DirectAdmin Knowledge Base and Support

DirectAdmin is a web panel for a simple administration of both virtual and dedicated servers. DirectAdmin is faster, safe and more powerful than any other CP. And we know how to customize and support it.

Usernames leakage on Directadmin server through phpMyAdmin logs

| 12:28:30 01.08.2016

There was a usernames leakage on Directadmin servers through phpMyAdmin logs recently discovered. And here we will guide you through the security update in order to protect your server against this vulnerability.

Test your server

In order to test your server open in a browser the following link (replace domain.com with a real domain name from your server):

  • http://domain.com/phpMyAdmin/log/ or 
  • http://domain.com/phpmyadmin/log/

If your server is affected by the vulnerability you'll see a listing of log-files, which might contain sensitive information such as usernames and IPs.


Protect your server

Create custom file:

touch /etc/httpd/conf/extra/httpd-custom-poralix.conf

Open the newly created file in a text editor with the following command:

vi /etc/httpd/conf/extra/httpd-custom-poralix.conf

Add content:

<Directory "/var/www/html">
     Options -Indexes
</Directory>
<Directory "/var/www/html/*/log">
     Deny from all
</Directory>
<Directory "/var/www/html/*/sql">
     Deny from all
</Directory>

Save and exit the text editor.

Include the custom file into the running configuration:

echo "Include /etc/httpd/conf/extra/httpd-custom-poralix.conf " | tee -a "/etc/httpd/conf/extra/httpd-includes.conf"

And restart Apache

service httpd restart

Have a nice day!

Tags: directadmin Security phpMyAdmin 
←  Domain is missing on a Custom HTTPD Configurations page in Directadmin  | Start |  Mitigation of HTTPoxy vulnerability on Directadmin powered server  →
About Us
We are a team of professionals, and specialize in installation, configuring and managing of remote virtual and dedicated servers powered by Linux/Unix-like OS with DirectAdmin. We support various sets of software, including web-servers Apache, Nginx; internet domain name servers Bind, PowerDNS; mail-servers with POP3, IMAP and SMTP, FTP-servers, etc. After years of working through the most complex server challenges our team has gathered valuable experience and universal solutions suitable for everyday tasks. We are here to lend you a helping hand and take care of your servers in order to let you have enough time to do more of what you love.




SEE HOW WE CAN HELP!
All of the information and data on this site is for informational purposes only and is provided for the convenience of the user.
Powered by: Amiro.CMS - Free edition