mod_userdir protection issues

webworker

Member
Feb 8, 2017
10
0
1
United States
cPanel Access Level
Root Administrator
Hello,

I've read, re-read, googled, and read some more but I'm still butting up against this issue.

Under WHM -> Apache mod_userdir Tweak

I have Enable mod_userdir Protection check marked.
No hosts are excluded from protection.

The following occurs:
accessing http://IP_ADDRESS/~root/ -> 403 Forbidden (along with nobody/admin, other users on the server return 404)
accessing http://IP_ADDRESS/~random_account_that_doesn't_exist/ -> 404 Not Found

Desired functionality:
any attempt to access a user account returns a 404.

PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code but I'm not sure how to accomplish that with the standard cPanel error pages that are served by the server IP address or hostname pages.

Thanks!
 

webworker

Hello @cPanelLauren!

I don't want any hosts to be accessed by mod_userdir, all hosts are protected.

The issue is that the base IP or hostname for the server will return a 403 for some system accounts, with 404s for all other accounts. I've attached example screenshots of the responses.

I'm not sure where to configure the responses for the cPanel software itself.

Thanks!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,126
667
263
Houston
cPanel Access Level
DataCenter Provider
I don't know offhand/without being able to see the server configuration what the difference between our servers would be - you may want to open a ticket if you need it to respond with a 404 instead of a 403.

What specifically is the end goal/reasoning behind needing it to be a 404 - maybe there's another method to get your desired result.
 

webworker

PCI compliance. Our scanning vendor flags it as an issue despite it seemingly being a non-issue.

Client sites are a simple fix with htaccess, but for the base cPanel software I wouldn't know where to begin looking :)

I'll see about putting in a ticket!

Thanks for the help
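
Added example, not part of the thread and not cPanel code: a small offline check that takes recorded responses for `/~user/` requests and reports whether they are distinguishable, which is the condition the scanning vendor flags. The sample paths and response bodies are constructed to mirror the 403/404 split described in the first post; the function names are hypothetical.

```python
"""Check recorded /~user/ responses for an account-existence oracle."""
import hashlib
from collections import defaultdict


def fingerprint(path, status, body):
    """Status code plus a short hash of the body with the echoed path masked."""
    # Error pages usually echo the requested URL; mask it so two otherwise
    # identical pages are not treated as different responses.
    masked = body.replace(path, "<PATH>").replace(path.strip("/"), "<PATH>")
    return status, hashlib.sha256(masked.encode()).hexdigest()[:12]


def group_responses(responses):
    """Map each distinct fingerprint to the request paths that produced it."""
    groups = defaultdict(list)
    for path, status, body in responses:
        groups[fingerprint(path, status, body)].append(path)
    return dict(groups)


def leaks_account_existence(responses):
    """True when the responses fall into more than one fingerprint group."""
    return len(group_responses(responses)) > 1


FORBIDDEN = "<h1>Forbidden</h1><p>You don't have permission to access {} here.</p>"
NOT_FOUND = "<h1>Not Found</h1><p>The requested URL {} was not found.</p>"

# Constructed sample: behaviour reported in the thread (403 for some system
# accounts, 404 for everything else).
BEFORE = [
    ("/~root/", 403, FORBIDDEN.format("/~root/")),
    ("/~nobody/", 403, FORBIDDEN.format("/~nobody/")),
    ("/~no_such_account/", 404, NOT_FOUND.format("/~no_such_account/")),
]

# Constructed sample: the desired behaviour, one status and one page for all.
AFTER = [(path, 404, NOT_FOUND.format(path)) for path, _, _ in BEFORE]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        verdict = "distinguishable" if leaks_account_existence(sample) else "uniform"
        print(f"{label}: {verdict}")
        for (status, digest), paths in group_responses(sample).items():
            print(f"  {status} {digest}: {', '.join(paths)}")
```

The status code is part of the fingerprint, so serving the same error page for both codes still reports as distinguishable unless the status codes also match.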