I am trying to maintain PCI compliance with our server, but one of the issues that is standing in the way of that is the UserDir directive. I have mod_userdir protection enabled via WHM, but I find I can still reach the websites via IP_ADDRESS/~user/, which the compliance scanner claims is a vulnerability since the username is provided in the directory. Looking at httpd.conf, I see the following:
## User USERNAME # Needed for Cpanel::ApacheConf
UserDir disabled
UserDir enabled USERNAME
This is set up for nearly every zone. What is the purpose of enabling mod_userdir protection if the cPanel is simply going to override it in the apache configuration? How do I remove this feature once and for all? Is it safe to remove these UserDir lines from httpd.conf?
Thanks for any assistance offered.
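Added example, not part of the original post and not cPanel's own tooling: in Apache, a bare "UserDir disabled" followed by "UserDir enabled USERNAME" leaves /~USERNAME/ translation on for that one account, so this Python audit lists, per VirtualHost block, which accounts stay reachable that way. The function name, hostnames and usernames are constructed, and the sketch assumes it only needs the directives inside each block (inheritance from the main server config is ignored).

```python
# Constructed sample in the shape quoted in the post (names are placeholders).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName example.test
    ## User alice # Needed for Cpanel::ApacheConf
    UserDir disabled
    UserDir enabled alice
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName locked.test
    UserDir disabled
</VirtualHost>
"""

def audit_userdir(conf_text):
    """Map each vhost's ServerName to the accounts still served as /~user/."""
    findings, vh = {}, None  # vh is None while outside a <VirtualHost> block
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        key = words[0].lower()  # Apache directive names are case-insensitive
        if key.startswith("<virtualhost"):
            vh = {"name": "(unnamed)", "seen": False, "all_off": False,
                  "on": set(), "off": set()}
        elif vh is None:
            continue
        elif key == "servername" and len(words) > 1:
            vh["name"] = words[1]
        elif key == "userdir" and len(words) > 1:
            vh["seen"] = True
            mode, users = words[1].lower(), words[2:]
            if mode == "disabled" and not users:
                vh["all_off"] = True       # blanket disable
            elif mode == "disabled":
                vh["off"].update(users)    # a named disable always wins
            elif mode == "enabled":
                vh["on"].update(users)     # exceptions to the blanket disable
        elif key.startswith("</virtualhost"):
            if vh["seen"] and vh["all_off"]:
                findings[vh["name"]] = sorted(vh["on"] - vh["off"])
            elif vh["seen"]:
                findings[vh["name"]] = ["*"]  # no blanket disable in this block
            vh = None
    return findings

if __name__ == "__main__":
    for host, users in audit_userdir(SAMPLE_CONF).items():
        print(host, "->", ", ".join(users) or "none")
```

An empty list means the block disables UserDir with no per-user exception; "*" means the block has UserDir directives but no blanket disable.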