Web User security flaw. Plesk 8.2
Posted on 2007-10-10
I have a client that is getting scanned by SecurityMetrics for his Visa/MasterCard-accepting website.
I have Plesk 8.2 on CentOS.
I am getting an error:
Synopsis: The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description: When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2001-1013 BID: 3335 Other references: OSVDB:637
I have already checked /etc/httpd/httpd.conf and I find:
So it seems it would be disabled. However, I know it must be enabled somewhere.
I also checked the httpd.include in /vhosts/domain.com/conf
Any idea how to turn this off? I looked in the control panel and the closest I could see was allow firstname.lastname@example.org for access.
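An added check, not part of the original post and not Plesk's own tooling: a POSIX shell script that walks an Apache configuration tree (httpd.conf, conf.d drop-ins and per-vhost httpd.include files) and lists every UserDir directive that does not fully disable the feature, since only the bare form 'UserDir disabled' turns it off for all users. The sample tree it builds is constructed for the demo, and the Plesk vhost path and web_users directory in it are assumptions.

```shell
#!/bin/sh
# Added example: find where Apache's UserDir is still active so the
# scanner finding (per-user ~name URLs) can be closed at the right file.
# Only the bare "UserDir disabled" disables it for everyone; a user list
# after "disabled", "enabled <users>", or a directory name keeps it on.

# find_active_userdir <config-root>
# Prints "file:line:directive" for each active UserDir directive.
# Returns 0 when none are active, 1 when at least one is.
find_active_userdir() {
    root="$1"
    # -r recurse, -n line numbers, -H filenames, -i ignore case.
    # First grep keeps uncommented UserDir lines; second drops the
    # bare "UserDir disabled" form. "|| true" keeps set -e callers alive.
    hits=$(grep -rniH '^[[:space:]]*userdir[[:space:]]' "$root" 2>/dev/null |
           grep -viE ':[[:space:]]*userdir[[:space:]]+disabled[[:space:]]*$') || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_active_userdir <config-root>: number of active directives found.
count_active_userdir() {
    find_active_userdir "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed config tree mirroring the situation in the
# post: global httpd.conf disables UserDir, but an include re-enables it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d" "$dir/vhosts/domain.com/conf"
    printf 'ServerRoot "/etc/httpd"\nUserDir disabled\n' > "$dir/httpd.conf"
    # commented line must be ignored; "enabled alice" is still active
    printf '# UserDir public_html\nUserDir enabled alice\n' > "$dir/conf.d/userdir.conf"
    # Plesk-style per-vhost include (path and directory name are assumptions)
    printf '<VirtualHost *:80>\n    UserDir /var/www/vhosts/domain.com/web_users\n</VirtualHost>\n' \
        > "$dir/vhosts/domain.com/conf/httpd.include"
    printf '%s\n' "$dir"
}

# Demo: scan the directory given as $1 (e.g. /etc/httpd), else the sample tree.
scan_root="${1:-$(make_sample_tree)}"
if find_active_userdir "$scan_root"; then
    echo "no active UserDir directives under $scan_root"
else
    echo "UserDir is re-enabled in the files above; set 'UserDir disabled' there, then reload Apache"
fi
```

Run it against the real config root and re-run the scan afterwards to confirm the finding is gone.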