Multiple Web Server ~nobody/ Request Arbitrary File Access
Medium Nessus Plugin ID 10484
Synopsis
The remote web server is affected by an information disclosure vulnerability.
Description
It is possible to access arbitrary files on the remote web server by prepending ~nobody/ to their name (as in ~nobody/etc/passwd).
This problem is due to a misconfiguration in the web server that sets 'UserDir' or its equivalent to './'.
Solution
If using Apache, set 'UserDir' to 'public_html/' or something else.
If using lighttpd, upgrade to version 1.4.19 or later.
Otherwise, contact the web server vendor.
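
For the Apache case, a configuration audit can catch the './' setting described above before a scanner does. The following Python sketch is an added example, not code from the plugin or from any web server: it reads Apache configuration text and flags 'UserDir' values that resolve to the user's home directory itself or above it. The names audit_userdir, classify and SAMPLE_CONF are hypothetical, the sample configuration is constructed, and absolute paths are reported without being judged.

```python
import posixpath
import shlex

# Constructed sample configuration for this example (not from a real server).
SAMPLE_CONF = """\
# per-user web directories
UserDir ./
<VirtualHost *:80>
    userdir "public_html/"
</VirtualHost>
UserDir disabled root
UserDir public_html/..
"""

def classify(value):
    """Judge one UserDir path argument."""
    if value.startswith("/"):
        return "absolute"  # not relative to the home directory; review by hand
    norm = posixpath.normpath(value)
    # '.', './' and 'x/..' all normalise to the home directory itself;
    # a leading '..' climbs above it.
    if norm in (".", "..") or norm.startswith("../"):
        return "unsafe"
    return "ok"

def audit_userdir(conf_text):
    """Return (line_number, value, verdict) for each UserDir argument."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # comment line
        try:
            tokens = shlex.split(raw)  # handles quoted arguments
        except ValueError:
            continue  # unbalanced quotes: cannot be judged here
        # Directive names are case-insensitive in Apache configuration.
        if not tokens or tokens[0].lower() != "userdir":
            continue
        args = tokens[1:]
        # 'disabled' / 'enabled' are keywords followed by user names, not paths.
        if args and args[0].lower() in ("disabled", "enabled"):
            findings.append((lineno, " ".join(args), "keyword"))
            continue
        for value in args:
            findings.append((lineno, value, classify(value)))
    return findings

if __name__ == "__main__":
    for lineno, value, verdict in audit_userdir(SAMPLE_CONF):
        print(f"line {lineno}: UserDir {value!r} -> {verdict}")
```

Files pulled in through Include directives are not followed; run the check on each configuration file.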