Vulnerability Note VU#913704

MandrakeSoft Mandrake Linux Apache default configuration enables directory indexing

Original Release date: 21 Nov 2001 | Last revised: 06 Dec 2002

Overview

The default installation of Apache on MandrakeSoft Mandrake Linux enables directory indexing on directories that may unnecessarily disclose information about the server.

Description

MandrakeSoft produces a Linux distribution called Mandrake Linux that includes the Apache web server. The default installation of Apache on Mandrake Linux enabes indexing at the root of the web server. Most of the directories of the web server are therefore browsable, and any new directories will inherit the index setting. The server may disclose directory structure, file names and locations, and possibly file contents.

Impact

Apache running on a Mandrake Linux system may disclose directory structure, file names and locations, and possibly the contents of files.

Solution

Install Updated Package

Install an updated Apache package when available.

Disable Indexing
Disable indexing where desired by modifying /etc/httpd/conf/httpd.conf. Note that the following example disables indexing for the entire default web site: /var/www/ and all subdirectories.

    <Directory /var/www/*>
       Options -Indexes
    </Directory>

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MandrakeSoftAffected26 Sep 200105 Dec 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks ProCheckup Ltd for reporting this vulnerability.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 20 Nov 2001
  • Date First Published: 21 Nov 2001
  • Date Last Updated: 06 Dec 2002
  • Severity Metric: 0.21
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.