HowtoForge Forums > ISPConfig 3 > ISPConfig 3 Priority Support

#1  23rd April 2013, 21:58
Fluotonic (Junior Member; Join Date: Jan 2013; Posts: 27)
/mail folder publicly accessible!!!

Hi guys,

I just noticed a serious problem in my server config: when I type in the following address to access my website, I get access to the full directory and can download all php files!

The address looks like this (fake domain):
https://my-site.tld:8080/mail/

If I go in the parent directory, I land in the ISPConfig admin interface, which is OK.

I have an SSL certificate in place and it works perfectly for my domain otherwise.

Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...

Thanks!
#2  24th April 2013, 09:27
falko (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,711)

This does not work for me.

Do you use Apache or nginx? Which tutorial (URL) did you use? Did you customize your configuration in some way?
__________________
Falko
#3  24th April 2013, 11:46
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 34,586)

Quote:
Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...
No need to be stressed: what the user can see there is the same that he sees when he downloads the ispconfig tar.gz file, so there is no sensitive data there and no data that is specific to your installation.

The reason for the file listing is that Indexes is on in the ispconfig vhost; this has been changed in svn already some time ago and will get changed in the next patch release. But as I explained above, that's uncritical.

If you want to change it on your server, edit the ispconfig vhost file and change the Options line to:

Options -Indexes FollowSymLinks MultiViews +ExecCGI
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
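To make the fix above checkable on your own server, here is an added shell example (not code from this thread and not part of ISPConfig) that audits an Apache vhost for Options lines on which Indexes is enabled, rewrites them to the -Indexes form Till gives, and recognises an Apache mod_autoindex listing page in a saved response body. The vhost excerpt and the response body are constructed samples; the <Directory> path in the excerpt is an assumption for illustration, not the real ISPConfig vhost.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig. Audits an Apache
# vhost for "Options" lines that enable directory listings, rewrites them to
# the "-Indexes" form recommended in the thread, and recognises a
# mod_autoindex page in a saved response body.

# Constructed vhost excerpt. The <Directory> path is an assumption used for
# illustration; the real ISPConfig vhost may differ.
SAMPLE_VHOST='<Directory /usr/local/ispconfig/interface/web>
    Options Indexes FollowSymLinks MultiViews +ExecCGI
    AllowOverride None
</Directory>'

# Constructed body of the kind of response a listed directory returns;
# Apache's mod_autoindex titles its pages "Index of <path>".
SAMPLE_LISTING='<html><head><title>Index of /mail</title></head>
<body><h1>Index of /mail</h1><ul><li><a href="example.php">example.php</a></li></ul></body></html>'

# Print each Options line (prefixed with its line number) on which Indexes
# is enabled, i.e. written as "Indexes" or "+Indexes" but not "-Indexes".
find_index_listing() {
    printf '%s\n' "$1" | grep -n -E '^[[:space:]]*Options[[:space:]]' \
        | grep -E '(^|[[:space:]])[+]?Indexes([[:space:]]|$)'
}

# Emit the config with "Indexes"/"+Indexes" turned into "-Indexes" on
# Options lines; everything else is passed through unchanged.
disable_indexes() {
    printf '%s\n' "$1" \
        | sed -E '/^[[:space:]]*Options[[:space:]]/ s/(^|[[:space:]])[+]?Indexes([[:space:]]|$)/\1-Indexes\2/g'
}

# Succeed (exit 0) if a saved response body looks like an autoindex listing,
# e.g. the body you saved from your own server with:
#   curl -s https://my-site.tld:8080/mail/ > body.html
is_autoindex_page() {
    printf '%s\n' "$1" | grep -q -i '<title>Index of '
}

# Demo on the constructed samples.
echo "Options lines with Indexes enabled:"
find_index_listing "$SAMPLE_VHOST"
echo "Corrected vhost:"
disable_indexes "$SAMPLE_VHOST"
if is_autoindex_page "$SAMPLE_LISTING"; then
    echo "Sample response is a directory listing"
fi
```

Run it against your real vhost with `find_index_listing "$(cat /path/to/ispconfig.vhost)"`; the sed rewrite is deliberately limited to Options lines so that other directives are never touched, and after editing the vhost the listing check should no longer match the /mail/ URL once Apache has been reloaded.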
#4  24th April 2013, 21:24
Fluotonic (Junior Member; Join Date: Jan 2013; Posts: 27)

Hi guys!

Thank you very much for this explanation Till! Much appreciated: I can sleep well now ;-)

Falko, sorry for my lack of information explaining my concern. To answer you, I actually use Apache. My installation has been done automatically through my hosting provider. Apart from SSL, I didn't really customize my installation either.

Thank you very much guys. You rock!
#5  13th May 2013, 01:16
monkfish (HowtoForge Supporter; Join Date: Mar 2013; Posts: 106)

I know it's already stated that there's no sensitive data in the folders exhibiting this, but for the sake of completeness, would it be better to have an empty index.php file in these folders so as not to rely on switching off Indexes?

I see valid index.php files with code in the remote, tools, help, admin, login, mailuser and designer folders, but as per the OP not in client, dashboard, dns, js, monitor, mail, sites, strengthmeter, temp, themes and vm.

I didn't go any further down the folder structure, but I did copy a blank index.php into each of the ones above anyhow. To me, it tidies it up?

#6  13th May 2013, 14:07
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 34,586)

The index.php files in some modules mean that this module has a start page which is not a list page, so adding empty files would just confuse the schema. I'm not a fan of adding unnecessary files, btw. The current situation is not as it should be and is fixed in svn already. But on the other hand it does not really harm, as all files are written in a way that direct access without logging in first cannot be misused, and which files are available in a folder everybody can see by downloading the ispconfig tar.gz, so even if the -Indexes would fail on a server, it's uncritical.
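The two posts above disagree on whether every folder should carry an index.php. Either way, an admin can see which folders currently depend on -Indexes with an added shell example (not code from this thread and not part of ISPConfig) that walks a web root and reports every directory without an index file. It runs here against a constructed temporary tree that mirrors a few of the folder names monkfish lists; the files inside it are placeholders, and the index file names it looks for (index.html, index.php) are an assumption to be checked against the server's own DirectoryIndex setting.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig. Walks a web
# root and reports every directory that has no index file, i.e. the folders
# whose contents Apache would list if "Indexes" were enabled for them.

# $1 = web root; $2 = space-separated index file names to look for. The
# default assumes a DirectoryIndex of index.html and index.php; compare it
# with the DirectoryIndex directive actually configured on the server.
# Output: one directory per line, relative to the root ("." for the root),
# sorted.
dirs_without_index() {
    root=$1
    names=${2:-"index.html index.php"}
    find "$root" -type d | sort | while IFS= read -r d; do
        found=0
        for n in $names; do
            if [ -f "$d/$n" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            rel=${d#"$root"}
            rel=${rel#/}
            printf '%s\n' "${rel:-.}"
        fi
    done
}

# Constructed temporary tree that mirrors a few of the folder names from
# monkfish's post; the files inside are placeholders, not ISPConfig's.
make_sample_tree() {
    tree=$(mktemp -d)
    for d in admin login mail client dashboard js; do
        mkdir -p "$tree/$d"
    done
    : > "$tree/index.php"
    : > "$tree/admin/index.php"
    : > "$tree/login/index.php"
    : > "$tree/mail/example_list.php"
    : > "$tree/js/example.js"
    printf '%s\n' "$tree"
}

# Demo: build the tree, report the folders that rely on -Indexes, clean up.
demo_root=$(make_sample_tree)
echo "Directories without an index file under $demo_root:"
dirs_without_index "$demo_root"
rm -rf "$demo_root"
```

On the sample tree the report is client, dashboard, js and mail (admin and login have an index.php, as do the root). Pointed at a real web root, e.g. `dirs_without_index /usr/local/ispconfig/interface/web`, it gives the list of folders for which the -Indexes setting is the only thing preventing a listing.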