/var/www/clients exposed via Apache and accessible

Discussion in 'General' started by snowfly, Sep 28, 2016.

  1. snowfly

    snowfly Member

    A client just notified us that the /var/www/clients directory can be viewed online, potentially looking at any other sites, and in particular one site that didn't have any security is now exposed.

    We are running a multiserver setup, with 3.0.5.4p5

    e.g. when I go to http://serverA.com/clients/ , I can view a directory listing of all the sites.
    And individual sites could be viewed like: http://serverA.com/clients/client2/web20/web/

    Interestingly, I actually help run two different ISPConfig multiserver setups, both the same versions, and this setup has this major problem, but the other setup gives the correct 403 forbidden error.
    I can't see any real differences in config.

    From what I can see, this file should be denying access: /etc/apache/sites-available/ispconfig.conf
    With this code:
    <Directory /var/www/clients>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>

    Why wouldn't this be working?

    As a very quick and nasty hack, I had to add this to the bottom of /etc/apache/apache2.conf, as the clients did not want their data exposed: (yes I do realise this could block some legitimate URLs for websites that have /clients/ as a directory, but needed a quick fix, and can fine tune later)
    <Location /clients/>
        Order Deny,Allow
        Deny from all
    </Location>

    Any ideas?
    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look in /etc/apache/sites-enabled/ if the ispconfig.conf file is linked there as 000-ispconfig.conf.
     
  3. snowfly

    snowfly Member

    Yes:
    lrwxrwxrwx 1 root root 43 Sep 23 2013 /etc/apache2/sites-enabled/000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf

    It is strange that all servers linked in this multiserver setup are displaying the same behaviour. But in a completely different environment (different master server) it works fine.

    Any way to trace or debug apache rules to find out what config might be causing the problem?
     
  4. snowfly

    snowfly Member

    So any tips on what I need to look for to fix this issue?
    Concerned that typing in http://<server-name>/clients/ lists all the available client directories (e.g. client123, client124, client125...).
    And clicking on a client directory shows the domain symlink, and the web folder like 'web665'.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    See what that file contains; it is supposed to have a section specifically to block this (this is from 3.1, but yours should be similar):
    Code:
    <Directory /var/www/clients>
        AllowOverride None
        Require all denied
    </Directory>
    
     
  6. snowfly

    snowfly Member

    Yes that file contains the following: (3.0.5, with Apache 2.2.22)

    Code:
    <Directory /var/www/clients>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    So there must be something in your config that is loaded after the 000-ispconfig.conf file which unlocks this folder.
     
  8. snowfly

    snowfly Member

    Found the issue!
    We were playing around with some code to block verifying pingback bots, for wordpress sites, and unfortunately this code wasn't right, and because it was in the /etc/apache2/conf.d/ directory, I didn't find it while searching sites-enabled! Doh.
    Anyway, this bad code is disabled until we fix it:
    Code:
    # Block "verifying pingback" bots, with a 403
    SetEnvIfNoCase User-Agent "verifying pingback from" bad_ua
    <Location />
        Deny from env=bad_ua
    </Location>
     
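An added example, not code from the thread or from ISPConfig, that serves both the question in post 3 (how to trace which Apache rule is unlocking the directory) and the finding in post 8. The reason the pingback block won is Apache 2.2's merge semantics: `<Location>` sections are merged after `<Directory>` sections regardless of which file they live in, and mod_authz_host in 2.2 has no merge function, so any section that contains an Order/Allow/Deny directive replaces the access rules of the sections merged before it. A `<Location />` with `Deny from env=bad_ua` therefore replaced `Deny from all` for every path. The script below walks a config tree and prints every section that carries access-control directives, so a stray `<Location>` in conf.d shows up next to the intended `<Directory /var/www/clients>` block. The sample tree, the file name conf.d/pingback.conf and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find every <Directory>/<Location>/<Files>
# section in an Apache config tree that carries mod_authz_host directives
# (Order/Allow/Deny) or 2.4-style Require.  In Apache 2.2 the section of the
# matching type merged last wins outright, so a stray <Location /> with a Deny
# line anywhere in the tree replaces an earlier "Deny from all" on a <Directory>.
set -eu

# Print "file:line: <section header> -> directive" for each access directive
# found inside a section.  Files are listed sorted by path; the merge order
# Apache applies is decided by section type (Directory, then Files, then
# Location), not by file order, so every hit is relevant.
find_access_sections() {
    confdir=$1
    find "$confdir" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # opening tag of a section: remember its header text
            /^[ \t]*<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)[ \t>]/ {
                hdr = $0; sub(/^[ \t]+/, "", hdr); depth++
            }
            # an access-control directive inside an open section
            depth > 0 && /^[ \t]*(Order|Allow|Deny|Require)[ \t]/ {
                d = $0; sub(/^[ \t]+/, "", d)
                printf "%s:%d: %s -> %s\n", file, NR, hdr, d
            }
            /^[ \t]*<\/(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)>/ { depth-- }
        ' "$f"
    done
}

# Constructed sample tree mirroring the thread: the ISPConfig deny in
# sites-enabled and the faulty pingback block in conf.d (assumed file name).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites-enabled" "$dir/conf.d"
    cat > "$dir/sites-enabled/000-ispconfig.conf" <<'EOF'
<Directory /var/www/clients>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
EOF
    cat > "$dir/conf.d/pingback.conf" <<'EOF'
# Block "verifying pingback" bots, with a 403
SetEnvIfNoCase User-Agent "verifying pingback from" bad_ua
<Location />
    Deny from env=bad_ua
</Location>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: build the sample tree, list the hits, clean up.
SAMPLE=$(make_sample_tree)
find_access_sections "$SAMPLE"
rm -rf "$SAMPLE"
```

Run it against a real server with `find_access_sections /etc/apache2` (after sourcing the functions); any `<Location>` or `<Files>` hit that carries a Deny/Allow/Order line is a candidate for overriding the `<Directory /var/www/clients>` rule, because it is merged later. If the user-agent block is needed, it should not use mod_authz_host directives in a global `<Location />`; a mod_rewrite rule returning a 403, or placing the `Deny from env=bad_ua` inside the same `<Directory>` sections that already hold the access rules, avoids wiping them.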
