Security Flaw?

Discussion in 'General' started by gorni, Mar 31, 2008.

  1. gorni

    gorni New Member

    Directory Indexes appear to be left authorized on /var/www by ISPConfig default installation. In some circumstances, the "Shared-IP" page is not displayed when accessing the server with an IP address which is not bound to any site, and the full directory tree is browseable instead...

    See also:
    http://www.howtoforge.com/forums/showthread.php?p=51802

    Workaround: disable default apache web site, that doesn't appear to be needed (nor managed) by ISPConfig:
    a2dissite default
    /etc/init.d/apache2 reload
     
    Last edited: Mar 31, 2008
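
A way to check for the condition described in the post above, as an added example that is not part of the thread or of ISPConfig: it lists `<Directory>` blocks in enabled Apache site files whose `Options` line turns on directory listings. It assumes the Debian layout (`/etc/apache2/sites-enabled`), reads only explicit `Options` lines in site files (not settings inherited from the main configuration), and the function names and sample files are constructed for illustration.

```shell
# Added example (not from the thread): report <Directory> blocks in enabled
# Apache sites whose Options line turns on directory listings.
# Assumption: Debian-style layout with one file per enabled site.

audit_indexes() {
    sites_dir="${1:-/etc/apache2/sites-enabled}"
    for conf in "$sites_dir"/*; do
        [ -f "$conf" ] || continue
        awk -v file="$(basename "$conf")" '
            { sub(/^[ \t]+/, "") }                      # drop indentation
            /^#/ { next }                               # skip comment lines
            tolower($1) == "<directory" {               # entering a block
                dir = $2; gsub(/[">]/, "", dir); next
            }
            tolower($1) == "</directory>" { dir = ""; next }
            tolower($1) == "options" && dir != "" {
                on = 0; off = 0
                for (i = 2; i <= NF; i++) {
                    opt = tolower($i)
                    if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
                    if (opt == "-indexes") off = 1
                }
                if (on && !off) print file ": " dir
            }
        ' "$conf"
    done
}

# Constructed sample: a "default" site resembling a stock vhost and a
# hypothetical managed site that disables listings.
demo_sample() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/default" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
EOF
    cat > "$tmp/managed-site" <<'EOF'
<Directory "/var/www/web1/web">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
    audit_indexes "$tmp"
    rm -rf "$tmp"
}
```

Calling `audit_indexes` with no argument reads the live `sites-enabled` directory; any line it prints names a site file and the directory where listings are enabled.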
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is not a security flaw in ISPConfig as the default apache site is not used nor managed by ISPConfig. It's more a problem of the general apache setup.
     
  3. gorni

    gorni New Member

    OK, I understand this, however, when installing ISPConfig, one may think that the full config of managed services is taken care of. There should be at least some warning about apache default site during the install process / instructions about removing it in the "Perfect Server" guides...
     
