Multiple Web Server ~nobody/ Request Arbitrary File Access

This script is Copyright (C) 2000-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by an information disclosure vulnerability.

Description :

It is possible to access arbitrary files on the remote web server by
prepending ~nobody/ to their path (as in ~nobody/etc/passwd).

This problem is due to a misconfiguration in the web server that sets
'UserDir' or its equivalent to './'.

Solution :

If using Apache, set 'UserDir' to 'public_html/' or something else.

If using lighttpd, upgrade to version 1.4.19 or later.

Otherwise, contact the web server vendor.
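
The Apache setting named above can be audited offline from the configuration file. The following is an added example, not part of the plugin or of any vendor's code: it flags 'UserDir' values that resolve to the home directory itself (the './' case in the description) and, as a generalization, values that climb above it. The sample configurations and function names are constructed for illustration.

```python
import posixpath
import re
import shlex

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """\
# userdir.conf (constructed)
<IfModule mod_userdir.c>
    UserDir ./
</IfModule>
"""
FIXED_CONF = """\
<IfModule mod_userdir.c>
    UserDir disabled root nobody
    UserDir public_html/
</IfModule>
"""

DIRECTIVE = re.compile(r"^\s*UserDir\s+(.+?)\s*$", re.IGNORECASE)

def risky_userdir_lines(conf_text):
    """Return (line_number, value) for UserDir values exposing a whole home directory."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comments, containers and other directives
        values = shlex.split(match.group(1))  # strips optional quotes
        if values[0].lower() in ("disabled", "enabled"):
            continue  # per-user allow/deny list, not a path mapping
        for value in values:
            if value.startswith("/") or "://" in value:
                continue  # absolute path or redirect URL: not relative to the home directory
            resolved = posixpath.normpath(value)
            # "." means ~user/ is the home directory itself; ".." climbs above it.
            if resolved in (".", "..") or resolved.startswith("../"):
                findings.append((number, value))
    return findings

def audit(conf_text):
    """Human-readable findings for one configuration file's text."""
    return [f"line {n}: UserDir {v!r} maps ~user/ onto the home directory or above"
            for n, v in risky_userdir_lines(conf_text)]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or "no risky UserDir value")
```

The check reads only the text it is given; included files must be passed to it separately.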

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Web Servers

Nessus Plugin ID: 10484 (httpd_nobody.nasl)

Bugtraq ID:

