Author Topic: /usr/local/cwpsrv/htdocs/admin  (Read 12746 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
/usr/local/cwpsrv/htdocs/admin
« on: September 16, 2016, 01:37:16 AM »
I am unable to create a .htaccess in /usr/local/cwpsrv/htdocs/admin and directory listing is enabled for this path. You also have your gravatars in there? Some scenic pictures of the ocean? I wonder why?

Offline
*
Re: /usr/local/cwpsrv/htdocs/admin
« Reply #1 on: September 17, 2016, 08:42:40 PM »
Is anyone going to reply to this thread? I am logged in to my server as root and tried and touching .htaccess and it says permission denied.. Why?

[root@server ~]# cd /usr/local/cwpsrv/htdocs/admin
[root@server admin]# touch .htaccess
touch: cannot touch `.htaccess': Permission denied
[root@server admin]#

This is not just on one server. I have multiple servers running and all do the same. I need directory listing disabled on that folder using .htaccess and I am denied creating a file. Thats some really funning business. Please explain..

Offline
*
Re: /usr/local/cwpsrv/htdocs/admin
« Reply #2 on: September 18, 2016, 07:07:19 AM »
cd  /usr/local/cwpsrv/htdocs/admin
lsattr
----i--------e- ./admin
-------------e- ./index.html
-------------e- ./resources

"The "I" attribute is used by the htree code to indicate that a directory is being indexed using hashed trees. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1)."

??

On my system I get 404 if I try to go to http://my.ip.addr/admin even though there's an index.html. same if I switch it to port 2030.

Offline
*
Re: /usr/local/cwpsrv/htdocs/admin
« Reply #3 on: September 20, 2016, 05:07:24 AM »
Right click on the new centos web panel logo and view image in a new tab. Once there, navigate one level back to the IP:2030/design/ or http://HTTPS://IP:2031/design/ folder and you will see what I am referring to..

ssh term jars sitting there so they can be downloaded..???
/design/3rdparty/sshterm/
 jcterm-0.0.10.jar
jsch-0.1.46.jar
jzlib-1.1.1.jar

CSS publicly accessible?
/design/css/
 bootstrap/
custom.css
droid-sans-400-700.css
droid-sans-400.css
droid-sans-700.css
fonts/
icons.css
ie8.css
main.css
open-sans-400-700.css
open-sans-400.css
open-sans-700.css
supr-theme/

The dev's face can be seen in his avatars???
/design/images/
 apple-touch-icon-114-precomposed.png
apple-touch-icon-144-precomposed.png
apple-touch-icon-57-precomposed.png
apple-touch-icon-72-precomposed.png
arrowdown.png
arrowup.png
avatar.jpg
avatar2.jpeg
avatar3.jpeg
cwp_small.png
del.png
favicon.ico
gallery/
glyphicons-halflings-white.png
glyphicons-halflings.png
handle.png
icons/
loader.gif
loaders/
patterns/
search.png
spinner.png
ui.totop.png

And this is the gallery folder that has completely unrelated images.. these have nothing to do with the server and just have what the dev wanted put in there.. shameful!!
/design/images/gallery/
 1.jpg
10.jpg
11.jpg
12.jpg
13.jpg
14.jpg
15.jpg
16.jpg
17.jpg
18.jpg
19.jpg
2.jpg
20.jpg
3.jpg
4.jpg
5.jpg
7.jpg
8.jpg
9.jpg
preload.png


ALL OF THIS IS PUBLICLY ACCESSIBLE. SHAME ON THE DEV!!!!!

Offline
*
Re: /usr/local/cwpsrv/htdocs/admin
« Reply #4 on: September 25, 2016, 05:16:24 AM »
Ok, yes I can confirm that you can go to http://you_server:2030/design/ and NOT LOGGED IN see these directories.  :o 

A work around that's not the greatest is to edit /usr/local/cwpsrv/conf/httpd.conf on line 146 where it says:

Options Idexes FollowSymLinks

Remove Indexes so it just says:

Options FollowSymLinks

Then service cwpsrv restart and you won't get the directory listing anymore. However, this is obviously just another layer of obscurity and security through obscurity is never the best policy.

Offline
***
Re: /usr/local/cwpsrv/htdocs/admin
« Reply #5 on: September 25, 2016, 09:09:36 AM »
Great, thanks