McAfee Secure - Apache UserDir Sensitive Information Disclosure



joshkraemer
01-08-2009, 01:35 PM
I am going through the PCI verification process to verify that my website on Hostmonster is secure. McAfee shows that HM is secure in every way except the following. I have tried McAfee's suggested RedirectMatch fix using the .htaccess file, but it didn't do anything to fix the vulnerability.

Does anyone know anything about the vulnerability listed below and how to fix it?

-------------------------------------------------------------

The remote Apache server can be used to guess the presence of a given user name on the remote host.

An information leak occurs, due to a configuration error, on Apache-based web servers whenever the UserDir module is enabled. Requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. Installations with this default misconfiguration allow remote users to determine whether a given username exists on the remote system.

The following example is proof of concept:

http://www.example.com/~foo
1. If user 'foo' exists, the HTTP result code will be 200, and foo's homepage will load in the browser.
2. If user 'foo' exists, but access is restricted, the HTTP result code will be 403, with the following message from Apache: "You don't have permission to access /~foo on this server."
3. If 'foo' does not exist, the HTTP result code will be 404, with the following message from Apache: "The requested URL /~foo was not found on this server".

Properly exploited, this information could be used to initiate specific attacks against a given system.


General Solution
1) Disable this feature by changing 'UserDir public_html' to 'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://servername.com/sample.html
ErrorDocument 403 http://servername.com/sample.html
NOTE: You need to use a FQDN inside the URL for it to work properly.
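
Added example (not part of the original thread or the scanner report): a log check for the behaviour described above, which flags clients that request many distinct /~username paths and reports whether the server's answers still distinguish existing from missing users. It assumes Apache's combined log format; the function names, the threshold, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2009:13:40:01 -0700] "GET /~root HTTP/1.1" 403 289 "-" "-"
203.0.113.7 - - [08/Jan/2009:13:40:02 -0700] "GET /~admin HTTP/1.1" 404 275 "-" "-"
203.0.113.7 - - [08/Jan/2009:13:40:02 -0700] "GET /~josh HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [08/Jan/2009:13:40:03 -0700] "GET /%7Etest HTTP/1.1" 404 275 "-" "-"
198.51.100.20 - - [08/Jan/2009:13:41:10 -0700] "GET /~josh/ HTTP/1.1" 200 5120 "-" "-"
198.51.100.20 - - [08/Jan/2009:13:41:12 -0700] "GET /~josh/photos.html HTTP/1.1" 200 900 "-" "-"
192.0.2.55 - - [09/Jan/2009:09:00:01 -0700] "GET /~root HTTP/1.1" 404 275 "-" "-"
192.0.2.55 - - [09/Jan/2009:09:00:01 -0700] "GET /~admin HTTP/1.1" 404 275 "-" "-"
192.0.2.55 - - [09/Jan/2009:09:00:02 -0700] "GET /~josh HTTP/1.1" 404 275 "-" "-"
192.0.2.55 - - [09/Jan/2009:09:00:02 -0700] "GET /~test HTTP/1.1" 404 275 "-" "-"
"""

# Client IP, the username after "/~" (or URL-encoded "%7E"), and the status code.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) /(?:~|%7[Ee])([^/?\s"]+)[^"]*" (\d{3}) '
)

def userdir_probes(log_text, min_names=4):
    """Return {client_ip: {username: last_status}} for clients that requested
    at least `min_names` distinct /~username paths (threshold is an assumption)."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, name, status = m.group(1), m.group(2).lower(), int(m.group(3))
            seen[ip][name] = status
    return {ip: names for ip, names in seen.items() if len(names) >= min_names}

def leaks_existence(names):
    """True when one client saw both 404 and non-404 answers, i.e. the status
    code still tells an outsider which usernames exist."""
    statuses = set(names.values())
    return 404 in statuses and len(statuses) > 1

if __name__ == "__main__":
    for ip, names in userdir_probes(SAMPLE_LOG).items():
        verdict = "status codes differ" if leaks_existence(names) else "uniform 404"
        print(f"{ip}: {len(names)} usernames requested, {verdict}: {names}")
```

A client that appears with uniform 404 answers after the change is what a successful "UserDir disabled" setting looks like in the log; mixed 200/403/404 answers mean the finding is still reproducible.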

r2b2
01-08-2009, 03:16 PM
There was another thread on the topic of UserDir and I believe that it said you could contact support and have them disable UserDir for you...

Do a search on UserDir and hopefully you'll find it (I'm a bit busy now so can't search myself...)