Does ISPConfig require mod_userdir?

Discussion in 'Installation/Configuration' started by tom, Aug 3, 2007.

  1. tom

    tom Member

    Which apache mods are realy required by ISPConfig to work?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    mod_userdir is not required.
     
  3. Leszek

    Leszek New Member

    Security

    If it's not required it should be disabled after install.
    In case if someone would add some system accounts for ssh access to the system with ISPConfig installed (without mail,webs etc.) he could be able to compromise ISPConfig using mod_userdir.All it takes is to have an account and create a directory named public_html in a user's home directory.Then the user could write a php script that could erase anything that belongs to user admispconfig.It could be done after loading a page like: https://server_domain:81/~username/bad_code.php

    I've tested it on a test machine.It works :(!!!
     
  4. falko

    falko Super Moderator ISPConfig Developer

    But tom was talking about mod_userdir in the main Apache, not in ISPConfig's Apache.
     
  5. Leszek

    Leszek New Member

    Ok,well I was talking about the ISPConfig's Apache.
    The subject is very similar.
    I'd like to know Your opinion about what I wrote.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    mod_userdir isn't enabled in ISPConfig's Apache. The only module that is enabled is PHP5:
    Code:
    LoadModule php5_module libexec/libphp5.so
     
  7. Leszek

    Leszek New Member

    Well I don't know why does it work then. I've tried on another server.This time it was ISPConfig virtual appliance and got the same effect.
    Commenting out this part of /root/ispconfig/httpd/conf/httpd.conf and restarting ISPConfig's Apache helped:
    Code:
    <IfModule mod_userdir.c>
    #    UserDir public_html
    </IfModule>
    Could You please check that ?
     
  8. falko

    falko Super Moderator ISPConfig Developer

    I'll check it.
     
  9. tensor

    tensor New Member

    On my installation

    Code:
    /root/ispconfig/httpd/bin/ispconfig_httpd -l
    tells me that mod_userdir is compiled in.
    Then this is a security vulnerabity.
    set the directive to
    Code:
    <IfModule mod_userdir.c>
        UserDir disabled
    </IfModule>
    
    And restart ispconfig
    Code:
    /etc/init.d/ispconfig_server restart
    
    to fix that.
    More info here
    http://httpd.apache.org/docs/1.3/mod/mod_userdir.html#userdir
     
    Last edited: Jan 19, 2008
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I added this to the bugtracker.
     
  11. Leszek

    Leszek New Member

    It would be a good idea if ISPConfig's Apache could identify itself a little less than now,ex. ntop shows information about Apache,PHP and SSL.
    Could You think about it also ?
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Fixed. :)
     

Share This Page