Default /usr/share/doc serving should be removed (CVE-2012-0216)

Bug #1026797 reported by Steve Atwell
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Triaged
Low
Unassigned

Bug Description

CVE-2012-0216 reports an issue with the default Apache config serving a copy of /usr/share/doc:

"Niels Heinen noticed a security issue with the default Apache configuration on Debian if certain scripting modules like mod_php or mod_rivet are installed. The problem arises because the directory /usr/share/doc, which is mapped to the URL /doc, may contain example scripts that can be executed by requests to this URL. Although access to the URL /doc is restricted to connections from localhost, this still creates security issues in two specific configurations:

  * if some front-end server on the same host forwards connections to an apache2 backend server on the localhost address, or
  * if the machine running apache2 is also used for web browsing."

Debian recently removed this from the default config. See http://www.debian.org/security/2012/dsa-2452.

Ubuntu Lucid and Precise still have this default config and should be fixed.

CVE References

Revision history for this message
Tyler Hicks (tyhicks) wrote :

This CVE is being tracked in the Ubuntu CVE tracker:

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-0216

Changed in apache2 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.