A client just notified us that the /var/www/clients directory can be viewed online, potentially looking at any other sites, and in particular one site that didn't have any security is now exposed. We are running a multiserver setup, with 3.0.5.4p5, e.g. when I go to http://serverA.com/clients/ I can view a directory listing of all the sites. And individual sites could be viewed like: http://serverA.com/clients/client2/web20/web/

Interestingly, I actually help run two different ISPConfig multiserver setups, both the same versions, and this setup has this major problem, but the other setup gives the correct 403 Forbidden error. I can't see any real differences in config.

From what I can see, this file should be denying access: /etc/apache/sites-available/ispconfig.conf

With this code:

    <Directory /var/www/clients>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>

Why wouldn't this be working?

As a very quick and nasty hack, I had to add this to the bottom of /etc/apache/apache2.conf, as the clients did not want their data exposed (yes, I do realise this could block some legitimate URLs for websites that have /clients/ as a directory, but needed a quick fix, and can fine tune later):

    <Location /clients/>
        Order Deny,Allow
        Deny from all
    </Location>

Any ideas? Thanks
Take a look in /etc/apache/sites-enabled/ if the ispconfig.conf file is linked there as 000-ispconfig.conf.
Yes:

    lrwxrwxrwx 1 root root 43 Sep 23 2013 /etc/apache2/sites-enabled/000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf

It is strange that all servers linked in this multiserver setup are displaying the same behaviour. But in a completely different environment (different master server) it works fine. Any way to trace or debug Apache rules to find out what config might be causing the problem?
So any tips on what I need to look for to fix this issue? Concerned that typing in http://<server-name>/clients/ lists all the available client directories (e.g. client123, client124, client125...). And clicking on a client directory shows the domain symlink, and the web folder like 'web665'.
See what that file contains; it is supposed to have a section specifically to block this (this is from 3.1, but yours should be similar):

Code:
    <Directory /var/www/clients>
        AllowOverride None
        Require all denied
    </Directory>
Yes, that file contains the following (3.0.5, with Apache 2.2.22):

Code:
    <Directory /var/www/clients>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
So there must be something in your config that is loaded after the 000-ispconfig.conf file which unlocks this folder.
Found the issue! We were playing around with some code to block "verifying pingback" bots for WordPress sites, and unfortunately this code wasn't right, and because it was in the /etc/apache2/conf.d/ directory, I didn't find it while searching sites-enabled! Doh. Anyway, this bad code is disabled until we fix it:

Code:
    # Block "verifying pingback" bots, with a 403
    SetEnvIfNoCase User-Agent "verifying pingback from" bad_ua
    <Location />
        Deny from env=bad_ua
    </Location>
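The reason a snippet in conf.d could undo a Deny in sites-enabled, regardless of include order, is how Apache 2.2 merges access control: all <Directory> sections are applied first (shortest path to longest), every <Location> section is applied after them in configuration order, and because mod_authz_host in 2.2 has no merge routine, a later section that contains any Order/Allow/Deny directive replaces the earlier section's rules wholesale. A `<Location />` with a single `Deny from env=bad_ua` therefore becomes the only access rule for every URL, and its implied `Order Deny,Allow` lets every non-bot request through, including /clients/. The script below is an added example, not code from the thread or from ISPConfig; it answers the earlier question about tracing which rule wins by listing every access-control section under a config tree in Apache's merge order, so the last line printed is the section that has the final say. The directory tree it builds with mktemp is constructed to mirror the thread (a sites-available/ispconfig.conf with the Deny and a conf.d/block-pingback.conf with the Location), and the file name block-pingback.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig). Lists every <Directory>
# and <Location> section that carries an Order/Allow/Deny directive, in the
# order Apache 2.2 merges them: Directory sections first, Location sections
# after all of them. The last section printed is the one whose access rules
# finally apply to a path covered by all of them.

# Build a throwaway tree that mirrors the thread's situation (constructed data;
# the conf.d file name is an assumption).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf.d" "$root/sites-available" "$root/sites-enabled"
    cat > "$root/sites-available/ispconfig.conf" <<'EOF'
<Directory /var/www/clients>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
EOF
    ln -s "$root/sites-available/ispconfig.conf" "$root/sites-enabled/000-ispconfig.conf"
    cat > "$root/conf.d/block-pingback.conf" <<'EOF'
# Block "verifying pingback" bots, with a 403
SetEnvIfNoCase User-Agent "verifying pingback from" bad_ua
<Location />
    Deny from env=bad_ua
</Location>
EOF
    printf '%s\n' "$root"
}

# Print "file:line:<section header>" for each access-controlled section.
# Symlinked sites-enabled entries are not followed by find -type f, so each
# file is reported once, under sites-available.
list_access_sections() {
    root=$1
    for kind in Directory Location; do
        find "$root" -type f -name '*.conf' | sort | while read -r file; do
            grep -n -E "^[[:space:]]*<${kind}[[:space:]]" "$file" |
            while IFS=: read -r line rest; do
                # Keep the section only if it sets Order/Allow/Deny before its
                # closing tag; those are the directives that replace earlier rules.
                if sed -n "${line},/<\\/${kind}>/p" "$file" |
                   grep -qiE '^[[:space:]]*(Order|Allow from|Deny from)'; then
                    printf '%s:%s:%s\n' "$file" "$line" \
                        "$(printf '%s' "$rest" | sed 's/^[[:space:]]*//')"
                fi
            done
        done
    done
}

# Stand-alone run: build the demo tree, show the merge order, clean up.
demo_root=$(make_demo_tree)
list_access_sections "$demo_root"
rm -rf "$demo_root"
```

On a real Debian/Ubuntu server point `list_access_sections` at /etc/apache2 (conf.d/ is included by apache2.conf before sites-enabled/, but the Location section still lands last in the merge). If the aim is to reject a User-Agent without replacing mod_authz_host state for every URL, a rule that stays out of the Order/Allow/Deny machinery altogether, such as mod_rewrite's `RewriteCond %{HTTP_USER_AGENT} "verifying pingback from" [NC]` followed by `RewriteRule .* - [F]`, leaves the `Deny from all` on /var/www/clients untouched.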