HowtoForge Forums > ISPConfig 2 > Installation/Configuration

  #1  
Old 1st April 2007, 15:32
TimeJunky
Junior Member
 
Join Date: Dec 2006
Posts: 23
Thanks: 6
Thanked 1 Time in 1 Post
security hole? http://mail.domainxy....de:443

Yesterday, I incidentally found a security hole on my server with many domains.
Everybody can see all server directories after typing http://mail.domainadress...xy.de:443

But that's not all: calling up PHP files displays their content, which means that, for example, calling certain config files would show all important passwords.

Does anybody else suffer from the same problem? Any solution yet?
  #2  
Old 1st April 2007, 15:41
edge
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,034
Thanks: 265
Thanked 151 Times in 131 Posts

I'm not having this problem on any of my servers.

What version of ISPConfig are you using?

A quick temp fix would be placing an empty index.html or index.php file in the directory. (it's not really secure, but it stops showing the directory listing)
__________________
Never execute code written on a Friday or a Monday.
  #3  
Old 1st April 2007, 16:51
TimeJunky
Junior Member
 
Join Date: Dec 2006
Posts: 23
Thanks: 6
Thanked 1 Time in 1 Post

ISPConfig:
$go_info["server"]["version"] = "2.2.11";

in combination with a Debian server

ii apache-common 1.3.33-6sarge3 support files for all Apache webservers
ii apache2 2.2.3-4 Next generation, scalable, extendable web se
ii apache2-doc 2.0.54-5sarge1 documentation for apache2
ii apache2-mpm-pr 2.2.3-4 Traditional model for Apache HTTPD 2.1
ii apache2-utils 2.0.54-5sarge1 utility programs for webservers
ii apache2.2-comm 2.2.3-4 Next generation, scalable, extendable web se
rc libapache-mod- 4.3.10-18 server-side, HTML-embedded scripting languag
ii libapache-mod- 5.1.4-0.1~sarg HTML-embedded scripting language (apache 1.3
rc libapache2-mod 2.0.2-2.3 Integration of perl with the Apache2 web ser
ii libapache2-mod 5.1.6-5c2c1 server-side, HTML-embedded scripting languag
rc libapache2-mod 5.1.4-0.1~sarg HTML-embedded scripting language (apache 2.0


Quick Fix: So I did.

It seems to be on every domain on my server.
Does SSL still work after removing
Listen 443
from /etc/apache2/ports.conf
?
  #4  
Old 2nd April 2007, 12:49
mtuser
Member
 
Join Date: Jan 2006
Location: Bangkok
Posts: 40
Thanks: 19
Thanked 4 Times in 4 Posts

Same problem.

Apache/2.0.55 (Ubuntu) PHP/5.1.6 mod_ssl/2.0.55 OpenSSL/0.9.8b Server at xxx.xxx.xxx Port 443

ISPConfig
Version: 2.2.11
Ubuntu 6.10
__________________
ispconfig v3 site test.
  #5  
Old 2nd April 2007, 13:28
till
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,777
Thanks: 821
Thanked 5,332 Times in 4,184 Posts

Please check that your Linux system does not contain any default vhosts pointing to the directory /var/www for the SSL port in the Apache configuration.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #6  
Old 9th April 2007, 22:37
TimeJunky
Junior Member
 
Join Date: Dec 2006
Posts: 23
Thanks: 6
Thanked 1 Time in 1 Post

This problem disappeared after updating Debian sarge to etch with the new Apache 2.2 (the old one was something like 2.0.x).

Okay, and the main problem is

/etc/apache2/sites-enabled/@000default

After removing this file, the IPs that are not public (and are controlled by ISPConfig) are no longer showing all directories either. *grmpf*
Hard to believe that this gate stayed wide open for such a long time.

Last edited by TimeJunky; 10th April 2007 at 02:45.
  #7  
Old 10th April 2007, 10:56
mtuser
Member
 
Join Date: Jan 2006
Location: Bangkok
Posts: 40
Thanks: 19
Thanked 4 Times in 4 Posts

Quote:
Originally Posted by TimeJunky
Okay, and the main problem is

/etc/apache2/sites-enabled/@000default
Thank you for your guide.

I changed that file:
/var/www to /var/www/sharedip

__________________
ispconfig v3 site test.
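As an added example (not code from this thread, from ISPConfig, or from Debian), here is a small POSIX shell audit that implements till's check from #5 against a directory of vhost files: it flags any `<VirtualHost *:443>` block whose DocumentRoot is the shared /var/www and reports whether directory indexing is on. It writes two constructed sample files to a temporary directory, the risky shape the thread describes (DocumentRoot /var/www with `Options Indexes`, as in the old 000-default) and the hardened shape from #7 (DocumentRoot moved to /var/www/sharedip, indexing switched off). All paths and the sample contents are assumptions for the demo; on a real box you would point `audit_ssl_vhosts` at /etc/apache2/sites-enabled.

```shell
#!/bin/sh
# Added example: audit Apache vhost files for a default SSL vhost that serves
# the shared /var/www. Sample configs below are constructed for the demo.

# Write two constructed vhost files: a risky one and a hardened one.
write_sample_vhosts() {
    base="$1"
    mkdir -p "$base/bad" "$base/good"
    # Risky shape (constructed): shared DocumentRoot on :443, listing on.
    cat > "$base/bad/000-default" <<'EOF'
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
    # Hardened shape (constructed): dedicated empty docroot, listing off.
    cat > "$base/good/000-default" <<'EOF'
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/sharedip
    <Directory /var/www/sharedip/>
        Options -Indexes FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
}

# Scan every file in a directory; print one RISK line per :443 vhost whose
# DocumentRoot is /var/www. Returns 1 if anything was flagged, else 0.
audit_ssl_vhosts() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi
        in443=0; docroot=""; indexes=0
        while IFS= read -r line || [ -n "$line" ]; do
            # Strip leading whitespace so comment lines can be skipped.
            trimmed=${line#"${line%%[![:space:]]*}"}
            case "$trimmed" in
                "#"*) ;;
                "<VirtualHost"*":443"*)
                    in443=1; docroot=""; indexes=0 ;;
                "<VirtualHost"*)
                    in443=0 ;;
                "</VirtualHost"*)
                    if [ "$in443" -eq 1 ] && [ "${docroot%/}" = "/var/www" ]; then
                        echo "RISK: $f serves /var/www on :443 (Indexes=$indexes)"
                        found=1
                    fi
                    in443=0 ;;
                DocumentRoot*)
                    if [ "$in443" -eq 1 ]; then
                        docroot=$(printf '%s\n' "$trimmed" | awk '{print $2}' | tr -d '"')
                    fi ;;
                Options*Indexes*)
                    # "Options -Indexes" disables listing; a bare or +Indexes
                    # keyword enables it.
                    if [ "$in443" -eq 1 ]; then
                        case "$trimmed" in
                            *-Indexes*) ;;
                            *) indexes=1 ;;
                        esac
                    fi ;;
            esac
        done < "$f"
    done
    return "$found"
}

# Demo run on the constructed files (temporary directory, assumed layout).
demo_dir=$(mktemp -d)
write_sample_vhosts "$demo_dir"
for d in bad good; do
    if audit_ssl_vhosts "$demo_dir/$d"; then
        echo "OK: $demo_dir/$d"
    fi
done
rm -rf "$demo_dir"
```

The check is deliberately narrow: it only looks at port 443 vhosts, because in this thread the port 80 side is already handled by ISPConfig's own vhosts, and it treats an empty dedicated docroot as acceptable. A vhost without a PHP handler will hand .php files out as plain text, which is the password exposure TimeJunky describes, so moving the docroot off /var/www matters as much as turning indexing off.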