lighttpd makes /usr/share/doc visible to everyone

Bug #406957 reported by Chris Siebenmann
Affects: lighttpd (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: lighttpd

Ubuntu release: hardy (8.04)
Version: 1.4.19-0ubuntu3.1

The normal Ubuntu lighttpd configuration file exposes /usr/share/doc to
everyone who can talk to your web server, as the /doc/ URL, not just
people on the same machine.

The lighttpd configuration file claims:

  #### handle Debian Policy Manual, Section 11.5. urls
  #### and by default allow them only from localhost

and then sets up aliases for /usr/share/doc and
/usr/share/images. However, contrary to the comment
in the file, it does not restrict them to requests from
localhost, as you can easily verify, because it puts
the 'alias.url +=' directive inside a 'global' section.
Removing the 'global { ... }' around the alias directive
fixes the problem; /doc/ and /images/ remain accessible
from localhost but stop being accessible from the outside
world.

(I don't know if this should be considered a security bug,
so I'm opting to not mark it as such.)

Daniel Hahler (blueyed) wrote :

I cannot confirm this; /etc/lighttpd/lighttpd.conf should look as follows (tested with 1.4.19-0ubuntu3.1 in Hardy):

#### handle Debian Policy Manual, Section 11.5. urls
### by default allow them only from localhost
### (This must come last due to #445459)
$HTTP["remoteip"] == "127.0.0.1" {
        alias.url += (
                "/doc/" => "/usr/share/doc/",
                "/images/" => "/usr/share/images/"
        )
        $HTTP["url"] =~ "^/doc/|^/images/" {
                dir-listing.activate = "enable"
        }
}

Changed in lighttpd (Ubuntu):
status: New → Incomplete
Chris Siebenmann (cks) wrote :

Whoops, I effectively got the version number and Ubuntu release
wrong, because I missed that we are still using a Dapper-derived
lighttpd.conf on our Hardy machines. (My apologies for the
confusion; I should have checked to be sure.)

The dapper lighttpd.conf says:

$HTTP["host"] == "localhost" {
        global {
                alias.url += (
                        "/doc/" => "/usr/share/doc/",
                        "/images/" => "/usr/share/images/"
                )
        }
        dir-listing.activate = "enable"
}

This is from the current lighttpd_1.4.11-3ubuntu3.8_i386.deb
package for dapper (6.06 LTS).

Arguably this is still not a bug because the config file also
binds lighttpd only to localhost. But it doesn't match the
comment, and it's dangerous if you change that to
let lighttpd talk to the world without knowing that you need
to change other things in the configuration.

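The report and the follow-up comment describe the same pitfall from two angles: an alias that looks guarded by a `$HTTP[...]` conditional but is lifted out of it by a nested `global { }` block. The following lint is an added example (not code from the Launchpad report or from the lighttpd package) that walks a lighttpd.conf with simple brace tracking and flags /doc/ and /images/ aliases that end up unconditional; it assumes at most one `{` or `}` per line, which holds for the configs quoted above.

```python
# Added example (not from the Launchpad report or the lighttpd package):
# lint a lighttpd.conf for /doc/ and /images/ aliases that end up global,
# either because they sit outside every conditional or because a nested
# "global { }" block lifts them out of the enclosing conditional.
# Assumption: at most one "{" or "}" per line, as in the configs quoted.
import re

COND_RE = re.compile(r'^\s*\$(HTTP|SERVER)\[".*?"\]\s*(==|!=|=~|!~)')
GLOBAL_RE = re.compile(r'^\s*global\s*\{')
DOC_ALIAS_RE = re.compile(r'"/(doc|images)/"\s*=>\s*"/usr/share/')


def find_exposed_doc_aliases(conf_text):
    """Return (line_no, text) for alias entries not guarded by a conditional."""
    stack = []      # one entry per open block: "cond", "global" or "other"
    exposed = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        code = line.split('#', 1)[0]        # ignore comments
        if DOC_ALIAS_RE.search(code):
            # Guarded only if the nearest enclosing block is a conditional;
            # a "global" block in between makes the directive unconditional.
            inner = next((k for k in reversed(stack) if k != "other"), None)
            if inner != "cond":
                exposed.append((no, code.strip()))
        if '{' in code:
            if GLOBAL_RE.match(code):
                stack.append("global")
            elif COND_RE.match(code):
                stack.append("cond")
            else:
                stack.append("other")
        elif '}' in code and stack:
            stack.pop()
    return exposed


# The Dapper configuration quoted in the report: the alias looks guarded by
# the host conditional, but "global { }" makes it apply to every request.
DAPPER_CONF = """\
$HTTP["host"] == "localhost" {
    global {
        alias.url += (
            "/doc/" => "/usr/share/doc/",
            "/images/" => "/usr/share/images/"
        )
    }
    dir-listing.activate = "enable"
}
"""
```

Running `find_exposed_doc_aliases(DAPPER_CONF)` flags both alias lines, while the Hardy config above (conditional with no `global` block) yields an empty list.
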
Daniel Hahler (blueyed) wrote :

Thank you for reporting back.
I'm marking this as fixed.
If you want to get the fix into older releases, e.g. Dapper, this requires a StableReleaseUpdate (http://wiki.ubuntu.com/SRU).

Changed in lighttpd (Ubuntu):
status: Incomplete → Fix Released
importance: Undecided → Low