
Resolved Plesk is listing directory /usr/share/httpd/icons

Nilton Santos

Basic Pleskian
Hi everybody,

I noticed that all sites hosted on Plesk servers are listing the contents of the folder /usr/share/httpd/icons when accessed through the link: http://domain.com/icons/
Even if the folder icons does not exist on the site.


Could someone please let me know if this behavior is normal, because we use a tool that is identifying this folder as unsafe.
 

Hi Nilton Santos,

Could you pls. let us know HOW you checked this behaviour (step-by-step, pls.), so we could confirm your statement? And could you pls. name the "tool" that "We use a tool that is identifying this folder as unsafe"?
 
Can't reproduce it on test Plesk servers. Need more details.
 
Hello Nilton,

Please check the following documentation:
https://kb.odin.com/en/130400
https://blog.cotten.io/why-is-apache-vulnerable-by-default-743eec222013#.d4d2urirj

Apache includes Fancy Indexes and the /icons folder has a specific override in /etc/httpd/conf.d/autoindex.conf

In my opinion to solve this problem you can choose between two alternatives as follows:

1- Resolving globally by editing the file /etc/httpd/conf.d/autoindex.conf

From:

# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/httpd/icons/"

<Directory "/usr/share/httpd/icons">
Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>


To:

# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/httpd/icons/"

<Directory "/usr/share/httpd/icons">
Options -Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>

Remember to restart Apache.

(Ref: https://blog.cotten.io/why-is-apache-vulnerable-by-default-743eec222013#.d4d2urirj)

2- By domain

Through the Plesk Panel go to:
Domains > domain.tld > Apache & nginx Settings

<Directory "/usr/share/httpd/icons">
Options -Indexes
</Directory>


I hope it helps
 
Thanks everybody,

The question was solved by adding the following option in the Apache settings:

2- By domain

Through the Plesk Panel go to:
Domains > domain.tld > Apache & nginx Settings

<Directory "/usr/share/httpd/icons">
Options -Indexes
</Directory>


Thanks a lot Rafael.
 
I realise this is an old topic, but it still mostly gave the solution.
Using the above solution:
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/httpd/icons/"

<Directory "/usr/share/httpd/icons">
Options -Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>

Apache failed to restart with the following error:
Nov 07 11:39:01 server.co.uk httpd[11727]: AH00526: Syntax error on line 24 of /etc/httpd/conf.d/autoindex.conf:
Nov 07 11:39:01 server.co.uk httpd[11727]: Either all Options must start with + or -, or no Option may.
Nov 07 11:39:01 server.co.uk systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 07 11:39:01 server.co.uk systemd[1]: Failed to start The Apache HTTP Server.

The solution is to do as it says:
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/httpd/icons/"

<Directory "/usr/share/httpd/icons">
Options -Indexes +MultiViews +FollowSymlinks
AllowOverride None
Require all granted
</Directory>

Accessing the folder or subfolder now returns a 403.
If you reference an image file, e.g. /icons/index.png, it still works correctly; only the directory browsing has been removed.

Regards
Keith
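
Added example, not part of the thread and not Plesk or Apache code: a small Python check of the Options rule behind the AH00526 error above. An unsigned list replaces the option set, an all-signed list edits it, and a mix of the two is rejected. It models only Directory blocks for the exact icons path (no parent-directory or .htaccess inheritance), and the function and variable names are hypothetical.

```python
import re

ICONS = "/usr/share/httpd/icons"

def effective_options(conf_text, directory=ICONS):
    """Apply each Options line in <Directory "directory"> blocks, in file order."""
    active, in_block = set(), False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            in_block = opened.group(1).rstrip("/") == directory
            continue
        if re.match(r"</Directory\s*>", line, re.I):
            in_block = False
            continue
        words = line.split()
        if not in_block or words[0].lower() != "options":
            continue
        args = words[1:]
        signed = [a[0] in "+-" for a in args]
        if any(signed) and not all(signed):
            # httpd aborts its syntax check on this form (AH00526 in the thread)
            raise ValueError(f"line {lineno}: Either all Options must start with + or -, or no Option may.")
        if any(signed):
            for a in args:  # all-signed list edits the current set
                (active.add if a[0] == "+" else active.discard)(a[1:].lower())
        else:
            active = {a.lower() for a in args}  # unsigned list replaces it
    return active

def listing_enabled(conf_text, directory=ICONS):
    return "indexes" in effective_options(conf_text, directory)

# Constructed inputs: the stock block quoted in the thread and its three edits.
STOCK = '''Alias /icons/ "/usr/share/httpd/icons/"
<Directory "/usr/share/httpd/icons">
Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>
'''
MIXED = STOCK.replace("Options Indexes", "Options -Indexes")
FIXED = STOCK.replace("Indexes MultiViews FollowSymlinks",
                      "-Indexes +MultiViews +FollowSymlinks")
PER_DOMAIN = STOCK + '<Directory "/usr/share/httpd/icons">\nOptions -Indexes\n</Directory>\n'
```

On a live server, `apachectl configtest` performs the real syntax check before a restart.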
 