Hello,
today we received many phishing notifications from Google regarding some accounts of our reseller plan. The malicious URLs look like this: http://www.ourdomain .com/~l0k0/cgi-bin/update.php
Our sites are not really compromised, but the problem is that a URL like:
http://www.ourdomain.com/~otheruser/etc
gives access to the web root of another account on the server (~l0k0 in this case), even though it appears to be on our domain.
I've read that there were similar issues in the past, and they were solved by disabling the Apache userdirs on the affected domains.
I already opened a ticket about this issue, but I really believe that the userdir (/~user/ URLs) should be disabled by default, or be enabled only when accessing through the IP and not through a hostname.
I think this is a major security issue.
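The mitigation the post asks for (no /~user/ mapping on customer hostnames, userdir only when the server is reached by its IP) can be expressed directly in the Apache configuration. The following is an added example, not configuration from the original post or from any hosting control panel; it assumes Apache 2.4 with mod_userdir loaded, and the IP address 203.0.113.10, the ServerName values and the /home paths are placeholders.

```apache
# Added example (not from the original post): mod_userdir hardening for
# a shared host. IP address, hostnames and paths are placeholders.

# Global default: no /~user/ mapping on any name-based virtual host.
# Virtual hosts inherit this unless they set UserDir themselves.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

# First virtual host for this address:port is Apache's default for
# requests whose Host header matches no other ServerName, so it answers
# when the server is reached by its bare IP. Re-enable UserDir only here,
# so customers can preview a site before DNS points at the server.
<VirtualHost 203.0.113.10:80>
    ServerName 203.0.113.10
    <IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root
    </IfModule>
    <Directory "/home/*/public_html">
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludeNoExec
        Require all granted
    </Directory>
</VirtualHost>

# Customer virtual host: inherits the global "UserDir disabled", so
# http://www.ourdomain.com/~otheruser/... no longer resolves to another
# account's web root and returns 404 instead.
<VirtualHost 203.0.113.10:80>
    ServerName www.ourdomain.com
    ServerAlias ourdomain.com
    DocumentRoot "/home/ourdomain/public_html"
</VirtualHost>
```

Two caveats when applying this. The default virtual host also catches any unknown Host header, not just the literal IP, so "IP only" really means "anything that is not a configured customer hostname"; if that is too broad, leave UserDir disabled there as well and give customers preview URLs another way. And `Require all granted` is Apache 2.4 syntax; on 2.2 the equivalent is `Order allow,deny` / `Allow from all`. After editing, run `apachectl configtest` before reloading, and confirm the change by requesting a /~user/ path on a customer hostname and checking that it now returns 404.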