AbanteCart Community

Shopping Cart Operations => Security => Topic started by: llegrand on September 16, 2016, 01:08:11 PM

Title: Apache UserDir Protection
Post by: llegrand on September 16, 2016, 01:08:11 PM
cPanel on one of my servers is now "recommending" that a new feature, UserDir Protection, be enabled. This will configure Apache's mod_userdir functionality to only be active on the default hostname. User site data will no longer be accessible under other usernames.

Here is the link to more information:

https://documentation.cpanel.net/display/ALD/Apache+mod_userdir+Tweak

Under Warnings it has this:
Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.

So my question to the developers is: what is the correct setting for mod_userdir for AbanteCart installations?

Thanks
Lee

Title: Re: Apache UserDir Protection
Post by: abantecart on September 17, 2016, 11:54:49 AM
I do not think this changes anything. It is just another way to access a user's web directory.

Title: Re: Apache UserDir Protection
Post by: llegrand on September 17, 2016, 12:12:47 PM
The "mod_userdir" functionality has some security risks associated with it. As you can see from the documentation, it is only used when a visitor accesses their website via a username.

For example: http://example.net/~username

Where username would be the username of the website user. This is a very niche option, so I don't believe that you need it unless that is how customers get to your sites.

AbanteCart admins access their admin panel with the user name in the URL. In discussing this with my server manager, he "highly suggests discussing this with your developers as they are likely more familiar with the way Apache is set to handle logins to the site. You will likely find the directives to do this within your .htaccess file."

So my question remains unanswered: enable UserDir or not?
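For readers wondering what "only active on the default hostname" looks like in Apache terms, here is an illustrative configuration added to this thread; it is not cPanel's generated config nor anything from AbanteCart, and the hostname, paths and directive placement are assumptions.

```apache
# Added example: restrict mod_userdir to the default hostname.
# Not cPanel's generated configuration; hostname and paths are assumed.

# Weak setting (what the "UserDir Protection" tweak replaces): ~user URLs
# are answered on every virtual host, so http://any-hosted-domain/~user
# reaches another account's public_html.
#
#   UserDir public_html
#   UserDir disabled root

# Hardened setting: disable globally, re-enable only in the default vhost.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

<VirtualHost *:80>
    # Default server hostname (assumed value)
    ServerName server.example.net

    <IfModule mod_userdir.c>
        UserDir enabled
        UserDir public_html
        UserDir disabled root
    </IfModule>

    <Directory "/home/*/public_html">
        # Per the cPanel warning quoted above, a site's own .htaccess
        # mod_rewrite rules may not behave correctly under ~user paths,
        # so keep what can be overridden here to a minimum.
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require all granted
    </Directory>
</VirtualHost>

# Customer vhosts inherit the global "UserDir disabled" and never serve
# ~user URLs, which is the protection the tweak provides.
```

After applying a change like this, confirm that a ~user URL is served on the default hostname and refused on a customer domain, and that the AbanteCart admin URL on the customer domain still works without going through mod_userdir.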

Title: Re: Apache UserDir Protection
Post by: John-PH on January 28, 2017, 07:53:06 AM
Long story short... I suggest not enabling mod_userdir.

Also, for a more secure environment you can use mod_ruid2: https://documentation.cpanel.net/display/EA/Apache+Module%3A+ModRuid2