Back to files

Yngvi -- Apache Delouser

What It Does

This script is intended to be run interactively and locally on an Apache Web server system. It scans the server's configuration files to locate all the Alias, ScriptAlias, and DocumentRoot declarations. It uses these together with the <VirtualHost> containers, Listen directives, and possibly Port directives, to come up with a list of URLs, which are requested from the server. The results are listed alphabetically within each status code.

Typical responses will be 200 (success), 401 (credential-protected), and 403 (access forbidden). You may also get 500 (internal server error) or 3xx (redirection). The things to look for are 200s for directories that should not be accessible, 4xx for directories that should be, and 500s under any circumstances (indicates a bad .htaccess file or broken script).

How is Yngvi Different?

There are lots of tools for scanning Web sites for broken links. However, they all work by scraping the pages and extracting published links from them. Yngvi differs in that it is designed to locate UNpublished pages. For one thing, it checks for access to global alii which are silently inherited by <VirtualHost> sections.

Caveats

This script is very simple-minded. It recognises and distinguishes between global and per-vhost alii, and spots Listen and Port directives. It does not handle configurations with SSL enabled, Include directives, nor mod_vhost_alias constructs.

About the Name

The name comes from a segment in "The Incompleat Enchanter" (by L Sprague de Camp and Fletcher Pratt) in which a prisoner incarcerated in the fire giants' dungeon would regularly shuffle to the front of his cell and shout, "Yngvi is a louse!"