Return Same Error Document for 404 and 403 (CVE-2001-1013)
I'm hardening for PCI and my scanner requests that I do this. The full reason for this is:
"The web server running on this host allows attackers to probe for user names via requests for user home pages (e.g., http://host/~username). Many different types of web servers exhibit this behavior, but it is most commonly associated with Apache HTTP Server."
And the solution is: "Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses. Additionally, if Apache is being used, the UserDir directive should be disabled in the Apache configuration file (httpd.conf)."
How can I go about this? I should be able to disable UserDir just fine, but I'm not sure how to go about the rest.
I'm using WHM 11.48 with cPanel.
Just an update: something I did made this issue go away and I am now PCI compliant. Maybe it was just the disabling of UserDir, I have no idea! So I guess this isn't much of a priority for me anymore.
Hello :) Yes, disabling Apache mod_userdir results in 404 errors when attempting to access those URLs, so that would have addressed the issue. Thank you.
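An added example, not part of the original thread: a small checker for the two things the scanner's solution text asks for, `UserDir` disabled and one shared `ErrorDocument` for 403 and 404. The sample configurations and error-page paths are constructed, and the check assumes mod_userdir is loaded and treats the file as a single flat scope (it does not follow `Include` lines or per-VirtualHost overrides).

```python
import shlex

# Constructed sample configs for illustration (not taken from the thread).
WEAK_CONF = """
UserDir public_html
ErrorDocument 404 /errors/notfound.html
"""
HARDENED_CONF = """
UserDir disabled
ErrorDocument 403 /errors/generic.html
ErrorDocument 404 /errors/generic.html
"""

def directives(conf_text):
    """Yield (lowercased name, args) per directive; skip comments and <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            parts = line.split()
        yield parts[0].lower(), parts[1:]

def audit(conf_text):
    """Return a list of findings; an empty list means both recommendations are met."""
    error_docs, userdir_off = {}, False
    for name, args in directives(conf_text):
        if name == "errordocument" and len(args) >= 2:
            error_docs[args[0]] = " ".join(args[1:])
        elif name == "userdir" and args:
            keyword = args[0].lower()
            if keyword == "disabled" and len(args) == 1:
                userdir_off = True      # bare "disabled" turns off all ~user mapping
            elif keyword != "disabled":
                userdir_off = False     # a later enabling directive re-opens it
    findings = []
    if not userdir_off:
        findings.append("UserDir is not globally disabled")
    doc403, doc404 = error_docs.get("403"), error_docs.get("404")
    if doc403 is None or doc403 != doc404:
        findings.append("403 and 404 do not share one ErrorDocument")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```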