Does ISPConfig require mod_userdir?
tom
3rd August 2007, 12:30
Which Apache mods are really required by ISPConfig to work?
falko
4th August 2007, 12:24
mod_userdir is not required.
Leszek
15th January 2008, 18:20
If it's not required it should be disabled after install.
If someone added some system accounts for SSH access to a system with ISPConfig installed (without mail, webs etc.), he could compromise ISPConfig using mod_userdir. All it takes is to have an account and create a directory named public_html in a user's home directory. Then the user could write a PHP script that could erase anything that belongs to user admispconfig. It could be done after loading a page like: https://server_domain:81/~username/bad_code.php
I've tested it on a test machine. It works :(!!!
falko
16th January 2008, 12:18
But tom was talking about mod_userdir in the main Apache, not in ISPConfig's Apache.
Leszek
16th January 2008, 13:36
But tom was talking about mod_userdir in the main Apache, not in ISPConfig's Apache.
OK, well, I was talking about ISPConfig's Apache.
The subject is very similar.
I'd like to know your opinion about what I wrote.
falko
17th January 2008, 17:34
mod_userdir isn't enabled in ISPConfig's Apache. The only module that is enabled is PHP5:
LoadModule php5_module libexec/libphp5.so
Leszek
18th January 2008, 03:22
mod_userdir isn't enabled in ISPConfig's Apache. The only module that is enabled is PHP5:
LoadModule php5_module libexec/libphp5.so
Well, I don't know why it works then. I've tried on another server. This time it was the ISPConfig virtual appliance, and I got the same effect.
Commenting out this part of /root/ispconfig/httpd/conf/httpd.conf and restarting ISPConfig's Apache helped:
<IfModule mod_userdir.c>
# UserDir public_html
</IfModule>
Could you please check that?
falko
18th January 2008, 20:22
I'll check it.
tensor
19th January 2008, 16:11
On my installation
/root/ispconfig/httpd/bin/ispconfig_httpd -l
tells me that mod_userdir is compiled in.
Then this is a security vulnerability.
Set the directive to
<IfModule mod_userdir.c>
UserDir disabled
</IfModule>
And restart ispconfig
/etc/init.d/ispconfig_server restart
to fix that.
More info here
http://httpd.apache.org/docs/1.3/mod/mod_userdir.html#userdir
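An added example, not part of the thread or of ISPConfig: a small shell audit that combines the two checks discussed above (is mod_userdir present, and what does the UserDir directive say). It assumes the `-l` output has been saved to a file and does not follow Include directives; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# has_userdir_module LIST CONF: true if mod_userdir is compiled in (saved
# `httpd -l` output in LIST) or loaded as a DSO (LoadModule line in CONF).
has_userdir_module() {
    grep -Eq '^[[:space:]]*mod_userdir\.c[[:space:]]*$' "$1" ||
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+userdir_module[[:space:]]' "$2"
}

# userdir_state CONF: prints disabled | enabled | unset.
# Only a bare "UserDir disabled" counts as disabled; any other active UserDir
# line (a path, or a per-user enabled/disabled list) is reported as enabled.
userdir_state() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and commented lines
        tolower($1) == "userdir" {
            if (NF == 2 && tolower($2) == "disabled") off = 1; else on = 1
        }
        END { print (on ? "enabled" : (off ? "disabled" : "unset")) }
    ' "$1"
}

# audit_userdir LIST CONF: prints ok | exposed | review.
audit_userdir() {
    has_userdir_module "$1" "$2" || { echo ok; return 0; }
    case "$(userdir_state "$2")" in
        disabled) echo ok ;;
        enabled)  echo exposed ;;
        *)        echo review ;;   # no directive: depends on the module default
    esac
}

# Constructed demo: module compiled in, directive only commented out.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Compiled-in modules:\n  http_core.c\n  mod_userdir.c\n' > "$d/list"
    printf '<IfModule mod_userdir.c>\n# UserDir public_html\n</IfModule>\n' > "$d/conf"
    audit_userdir "$d/list" "$d/conf"      # prints: review
    rm -rf "$d"
}
demo
```

A `review` result means no active UserDir line was found, so the behaviour depends on the default built into that Apache version; an explicit `UserDir disabled` removes the ambiguity.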
till
20th January 2008, 15:39
I added this to the bugtracker.
Leszek
20th January 2008, 18:59
It would be a good idea if ISPConfig's Apache could identify itself a little less than now, e.g. ntop shows information about Apache, PHP and SSL.
Could you think about it also?
falko
30th January 2008, 18:55
Fixed. :)