
Web_user Security Problem

JointTech

New Pleskian
I have a client that is getting scanned by SecurityMetrics for his Visa/MasterCard accepting website.
I have Plesk 8.2 on CentOS.

I am getting an error:

Synopsis: The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description: When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N)
CVE: CVE-2001-1013
BID: 3335
Other references: OSVDB:637


I have already checked /etc/httpd/httpd.conf and I find:

<IfModule mod_userdir.c>
UserDir disable
#UserDir public_html
</IfModule>

So it seems it would be disabled. However, I know it must be enabled somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

Nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow [email protected] for access.
 
You can comment this out of httpd.conf:

LoadModule userdir_module modules/mod_userdir.so
 
What are the ramifications to the rest of Plesk? I only have one client using a web user and I can have him change. But will it break updates etc.?

Thanks
 
Nope, won't break Plesk at all. If you disable it, you should also hide it in your interface template so customers can't create them and find they don't work.
 
I have the same problem (under Plesk 8.1.1 and Fedora) -- commenting out the LoadModule didn't help.

Any other suggestions?

TIA
 
Commenting out the LoadModule will no longer allow Apache to let it work, so if it didn't help then you did it wrong or didn't restart Apache afterwards.
 
Thanks for the suggestion -- it didn't help.

I keep thinking I must be missing a conf or include file somewhere. Are there any more besides:

/etc/httpd/conf/httpd.conf
/usr/local/psa/admin/conf/httpsd.conf
/var/www/vhosts/<DOMAIN>/conf/httpd.include

Thanks
 
Yes -- with the following files:

README
perl.conf
python.conf
webalizer.conf
zz010_psa_httpd.conf
manual.conf
php.conf
ssl.conf
welcome.conf

I checked the zz010 file -- the "UserDir Disabled" is there.

Just asking -- should it be
UserDir Disable
or
UserDir Disabled

I've seen documentation with both.
 
No, you only have to do that if you are changing or configuring a specific vhost. If you're changing the entire server with a config change, then you just have to restart httpd (/sbin/service httpd restart).
 
Hey, I was able to pass the test after making this change.

"UserDir disable" is not the same as "UserDir disabled". See http://httpd.apache.org/docs/2.0/mod/mod_userdir.html

So I did:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

That lets the one user that would be a pain to move keep their web users and, I guess, trick SecurityMetrics. I assume they test common web users like admin or root, which are now disabled.
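As an added example that is not part of this thread, the POSIX shell check below scans Apache config files for UserDir directives and flags the misspelled "disable" keyword that left the feature on, while listing any users re-enabled as exceptions. The sample config files are constructed inline from the thread's before/after snippets; on a real Plesk host you would point it at /etc/httpd/conf/httpd.conf and the include directory holding zz010_psa_httpd.conf (that directory is an assumption, not stated in the thread).

```shell
#!/bin/sh
# Audit Apache configs for the UserDir directive. Per the mod_userdir docs the
# keyword is "disabled"; "disable" is not a keyword, so Apache treats it as a
# directory name and per-user URLs stay active.

# List effective (non-comment) UserDir directives from the given files.
userdir_directives() {
    grep -hiE '^[[:space:]]*UserDir[[:space:]]' "$@" 2>/dev/null \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Report the global mode decided by the first UserDir directive found:
# "disabled", "misspelled" (the thread's bug), "enabled", or "absent".
userdir_status() {
    directives=$(userdir_directives "$@")
    if [ -z "$directives" ]; then
        echo absent
        return 0
    fi
    first=$(printf '%s\n' "$directives" | head -n 1 | awk '{ print tolower($2) }')
    case "$first" in
        disabled) echo disabled ;;
        disable)  echo misspelled ;;
        *)        echo enabled ;;
    esac
}

# List users re-enabled with "UserDir enabled user1 user2 ..." (the thread's exception).
userdir_enabled_users() {
    userdir_directives "$@" | awk 'tolower($2) == "enabled" { for (i = 3; i <= NF; i++) print $i }'
}

# Constructed sample configs mirroring the thread's before/after snippets.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.conf" <<'EOF'
<IfModule mod_userdir.c>
UserDir disable
#UserDir public_html
</IfModule>
EOF
cat > "$demo_dir/good.conf" <<'EOF'
<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>
EOF
echo "bad.conf:   $(userdir_status "$demo_dir/bad.conf")"        # misspelled
echo "good.conf:  $(userdir_status "$demo_dir/good.conf")"       # disabled
echo "exceptions: $(userdir_enabled_users "$demo_dir/good.conf")" # oneuserthatneedsit
```

Run it against every file Apache includes, not only httpd.conf: the first UserDir directive Apache reads decides the global mode, and a later file with the wrong spelling is exactly what the thread was chasing.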
 
JointTech:

Which file (or files)?

(And would it make a difference if we're using SSL as well?)
 
JointTech:

Didn't work for me -- I'm still failing.

To make sure I did everything correctly:

1) you edited /etc/httpd/conf/httpd.conf

2) made the following change:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

3) restarted httpd with a:

/etc/init.d/httpd restart

And that was all that was required to pass?
 