Family: Web Servers --> Category: infos
Apache Remote Username Enumeration Vulnerability Vulnerability Scan
Vulnerability Scan Summary
Checks for the error codes returned by Apache when requesting a non-existant user name
Detailed Explanation for this Vulnerability Test
The remote Apache server can be used to guess the existence of a given
user name on the remote host.
When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with
a different error code. Therefore, a possible hacker may exploit this
vulnerability to guess the existence of a given user name on the remote
In httpd.conf, set the 'UserDir' to 'disabled'.
Low / CVSS Base Score : 2
Click HERE for more information and discussions on this network vulnerability scan.