
Web User security flaw.  Plesk 8.2

Last Modified: 2008-01-09
I have a client that is getting scanned by SecurityMetrics for his visa/mastercard accepting website.
I have Plesk 8.2 on CentOS.

I am getting an error:
Synopsis: The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description: When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2001-1013 BID: 3335 Other references: OSVDB:637

I have already checked /etc/httpd/httpd.conf and I already find:
<IfModule mod_userdir.c>
UserDir disable
#UserDir public_html

So it seems it would be disabled. However, I know it must be enabled somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

Nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow webuser@domain.com for access.

SecurityMetrics is smoking crack. Most likely, he has some mod_rewrite rules or aliases that cause a request to /~root to return something other than the 404 expected by SecurityMetrics.

I would take a look at the apache logs during SecurityMetrics scans to see if this is the case.
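The log review suggested above, as an added example that is not part of the original thread: it parses Apache combined-format access log lines and reports which /~user requests received a status other than 404, and whether different usernames received different status codes (the difference the scanner keys on). The log lines, client IPs and usernames below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-log lines, roughly what a scan window might contain.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2008:10:00:01 -0500] "GET /~root/ HTTP/1.1" 403 286 "-" "scanner"
203.0.113.5 - - [09/Jan/2008:10:00:02 -0500] "GET /~nosuchuser/ HTTP/1.1" 404 293 "-" "scanner"
203.0.113.5 - - [09/Jan/2008:10:00:03 -0500] "GET /~webuser/ HTTP/1.1" 301 0 "-" "scanner"
198.51.100.7 - - [09/Jan/2008:10:00:04 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"
"""

# Minimal parser for the combined log format: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A UserDir-style request: path starting with /~ followed by the username.
TILDE_RE = re.compile(r'^/~([^/]+)')


def tilde_requests(log_text):
    """Return (client_ip, username, status) for every /~user request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        t = TILDE_RE.match(m.group('path'))
        if t:
            hits.append((m.group('ip'), t.group(1), int(m.group('status'))))
    return hits


def enumeration_signal(log_text):
    """Summarise what the scanner would have seen for /~user requests.

    'non_404' maps each status other than 404 to the usernames that got it
    (these are the responses that make the scanner report the finding);
    'distinguishable' is True when different usernames got different codes,
    i.e. the server's response leaks whether a username exists.
    """
    by_status = defaultdict(set)
    for _, user, status in tilde_requests(log_text):
        by_status[status].add(user)
    non_404 = {s: sorted(users) for s, users in by_status.items() if s != 404}
    return {'non_404': non_404, 'distinguishable': len(by_status) > 1}


if __name__ == '__main__':
    print(enumeration_signal(SAMPLE_LOG))
```

Run it over a real access log captured during the scan window (e.g. `enumeration_signal(open('/var/log/httpd/access_log').read())`) to see which rewrite rule or alias is answering the /~ requests.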


Ah. Interesting.


Seems to have worked. Thanks