Web User security flaw.  Plesk 8.2

Last Modified: 2008-01-09
I have a client that is getting scanned by SecurityMetrics for his Visa/MasterCard-accepting website.
I have Plesk 8.2 on CentOS.

I am getting an error:

Synopsis: The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description: When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution: In httpd.conf, set the 'UserDir' to 'disabled'.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2001-1013
BID: 3335
Other references: OSVDB:637


I have already checked /etc/httpd/httpd.conf and I find:
<IfModule mod_userdir.c>

UserDir disable
#UserDir public_html

</IfModule>

So it seems it would be disabled. However, I know it must be enabled somewhere.

I also checked the httpd.include in /vhosts/domain.com/conf

Nothing interesting.

Any idea how to turn this off? I looked in the control panel and the closest I could see was allow webuser@domain.com for access.
Commented:
SecurityMetrics is smoking crack. Most likely, he has some mod_rewrite rules or aliases that cause a request to /~root to return something other than the 404 expected by SecurityMetrics.

I would take a look at the apache logs during SecurityMetrics scans to see if this is the case.
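The check the scanner describes and the log review the reply suggests, as an added example that is not code from the thread, from SecurityMetrics or from Plesk. It reproduces the scanner's comparison (status code for /~root/ versus a nonexistent account), greps the places where a Plesk host can carry a UserDir, Alias or RewriteRule that answers "~" requests, and tallies tilde requests in a combined-format access log. The hostname, the /etc/httpd and /var/www/vhosts/*/conf paths, and the sample log lines are constructed assumptions; adjust them to the server being scanned.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk. Reproduces the check
# SecurityMetrics describes and then hunts for whatever answers /~user requests.
# The hostname, the config paths and the sample log lines are constructed
# assumptions; adjust them to the server being scanned.

# Decide what the scanner would conclude from two status codes. Any difference
# between the real-user and bogus-user responses lets an attacker tell
# accounts apart, so only identical answers count as clean.
userdir_verdict() {
    if [ "$1" = "$2" ]; then
        echo "ok"
    else
        echo "leaks"
    fi
}

# Probe a live server the way the scanner does: request /~root/ (an account
# that always exists) and /~<random>/ (one that never does) and compare.
userdir_probe() {
    host="$1"
    bogus_user="nosuchuser$$"
    real=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/~root/")
    bogus=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/~$bogus_user/")
    echo "/~root/ -> $real, /~$bogus_user/ -> $bogus: $(userdir_verdict "$real" "$bogus")"
}

# Plesk keeps per-domain Apache config outside httpd.conf (the httpd.include
# files), so a UserDir, Alias or RewriteRule that handles "~" can hide there.
# Paths are assumptions for a Plesk 8 / CentOS layout.
find_userdir_config() {
    grep -rniE 'UserDir|Alias(Match)?[[:space:]]+"?/~|RewriteRule.*~' \
        /etc/httpd /var/www/vhosts/*/conf 2>/dev/null
}

# Tally tilde requests in a combined-format access log read from stdin:
# one line per (requested user, status code). In the combined log format
# the request path is field 7 and the status code is field 9.
tilde_requests() {
    awk '$7 ~ /^\/~/ { split($7, p, "/"); print p[2], $9 }' | sort | uniq -c
}

# Constructed log lines standing in for what a scan leaves in access_log.
SAMPLE_LOG='203.0.113.5 - - [09/Jan/2008:10:00:00 -0500] "GET /~root/ HTTP/1.1" 301 0 "-" "scanner"
203.0.113.5 - - [09/Jan/2008:10:00:01 -0500] "GET /~zz9plural/ HTTP/1.1" 404 0 "-" "scanner"
203.0.113.5 - - [09/Jan/2008:10:00:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "scanner"'

# Run the log tally over the constructed sample; a 301 for root next to a 404
# for the bogus name is exactly the difference the scanner reports.
demo_tilde_tally() {
    printf '%s\n' "$SAMPLE_LOG" | tilde_requests
}
```

Against a real host, `userdir_probe www.example.com` (hostname assumed) prints "leaks" whenever the two requests get different codes, which is what the scanner keys on; `find_userdir_config` then shows which file re-enables UserDir or rewrites "~" paths, and `tilde_requests < /var/log/httpd/access_log` (log path assumed) shows what the scan actually requested and what Apache answered. Once the offending directive is found, `UserDir disabled` has to be set in the scope that actually serves the request, not only in the global <IfModule mod_userdir.c> block.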
Commented:

Author

Commented:
Ah, interesting.

Author

Commented:
Seems to have worked. Thanks.