Web User security flaw.  Plesk 8.2

Posted on 2007-10-10
Medium Priority
Last Modified: 2008-01-09
I have a client that is getting scanned by SecurityMetrics for his visa/mastercard accepting website.
I have plesk 8.2 on CentOs.

I am getting an error :
Synopsis : The remote Apache server can be used to guess the presence of a given user
name on the remote host. Description : When configured with the 'UserDir' option, requests to
URLs containing a tilde followed by a username will redirect the user to a given subdirectory in
the user home. For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/. If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability to guess the presence
of a given user name on the remote host. Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE :
CVE-2001-1013 BID : 3335 Other references : OSVDB:637

I have already checked /etc/httpd/httpd.conf and I already find:
<IfModule mod_userdir.c>

UserDir disable
#UserDir public_html


So it seems it would be disabled. However I know it must be enable somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow webuser@domain.com for access.
Question by:livegirllove
  • 2
LVL 15

Expert Comment

ID: 20062401
SecurityMetrics is smoking crack. Most likely, he has some mod_rewrite rules or aliases that cause a request to /~root return something other than 404 expected by SecurityMetrics.

I would take a look at the apache logs during SecurityMetrics scans to see if this is the case.

Accepted Solution

svs earned 2000 total points
ID: 20070932
"UserDir disable" is not the same as "UserDir disabled".  See http://httpd.apache.org/docs/2.0/mod/mod_userdir.html

Author Comment

ID: 20072024
ah.  interesting.  

Author Comment

ID: 20076621
seems to have worked.  Thanks

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
The title says it all. Writing any type of PHP Application or API code that provides high throughput, while under a heavy load, seems to be an arcane art form (Black Magic). This article aims to provide some general guidelines for producing this typ…
Screencast - Getting to Know the Pipeline
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses
Course of the Month13 days, 16 hours left to enroll

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question