link in default index.html should be HTTPS

Bug #2045055 reported by Chris Murray
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Debian) | New | Unknown | | |
| apache2 (Ubuntu) | New | Wishlist | Unassigned | |

Bug Description

Hi folks,

When running the Hardenize (https://www.hardenize.com) tool against my web server, it picked up that the default Apache2 web page (located at /var/www/html/index.html) has an insecure link. Upon further investigation, it's the "Document Roots" section, where it says "By default, Ubuntu does not allow access through the web browser to any file outside of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications)."; public_html is a link to the Apache docs page for mod_userdir (https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served as an http:// link. IMO this should be updated to be https.

To reproduce

* Start with a base install of Ubuntu Server
* run the following commands:
    sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s)://<your server IP or hostname>/index.html
* hover over the link on public_html & observe it begins with http://

All the best,

Chris 8-)

Changed in apache2 (Debian):
status: Unknown → New
Paride Legovini (paride) wrote:

Hello and thanks for this bug report. There is indeed a plain http link in the default index.html:

  <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>

I doubt this is going to be an issue in any practical way, so I don't think we're going to deviate from Debian in order to fix this in Ubuntu: the extra maintenance effort is not justified. The right place to fix this is in the Debian packaging, and I see you already filed a Debian bug.

If you feel so inclined, you could submit a MR on salsa (the Debian GitLab) that updates these links:

https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L329

https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L350

Eventually Ubuntu will pick up the fix.

Changed in apache2 (Ubuntu):
importance: Undecided → Wishlist
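
An added example, not part of the bug report or the apache2 packaging: a Python check that lists http:// URLs in an HTML file such as /var/www/html/index.html and separates links that are only followed on click from subresources the browser fetches while rendering over HTTPS. The tag lists are an illustrative subset, and every sample line other than the public_html anchor is constructed.

```python
from html.parser import HTMLParser

# Illustrative subset: attributes the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                     ("audio", "src"), ("video", "src"), ("source", "src"),
                     ("embed", "src"), ("object", "data")}
# Attributes that are only followed when the user clicks or submits.
NAVIGATION_ATTRS = {("a", "href"), ("area", "href"), ("form", "action")}


class InsecureURLFinder(HTMLParser):
    """Collect (line, kind, tag, url) for every http:// URL in the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.strip().lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                kind = "subresource"
            elif (tag, name) in NAVIGATION_ATTRS:
                kind = "navigation"
            else:
                continue
            # getpos() reports the line on which the current tag starts.
            self.findings.append((self.getpos()[0], kind, tag, value.strip()))


def find_insecure_urls(html_text):
    finder = InsecureURLFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample; only the first anchor is quoted from the bug report.
SAMPLE = """<html><body>
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
<a href="https://example.org/secure">fine</a>
<img src="http://example.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line, kind, tag, url in find_insecure_urls(text):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Run it with the path to the installed index.html as the only argument; with no argument it scans the constructed sample.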