Web_user Security Problem

[JointTech]

I have a client that is getting scanned by SecurityMetrics for his visa/mastercard accepting website.
I have plesk 8.2 on CentOs.

I am getting an error :
Synopsis : The remote Apache server can be used to guess the presence of a given user
name on the remote host. Description : When configured with the 'UserDir' option, requests to
URLs containing a tilde followed by a username will redirect the user to a given subdirectory in
the user home. For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/. If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability to guess the presence
of a given user name on the remote host. Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C/I:N/A:N) CVE :
CVE-2001-1013 BID : 3335 Other references : OSVDB:637


I have already checked /etc/httpd/httpd.conf and I already find:
<IfModule mod_userdir.c>

UserDir disable
#UserDir public_html

</IfModule>

So it seems it would be disabled. However I know it must be enable somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow [email protected] for access.

 

[Amin Taheri]

you can comment this out of httpd.conf

LoadModule userdir_module modules/mod_userdir.so

 

[JointTech]

What are the ramifications to the rest of plesk? I only have one client using a web user and I can have him change. But will it break updates etc?

thanks

 

[Amin Taheri]

Nope, wont break plesk at all. If you disable it you should also hide it in your interface template so customers cant create them and find they dont work.

 

[JointTech]

thanks!!

 

[akiva]

I have the same problem (under Plesk 8.1.1 and Fedora) -- commenting out the loadmodule didn't help.

Any other suggestions?

TIA

 

[Amin Taheri]

Commenting the load module will no longer allow apache to let it work, so if it didnt help then you did it wrong or didnt restart apache afterwards.

 

[akiva]

I did a apachectl -k restart -- shouldn't that do it?

 

[Amin Taheri]

Try /etc/init.d/httpd restart

 

[akiva]

Thanks for the suggestion -- it didn't help.

I keep thinking I must be missing a conf or include file somewhere...are there any more besides:

/etc/httpd/conf/httpd.conf
/usr/local/psa/admin/conf/httpsd.conf
/var/www/vhosts/<DOMAIN>/conf/httpd.include

Thanks

 

[Amin Taheri]

in my httpd conf file I have

Include /etc/httpd/conf.d/*

you may have something similar

 

[akiva]

Yes -- with the following files:

README
perl.conf
python.conf
webalizer.conf
zz010_psa_httpd.conf
manual.conf
php.conf
ssl.conf
welcome.conf

I checked the zz010 file -- The UserDir Disabled is there.

Just asking -- should it be
UserDir Disable
or
UserDir Disabled

I've seen documentation with both.

 

[Amin Taheri]

mine says

UserDir disable

 

[akiva]

I\ll give that a try.

Do I need to run websrvmng ?

 

[Amin Taheri]

no, you only got to do that if you are changing or configuring a specific vhost - if your changing the entire server with a config change then you just have to restart httpd (/sbin/service httpd restart)

 

[JointTech]

Hey I was able to pass the test after making this change.

"UserDir disable" is not the same as "UserDir disabled". See http://httpd.apache.org/docs/2.0/mod/mod_userdir.html

so I did:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

That lets the one user that would be a pain to move keep there web users and I guess trick securitymetrics. I assume they test common web users like admin or root which are now disabled.

 

[Amin Taheri]

I dont see disable listed anywhere, only disabled.

 

[akiva]

JointTech:

Which file (or files)?

(And would it make a difference if we're using SSL as well?)

 

[JointTech]

/etc/httpd/httpd.conf

 

[akiva]

JointTech:

Didn't work for me -- I'm still failing.

To make sure I did everything correctly:

1) you edited /etc/httpd/conf/httpd.conf

2) made the following change:

<IfModule mod_userdir.c>
UserDir disabled
UserDir enabled oneuserthatneedsit
</IfModule>

3) restarted httpd with a:

/etc/init.d/httpd restart

And that was all that was required to pass?