/mail folder publicly accessible!!!

Discussion in 'ISPConfig 3 Priority Support' started by invino, Apr 23, 2013.

  1. invino

    invino Member HowtoForge Supporter

    Hi guys,

    I just noticed a serious problem in my server config: when I type in the following address to access my website, I get access to the full directory and can download all php files! :eek:

    The address looks like this (fake domain)

    If I go in the parent directory, I land in the ISPConfig admin interface, which is OK.

    I have an SSL certificate in place and it works perfectly for my domain otherwise.

    Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...

  2. falko

    falko Super Moderator ISPConfig Developer

    This does not work for me.

    Do you use Apache or nginx? Which tutorial (URL) did you use? Did you customize your configuration in some way?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    No need to be stressed, what the user can see there is the same that he sees when he downloads the ispconfig tar.gz file, so there is no sensitive data there and not data that is specific to your installation.

    The reason for the filelisting is that Indexes is on in the ispconfig vhost, this has been changed already in svm some time ago and will get changed in the next patch release. But as I explained above, thats uncritical.

    If you want to change it on your server, edit the ispconfig vhost file and add change the Option line to:

    Options -Indexes FollowSymLinks MultiViews +ExecCGI
  4. invino

    invino Member HowtoForge Supporter

    Hi guys!

    Thank you very much for this explanation Till! Much appreciated: I can sleep well now ;-)

    Falko, sorry for my lack of information explaining my concern. To answer you, I actually use Apache. My installation has been done automatically through my hosting provider. Apart of SSL, I didn't really customize my installation either.

    Thank you very much guys. You rock!
  5. monkfish

    monkfish Member

    I know its already stated that there's no sensitive data in the folders exhibiting this but for sake of completion would it be better to have an emtpy index.php file in these folders so not relying on switching off Indexes?

    I see valid index.php with code in remote, tools, help, admin, login, mailuser and designer folders but as per OP not in client, dashboard, dns, js, monitor, mail, sites, strengthmeter, temp, themes and vm

    I didn't go any further folders down the structure, but I did copy a blank index.php into each of the ones above anyhow. To me, it tidies it up?
    Last edited: May 13, 2013
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The index.php files in some modules mean that this module has a start page which is not a list page, so adding empty files would just confuse the schema. I'am not a fan of adding unescessary files btw. :). The current situation is not as it should be and fixed in svn already. But it does not really harm on the other hand as all files are written in a way that direct access without logging in first can not be misused and which files are available in a folder can everybody see by downloading the ispconfig tar.gz, so even if the -Indexes would fail on a server, its uncritical.

Share This Page