Ubuntu

bozohttpd show index of /homt/user if there is no public_html there

Reported by Claudio Clemens on 2010-05-18
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bozohttpd (Ubuntu)
High
Unassigned

Bug Description

Binary package hint: bozohttpd

Description: Ubuntu 10.04 LTS
Release: 10.04
bozohttpd:
  Installiert: 20090522-2
  Kandidat: 20090522-2
  Versions-Tabelle:
 *** 20090522-2 0
        500 http://de.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

Bozohttpd is started from inetd with a configuration line in /etc/inetd.conf like this:
www stream tcp nowait root /usr/sbin/tcpd /usr/sbin/bozohttpd /var/www -X -H -S foobar -c /usr/lib/cgi-bin -U www-data -u

There is a ~user1/public_html and there are other users on the system but without a public_html

1) Go to "http://localhost/~user1/"
    I get the index.html from user1/public_html as expected
2) Go to "http://localhost/~user2/" (who don't have a public_html dir)
   I get a
"403 Forbidden
/~user2/:

Access to this item has been denied", as expected
3) Go to "http://localhost/~user2/" again (reload the page)
  I don't get the error above, but just the directory index of ~user2 (/home/user2).

If I reload the page I get the result of 2) and 3) swapping around. 3) Shouldn't happen, as there is no public_html there. And anyone can:
a) Probe for user names in the system (dir is there or not)
b) Look at least the name of the files of some user.

This bug, doesn't seem to be fixed (or even known) in the last upstream version (20100512)

Changed in bozohttpd (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Email sent to upstream and vendor-sec with requested CRD of 2010-06-16.

Jamie Strandboge (jdstrand) wrote :

This is now public. Upstream has a fix that will be available shortly.

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

visibility: private → public
Changed in bozohttpd (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Claudio Clemens (asturioweb) wrote :

Hi,

can you describe in 3 lines, how I can to a debdiff?

Thanks,

Andreas Moog (amoog) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu - Natty Narwhal.

This is a significant bug in Ubuntu. If you need a fix for the bug in previous versions of Ubuntu, please do steps 1 and 2 of the SRU Procedure [1] to bring the need to a developer's attention.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Changed in bozohttpd (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers