full path disclosure on autoindex

felosi

Well-Known Member
#1
For example if you chmod a directory 000 in order to disable it
Like this http://protectedhost.com/test/
http://sph1.net/test

Instead of giving a PHP error displaying the full path, it should simply give a forbidden error. It does the same any time it cannot read any folder, despite the contents.

Is there any quick fix for this? It's somewhat of a security risk because it displays the full path, giving the site's username on the server.
Seems like it should invoke an error page instead of trying to open autoindex.
Even with error reporting off, it will still show this.
 

brrr

Well-Known Member
#2
Some suggestions...

Disable auto-index for that server. And your PHP error reporting settings in php.ini may also be a factor too - e.g. ensure display_errors = Off.

But yeah, when LSWS encounters a file-system resource that it has no permissions to access, I would have thought a 403 error would have come up despite every other setting on the server.
 

felosi

Well-Known Member
#3
Does the same despite display errors. For the links I posted, display errors is on, which I really have to leave on so people can see problems with their apps, sites, etc.
The bottom one is with error reporting off.
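
A check for the symptom discussed in the posts above, as an added example that is not part of the thread or LiteSpeed's code: given the status and body returned for an unreadable directory, it reports whether the response is the expected 403 and whether a filesystem path or account name leaks. The function name `audit_response`, both sample bodies, the paths, the username and the 200 status are constructed for illustration.

```python
import re
from html import unescape

# PHP's standard message layout: "<level>: <message> in <file> on line <n>"
PHP_ERROR = re.compile(
    r"(Warning|Notice|Fatal error|Parse error)\s*:\s*(.+?)"
    r"\s+in\s+(/\S+)\s+on\s+line\s+(\d+)", re.S)
# Absolute paths; the lookbehind skips path-like parts of URLs.
ABS_PATH = re.compile(r"(?<![\w.:/])/(?:home|var|usr|srv|opt)/[\w.\-/]+")
# On shared hosting the first component under /home/ is normally the account name.
HOME_USER = re.compile(r"^/home/([\w.\-]+)/")
TAGS = re.compile(r"<[^>]+>")

# Constructed sample: a PHP warning rendered with html_errors on (hypothetical paths).
LEAKY_BODY = (
    "<br />\n<b>Warning</b>:  opendir(/home/exampleuser/public_html/test/): "
    "failed to open dir: Permission denied in "
    "<b>/usr/local/example/autoindex.php</b> on line <b>12</b><br />"
)
# Constructed sample: the plain forbidden page the thread expects instead.
FORBIDDEN_BODY = (
    "<html><head><title>403 Forbidden</title></head>"
    "<body><h1>Forbidden</h1>Access to this resource is denied.</body></html>"
)

def audit_response(status, body):
    """Return findings for one HTTP response to an unreadable directory."""
    text = unescape(TAGS.sub("", body))  # drop markup, decode entities
    paths = sorted(set(ABS_PATH.findall(text)))
    users = sorted({m.group(1) for p in paths if (m := HOME_USER.match(p))})
    return {
        "status_ok": status == 403,  # unreadable directory should be 403
        "php_errors": [m.group(1) for m in PHP_ERROR.finditer(text)],
        "paths": paths,
        "usernames": users,
        "leak": bool(paths),
    }

if __name__ == "__main__":
    for label, status, body in (("leaky", 200, LEAKY_BODY),
                                ("forbidden", 403, FORBIDDEN_BODY)):
        print(label, audit_response(status, body))
```

Run against saved responses from each vhost after changing autoindex or `display_errors` settings, any result with `leak` true or `status_ok` false still shows the behaviour reported here.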
 

felosi

Well-Known Member
#7
Will give it a try tonight, been taking the weekend off. A much needed break, been working 7 days a week like 2 years now

Thanks guys
 

mistwang

LiteSpeed Staff
#11
If you downloaded the 3.3 release package earlier than yesterday, you should download it again; it has been actively updated.
If you downloaded it yesterday, I may have to take another look at the 503 issue.
 

felosi

Well-Known Member
#16
Thanks a lot George!

I would have to say LiteSpeed are the best people I've dealt with concerning bug reports. They take them seriously and fix them ASAP. I have never been brushed off or had problems filing a report or simply asking a question. That's just awesome in software because back in my hacking/security days we used to notify vendors about exploits and such. 90% of the time they would either deny it, ignore it, or take months fixing and almost all of them never treated anything like an emergency.

Every time anyone reports problems to LiteSpeed they are taken care of fast and everything is treated like a serious issue. Can't ask for any more.

Thanks again!
 