lighttpd makes /usr/share/doc visible to everyone
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lighttpd (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Binary package hint: lighttpd
Ubuntu release: hardy (8.04)
Version: 1.4.19-0ubuntu3.1
The normal Ubuntu lighttpd configuration file exposes /usr/share/doc to everyone who can talk to your web server, as the /doc/ URL, not just people on the same machine.
The lighttpd configuration file claims:
#### handle Debian Policy Manual, Section 11.5. urls
#### and by default allow them only from localhost
and then sets up aliases for /usr/share/doc and
/usr/share/images. However, contrary to the comment
in the file, it does not restrict them to requests from
localhost, as you can easily verify, because it puts
the 'alias.url +=' directive inside a 'global' section.
Removing the 'global { ... }' around the alias directive
fixes the problem; /doc/ and /images/ remain accessible
from localhost but stop being accessible from the outside
world.
(I don't know if this should be considered a security bug,
so I'm opting to not mark it as such.)
I cannot confirm this; /etc/lighttpd/lighttpd.conf should look as follows (tested it with 1.4.19-0ubuntu3.1 in Hardy):
    #### handle Debian Policy Manual, Section 11.5. urls
    $HTTP["url"] =~ "^/doc/|^/images/" {
      dir-listing.activate = "enable"
      ### by default allow them only from localhost
      ### (This must come last due to #445459)
      $HTTP["remoteip"] == "127.0.0.1" {
        alias.url += (
          "/doc/"    => "/usr/share/doc/",
          "/images/" => "/usr/share/images/"
        )
      }
    }
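The two shapes of this block side by side, as an added illustration rather than text from the bug report or a verbatim copy of the shipped Ubuntu file (the broken form is reconstructed from the reporter's description): in lighttpd a `global { }` block placed inside a conditional applies its settings to the global scope, which is exactly why the aliases escaped the remoteip check.

```conf
# BROKEN (reconstructed, not the exact shipped file): the global { } wrapper
# lifts alias.url out of both enclosing conditionals, so /doc/ and /images/
# are aliased for every client address, not only 127.0.0.1.
$HTTP["url"] =~ "^/doc/|^/images/" {
  dir-listing.activate = "enable"
  $HTTP["remoteip"] == "127.0.0.1" {
    global {
      alias.url += (
        "/doc/"    => "/usr/share/doc/",
        "/images/" => "/usr/share/images/"
      )
    }
  }
}

# FIXED: no global { } wrapper, so the alias exists only for requests that
# match both the URL prefix and the loopback source address. Requests from
# other addresses fall through to the document root, where /doc/ and
# /images/ do not exist unless you put them there.
$HTTP["url"] =~ "^/doc/|^/images/" {
  dir-listing.activate = "enable"
  $HTTP["remoteip"] == "127.0.0.1" {
    alias.url += (
      "/doc/"    => "/usr/share/doc/",
      "/images/" => "/usr/share/images/"
    )
  }
}
```

After reloading, a request for /doc/ from localhost should still return a directory listing while the same request from any other host should no longer be served from /usr/share/doc/.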