#1 GoremanX, 3rd March 2011, 07:51
Potential Security Vulnerability?

How are people able to reach this directory?
[Wed Mar 02 12:59:09 2011] [error] [client 217.22.231.30] File does not exist: /usr/share/phpmyadmin/scripts

This is from a vhost's error log; it shows up fairly frequently. This directory is way outside of the vhost's path (/var/www/clients/client1/web1/web). I can't even figure out how I could point a web browser to that directory.

Running ISPConfig 3.0.3.2 using the Ubuntu 10.04 Perfect Server setup
#2 Dark_Balor, 3rd March 2011, 11:06

It's not a security hole.

Just look at the open_basedir in your php-cgi wrapper:
Quote:
"/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/var/www/clients/client1/web1/backup:/var/www/friendlyphotozone.com/web:/srv/www/friendlyphotozone.com/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin"
(taken from your other topic)

Without allowing access to /usr/share/phpmyadmin, www.friendlyphotozone.com/phpmyadmin/ will not work correctly.

If you ask why www.friendlyphotozone.com/phpmyadmin/ works by default, just look at the file:
Code:
/etc/apache2/conf.d/phpmyadmin.conf
If you want to change the alias
Code:
Alias /phpmyadmin /usr/share/phpmyadmin
by
Code:
Alias /what-ever-you-want /usr/share/phpmyadmin
and do
Code:
/etc/init.d/apache2 reload
Of course, to do that you must be root or have root privileges.
The Following User Says Thank You to Dark_Balor For This Useful Post:
GoremanX (3rd March 2011)
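
The mapping described in post #2, as an added example (not part of the thread and not ISPConfig code): it translates each "File does not exist" path in a vhost error log back to the URL that was requested, using the server's Alias directives. The docroot, the Alias line and the first log line come from the thread; the other two log lines, the /usr/share/phpmyadmin-old path and all function names are constructed for illustration.

```python
import re

# Values from the thread: the vhost docroot, the Alias line, the first log line.
# The other two log lines are constructed for illustration.
DOCROOT = "/var/www/clients/client1/web1/web"
ALIAS_CONF = "Alias /phpmyadmin /usr/share/phpmyadmin\n"
ERROR_LOG = """\
[Wed Mar 02 12:59:09 2011] [error] [client 217.22.231.30] File does not exist: /usr/share/phpmyadmin/scripts
[Wed Mar 02 13:01:44 2011] [error] [client 192.0.2.10] File does not exist: /var/www/clients/client1/web1/web/favicon.ico
[Wed Mar 02 13:05:02 2011] [error] [client 192.0.2.77] File does not exist: /usr/share/phpmyadmin-old/index.php
"""

LOG_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] File does not exist: (?P<path>.+?)(?:, referer: .*)?$",
    re.M)

def parse_aliases(conf_text):
    """Return (url_prefix, fs_path) pairs from Alias directives, longest path first."""
    aliases = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0].lower() == "alias":
            aliases.append((parts[1].rstrip("/"), parts[2].strip('"').rstrip("/")))
    return sorted(aliases, key=lambda a: len(a[1]), reverse=True)

def under(path, root):
    """Component-wise containment, so /usr/share/phpmyadmin-old is not 'under' the alias."""
    return path == root or path.startswith(root + "/")

def explain(log_text, docroot, aliases):
    """Map each missing-file path to (client, source, requested URL or raw path)."""
    findings = []
    for m in LOG_RE.finditer(log_text):
        client, path = m["client"], m["path"]
        if under(path, docroot):
            findings.append((client, "docroot", path[len(docroot):] or "/"))
            continue
        for url, fs in aliases:
            if under(path, fs):
                findings.append((client, "alias", (url + path[len(fs):]) or "/"))
                break
        else:
            findings.append((client, "unexplained", path))
    return findings

if __name__ == "__main__":
    for finding in explain(ERROR_LOG, DOCROOT, parse_aliases(ALIAS_CONF)):
        print(*finding)
```

An "alias" result means the path is reachable through a server-wide Alias, as in the thread; an "unexplained" result is a path that neither the docroot nor any Alias accounts for and is worth a closer look.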
#3 GoremanX, 3rd March 2011, 11:16

Quote:
Originally Posted by Dark_Balor
It's not a security hole
Thank you! I didn't realize that each vhost had a separate phpmyadmin alias. That explains a lot.
All times are GMT +2.

