Subject: (no subject)
From: Slawek (sgpTELSATGP.COM.PL)
Date: Fri Jul 07 2000 - 05:26:24 CDT


Hi,

If user's home dir is flagged 0700 (or 750 etc. - so "world" cannot get
there) then you'd get code 403.

On multiuser boxes such flags for homedirs are rather common.

User has to set o+x if he wants to create public_html. But in that situation
we'll probably get result code 200 when trying to retrieve
http://somehost/~userinquestion/ ;)

Hopefully Apache has an option to map all 403 result codes to 404.

Bye,
Slawek

----- Original Message -----
From: "3APA3A" <3APA3ASECURITY.NNOV.RU>
To: <VULN-DEVSECURITYFOCUS.COM>
Sent: Thursday, July 06, 2000 3:14 PM
Subject: [VULN-DEV]

> Hello The Incubus,
>
> 05.07.2000 21:03, you wrote: ;
>
> T> When we do www.redhatserver.com/~validlogin we get a 403, when we try with
> T> another login (which is not valid) we get a 404.
>
> This only depends on existence of public_html directory in user's
> home. If user has no public_html you will also get 404. Use of
> User's dir is configurable. By default
> UserDir public_html
> is in srm.conf
>
> /3APA3A
>
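
The status-code difference discussed in this thread can be watched for in the web server's access log. The following is an added example, not part of the original messages: it scans Common Log Format lines for clients that request many distinct /~user paths and reports which names received a 403 or 200 (the answers the thread says differ from the 404 given for names without a reachable public_html). The function name, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2000:05:20:01 -0500] "GET /~alice/ HTTP/1.0" 403 289
192.0.2.10 - - [07/Jul/2000:05:20:02 -0500] "GET /~bob/ HTTP/1.0" 404 276
192.0.2.10 - - [07/Jul/2000:05:20:02 -0500] "GET /~carol HTTP/1.0" 404 276
192.0.2.10 - - [07/Jul/2000:05:20:03 -0500] "GET /~dave/ HTTP/1.0" 200 1532
192.0.2.10 - - [07/Jul/2000:05:20:03 -0500] "GET /~root/ HTTP/1.0" 403 289
198.51.100.7 - - [07/Jul/2000:05:21:10 -0500] "GET /~dave/ HTTP/1.0" 200 1532
198.51.100.7 - - [07/Jul/2000:05:21:11 -0500] "GET /index.html HTTP/1.0" 200 4096
"""

# Captures client address, the name after "/~", and the response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) /~(?P<user>[^/\s?]+)\S* [^"]*" (?P<status>\d{3}) '
)

def find_userdir_probes(log_text, min_users=3):
    """Return {client_ip: {"probed": set, "confirmed": set}} for clients
    that requested at least min_users distinct ~user paths."""
    per_ip = defaultdict(lambda: {"probed": set(), "confirmed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a /~user request
        entry = per_ip[m["ip"]]
        entry["probed"].add(m["user"])
        # 403 (home dir not searchable by "world") and 200 (public_html
        # served) both differ from 404, so either one reveals the account.
        if m["status"] in ("403", "200"):
            entry["confirmed"].add(m["user"])
    return {ip: e for ip, e in per_ip.items() if len(e["probed"]) >= min_users}

if __name__ == "__main__":
    for ip, e in find_userdir_probes(SAMPLE_LOG).items():
        print(ip, "probed", sorted(e["probed"]), "confirmed", sorted(e["confirmed"]))
```

A 404 is left out of the "confirmed" set because, as the quoted reply notes, it is also returned for an existing user who has no public_html.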