Skip to main content

mod_userdir protection issues

Comments

9 comments

  • cPanelLauren
    Hi @webworker You'll want to exclude hosts from protection that you want to access this way. Any host protected will get a 404 error.
    0
  • webworker
    Hello @cPanelLauren ! I don't want any hosts to be accessed by mod_userdir, all hosts are protected. The issue is that on the base IP or hostname for the server will return a 403 for some system accounts with 404s for all other accounts. I've attached example screenshots of the responses. I'm not sure where to configure the responses for the cpanel software itself. Thanks!
    0
  • cPanelLauren
    I apologize, I missed this initially: [QUOTE]Desired functionality: any attempt to access a user account returns a 404.
    Interestingly I'm not able to replicate that behavior: Can you show me a screenshot of the Apache mod_userdir Tweak UI that resembles the following: 59503
    0
  • webworker
    Here's a screenshot of the mod_userdir Tweak UI. It's a little strange since it all works normally otherwise but root/nobody/admin all seem to return 403.
    0
  • cPanelLauren
    I don't know offhand/without being able to see the server configuration what the difference between our servers would be - you may want to open a ticket if you need it to respond with a 404 instead of a 403. What specifically is the end goal/reasoning behind needing it to be a 404 - maybe there's another method to get your desired result.
    0
  • webworker
    PCI compliance. Our scanning vendor flags it as an issue but despite it seemingly being a non-issue. Client sites are a simple fix with htaccess but the base cpanel software I wouldn't know where to begin looking :) I'll see about putting in a ticket! Thanks for the help
    0
  • cPanelLauren
    Ah ok, I read this and assumed that PCI compliance was passing it but you had wanted to make a different change.
    PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code

    0
  • Yasza
    Hi, I currently have same issues. Already following all the step, enable the Apache mod_userdir Tweak & exclude the host that we want to see the temporary url but just showing 403 when I check it.
    0
  • cPanelLauren
    What is the output in the apache error log?
    0

Please sign in to leave a comment.