Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: httpd.conf in Suse 6.4
From: "Martin S. Hasemann" <ozone () ISOC NET>
Date: Fri, 22 Sep 2000 15:20:19 -0400

 A probable better idea, and one I've seen from RedHat distributions (6.2 is
the one I just looked at) is:

Alias /doc/ /usr/doc/
<Location /doc>
  order deny,allow
  deny from all
  allow from localhost
  Options Indexes FollowSymLinks
</Location>

 Unless you want your domain users to have access to these areas, then
include the addresses you want to have access. As for a 'packages'
directory/alias itself, I'd rem that unless there is a need to have those
displayed, in which case .htaccess works.

Martin S. Hasemann
Systems Administrator
http://www.wispinc.com
http://www.infogalaxy.com

----- Original Message -----
From: "zab0ra aka t0maszek" <zabora () SZERMIERZ UNI WROC PL>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, September 21, 2000 5:24 AM
Subject: httpd.conf in Suse 6.4


hy...

in SuSe 6.4 (maybe another) any user from any host can get info about
packages installed on SuSe systems.
httpd.conf file have entry "Alias /doc/  /usr/doc/" (and others)

in www browser you cat set http://hosts.any/doc/packages/ and you get list
of installed packages

Solusion:
in httpd.conf

<Directory /usr/doc/packages>
order deny,allow
allow from your.ip.or.domain
deny from all
</Directory>


zab0ra aka t0maszek
-------------------



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]