security hole? http://mail.domainxy....de:443

Discussion in 'Installation/Configuration' started by TimeJunky, Apr 1, 2007.

  1. TimeJunky

    TimeJunky New Member

    Yesterday, I incidentally found a security hole on my server with many domains.
    Everybody can see all server directories after typing http://mail.domainadress...xy.de:443

    But that is not all: calling up php files displays their content, which means, for example, that calling certain config files would show all the important passwords :(

    Does anybody else suffer from the same problem? Any solution yet?
     
  2. edge

    edge Active Member Moderator

    I'm not having this problem on any of my servers.

    What version of ISPConfig are you using?

    A quick temp fix would be placing an empty index.html or index.php file in the directory. (It's not really secure, but it stops the directory listing from being shown.)
     
  3. TimeJunky

    TimeJunky New Member

    ISPConfig:
    $go_info["server"]["version"] = "2.2.11";

    in combination with a Debian server

    ii apache-common 1.3.33-6sarge3 support files for all Apache webservers
    ii apache2 2.2.3-4 Next generation, scalable, extendable web se
    ii apache2-doc 2.0.54-5sarge1 documentation for apache2
    ii apache2-mpm-pr 2.2.3-4 Traditional model for Apache HTTPD 2.1
    ii apache2-utils 2.0.54-5sarge1 utility programs for webservers
    ii apache2.2-comm 2.2.3-4 Next generation, scalable, extendable web se
    rc libapache-mod- 4.3.10-18 server-side, HTML-embedded scripting languag
    ii libapache-mod- 5.1.4-0.1~sarg HTML-embedded scripting language (apache 1.3
    rc libapache2-mod 2.0.2-2.3 Integration of perl with the Apache2 web ser
    ii libapache2-mod 5.1.6-5c2c1 server-side, HTML-embedded scripting languag
    rc libapache2-mod 5.1.4-0.1~sarg HTML-embedded scripting language (apache 2.0


    Quick Fix: So I did.

    It seems to be on every domain on my server.
    Does SSL still work after removing
    Listen 443
    from /etc/apache2/ports.conf?
     
  4. mtuser

    mtuser New Member

    Same problem.

    Apache/2.0.55 (Ubuntu) PHP/5.1.6 mod_ssl/2.0.55 OpenSSL/0.9.8b Server at xxx.xxx.xxx Port 443

    ISPConfig
    Version: 2.2.11
    ubuntu 6.10
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check that your Linux system does not contain any default vhosts pointing to the directory /var/www for the SSL port in the Apache configuration.
     
  6. TimeJunky

    TimeJunky New Member

    This problem disappeared after updating Debian sarge to etch with the new Apache 2.2 (the old one was something like 2.0.x).

    Okay, and the main problem is

    /etc/apache2/sites-enabled/@000default

    After removing this file, all IPs that are not public (and controlled by ISPConfig) are no longer showing all directories either. *grmpf*
    Hard to believe that this gate stayed wide open for such a long time :)
     
    Last edited: Apr 10, 2007
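As an added example (not code from the thread or from ISPConfig), here is a small POSIX shell audit for the condition till asks about: a vhost in the Apache configuration that serves the shared /var/www on the SSL port. It also covers the more general case behind the thread's symptom, since a <VirtualHost> whose address carries no port (Debian's stock "<VirtualHost *>" default site) matches every port in ports.conf, so with "Listen 443" present it answers on 443 as well. The sample vhost files it writes are constructed for the demo, and the addresses and paths in them are assumptions, not real servers.

```shell
#!/bin/sh
# Added example, not part of the thread or of ISPConfig: audit Apache vhost
# files for a <VirtualHost> that is reachable on port 443 and serves the
# shared /var/www, optionally with "Options Indexes" (directory listing).
# A vhost address without a port matches every Listen port, so a plain
# "<VirtualHost *>" counts as reachable on 443. Sample configs below are
# constructed for the demo; every address and path in them is an assumption.

SHARED_ROOT=/var/www   # the shared root the thread's default vhost exposed

# audit_vhost_file FILE: print one line per risky <VirtualHost> block,
# return 1 if any was found, 0 if the file is clean.
audit_vhost_file() {
    awk -v f="$1" -v shared="$SHARED_ROOT" '
        /^[[:space:]]*<VirtualHost/ {
            addr = $0
            sub(/.*<VirtualHost[[:space:]]+/, "", addr); sub(/>.*/, "", addr)
            # reachable on 443 if any address token ends in :443 or :* or has no port
            n = split(addr, tok, /[[:space:]]+/); on443 = 0
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /:443$/ || tok[i] ~ /:\*$/ || tok[i] !~ /:[0-9]+$/) on443 = 1
            inblock = 1; docroot = ""; indexes = 0
            next
        }
        inblock && /^[[:space:]]*DocumentRoot/ {
            docroot = $2; gsub(/"/, "", docroot); sub(/\/+$/, "", docroot); next
        }
        inblock && /^[[:space:]]*Options/ {
            # any Options line inside the block that enables Indexes (not -Indexes)
            for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") indexes = 1
            next
        }
        inblock && /^[[:space:]]*<\/VirtualHost>/ {
            if (on443 && docroot == shared) {
                note = indexes ? " with directory listing (Options Indexes)" : ""
                printf "%s: <VirtualHost %s> serves %s on port 443%s\n", f, addr, docroot, note
                bad++
            }
            inblock = 0; next
        }
        END { exit (bad > 0) }
    ' "$1"
}

# audit_vhost_dir DIR: run the check over every file in DIR (for instance
# the sites-enabled directory); return 1 if any file produced a finding.
audit_vhost_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        audit_vhost_file "$f" || rc=1
    done
    return $rc
}

# make_samples DIR: write two constructed vhost files into DIR (demo data only).
# The first mirrors a stock Debian default site, the second a per-domain SSL site.
make_samples() {
    mkdir -p "$1"
    cat > "$1/000-default" <<'EOF'
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
EOF
    cat > "$1/example-ssl" <<'EOF'
<VirtualHost 192.0.2.10:443>
    ServerName www.example.net
    DocumentRoot /var/www/web1/web
    <Directory /var/www/web1/web>
        Options -Indexes FollowSymLinks
    </Directory>
    SSLEngine on
</VirtualHost>
EOF
}

# Demo on the constructed samples, not on a live server.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if audit_vhost_dir "$demo_dir"; then
    echo "no shared-root vhost reachable on port 443"
else
    echo "fix: remove or repoint the flagged vhost (the thread's fixes were dropping"
    echo "     the default site or moving its DocumentRoot away from $SHARED_ROOT)"
fi
rm -rf "$demo_dir"
```

Run it against a copy of /etc/apache2/sites-enabled with `audit_vhost_dir /path/to/sites-enabled`; a non-zero exit means at least one vhost still serves the shared root on 443. The check only reads the vhost files themselves, so an Options line inherited from apache2.conf or a .htaccess is not seen; the DocumentRoot match is the finding that matters, and the Indexes note just says whether the listing is switched on in that block.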
  7. mtuser

    mtuser New Member

    Thank you for your guide :)

    I changed that file:
    /var/www to /var/www/sharedip

    :)
     
