• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1565
  • Last Modified:

Web User security flaw. Plesk 8.2

I have a client that is getting scanned by SecurityMetrics for his visa/mastercard accepting website.
I have plesk 8.2 on CentOs.

I am getting an error :
Synopsis : The remote Apache server can be used to guess the presence of a given user
name on the remote host. Description : When configured with the 'UserDir' option, requests to
URLs containing a tilde followed by a username will redirect the user to a given subdirectory in
the user home. For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/. If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability to guess the presence
of a given user name on the remote host. Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE :
CVE-2001-1013 BID : 3335 Other references : OSVDB:637


I have already checked /etc/httpd/httpd.conf and I already find:
<IfModule mod_userdir.c>

UserDir disable
#UserDir public_html

</IfModule>

So it seems it would be disabled. However I know it must be enable somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow webuser@domain.com for access.
0
livegirllove
Asked:
livegirllove
  • 2
1 Solution
 
m1tk4Commented:
SecurityMetrics is smoking crack. Most likely, he has some mod_rewrite rules or aliases that cause a request to /~root return something other than 404 expected by SecurityMetrics.

I would take a look at the apache logs during SecurityMetrics scans to see if this is the case.
0
 
svsCommented:
"UserDir disable" is not the same as "UserDir disabled".  See http://httpd.apache.org/docs/2.0/mod/mod_userdir.html
0
 
livegirlloveAuthor Commented:
ah.  interesting.  
0
 
livegirlloveAuthor Commented:
seems to have worked.  Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now