hi, this is not my first install of ISPconfig. however only recently i found this rather odd behaviour:

when accessing port 8081 of the ISPconfig instance i'm getting an empty directory listing.
when appending /phpmyadmin an uninterpreted .php file is displayed
when appending /webmail i get an octet stream offered for download
when appending /rspamd a proper login page is displayed

hostname and FQDN are set properly, the whole instance sits on a subdomain...

best regards, tim

Code:
##### SERVER #####
IP-address (as per hostname): [localhost]
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)
[INFO] uptime: 10:13:29 up 12:16, 1 user, load average: 0.00, 0.00, 0.00
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:            39Gi       2.2Gi        35Gi       100Mi       1.1Gi        36Gi
Swap:          974Mi          0B       974Mi
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.7p1

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.27
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.27

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
    Apache 2 (PID 4580)
[INFO] I found the following mail server(s):
    Postfix (PID 1656)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 637)
[INFO] I found the following imap server(s):
    Dovecot (PID 637)
[INFO] I found the following ftp server(s):
    PureFTP (PID 1125)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:4190 (637/dovecot)
[anywhere]:993 (637/dovecot)
[anywhere]:995 (637/dovecot)
[localhost]:11332 (660/rspamd:)
[localhost]:11333 (660/rspamd:)
[localhost]:11334 (660/rspamd:)
[localhost]:10023 (497/postgrey)
[anywhere]:587 (1656/master)
[localhost]:6379 (659/redis-server)
[localhost]:11211 (641/memcached)
[anywhere]:110 (637/dovecot)
[anywhere]:143 (637/dovecot)
[anywhere]:465 (1656/master)
[anywhere]:21 (1125/pure-ftpd)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
***.***.***.***:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[localhost]:53 (642/named)
[anywhere]:22 (724/sshd:)
[anywhere]:25 (1656/master)
[localhost]:953 (642/named)
*:*:*:*::*:443 (4580/apache2)
*:*:*:*::*:4190 (637/dovecot)
*:*:*:*::*:993 (637/dovecot)
*:*:*:*::*:995 (637/dovecot)
*:*:*:*::*:11332 (660/rspamd:)
*:*:*:*::*:11333 (660/rspamd:)
*:*:*:*::*:11334 (660/rspamd:)
*:*:*:*::*:10023 (497/postgrey)
*:*:*:*::*:3306 (775/mariadbd)
*:*:*:*::*:587 (1656/master)
*:*:*:*::*:6379 (659/redis-server)
[localhost]10 (637/dovecot)
[localhost]43 (637/dovecot)
*:*:*:*::*:8080 (4580/apache2)
*:*:*:*::*:80 (4580/apache2)
*:*:*:*::*:8081 (4580/apache2)
*:*:*:*::*:465 (1656/master)
*:*:*:*::*:21 (1125/pure-ftpd)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::*:53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::**:*:*:*::*53 (642/named)
*:*:*:*::*:22 (724/sshd:)
*:*:*:*::*:25 (1656/master)
*:*:*:*::*:953 (642/named)

##### IPTABLES #####
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0
ufw-before-input all -- [anywhere]/0 [anywhere]/0
ufw-after-input all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0
ufw-reject-input all -- [anywhere]/0 [anywhere]/0
ufw-track-input all -- [anywhere]/0 [anywhere]/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0
ufw-before-forward all -- [anywhere]/0 [anywhere]/0
ufw-after-forward all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0
ufw-reject-forward all -- [anywhere]/0 [anywhere]/0
ufw-track-forward all -- [anywhere]/0 [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0
ufw-before-output all -- [anywhere]/0 [anywhere]/0
ufw-after-output all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0
ufw-reject-output all -- [anywhere]/0 [anywhere]/0
ufw-track-output all -- [anywhere]/0 [anywhere]/0

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:137
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:138
ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:445
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:67
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:68
ufw-skip-to-policy-input all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
ufw-user-forward all -- [anywhere]/0 [anywhere]/0

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
DROP all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
ufw-not-local all -- [anywhere]/0 [anywhere]/0
ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:5353
ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:1900
ufw-user-input all -- [anywhere]/0 [anywhere]/0

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-user-output all -- [anywhere]/0 [anywhere]/0

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 ctstate NEW
ACCEPT udp -- [anywhere]/0 [anywhere]/0 ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:465
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:4190
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 multiport dports 40110:40210
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination

##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
Seems as if PHP is not installed globally on your system. Which tutorial did you use to install the server?
hi till. not really. all works fine, cli php version also works, FPM is properly deployed, one client domain up and running. i used the automatic install script on debian 11 with apache without any errors (install logs are gone unfortunately).

btw: invoking the apps over the standard SSL port (appending e.g. /phpmyadmin) works flawlessly... that's why i generally wondered what the 8081 vhost setup is for unless it's proxied. probably have to RTFM on that.

Code:
root@nostromo:~# php -v
PHP 7.4.27 (cli) (built: Dec 20 2021 21:30:45) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.27, Copyright (c), by Zend Technologies
root@nostromo:~# sudo -u www-data php -v
PHP 7.4.27 (cli) (built: Dec 20 2021 21:30:45) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.27, Copyright (c), by Zend Technolog
hi till, conf was enabled already and also the panel itself runs well. were you able to reproduce this behaviour on your end? i just checked with 2 VMs (debian11, ISPconfig, apache) i have set up and they show the exact same behaviour. would be willing to send over the PGP encrypted ssh-key in case you'd want to have a closer look.

best, t

Code:
root@nostromo:~# cd /etc/apache2/conf-enabled/
root@nostromo:/etc/apache2/conf-enabled# ls
total 12K
drwxr-xr-x 2 root root 4.0K Feb  9 16:20 .
drwxr-xr-x 8 root root 4.0K Feb  9 16:16 ..
lrwxrwxrwx 1 root root   34 Feb  9 16:16 apache2-doc.conf -> ../conf-available/apache2-doc.conf
lrwxrwxrwx 1 root root   30 Feb  9 16:16 charset.conf -> ../conf-available/charset.conf
lrwxrwxrwx 1 root root   30 Feb  9 16:19 httpoxy.conf -> ../conf-available/httpoxy.conf
lrwxrwxrwx 1 root root   44 Feb  9 16:16 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root   46 Feb  9 16:16 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root   33 Feb  9 16:19 php7.4-fpm.conf -> ../conf-available/php7.4-fpm.conf
lrwxrwxrwx 1 root root   33 Feb  9 16:19 phpmyadmin.conf -> ../conf-available/phpmyadmin.conf
lrwxrwxrwx 1 root root   32 Feb  9 16:20 roundcube.conf -> ../conf-available/roundcube.conf
-rw-r--r-- 1 root root 1.2K Feb  9 16:20 roundcube.conf~20220209162024
lrwxrwxrwx 1 root root   31 Feb  9 16:16 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root   36 Feb  9 16:16 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
root@nostromo:/etc/apache2/conf-enabled# a2enconf php7.4-fpm
Conf php7.4-fpm already enabled
root@nostromo:/etc/apache2/conf-enabled# systemctl restart apache2.service
root@nostromo:/etc/apache2/conf-enabled#
ok. when you look at the actual apps.vhost definition, processing PHP files is rendered dead (taking precedence over any other directive?) in lines 13-15:

Code:
<FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
</FilesMatch>

also directory listing is INCLUDED in the directory directive on lines 73-85:

Code:
<IfModule mod_fcgid.c>
    DocumentRoot /var/www/apps
    SuexecUserGroup ispapps ispapps
    <Directory /var/www/apps>
        Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
        AllowOverride AuthConfig Indexes Limit Options FileInfo
        <FilesMatch "\.php$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/apps/.php-fcgi-starter .php
        Require all granted
    </Directory>
</IfModule>

after "fixing" those two things, directory listing is properly denied and e.g. phpmyadmin's php is interpreted (via CGI/FastCGI 7.4) and rendered correctly.
Do you have the fcgid module enabled? The earlier "SetHandler None" is overridden by "SetHandler fcgid-script" if you have mod_fcgid loaded. The directory indexing could be removed, though it's probably relatively harmless in this case, as /var/www/apps/ is an empty directory, at least on servers I checked; maybe that's not always the case, eg. if someone installs an app there manually. I'll also note I've never used the apps vhost, so I may have a poor/unrepresentative sample.
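The two findings above (an `Options` line that enables directory indexing, and an early `SetHandler None` that only gets overridden when mod_fcgid is actually loaded) are easy to miss by eye in a long vhost. The following POSIX shell audit is an added example, not code from this thread or from ISPConfig: it writes two constructed vhost files, one mirroring the quoted apps.vhost excerpts and one hardened variant (my own assumption of what a fixed vhost looks like, not the project's template), then reports each finding per file.

```shell
#!/bin/sh
# Added example, not part of the thread or of ISPConfig: audit an Apache vhost
# file for the two findings discussed above, an Options line that turns on
# directory listing and a "SetHandler None" that stops PHP from being executed.

# Constructed sample that mirrors the apps.vhost excerpts quoted in the thread
# (listing on, SetHandler None early, fcgid-script handler later on).
WEAK_VHOST=$(mktemp)
cat > "$WEAK_VHOST" <<'EOF'
<VirtualHost *:8081>
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    <IfModule mod_fcgid.c>
        DocumentRoot /var/www/apps
        <Directory /var/www/apps>
            Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
            AllowOverride AuthConfig Indexes Limit Options FileInfo
            <FilesMatch "\.php$">
                SetHandler fcgid-script
            </FilesMatch>
            Require all granted
        </Directory>
    </IfModule>
</VirtualHost>
EOF

# Constructed hardened variant (an assumption about what a fixed vhost would
# look like, not ISPConfig's template): listing off, no SetHandler None.
HARDENED_VHOST=$(mktemp)
cat > "$HARDENED_VHOST" <<'EOF'
<VirtualHost *:8081>
    <IfModule mod_fcgid.c>
        DocumentRoot /var/www/apps
        <Directory /var/www/apps>
            Options -Indexes +FollowSymLinks +ExecCGI
            AllowOverride AuthConfig Limit Options FileInfo
            <FilesMatch "\.php$">
                SetHandler fcgid-script
            </FilesMatch>
            Require all granted
        </Directory>
    </IfModule>
</VirtualHost>
EOF
trap 'rm -f "$WEAK_VHOST" "$HARDENED_VHOST"' EXIT

# audit_vhost FILE: print one line per finding; prints nothing for a clean file.
audit_vhost() {
    f=$1
    # Options directive granting Indexes, bare or "+Indexes"; "-Indexes" is fine.
    grep -En '^[[:space:]]*Options[[:space:]]+(.*[[:space:]]+)?\+?Indexes([[:space:]]|$)' "$f" |
        sed 's/^\([0-9][0-9]*\):.*/line \1: directory listing enabled (Options Indexes)/'
    # SetHandler None disables PHP for the matched files; whether a later
    # fcgid-script handler wins depends on mod_fcgid being loaded.
    if grep -Eq '^[[:space:]]*SetHandler[[:space:]]+None' "$f"; then
        if grep -Eq '^[[:space:]]*SetHandler[[:space:]]+fcgid-script' "$f"; then
            echo "SetHandler None present; PHP runs only if mod_fcgid is loaded so that fcgid-script overrides it"
        else
            echo "SetHandler None present and no fcgid-script handler; PHP files are served as plain files"
        fi
    fi
}

# count_findings FILE: number of lines audit_vhost reports (0 means clean).
count_findings() {
    n=$(audit_vhost "$1" | grep -c .) || true
    echo "$n"
}

echo "== weak =="
audit_vhost "$WEAK_VHOST"
echo "== hardened =="
audit_vhost "$HARDENED_VHOST"
```

Run it against a real file with `audit_vhost /etc/apache2/sites-enabled/000-apps.vhost` (the path is whatever your installation uses); a non-empty report on a vhost bound to a port your firewall exposes, as 8081 is in the ufw rules posted at the top of the thread, is worth acting on.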
hi jesse, yes the module is loaded - yet it does not look like the fcgid handler is actually triggered at all. anyway - i disabled the whole apps-vhost in server-config as i also don't see any particular need/use. the only thing might be the rspamd frontend. well, having an open directory listing on an open port in factory config isn't exactly what i would expect... thanks for your reply! best, t
I also don't think it's the intention to have the Directory Listing open. What advice would you give Jesse or Till? I would like to fix these vulnerabilities? Regards, Ben
I believe there's an issue open on this, the plan is probably to disable directory listing and of course fix PHP to execute for apps.
I now see that I missed updating the tpl in server/ - will do that tomorrow. So this is fixed on systems until they make changes to the UI for the apps vhost.
Will be fixed in 3.2.9. Workaround to put the new template in the server/conf folder:

Code:
curl https://git.ispconfig.org/ispconfig/ispconfig3/-/raw/develop/install/tpl/apache_apps.vhost.master --output /usr/local/ispconfig/server/conf/apache_apps.vhost.master