Default /usr/share/doc serving should be removed (CVE-2012-0216)

Bug #1026797 reported by Steve Atwell on 2012-07-19
Affects: apache2 (Ubuntu)

Bug Description

CVE-2012-0216 reports an issue with the default Apache config serving a copy of /usr/share/doc:

"Niels Heinen noticed a security issue with the default Apache configuration on Debian if certain scripting modules like mod_php or mod_rivet are installed. The problem arises because the directory /usr/share/doc, which is mapped to the URL /doc, may contain example scripts that can be executed by requests to this URL. Although access to the URL /doc is restricted to connections from localhost, this still creates security issues in two specific configurations:

  * if some front-end server on the same host forwards connections to an apache2 backend server on the localhost address, or
  * if the machine running apache2 is also used for web browsing."

Debian recently removed this from the default config. See

Ubuntu Lucid and Precise still have this default config and should be fixed.
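The configuration the advisory describes, as an added illustration that is not part of the bug report or of the Ubuntu package: the stock `/doc` alias with its localhost restriction, followed by what to do about it. The directive text is a reconstruction of the Debian default of that era and the file path (`sites-available/default`) is an assumption.

```apache
# --- Weak: the stock /doc alias (assumed location: sites-available/default) ---
# Maps http://host/doc/ onto /usr/share/doc. Example scripts shipped in any
# package's documentation become reachable, and when mod_php or mod_rivet is
# loaded they are executed by the handler instead of being served as text.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    # The check is on the TCP peer address only. A front-end proxy on the same
    # host connects from 127.0.0.1, so every proxied client satisfies it, and a
    # browser run on the server itself satisfies it as well.
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# --- Fix: delete the block above, which is what Debian did. ---
# If /doc must stay for local reference, at least make sure nothing under it
# can reach a script handler (Apache 2.2 syntax; 2.4 uses "Require local" in
# place of Order/Deny/Allow, which changes nothing about the proxy problem).
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    # Deliver PHP sources as plain files and switch the engine off for this
    # tree; apply the same treatment to the extensions mod_rivet handles.
    RemoveHandler .php .phtml
    RemoveType .php .phtml
    php_admin_flag engine off
</Directory>
```

Checking from the proxy host which of the two is in effect is as simple as requesting /doc/ through the front end: a directory listing means the alias is still live.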

CVE References

Tyler Hicks (tyhicks) wrote:

This CVE is being tracked in the Ubuntu CVE tracker:

Changed in apache2 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
visibility: private → public