link in default index.html should be HTTPS

Bug #2045055 reported by Chris Murray
Affects           Status        Importance  Assigned to        Milestone
apache2 (Debian)  New           Unknown
apache2 (Ubuntu)  Fix Released  Low         Bryce Harrington

Bug Description

Hi folks,

When running the Hardenize (https://www.hardenize.com) tool against my web server, it picked up that the default Apache2 web page (located at /var/www/html/index.html) has an insecure link. Upon further investigation, it's the "Document Roots" section, where it says "By default, Ubuntu does not allow access through the web browser to any file outside of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications)."; public_html is a link to the apache docs page for mod_userdir (https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served as a http:// link. IMO this should be updated to be https.

To reproduce

* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s)://<your server IP or hostname>/index.html
* hover over the link on public_html & observe it begins with http://

All the best,

Chris 8-)

Changed in apache2 (Debian):
status: Unknown → New
Paride Legovini (paride) wrote (last edit):

Hello and thanks for this bug report. There is indeed a plain http link in the default index.html:

  <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>

I doubt this is going to be an issue in any practical way, so I don't think we're going to deviate from Debian in order to fix this in Ubuntu: the extra maintenance effort is not justified. The right place to fix this is in the Debian packaging, and I see you already filed a Debian bug.

If you feel so inclined, you could submit a MR on salsa (the Debian GitLab) that updates these links:

https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L329

https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L350

Eventually Ubuntu will pick up the fix.

Changed in apache2 (Ubuntu):
importance: Undecided → Wishlist
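The check the reporter did by hand (hovering over the link) and Hardenize does automatically, as an added Python example that is not part of this bug report or of the apache2 package: it parses an HTML document and reports every link or resource reference whose scheme is plain http. The sample fragment is constructed from the snippet quoted above; the tag/attribute table is an assumption about which references matter.

```python
"""Report plain-http links in an HTML document (added example, not from the bug)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of attributes whose value a browser or user will follow.
URL_ATTRS = {"a": "href", "link": "href", "script": "src",
             "img": "src", "iframe": "src", "form": "action"}


class InsecureLinkFinder(HTMLParser):
    """Collects (line, tag, url) for every URL-bearing attribute using http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Relative URLs have an empty scheme and are not flagged.
            if name == attr and value and urlsplit(value).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], tag, value))


def find_insecure_links(html):
    """Return a list of (line number, tag, url) for plain-http references."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed fragment modelled on the "Document Roots" paragraph of the
# default page, with the unfixed link; not the real file.
SAMPLE_BEFORE = """<html><body>
<p>... located in /var/www,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
directories (when enabled) and /usr/share ...</p>
<a href="/manual">manual</a>
<img src="/icons/ubuntu-logo.png">
</body></html>"""

# The same fragment after the fix from the changelog (https scheme).
SAMPLE_AFTER = SAMPLE_BEFORE.replace('href="http://httpd', 'href="https://httpd')

if __name__ == "__main__":
    for line, tag, url in find_insecure_links(SAMPLE_BEFORE):
        print(f"line {line}: <{tag}> uses plain http: {url}")
```

Run it against a page fetched from your own server (for example the output of curl on /index.html) to get the same finding Hardenize reported.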
Bryce Harrington (bryce) wrote:

We already maintain index.html due to branding, and fixing the https link adds little to that. I agree this should go to Debian since the same issue affects them as well, but meanwhile it makes sense to me to fix in Ubuntu.

Changed in apache2 (Ubuntu):
importance: Wishlist → Low
assignee: nobody → Bryce Harrington (bryce)
Chris Murray (chris18890) wrote:

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apache2 - 2.4.59-2ubuntu2

---------------
apache2 (2.4.59-2ubuntu2) oracular; urgency=medium

  * d/index.html, d/apache2.postrm: Fix https link to apache documentation.
    (LP: #2045055)

apache2 (2.4.59-2ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064378). Remaining changes:
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm,
      d/source/include-binaries, d/t/check-ubuntu-branding: Replace
      Debian with Ubuntu on default homepage.
      (LP #1966004, LP #1947459)
    - d/apache2.py, d/apache2-bin.install: Add apport hook
      (LP #609177)
    - d/control, d/apache2.install, d/apache2-utils.ufw.profile,
      d/apache2.dirs: Add ufw profiles
      (LP #261198)
    - d/control: Upgrade lua build dependency to 5.4
      (LP #1910372)
    - d/c/m/setenvif.conf, d/p/fix-dolphin-to-delete-webdav-dirs.patch: Add
      dolphin and Konqueror/5 careful redirection so that directories can be
      deleted via webdav.
      (LP #1927742)
    - d/debhelper/apache2-maintscript-helper: Allow execution when called from a
      postinst script through a trigger (i.e., postinst triggered).
      Thanks to Roel van Meer. (Closes: #1060450)
      (LP #2038912)
  * Dropped:
    - d/p/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
      [Included in 2.4.59]
    - HTTP Response Splitting in multiple modules
      + d/p/CVE-2024-24795.patch: let httpd handle CL/TE for
        non-http handlers in include/util_script.h,
        modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
        modules/generators/mod_cgid.c, modules/http/http_filters.c,
        modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
        modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
      [Included in 2.4.59]
    - HTTP/2 DoS by memory exhaustion on endless continuation frames
      + d/p/CVE-2024-27316.patch: bail after too many failed reads
        in modules/http2/h2_session.c, modules/http2/h2_stream.c,
        modules/http2/h2_stream.h.
      [Included in 2.4.59]

apache2 (2.4.59-2) unstable; urgency=medium

  * Breaks against fossil due to CVE-2024-24795 follows up

apache2 (2.4.59-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove old transitional packages libapache2-mod-md and
    libapache2-mod-proxy-uwsgi. Closes: #1032628

  [ Yadd ]
  * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
  * Refresh patches
  * New upstream version 2.4.59
    (Closes: #1068412 CVE-2024-27316 CVE-2024-24795 CVE-2023-38709)
  * Refresh patches
  * Update patches
  * Update test framework

 -- Bryce Harrington <email address hidden> Mon, 10 Jun 2024 23:04:49 +0000

Changed in apache2 (Ubuntu):
status: New → Fix Released