|
Family: Web Servers --> Category: infos
Apache Remote Username Enumeration Vulnerability Vulnerability Scan
Vulnerability Scan Summary Checks for the error codes returned by Apache when requesting a non-existant user name
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote Apache server can be used to guess the existence of a given
user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with
a different error code. Therefore, a possible hacker may exploit this
vulnerability to guess the existence of a given user name on the remote
host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Threat Level:
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|