Installed Package Disclosure Vulnerability
By submitting a specific url to the web server ("http://hosts.any/doc/packages/") , any user from any host may obtain a list of packages installed on a S.u.S.E 6.3 or 6.4 system. This problem is due to a configuration in the Apache httpd.conf supplied with S.u.S.E that permits anyone to request documents from this webroot subdirectory. The end result is that attackers will know what packages the victim has installed, which can assist in executing more complicated attacks.
By submitting a specific url to the web server ("http://hosts.any/doc/packages/") , any user from any host may obtain a list of packages installed on a S.u.S.E 6.3 or 6.4 system. This problem is due to a configuration in the Apache httpd.conf supplied with S.u.S.E that permits anyone to request documents from this webroot subdirectory. The end result is that attackers will know what packages the victim has installed, which can assist in executing more complicated attacks.
Exploit / POC
SuSE Installed Package Disclosure Vulnerability
Request "http://target/doc/packages/" with a web browser.
Request "http://target/doc/packages/" with a web browser.
Solution / Fix
SuSE Installed Package Disclosure Vulnerability
Solution:
The configuration file for apache (/etc/httpd/httpd.conf), line 801, reads:
----------------------------------------------------------------------------------------------------------
<Directory /usr/doc>
Options FollowSymLinks Indexes +Includes
AllowOverride None
</Directory>
----------------------------------------------------------------------------------------------------------
Rewrite this to:
----------------------------------------------------------------------------------------------------------
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks +Includes
AllowOverride None
</Directory>
----------------------------------------------------------------------------------------------------------
Solution:
The configuration file for apache (/etc/httpd/httpd.conf), line 801, reads:
----------------------------------------------------------------------------------------------------------
<Directory /usr/doc>
Options FollowSymLinks Indexes +Includes
AllowOverride None
</Directory>
----------------------------------------------------------------------------------------------------------
Rewrite this to:
----------------------------------------------------------------------------------------------------------
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks +Includes
AllowOverride None
</Directory>
----------------------------------------------------------------------------------------------------------
References
SuSE Installed Package Disclosure Vulnerability
References:
References: