Security If it's not required, it should be disabled after install. If someone added some system accounts for SSH access to a system with ISPConfig installed (without mail, webs, etc.), he could compromise ISPConfig using mod_userdir. All it takes is to have an account and create a directory named public_html in the user's home directory. Then the user could write a PHP script that could erase anything that belongs to user admispconfig. It could be done after loading a page like: https://server_domain:81/~username/bad_code.php I've tested it on a test machine. It works!!!
OK, well, I was talking about ISPConfig's Apache. The subject is very similar. I'd like to know your opinion about what I wrote.
mod_userdir isn't enabled in ISPConfig's Apache. The only module that is enabled is PHP5:

Code:
LoadModule php5_module libexec/libphp5.so
Well, I don't know why it works then. I've tried on another server. This time it was the ISPConfig virtual appliance and I got the same effect. Commenting out this part of /root/ispconfig/httpd/conf/httpd.conf and restarting ISPConfig's Apache helped:

Code:
<IfModule mod_userdir.c>
#    UserDir public_html
</IfModule>

Could you please check that?
On my installation

Code:
/root/ispconfig/httpd/bin/ispconfig_httpd -l

tells me that mod_userdir is compiled in. Then this is a security vulnerability. Set the directive to

Code:
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

And restart ISPConfig

Code:
/etc/init.d/ispconfig_server restart

to fix that. More info here: http://httpd.apache.org/docs/1.3/mod/mod_userdir.html#userdir
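
A small audit for the check and fix described in the post above, as an added example that is not part of the original thread or ISPConfig's own code. The helper names `userdir_compiled_in` and `userdir_state` are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an Apache config for the UserDir setting.

# Reads the output of "<httpd binary> -l" on stdin and succeeds if
# mod_userdir is listed among the compiled-in modules.
userdir_compiled_in() {
    grep -q '^[[:space:]]*mod_userdir\.c[[:space:]]*$'
}

# Prints the UserDir state found in the config file given as $1:
#   disabled - only bare "UserDir disabled" directives are active
#   active   - some active UserDir directive is anything else
#              (a directory pattern, "enabled ...", "disabled <users>")
#   unset    - no uncommented UserDir directive at all
userdir_state() {
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out lines
        tolower($1) == "userdir" {          # directive names are case-insensitive
            if (NF == 2 && tolower($2) == "disabled") dis = 1
            else other = 1
        }
        END { print (other ? "active" : (dis ? "disabled" : "unset")) }
    ' "$1"
}

# Constructed sample: the block as it looked before it was changed.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
EOF
echo "UserDir state in sample config: $(userdir_state "$conf")"
rm -f "$conf"
```

On a real system, feed the first function from `/root/ispconfig/httpd/bin/ispconfig_httpd -l` and point the second at `/root/ispconfig/httpd/conf/httpd.conf`; anything other than `disabled` while the module is compiled in deserves a look.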
It would be a good idea if ISPConfig's Apache could identify itself a little less than now, e.g. ntop shows information about Apache, PHP and SSL. Could you think about it also?