Apache HTTP Server UserDir Directive Username Enumeration

2000-07-07T00:00:00
ID OSVDB:637
Type osvdb
Reporter Heikki Korpela (heko@iki.fi), Tobias J. Kreidl (Tobias.Kreidl@nau.edu), Josha Bronson, Alexander A. Kelner (akson@tts.debryansk.ru)
Modified 2000-07-07T00:00:00

Description

Vulnerability Description

Apache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home directory. By monitoring the web server response, an attacker is able to enumerate valid user names, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Workaround 1: Disable the UserDir directive (enabled by default) in httpd.conf with the line: UserDir Disabled

Workaround 2: Configure generic error pages for the 403 and 404 responses in httpd.conf so that the two cases are not distinguishable by their message text.

Manual Testing Notes

Request: http://[victim]/~<username>

HTTP result code 200 - The user "root" exists and root's home page is readable, so it is displayed.

HTTP result code 403 - The error message "You don't have permission to access /~root on this server" is returned because the user exists but Apache cannot read root's home directory or its files.

HTTP result code 404 - The error message "The requested URL /~nosuchuser was not found on this server." is returned because the user "nosuchuser" does not exist on the system.
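The 403-versus-404 difference described above is also what a defender can look for in the access log. The following Python script is an added example, not part of the OSVDB entry or of Apache; it parses constructed Apache combined-format log lines and flags clients that probe several /~username paths and receive both 403 and 404 answers, listing which usernames the 403 responses disclosed as existing. Client addresses, usernames and timestamps in the sample are made up.

```python
import re
from collections import defaultdict

# Apache combined log format, reduced to the fields needed here:
# client address, request line (method + path), and status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A UserDir request starts with /~ followed by the username.
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]+)')

# Constructed sample log lines (not captured from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2000:10:00:01 +0000] "GET /~root HTTP/1.0" 403 294
203.0.113.5 - - [07/Jul/2000:10:00:02 +0000] "GET /~nosuchuser HTTP/1.0" 404 298
203.0.113.5 - - [07/Jul/2000:10:00:03 +0000] "GET /~daemon HTTP/1.0" 403 294
203.0.113.5 - - [07/Jul/2000:10:00:04 +0000] "GET /~admin HTTP/1.0" 404 298
203.0.113.5 - - [07/Jul/2000:10:00:05 +0000] "GET /~www HTTP/1.0" 403 294
198.51.100.9 - - [07/Jul/2000:10:01:00 +0000] "GET /~alice/ HTTP/1.0" 200 1024
198.51.100.9 - - [07/Jul/2000:10:01:01 +0000] "GET /~alice/photo.jpg HTTP/1.0" 200 51200
"""


def userdir_probes(log_text):
    """Return {client: {username: {status codes}}} for requests to /~user paths."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        u = USERDIR_RE.match(m.group("path"))
        if not u:
            continue  # not a UserDir request
        probes[m.group("client")][u.group("user")].add(int(m.group("status")))
    return probes


def flag_enumerators(log_text, min_users=3):
    """Clients that touched at least min_users distinct ~user paths and received
    both 403 and 404 replies. Returns {client: [usernames answered with 403]},
    i.e. the accounts the 403 responses revealed as existing."""
    flagged = {}
    for client, users in userdir_probes(log_text).items():
        statuses = set().union(*users.values())
        if len(users) >= min_users and {403, 404} <= statuses:
            flagged[client] = sorted(u for u, s in users.items() if 403 in s)
    return flagged


if __name__ == "__main__":
    for client, disclosed in flag_enumerators(SAMPLE_LOG).items():
        print(f"{client}: UserDir enumeration; accounts disclosed via 403: {disclosed}")
```

The detection keys on the status code rather than the error page body, since the code is the signal that Workaround 2 leaves in place.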

References:

Vendor URL: http://httpd.apache.org/
Other Advisory URL: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Nessus Plugin ID: 10766
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0103.html
Mail List Post: http://marc.theaimsgroup.com/?l=vuln-dev&m=96297636413302&w=2
Mail List Post: http://marc.theaimsgroup.com/?l=vuln-dev&m=96297697414539&w=2
ISS X-Force ID: 7129
Generic Exploit URL: http://packetstormsecurity.org/0407-exploits/getusr.c
CVE ID: CVE-2001-1013
Bugtraq ID: 3335