Default /usr/share/doc serving should be removed (CVE-2012-0216)

Bug #1026797 reported by Steve Atwell on 2012-07-19
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Low
Unassigned

Bug Description

CVE-2012-0216 reports an issue with the default Apache config serving a copy of /usr/share/doc:

"Niels Heinen noticed a security issue with the default Apache configuration on Debian if certain scripting modules like mod_php or mod_rivet are installed. The problem arises because the directory /usr/share/doc, which is mapped to the URL /doc, may contain example scripts that can be executed by requests to this URL. Although access to the URL /doc is restricted to connections from localhost, this still creates security issues in two specific configurations:

  * if some front-end server on the same host forwards connections to an apache2 backend server on the localhost address, or
  * if the machine running apache2 is also used for web browsing."

Debian recently removed this from the default config. See http://www.debian.org/security/2012/dsa-2452.

Ubuntu Lucid and Precise still have this default config and should be fixed.

CVE References

Tyler Hicks (tyhicks) wrote :

This CVE is being tracked in the Ubuntu CVE tracker:

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-0216

Changed in apache2 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers