PCI Compliance Issue with httpd.conf

Discussion in 'H-Sphere Reseller Hosting' started by Rokatesh, Dec 2, 2007.

  1. Rokatesh

    Rokatesh Perch


    Our website passed the PCI Compliance last year. This month, however, it has failed due to this error on port 80 and 443:

    The remote Apache server can be used to guess the presence of a given user name on the remote host. Description : When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host. Solution: In httpd.conf, set the 'UserDir' to 'disabled'. Risk Factor: Medium

    How would I go about changing that httpd.conf file? Where is it located?

  2. Rokatesh

    Rokatesh Perch

    Oh - this is what I found on the apache website:

    If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

    UserDir disabled root

    Is this something I can do? Or does it have to be done by the Jodohost team?

  3. Stephen

    Stephen US Operations Staff Member

    best snd via ticket :)
  4. tanmaya

    tanmaya APAC Operations Staff Member

    It seems the PCI Compliance scanner is misinterpreting the results.
    The module is not even enabled on the server.

Share This Page

JodoHost - 26,000 hosting end-users in 100 countries
Plesk Web Hosting
VPS Hosting
H-Sphere Web Hosting
Other Services