[Case 71205] Directory “/” Options not working all of a sudden?

[morrow95]

I was creating a new account on my server today and noticed that it was showing the directory structure when there is no index file. I have ALWAYS had this turned off.

I logged into whm and looked at Apaches Global Configuration :

Directory “/” Options - everything is unchecked (how I want it to be) although I can view the directory structure of any folder of any account on my server at the moment... as an example Example Domain where there is obviously not an index file and up pops all the files in the folder for anyone to see.

Is this a bug from the last update or what? My settings in WHM have not changed and are correct, but obviously something is wrong at the moment.

Any ideas... would like to get this fixed asap... I honestly do not know how long it has been like this either just noticed it today by chance.

 

[cPanelMichael]

Hello

Could you try clicking on "Save" with the existing configuration and let us know if that makes a difference? Note that you may need to clear browser cache for a specific website when testing.

Thank you.

 

[morrow95]

Thanks for the response. I took a closer look at my httpd.conf by ssh'ing into the server and found :

<Directory "/">
Options
AllowOverride All
</Directory>

changed it to :

<Directory "/">
Options None
AllowOverride All
</Directory>

restarted apache and now everything is fine. I have to be honest I do not know if this is how the file always was, but I do know that no settings were changed and it has always worked properly before. This only leads me to believe something changed with an update. I also find it strange then when I save options in WHM's Apache Configuration that having nothing selected does not ensure that httpd.conf is set to 'Options None'.

The only question I have now is do I need to worry about this mysteriously changing on me again - especially since I manually edited the httpd.conf file?

EDIT : I should also add that I tried your recommendation last night before posting and it did nothing. I even checked the options, saved and restarted, then unchecked and saved/restarted and it did not correct anything. I did not, however, look at the httpd.conf file after each to see what changes if any it made when doing so.

 

[cPanelMichael]

The values configured in "WHM Home » Service Configuration » Apache Configuration » Global Configuration" are stored in the following file:

/var/cpanel/conf/apache/local

If you notice this issue again, check this file from the command line to see if the values have been modified, and to determine the date it was last modified.

Thank you.

 

[morrow95]

I just looked at this... all the files in /var/cpanel/conf/apache/ were modified the other day (when I used the save feature in WHM's Global Configuration).

My httpd.conf file on the other hand was modified about 2 hours AFTER this when I manually changed it as I mentioned in the earlier post. So that pretty much confirms that saving the value in WHM did not correct the issue.

The values of /var/cpanel/conf/apache/local/ are :

root_options:
item:
root_options:
ExecCGI: 0
FollowSymLinks: 0
Includes: 0
IncludesNOEXEC: 0
Indexes: 0
MultiViews: 0
SymLinksIfOwnerMatch: 0

Why would the above values not correctly set the httpd.conf when saved? Is this perhaps a bug? In other words it originally set :

<Directory "/">
Options
AllowOverride All
</Directory>

and I had to manually change it to :

<Directory "/">
Options None
AllowOverride All
</Directory>

for the options to be disabled. I'd like to figure this out still especially since I have no idea when this change happened. Like I said it was always set and working till I just happened to notice it the other day. If I had not created the new site account I would have never noticed it.

 

[cPanelMichael]

Could you open a support ticket so we can take a closer look? You can open a ticket via:

Submit A Ticket

Post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[morrow95]

Could you open a support ticket so we can take a closer look? You can open a ticket via:

Submit A Ticket

Post the ticket number here so we can update this thread with the outcome.

Thank you.

Your Request id is: 4275185

 

[morrow95]

Just got work from Cpanel this morning that this appears to be a bug and an internal case has been opened to have it addressed - timeframe on this is unknown.

 

[cPanelMichael]

For reference, the internal case number is 71205. You can monitor our change log for it's inclusion:

cPanel - Change Log

Thank you.

 

[cPanelMichael]

A resolution for case 71205 was implemented with cPanel version 11.38.2.0. This version is currently available in the "Current" build tier, and will work it's way down to the other build tiers over time per standard protocol. The change log is available at:

cPanel - Change Log

Thank you.

 

[flwong]

hi

althouht now i can set the directory / option to none, but the hacker still can list or edit the file in /var/ or /etc/

can i send u the script by mail , so you can test it .?

 

[cPanelMichael]

hi

althouht now i can set the directory / option to none, but the hacker still can list or edit the file in /var/ or /etc/

can i send u the script by mail , so you can test it .?

Could you provide more information on how someone is accessing your /var or /etc directories? Please provide the full steps to reproduce this issue. Note, you may want to open a new thread for this issue because it's separate from the original problem that you reported.

Thank you.

 

[morrow95]

Well, today I noticed the SAME problem I had in the OP is back. Logged into WHM and am showing "WHM 11.38.2 (build 6)". According to CPanelVersion1138 < AllDocumentation/ChangeLog < TWiki this problem was fixed.

Perhaps someone should look into this as it apparently is not fixed, and, once again when the auto-update occurred it reverted my change (Options None) in httpd.conf and without my knowing all folders were viewable to anyone even if they did not have indexes. For all I know all other options were enabled too, but this is the only one I noticed. For the time being I just enabled symlinksifownermatch by default in WHM to fix rather than using my previous fix.

 

[cPanelMichael]

Perhaps someone should look into this as it apparently is not fixed, and, once again when the auto-update occurred it reverted my change (Options None) in httpd.conf and without my knowing all folders were viewable to anyone even if they did not have indexes. For all I know all other options were enabled too, but this is the only one I noticed. For the time being I just enabled symlinksifownermatch by default in WHM to fix rather than using my previous fix.

Please open bug reports via:

Submit A Bug Report

While a previous case may be open, it's important to open a new report if the issue still exists after a resolution has been pushed out. Let us know the ticket number and we can update this thread with the outcome.

Thank you.