• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please beaware of a breaking change in the REST API on the next Plesk release (18.0.62).
    Starting from Plesk Obsidian 18.0.62, requests to REST API containing the Content-Type header with a media-type directive other than “application/json” will result in the HTTP “415 Unsupported Media Type” client error response code. Read more here

Web_user Security Problem

J

JointTech

New Pleskian
I have a client that is getting scanned by SecurityMetrics for his visa/mastercard accepting website.
I have plesk 8.2 on CentOs.

I am getting an error :
Synopsis : The remote Apache server can be used to guess the presence of a given user
name on the remote host. Description : When configured with the 'UserDir' option, requests to
URLs containing a tilde followed by a username will redirect the user to a given subdirectory in
the user home. For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/. If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability to guess the presence
of a given user name on the remote host. Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N) CVE :
CVE-2001-1013 BID : 3335 Other references : OSVDB:637


I have already checked /etc/httpd/httpd.conf and I already find:
<IfModule mod_userdir.c>

UserDir disable
#UserDir public_html

</IfModule>

So it seems it would be disabled. However I know it must be enable somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow [email protected] for access.
 
you can comment this out of httpd.conf

LoadModule userdir_module modules/mod_userdir.so
 
What are the ramifications to the rest of plesk? I only have one client using a web user and I can have him change. But will it break updates etc?

thanks
 
Nope, wont break plesk at all. If you disable it you should also hide it in your interface template so customers cant create them and find they dont work.
 
I have the same problem (under Plesk 8.1.1 and Fedora) -- commenting out the loadmodule didn't help.

Any other suggestions?

TIA
 
Commenting the load module will no longer allow apache to let it work, so if it didnt help then you did it wrong or didnt restart apache afterwards.
 
Thanks for the suggestion -- it didn't help.

I keep thinking I must be missing a conf or include file somewhere...are there any more besides:

/etc/httpd/conf/httpd.conf
/usr/local/psa/admin/conf/httpsd.conf
/var/www/vhosts/<DOMAIN>/conf/httpd.include

Thanks
 
Yes -- with the following files:

README
perl.conf
python.conf
webalizer.conf
zz010_psa_httpd.conf
manual.conf
php.conf
ssl.conf
welcome.conf

I checked the zz010 file -- The UserDir Disabled is there.

Just asking -- should it be
UserDir Disable
or
UserDir Disabled

I've seen documentation with both.
 
no, you only got to do that if you are changing or configuring a specific vhost - if your changing the entire server with a config change then you just have to restart httpd (/sbin/service httpd restart)
 
Hey I was able to pass the test after making this change.

"UserDir disable" is not the same as "UserDir disabled". See http://httpd.apache.org/docs/2.0/mod/mod_userdir.html

so I did:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

That lets the one user that would be a pain to move keep there web users and I guess trick securitymetrics. I assume they test common web users like admin or root which are now disabled.
 
JointTech:

Which file (or files)?

(And would it make a difference if we're using SSL as well?)
 
JointTech:

Didn't work for me -- I'm still failing.

To make sure I did everything correctly:

1) you edited /etc/httpd/conf/httpd.conf

2) made the following change:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

3) restarted httpd with a:

/etc/init.d/httpd restart

And that was all that was required to pass?
 
You must log in or register to reply here.

Similar threads

A
Parallels Plesk Pannel 11.0.9 Horde webmail vulnerability?
Replies
4
Views
3K
_Alberto_
A
J
SSL server accepts weak ciphers on port 12443
Replies
2
Views
3K
KirkM
KirkM
D
How do I turn off TRACK and TRACE HTTP please.
Replies
2
Views
5K
Dave-Brown
D
D
SSL/TLS Protocol Vulnerability PCI Scan
Replies
8
Views
19K
RalphP
R
O
PCI compliance problem
Replies
0
Views
2K
Otakucouk
O
Back
Top