The most plausible suggestion is that you have a misconfigured Apache server (eg. it allows a request of the form http://your.site/../../../etc/passwd or such), or a badly written cgi script that lists whatever files on the system. Check your web logs. On Mon, 3 Mar 2003, Pedro Marques wrote:
Hi all, I've made one of those web security scans and the result was pretty good in general, except for one point:
Vulnerability 3 (of max 5) for "Global User List" It seems it can obtain my user list, and it shows some system users that are created by default like gdm, irc, mail, news, etc.
The only service/port I keep public is 53/udp and 80/tcp, all the rest is dropped by the firewall.
How can I avoid this situation?
Thanks, Pedro Marques pedromarques@seara.com