security hole? http://mail.domainxy....de:443

Discussion in 'Installation/Configuration' started by TimeJunky, Apr 1, 2007.

  1. TimeJunky

    TimeJunky New Member

    Yesterday, I incidentely found a security hole on my server with many domains.
    Everybody can see all server directories after typing http://mail.domainadress...xy.de:443

    But even not enough, calling up php-files displays the content which means for example calling certain config-files would show all important passwords :(

    Does anybody else suffer on the same problem? Any solution yet?
     
  2. edge

    edge Active Member Moderator

    I'm not having this problem on any of my servers.

    What version of ISPconfig are your using?

    A quick temp fix would be placing an empty index.html or index.php file in the directory. (it's not really secure, but it stops showing the directory listing)
     
  3. TimeJunky

    TimeJunky New Member

    ISPConfig:
    $go_info["server"]["version"] = "2.2.11";

    in combination with a debian-server

    ii apache-common 1.3.33-6sarge3 support files for all Apache webservers
    ii apache2 2.2.3-4 Next generation, scalable, extendable web se
    ii apache2-doc 2.0.54-5sarge1 documentation for apache2
    ii apache2-mpm-pr 2.2.3-4 Traditional model for Apache HTTPD 2.1
    ii apache2-utils 2.0.54-5sarge1 utility programs for webservers
    ii apache2.2-comm 2.2.3-4 Next generation, scalable, extendable web se
    rc libapache-mod- 4.3.10-18 server-side, HTML-embedded scripting languag
    ii libapache-mod- 5.1.4-0.1~sarg HTML-embedded scripting language (apache 1.3
    rc libapache2-mod 2.0.2-2.3 Integration of perl with the Apache2 web ser
    ii libapache2-mod 5.1.6-5c2c1 server-side, HTML-embedded scripting languag
    rc libapache2-mod 5.1.4-0.1~sarg HTML-embedded scripting language (apache 2.0


    Quick Fix: So I did.

    It seems to be on every domain on my server.
    Does SSL still works after removing
    Listen 443
    from /etc/apache2/ports.conf
    ?
     
  4. mtuser

    mtuser New Member

    same problem

    Apache/2.0.55 (Ubuntu) PHP/5.1.6 mod_ssl/2.0.55 OpenSSL/0.9.8b Server at xxx.xxx.xxx Port 443

    ISPConfig
    Version: 2.2.11
    ubuntu 6.10
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check that your linux system does not contain any default vhosts pointing to the directory /var/www for the SSL port in the apache configuration.
     
  6. TimeJunky

    TimeJunky New Member

    This problem disappeared after updating debian sarge to etch with new apache 2.2 (old was something like 2.0.x).

    Okay, and the main problem is

    [email protected]

    After removing this file, all IPs being not public (and controlled by ISPConfig) are not showing all directories anymore too. *grmpf*
    Hard to believe, that this gate stayed wide open for such a long time :)
     
    Last edited: Apr 10, 2007
  7. mtuser

    mtuser New Member

    Thank you for your guide :)

    i changed that file
    /var/www to /var/www/sharedip

    :)
     

Share This Page