bozohttpd shows index of /home/user if there is no public_html there
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bozohttpd (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Binary package hint: bozohttpd
Description: Ubuntu 10.04 LTS
Release: 10.04
bozohttpd:
Installiert: 20090522-2
Kandidat: 20090522-2
Versions-Tabelle:
*** 20090522-2 0
500 http://
100 /var/lib/
Bozohttpd is started from inetd with a configuration line in /etc/inetd.conf like this:
www stream tcp nowait root /usr/sbin/tcpd /usr/sbin/bozohttpd /var/www -X -H -S foobar -c /usr/lib/cgi-bin -U www-data -u
There is a ~user1/public_html and there are other users on the system but without a public_html.
1) Go to "http://
I get the index.html from user1/public_html as expected
2) Go to "http://
I get a
"403 Forbidden
/~user2/:
Access to this item has been denied", as expected
3) Go to "http://
I don't get the error above, but just the directory index of ~user2 (/home/user2).
If I reload the page I get the result of 2) and 3) swapping around. 3) Shouldn't happen, as there is no public_html there. And anyone can:
a) Probe for user names in the system (dir is there or not)
b) Look at least at the names of the files of some user.
This bug doesn't seem to be fixed (or even known) in the last upstream version (20100512).
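An added exposure check, not part of the original report and not bozohttpd code: it lists the accounts whose home directory has no public_html but is readable by the server user, which are the homes whose file names item b) would reveal. The names `Account`, `perm_class_bits` and `exposed_homes` are hypothetical, and the server user is assumed to be www-data, as in the `-U www-data` option of the inetd line above.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for a passwd entry (same field names as pwd.struct_passwd).
Account = namedtuple("Account", "pw_name pw_dir")

PUBLIC_DIR = "public_html"  # the per-user web directory named in the report


def perm_class_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to a process with this uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7   # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7   # group class
    return st.st_mode & 7              # other class


def exposed_homes(accounts, server_uid, server_gids):
    """Accounts whose home lacks public_html yet is readable by the server user."""
    findings = []
    for acct in accounts:
        try:
            st = os.stat(acct.pw_dir)
        except OSError:
            continue  # no home directory on disk: nothing to list
        if not stat.S_ISDIR(st.st_mode):
            continue
        if os.path.isdir(os.path.join(acct.pw_dir, PUBLIC_DIR)):
            continue  # ~user/ is served from public_html, as intended
        # Read bit on a directory lets the process enumerate entry names.
        if perm_class_bits(st, server_uid, server_gids) & 4:
            findings.append(acct.pw_name)
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    www = pwd.getpwnam("www-data")  # assumption: server user from -U www-data
    gids = {www.pw_gid} | {g.gr_gid for g in grp.getgrall()
                           if www.pw_name in g.gr_mem}
    for name in exposed_homes(pwd.getpwall(), www.pw_uid, gids):
        print(f"{name}: home readable by www-data, no {PUBLIC_DIR}")
```

Run it as a user able to stat every home directory; system accounts with world-readable home directories are reported as well.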
Changed in bozohttpd (Ubuntu):
status: New → Confirmed
Thank you for using Ubuntu and reporting a bug. Email sent to upstream and vendor-sec with requested CRD of 2010-06-16.