mod_userdir Affecting Thousands Of cPanel Websites

mod_userdir is an Apache module that lets users access their content with or without a domain name. It is good for users who can’t afford a domain name or SSL, or whose web application is still in testing mode.
x.x.x.x/~username/
OR
hosting.com/~username/
But here comes the worst part: the same module can be exploited against an ordinary user on the same shared host. For example, the host x.x.x.x has mod_userdir enabled and several sites are hosted on that same shared host:

mydomain.com
anothersite1.com
anothersite2.com
victim.com

Let’s say victim.com gets hacked. Here is how a hacker can infect all the other sites on the same shared host with just 1 domain:

mydomain.com/~victim/xss.html (Someone can generate XSS on your site)
anothersite1.com/~victim/phishing.html (Someone can use your site for phishing)
anothersite2.com/~victim/spam.html (Someone can use your site to create tons of spam pages)

Technically these sites do not contain any malicious content, but just by taking advantage of mod_userdir the hacker has infected each and every site on the same shared host. There are many ways to find other sites hosted on the same shared host.
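One way to spot this in practice is to look for `/~account/` requests that were served under a domain owned by a different account. The script below is an added example, not code from the original post; it assumes Apache's `%v %h %l %u %t "%r" %>s %b` log format, and the account names, client addresses and log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed log format: Apache  %v %h %l %u %t "%r" %>s %b  (vhost is the first field).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) \S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
USERDIR_RE = re.compile(r"^/~([^/?#]+)")

# Constructed mapping of hosted domain -> owning account (hypothetical account names).
OWNERS = {
    "mydomain.com": "myuser",
    "anothersite1.com": "site1",
    "anothersite2.com": "site2",
    "victim.com": "victim",
}

# Constructed sample log lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
mydomain.com 198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /~victim/phishing.html HTTP/1.1" 200 5120
victim.com 198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /~victim/index.html HTTP/1.1" 200 812
anothersite1.com 203.0.113.9 - - [10/Oct/2023:14:02:11 +0000] "GET /%7Evictim/spam.html HTTP/1.1" 200 2048
anothersite2.com 203.0.113.9 - - [10/Oct/2023:14:02:15 +0000] "GET /~victim/xss.html HTTP/1.1" 404 196
mydomain.com 192.0.2.44 - - [10/Oct/2023:14:05:40 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

def cross_account_userdir_hits(lines, owners):
    """Return (vhost, account, path, status) for /~account/ content that was
    served under a domain belonging to a different account."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # line is not in the assumed format
        path = unquote(m["path"])         # /%7Euser/ is the same URL as /~user/
        u = USERDIR_RE.match(path)
        status = int(m["status"])
        if not u or status >= 400:        # not a userdir URL, or nothing was served
            continue
        vhost = m["vhost"].lower()
        owner = owners.get(vhost)         # unknown vhosts (e.g. the bare IP) are skipped
        if owner is not None and owner != u.group(1):
            hits.append((vhost, u.group(1), path, status))
    return hits

if __name__ == "__main__":
    for hit in cross_account_userdir_hits(SAMPLE_LOG.splitlines(), OWNERS):
        print("cross-account userdir request:", hit)
```

A hit means the server answered for another account's files under your domain, which is the condition the mod_userdir protection setting is meant to remove.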

Another bad scenario is when you are helpless and can’t fix the bug unless you are the root admin. In some cases, server admins refuse to enable mod_userdir protection because they don’t care or have no idea what is going on. I have seen the same bug on HostGator, InMotion Hosting, some of Bluehost and many other giant hosts. All these hosts have thousands of sites on 1 server, and it is not difficult to hack just 1 site and infect the entire server with phishing or spam. I have contacted hosting support on behalf of many of my clients; some agreed to enable the protection and some wouldn’t. Among the giant hosts, HostGator agreed to enable protection on the specific server I requested it for (not all), while InMotion Hosting didn’t, and that’s the reason all of their servers are still vulnerable. There is still no proper patch released by cPanel, as they have already given the server admin the right to enable or disable mod_userdir, and that’s the reason this bug is still being widely exploited.

How to FIX

If you have a VPS or dedicated server, all you need to do is go to “Apache mod_userdir Tweak” in WHM Panel and check “Enable mod_userdir Protection”.
In the next post I will discuss how you can protect yourself using Cloudflare if you are on a shared host.

Expert in PHP, Wordpress and Web Security Analyst