mod_userdir protection issues

webworker

Member
Feb 8, 2017
10
0
1
United States
cPanel Access Level
Root Administrator
Hello,

I've read, re-read, googled, and read some more but I'm still butting up against this issue.

Under WHM -> Apache mod_userdir Tweak

I have Enable mod_userdir Protection check marked.
No hosts are excluded from protection.

The following occurs:
accessing http://IP_ADDRESS/~root/ -> 403 Forbidden (along with nobody/admin, other users on the server return 404)
accessing http://IP_ADDRESS/~random_account_that_doesn't_exist/ -> 404 Not Found

Desired functionality:
any attempt to access a user account returns a 404.

PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code but I'm not sure how to accomplish that with the standard cPanel error pages that are served by the server IP address or hostname pages.

Thanks!
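An added example, not part of the original post and not cPanel's own code: a small check for the condition described above, that every `/~name/` request gets the same status code and body. The account names and response bodies are constructed samples that mirror the behaviour reported in this thread; `probe` is a hypothetical helper for collecting the same data from your own server.

```python
import hashlib
import urllib.error
import urllib.request

def probe(base_url, name, timeout=5):
    """Fetch base_url/~name/ on your own server; return (status, body), 4xx included."""
    try:
        with urllib.request.urlopen(f"{base_url}/~{name}/", timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def fingerprint(name, status, body):
    """Status code plus body hash. The requested name is stripped first, so an
    error page that echoes the URL does not count as a difference on its own."""
    return status, hashlib.sha256(body.replace(name.encode(), b"")).hexdigest()

def distinguishable(responses):
    """Group account names by response fingerprint.

    responses: dict of name -> (status, body). More than one group in the
    result means the server answers differently depending on the account.
    """
    groups = {}
    for name, (status, body) in responses.items():
        groups.setdefault(fingerprint(name, status, body), []).append(name)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample: behaviour reported in the thread (403 for system accounts).
BEFORE = {
    "root": (403, b"<h1>Forbidden</h1>"),
    "nobody": (403, b"<h1>Forbidden</h1>"),
    "admin": (403, b"<h1>Forbidden</h1>"),
    "random_account_that_does_not_exist": (404, b"<h1>Not Found</h1>"),
}
# Constructed sample: desired behaviour, every name answers with the same 404.
AFTER = {name: (404, b"<h1>Not Found</h1>") for name in BEFORE}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        groups = distinguishable(sample)
        print(label, "uniform" if len(groups) == 1 else f"differs: {groups}")
```

Serving the same ErrorDocument body for 403 and 404 still leaves two groups here, because the status codes differ; only an identical status and body collapses to one group.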
 

webworker

Hello @cPanelLauren !

I don't want any hosts to be accessed by mod_userdir, all hosts are protected.

The issue is that the base IP or hostname for the server will return a 403 for some system accounts, with 404s for all other accounts. I've attached example screenshots of the responses.

I'm not sure where to configure the responses for the cPanel software itself.

Thanks!
 


cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,237
1,232
313
Houston
I apologize, I missed this initially:

Desired functionality:
any attempt to access a user account returns a 404.
Interestingly I'm not able to replicate that behavior:

404_admin.png 404_root.png

Can you show me a screenshot of the Apache mod_userdir Tweak UI that resembles the following:


user_dir_page.png
 

cPanelLauren

I don't know offhand/without being able to see the server configuration what the difference between our servers would be - you may want to open a ticket if you need it to respond with a 404 instead of a 403.

What specifically is the end goal/reasoning behind needing it to be a 404? Maybe there's another method to get your desired result.
 

webworker

PCI compliance. Our scanning vendor flags it as an issue despite it seemingly being a non-issue.

Client sites are a simple fix with .htaccess, but for the base cPanel software I wouldn't know where to begin looking :)

I'll see about putting in a ticket!

Thanks for the help
 

cPanelLauren

Ah ok, I read this and assumed that PCI compliance was passing it but you had wanted to make a different change.

PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code
 

Yasza

Registered
Oct 16, 2020
1
0
1
Bali
cPanel Access Level
Root Administrator
Hi, I currently have the same issue. I've already followed all the steps, enabled the Apache mod_userdir Tweak and excluded the host that we want to see the temporary URL on, but it just shows a 403 when I check it.