Access Denied Directories??

NC-Designs

Well-Known Member
#1
Hi, what exactly are access denied directories there for? I am sure with the previous version (4.0.17) they used to work, as customers could not get hold of files such as passwd.

Now I find that they can view these files (Since updating to 4.0.18)

Any ideas or suggestions on this?

Kind Regards,
Chris
 

webizen

Well-Known Member
#2
An access denied directory is for protecting the data inside it (such as configurations, sensitive info or something in the middle of updating) from being accessed directly via HTTP (web access by an end user). It is mainly for security reasons.

Are you saying files in a directory that used to be blocked in 4.0.17 became accessible once LSWS was upgraded to 4.0.18? If so, can you check whether the context for the blocked directory has been changed (web console->Configuration->Virtual Host->Context->URI in question->accessible) after the upgrade?
 

NC-Designs

Well-Known Member
#3
Yeah, exactly that... In my access denied directories I have the following -
Code:
/
/var/*
/install/*
/sys/*
/selinux/*
/etc/*
/dev/*
$SERVER_ROOT/conf/*
$SERVER_ROOT/admin/conf/*

With version 4.0.17 I could not access files under /etc/ via web scripts (for example /etc/passwd) that LiteSpeed was serving. Now, since upgrading, I can.

I am running cPanel with this so have no virtual host entries on the Litespeed panel.

Thanks,
Chris.
 

webizen

Well-Known Member
#4
Please post here or via private message some sample Apache configuration and how your web script accesses one of the files. This is to help us reproduce the issue.
 

NC-Designs

Well-Known Member
#5
Hi, sorry for the delayed reply. I am not sure what you mean by how it accesses files.

It is LiteSpeed; it reads the httpd.conf configuration to get the virtual host location. This file is located at /usr/local/apache/conf/httpd.conf

It then calls the file from the correct location. Below is an example VirtualHost entry with sensitive content removed.

Thanks.


Code:
<VirtualHost XX.XXX.XX.XX:80>
    ServerName testserver.config.com
    ServerAlias www.testserver.config.com
    DocumentRoot /home/filetest/public_html
    ServerAdmin webmaster@testserver.config.com
    UseCanonicalName Off
        Options -ExecCGI -Includes
        RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
    CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk combined
    CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User filetest # Needed for Cpanel::ApacheConf
    UserDir disabled
    UserDir enabled filetest
    <IfModule mod_suphp.c>
        suPHP_UserGroup filetest filetest
    </IfModule>
    <IfModule concurrent_php.c>
        php4_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        php5_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule !concurrent_php.c>
        <IfModule mod_php4.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
        </IfModule>
        <IfModule sapi_apache2.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
    </IfModule>
    <IfModule !mod_disable_suexec.c>
        SuexecUserGroup filetest filetest
    </IfModule>
    ScriptAlias /cgi-bin/ /home/filetest/public_html/cgi-bin/

    Include "/usr/local/apache/conf/userdata/*.conf"
    Include "/usr/local/apache/conf/userdata/*.owner-root"
    Include "/usr/local/apache/conf/userdata/std/*.conf"
    Include "/usr/local/apache/conf/userdata/std/*.owner-root"
    Include "/usr/local/apache/conf/userdata/std/2/*.conf"
    Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"

</VirtualHost>
 

mistwang

LiteSpeed Staff
#6
With version 4.0.17 I could not access files under /etc/ via web scripts (for example /etc/passwd) that litespeed was serving. Now since upgrading I can.
LiteSpeed won't be able to control external web scripts. If you use PHP for the web script, it is likely the open_basedir configuration of PHP that prevents the script from accessing /etc/*. You can compare the phpinfo page between 4.0.18 and 4.0.17.
 
#7
Actually, 4.0.18 is ignoring open_basedir completely. I recently upgraded two of our servers to 4.0.18 but ended up downgrading to 4.0.17 to get open_basedir protection working.
 
#9
What configuration information is needed?

I am using cPanel's "PHP open_basedir Tweak". I have downgraded/upgraded several times, but open_basedir doesn't work with 4.0.18.
 

NC-Designs

Well-Known Member
#11
So is there a solution to this?

Access denied directories used to work and should still work, as it clearly states in the following text -

Code:
Specifies the directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic links will be checked against the denied directories.

So... you are coming up with a crap excuse for support and saying that LiteSpeed won't be able to control external web scripts. LiteSpeed serves the content, hence LiteSpeed can simply block the content.

Webizen was completely right in stating
An access denied directory is for protecting data inside (such as configurations, sensitive info or something in the middle of updating) from being accessed directly via HTTP (web access from end user). It is mainly for security reason.
Please, look into this seriously. Now I'm not stupid and I have paid a lot of money for this product... I know this feature used to work. And if it isn't to prevent external scripts from getting the data... what is it there for?
 

NC-Designs

Well-Known Member
#14
open_basedir is set, yeah, but I don't want them to receive such a descriptive error. LiteSpeed's access denied directories did this perfectly when they were working.

Also, open_basedir only prevents PHP scripts from accessing these directories; what about Perl exploits that happily list out every single domain on the server?

Regards,
Chris.
 

mistwang

LiteSpeed Staff
#15
Also open_basedir only prevents PHP scripts from accessing these directories, what about perl exploits that happily list out every single domain on the server?
Access denied directories never stop Perl or CGI scripts, no matter which version of LSWS you use. Feel free to verify that by switching back to an older version.
Those scripts run in their own process and talk to the Linux kernel directly. LiteSpeed has no way to interfere with that; no userland application can do that.
 

muiruri

Well-Known Member
#16
In my case, I'm having trouble with several sites running the Miva application. They do not load and give the following error:

"403 Forbidden Access to this resource on the server is denied!"

When I check the error details on the LSWS console, I get the following:

[ERROR] [99.999.99.99:3667-0#APVH_domain.com] MIME type [application/x-httpd-miva] for suffix '.mv' does not allow serving as static file, access denied!

How do I make this work?

We've temporarily switched back to Apache, because none of the sites running Miva will work.

I had seen a post somewhere that maybe I can use "Script Handler" to define it, or use the "External App" menu option in the LSWS console.

If this is one of the places to use, which one would I use and what lines should I use? For example, what would be the "handler type"?

We have LSWS 4.1.1

Apache works fine and does not have this error.

Regards, Sam
 