The Community Forums

Interact with an entire community of cPanel & WHM users!

Return Same Error Document for 404 and 403 (CVE-2001-1013)

Discussion in 'Security' started by Brian Johnson, Mar 3, 2015.

  1. Brian Johnson

    I'm hardening for PCI and my scanner requests that I do this. The full reason for this is:

    "The web server running on this host allows attackers to probe for user names via requests for user home pages (e.g., http://host/~username). Many different types of web servers exhibit this behavior, but it is most commonly associated with Apache HTTP Server."

    And the solution is: "Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses. Additionally, if Apache is being used, the UserDir directive should be disabled in the Apache configuration file (httpd.conf)."

    How can I go about this? I should be able to disable UserDir just fine, but I'm not sure how to go about the rest.

    I'm using WHM 11.48 with cPanel.
     
  2. Brian Johnson

    Just an update: something I did made this issue go away and I am now PCI compliant. Maybe it was just the disabling of UserDir; I have no idea! So I guess this isn't much of a priority for me anymore.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, disabling Apache mod_userdir results in 404 errors when attempting to access those URLs, so that would have addressed the issue.

    Thank you.
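
Added example (not part of the thread and not cPanel's code): a small Python check that reads Apache configuration text and reports whether the two conditions from the scanner's solution text still hold, namely UserDir translation being active and the 403 and 404 ErrorDocument entries differing. The function name, finding codes and sample configurations are constructed for illustration, and the parser assumes a single flat configuration scope.

```python
import shlex

def audit_userdir_exposure(conf_text):
    """Return sorted finding codes for Apache config text.
    Assumption: one flat scope (no Include expansion, section tags such as
    <VirtualHost> are skipped), and the last ErrorDocument per code wins.
    """
    error_docs = {}        # status code -> document argument
    disabled_all = False   # saw a bare "UserDir disabled"
    enabled_users = []     # users named by "UserDir enabled ..."
    dir_pattern = False    # saw "UserDir public_html" or similar
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue       # blank lines, comments, section tags
        parts = shlex.split(line)
        name, args = parts[0].lower(), parts[1:]
        if name == "errordocument" and len(args) >= 2:
            error_docs[args[0]] = args[1]
        elif name == "userdir" and args:
            keyword = args[0].lower()
            if keyword == "disabled":
                # Only the bare form turns translation off for everyone.
                disabled_all = disabled_all or len(args) == 1
            elif keyword == "enabled":
                enabled_users += args[1:]
            else:
                dir_pattern = True
    findings = []
    if enabled_users or (dir_pattern and not disabled_all):
        findings.append("userdir-active")
    if error_docs.get("403") is None or error_docs["403"] != error_docs.get("404"):
        findings.append("errordoc-403-404-differ")
    return sorted(findings)

# Constructed samples, not taken from the thread.
FLAGGED = """
UserDir public_html
UserDir disabled root
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
"""
HARDENED = """
UserDir disabled
ErrorDocument 403 /error.shtml
ErrorDocument 404 /error.shtml
"""
print(audit_userdir_exposure(FLAGGED))
print(audit_userdir_exposure(HARDENED))
```

Matching ErrorDocument entries make the two response bodies identical, but the status codes themselves remain 403 and 404.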
     