OSVDB ID: 637

Title: Apache HTTP Server UserDir Directive Username Enumeration

Dates

Disclosure: Jul 07, 2000
Discovery: Unknown
Exploit: Jul 07, 2000
Solution: Unknown

Description

Apache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home directory. By monitoring the web server response, an attacker is able to enumerate valid user names, resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

  • Workaround 1: Disable the default-enabled UserDir directive in httpd.conf: UserDir Disabled
  • Workaround 2: Set generic error pages for 403/404 messages in httpd.conf.
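A small configuration audit for the two workarounds above, added here as an example and not part of the OSVDB entry or of Apache itself. It assumes a single httpd.conf passed in as text (no Include or VirtualHost handling); the function name and both sample configurations are constructed for illustration.

```python
# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """\
# UserDir left pointing at a per-user directory
UserDir public_html
ErrorDocument 404 /missing.html
"""

HARDENED_CONF = """\
UserDir disabled
ErrorDocument 403 /error.html
ErrorDocument 404 /error.html
"""


def audit_userdir(conf_text):
    """Return findings for the two workarounds; an empty list means both are in place."""
    userdir_args, error_docs = [], {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()  # Apache directive names are case-insensitive
        if name == "userdir" and len(parts) > 1:
            userdir_args.append(" ".join(parts[1:]).lower())
        elif name == "errordocument" and len(parts) == 3:
            error_docs[parts[1]] = parts[2]

    findings = []
    # Workaround 1: only a bare "UserDir disabled" turns the feature off for all
    # users; "UserDir disabled root" or a directory pattern leaves it reachable.
    if not userdir_args:
        findings.append("UserDir not set explicitly (the advisory treats it as enabled by default)")
    elif any(arg not in ("disabled", "disable") for arg in userdir_args):
        findings.append("UserDir is not globally disabled: " + "; ".join(userdir_args))
    # Workaround 2: a custom error page should be defined for both 403 and 404.
    for code in ("403", "404"):
        if code not in error_docs:
            findings.append("no ErrorDocument defined for " + code)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_userdir(conf) or "OK")
```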

Products

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Version: All

References

Credit

  • Alexander A. Kelner - aksontts.debryansk.ru
  • Josha Bronson - Angry Packet Security
  • Tobias J. Kreidl - Tobias.Kreidlnau.edu
  • Heikki Korpela - hekoiki.fi


Direct URL: http://osvdb.org/637