[Case 71205] Directory “/” Options not working all of a sudden?

Discussion in 'Security' started by morrow95, Jun 19, 2013.

  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    I was creating a new account on my server today and noticed that it was showing the directory structure when there is no index file. I have ALWAYS had this turned off.

    I logged into WHM and looked at Apache's Global Configuration:

    Directory “/” Options - everything is unchecked (how I want it to be) although I can view the directory structure of any folder of any account on my server at the moment... as an example Example Domain where there is obviously not an index file and up pops all the files in the folder for anyone to see.

    Is this a bug from the last update or what? My settings in WHM have not changed and are correct, but obviously something is wrong at the moment.

    Any ideas... would like to get this fixed asap... I honestly do not know how long it has been like this either just noticed it today by chance.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you try clicking on "Save" with the existing configuration and let us know if that makes a difference? Note that you may need to clear browser cache for a specific website when testing.

    Thank you.
     
  3. morrow95

    morrow95 Well-Known Member

    Thanks for the response. I took a closer look at my httpd.conf by ssh'ing into the server and found :

    <Directory "/">
    Options
    AllowOverride All
    </Directory>

    changed it to :

    <Directory "/">
    Options None
    AllowOverride All
    </Directory>

    Restarted Apache and now everything is fine. I have to be honest, I do not know if this is how the file always was, but I do know that no settings were changed and it has always worked properly before. This only leads me to believe something changed with an update. I also find it strange that when I save options in WHM's Apache Configuration, having nothing selected does not ensure that httpd.conf is set to 'Options None'.

    The only question I have now is do I need to worry about this mysteriously changing on me again - especially since I manually edited the httpd.conf file?

    EDIT : I should also add that I tried your recommendation last night before posting and it did nothing. I even checked the options, saved and restarted, then unchecked and saved/restarted and it did not correct anything. I did not, however, look at the httpd.conf file after each to see what changes if any it made when doing so.
     
    #3 morrow95, Jun 19, 2013
    Last edited: Jun 19, 2013
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The values configured in "WHM Home » Service Configuration » Apache Configuration » Global Configuration" are stored in the following file:

    Code:
    /var/cpanel/conf/apache/local
    If you notice this issue again, check this file from the command line to see if the values have been modified, and to determine the date it was last modified.

    Thank you.
     
  5. morrow95

    morrow95 Well-Known Member

    I just looked at this... all the files in /var/cpanel/conf/apache/ were modified the other day (when I used the save feature in WHM's Global Configuration).

    My httpd.conf file on the other hand was modified about 2 hours AFTER this when I manually changed it as I mentioned in the earlier post. So that pretty much confirms that saving the value in WHM did not correct the issue.

    The values of /var/cpanel/conf/apache/local/ are :

    root_options:
      item:
        root_options:
          ExecCGI: 0
          FollowSymLinks: 0
          Includes: 0
          IncludesNOEXEC: 0
          Indexes: 0
          MultiViews: 0
          SymLinksIfOwnerMatch: 0

    Why would the above values not correctly set the httpd.conf when saved? Is this perhaps a bug? In other words it originally set :

    <Directory "/">
    Options
    AllowOverride All
    </Directory>

    and I had to manually change it to :

    <Directory "/">
    Options None
    AllowOverride All
    </Directory>

    for the options to be disabled. I'd like to figure this out still especially since I have no idea when this change happened. Like I said it was always set and working till I just happened to notice it the other day. If I had not created the new site account I would have never noticed it.
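
The comparison this thread arrives at, as an added example that is not part of the original posts and is not cPanel code: it classifies the `Options` line inside `<Directory "/">` and checks it against the `Indexes` value WHM saved. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not cPanel code. Both paths are arguments; in this thread they
# would be the server's httpd.conf and /var/cpanel/conf/apache/local.

# Classify Options inside <Directory "/">: missing|empty|none|indexes|explicit
root_options_state() {
    awk '
        /^[ \t]*<Directory[ \t]+"?\/"?[ \t]*>/ { in_root = 1; next }
        in_root && /^[ \t]*<\/Directory>/      { in_root = 0 }
        in_root && tolower($1) == "options" {
            # "empty" is the bare Options line the thread found after a save
            state = (NF == 1) ? "empty" : "explicit"
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "none") state = "none"
                if (opt == "indexes" || opt == "+indexes" || opt == "all") state = "indexes"
            }
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Value WHM saved for Indexes (0 or 1) in its YAML store.
whm_saved_indexes() {
    awk '$1 == "Indexes:" { print $2; exit }' "$1"
}

# Return 1 when WHM saved Indexes: 0 but the rendered block does not enforce it.
check_root_options() {
    state=$(root_options_state "$1")
    saved=$(whm_saved_indexes "$2")
    case "$saved:$state" in
        0:none|0:explicit) echo "OK: saved Indexes=0, rendered Options is $state"; return 0 ;;
        0:*) echo "MISMATCH: saved Indexes=0 but rendered Options is $state"; return 1 ;;
        *)   echo "INFO: saved Indexes=$saved, rendered Options is $state"; return 0 ;;
    esac
}

# Constructed sample input: the two blocks quoted in the thread plus saved values.
tmp=$(mktemp -d)
printf '<Directory "/">\nOptions\nAllowOverride All\n</Directory>\n' > "$tmp/before.conf"
printf '<Directory "/">\nOptions None\nAllowOverride All\n</Directory>\n' > "$tmp/after.conf"
printf 'root_options:\n  item:\n    root_options:\n      Indexes: 0\n' > "$tmp/local"
check_root_options "$tmp/before.conf" "$tmp/local" || true
check_root_options "$tmp/after.conf" "$tmp/local"
rm -rf "$tmp"
```

Run after each cPanel update, a non-zero exit from `check_root_options` flags the silent revert described later in this thread.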
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you open a support ticket so we can take a closer look? You can open a ticket via:

    Submit A Ticket

    Post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. morrow95

    morrow95 Well-Known Member

    Your Request id is: 4275185
     
  8. morrow95

    morrow95 Well-Known Member

    Just got word from cPanel this morning that this appears to be a bug and an internal case has been opened to have it addressed - timeframe on this is unknown.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    A resolution for case 71205 was implemented with cPanel version 11.38.2.0. This version is currently available in the "Current" build tier, and will work its way down to the other build tiers over time per standard protocol. The change log is available at:

    cPanel - Change Log

    Thank you.
     
  11. flwong

    flwong Registered

    Joined:
    Feb 16, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Although now I can set the directory / option to none, the hacker can still list or edit the file in /var/ or /etc/.

    Can I send you the script by mail, so you can test it?
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you provide more information on how someone is accessing your /var or /etc directories? Please provide the full steps to reproduce this issue. Note, you may want to open a new thread for this issue because it's separate from the original problem that you reported.

    Thank you.
     
  13. morrow95

    morrow95 Well-Known Member

    Well, today I noticed the SAME problem I had in the OP is back. Logged into WHM and am showing "WHM 11.38.2 (build 6)". According to CPanelVersion1138 < AllDocumentation/ChangeLog < TWiki this problem was fixed.

    Perhaps someone should look into this as it apparently is not fixed, and, once again, when the auto-update occurred it reverted my change (Options None) in httpd.conf and without my knowing all folders were viewable to anyone even if they did not have indexes. For all I know all other options were enabled too, but this is the only one I noticed. For the time being I just enabled SymLinksIfOwnerMatch by default in WHM to fix it rather than using my previous fix.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Please open bug reports via:

    Submit A Bug Report

    While a previous case may be open, it's important to open a new report if the issue still exists after a resolution has been pushed out. Let us know the ticket number and we can update this thread with the outcome.

    Thank you.
     