HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   ISPConfig 3 Priority Support (http://www.howtoforge.com/forums/forumdisplay.php?f=35)
-   -   /mail folder publicly accessible!!! (http://www.howtoforge.com/forums/showthread.php?t=61580)

Fluotonic 23rd April 2013 21:58

/mail folder publicly accessible!!!
 
Hi guys,

I just noticed a serious problem in my server config: when I type in the following address to access my website, I get access to the full directory and can download all php files! :eek:

The address looks like this (fake domain)
https://my-site.tld:8080/mail/

If I go in the parent directory, I land in the ISPConfig admin interface, which is OK.

I have an SSL certificate in place and it works perfectly for my domain otherwise.

Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...

Thanks!

falko 24th April 2013 09:27

This does not work for me.

Do you use Apache or nginx? Which tutorial (URL) did you use? Did you customize your configuration in some way?

till 24th April 2013 11:46

Quote:

Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...
No need to be stressed, what the user can see there is the same that he sees when he downloads the ispconfig tar.gz file, so there is no sensitive data there and no data that is specific to your installation.

The reason for the file listing is that Indexes is on in the ispconfig vhost; this has been changed already in svn some time ago and will get changed in the next patch release. But as I explained above, that's uncritical.

If you want to change it on your server, edit the ispconfig vhost file and change the Options line to:

Options -Indexes +FollowSymLinks +MultiViews +ExecCGI

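The check and fix from the post above, as an added example that is not from the thread or from ISPConfig's own code: a POSIX shell script that audits an Apache vhost file for directory listing and emits a hardened Options line. It also applies one caveat Apache itself enforces: an Options directive must not mix bare option names with +/- prefixed ones, so the rewrite prefixes every remaining option. The vhost file content and the `/usr/local/ispconfig/interface/web` Directory path are constructed for the demo and are assumptions, not a copy of the real ISPConfig vhost template.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): audit an Apache vhost file
# for directory listing and emit a hardened Options line.
# The sample vhost written below is constructed for this demo.
set -eu

# Exit 0 if an uncommented Options directive enables directory listing.
# Bare "Indexes", "+Indexes" and "All" turn it on; "-Indexes" and "None" do not.
indexes_enabled() {
    grep -Ei '^[[:space:]]*Options[[:space:]]' "$1" |
        grep -Eiq '(^|[[:space:]])[+]?(Indexes|All)([[:space:]]|$)'
}

# Print the file with every Options directive rewritten: Indexes tokens
# dropped, "All" expanded to its members minus Indexes, bare tokens given a
# "+" prefix (Apache rejects a mix of bare and +/- forms), and -Indexes added.
# "Options None" already disables listing and passes through unchanged.
harden_options() {
    awk '
    tolower($1) == "options" && tolower($2) != "none" {
        match($0, /^[[:space:]]*/)
        line = substr($0, 1, RLENGTH) "Options -Indexes"
        for (i = 2; i <= NF; i++) {
            tok = $i; lc = tolower(tok)
            if (lc ~ /^[+-]?indexes$/) continue
            if (lc == "all" || lc == "+all") {
                line = line " +ExecCGI +FollowSymLinks +Includes +SymLinksIfOwnerMatch"
                continue
            }
            if (tok !~ /^[+-]/) tok = "+" tok
            line = line " " tok
        }
        print line; next
    }
    { print }' "$1"
}

# Constructed sample resembling the directive the thread describes; the
# Directory path is an assumption, not a copy of the real vhost template.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<Directory /usr/local/ispconfig/interface/web>
    Options Indexes FollowSymLinks MultiViews +ExecCGI
    AllowOverride None
</Directory>
EOF
}

vhost="${TMPDIR:-/tmp}/ispconfig-vhost-demo.$$"
write_sample_vhost "$vhost"
if indexes_enabled "$vhost"; then
    echo "directory listing is enabled in $vhost; hardened version:"
    harden_options "$vhost"
fi
harden_options "$vhost" > "$vhost.hardened"
if indexes_enabled "$vhost.hardened"; then
    echo "hardening failed" >&2
    exit 1
fi
rm -f "$vhost" "$vhost.hardened"
```

Run it against a real file with `harden_options /etc/apache2/sites-available/ispconfig.vhost` (path is an assumption; adjust for your distribution), review the output, and only then write it back and reload Apache; `apachectl configtest` will reject an Options line that still mixes bare and prefixed forms.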
Fluotonic 24th April 2013 21:24

Hi guys!

Thank you very much for this explanation Till! Much appreciated: I can sleep well now ;-)

Falko, sorry for my lack of information explaining my concern. To answer you, I actually use Apache. My installation has been done automatically through my hosting provider. Apart from SSL, I didn't really customize my installation either.

Thank you very much guys. You rock!

monkfish 13th May 2013 01:16

I know it's already stated that there's no sensitive data in the folders exhibiting this, but for the sake of completeness would it be better to have an empty index.php file in these folders so as not to rely on switching off Indexes?

I see valid index.php with code in remote, tools, help, admin, login, mailuser and designer folders but as per OP not in client, dashboard, dns, js, monitor, mail, sites, strengthmeter, temp, themes and vm

I didn't go any further folders down the structure, but I did copy a blank index.php into each of the ones above anyhow. To me, it tidies it up?

till 13th May 2013 14:07

The index.php files in some modules mean that this module has a start page which is not a list page, so adding empty files would just confuse the schema. I'm not a fan of adding unnecessary files, btw. :). The current situation is not as it should be and is fixed in svn already. But it does no real harm, on the other hand, as all files are written in a way that direct access without logging in first cannot be misused, and which files are available in a folder can be seen by everybody by downloading the ispconfig tar.gz, so even if the -Indexes would fail on a server, it's uncritical.

