Apache UserDir Directive Username Enumeration

medium Nessus Plugin ID 10766

Synopsis

The remote Apache server can be used to guess the presence of a given user name on the remote host.

Description

When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.

For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.

Solution

In httpd.conf, set the 'UserDir' to 'disabled'.

Plugin Details

Severity: Medium

ID: 10766

File Name: apache_username.nasl

Version: 1.42

Type: remote

Family: Web Servers

Published: 9/18/2001

Updated: 6/29/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Required KB Items: Settings/ParanoidReport, installed_sw/Apache

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/7/2000

Reference Information

CVE: CVE-2001-1013

BID: 3335