enterprise-support team mailing list archive

[Chris Murray <2045055@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

Hi folks,

When running the Hardenize (https://www.hardenize.com) tool against my
web server, it picked up that on the default Apache2 web page (located
at /var/www/html/index.html) has an insecure link. Upon further
investigation,  it's the "Document Roots" section, where it says "By
default, Ubuntu does not allow access through the web browser to any
file outside of those located in /var/www, public_html directories (when
enabled) and /usr/share (for web applications)."; public_html is a link
to the apache docs page for mod_userdir
(https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being
serverd as a http:// link. IMO this should be updated to be https.

To reproduce

* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s)://<your server IP or hostname>/index.html
* hover over the link on public_html & observe it begins with http://


All the best,

Chris 8-)

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2045055

Title:
  link in default index.html should be HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2045055/+subscriptions