# Security hole with apache2 and openssl [SOLVED]

## murad

Hi,

I have apache2 and openssl installed on a server.

If I try https://200.xxx.xxx.xxx//etc/passwd it returns the file to me. Does anybody know how to fix that?

----------

## Chris W

Correct your configuration. We'd need more information to allow any more helpful comment on how to do this.

----------

## murad

Software versions

apache 2.0.49

openssl 0.9.7d

Config files

 *Quote:*   

> apache2.conf
> 
> ### /etc/apache2/conf/apache2.conf
> 
> ### $Id: apache2.conf,v 1.1 2004/03/22 21:17:57 stuart Exp $
> ...

 

 *Quote:*   

> commonapache2.conf
> 
> ### /etc/apache2/conf/commonapache2.conf
> 
> ### $Id: commonapache2.conf,v 1.1 2004/03/22 21:17:57 stuart Exp $
> ...

 

 *Quote:*   

> modules.d/40_mod_ssl.conf
> 
> <IfDefine SSL>
> 
>   <IfModule !mod_ssl.c>
> ...

 

 *Quote:*   

> modules.d/41_mod_ssl.default-vhost.conf
> 
> <IfDefine SSL>
> 
>   <IfModule !mod_ssl.c>
> ...

 

----------

## Chris W

This chunk you have commented out of the commonapache.conf file is specifically designed to deny the sort of accesses you are asking about: 

```
#<Directory />
# Options -All -Multiviews
# AllowOverride None
# <IfModule mod_access.c>
# Order deny,allow
# Deny from all
# </IfModule>
#</Directory>
```

The `<Directory>` directive controls the web server's ability to access operating system directories on behalf of users, i.e. the `/` above is the real root directory, not the document root of the server. The permissions above deny all access. Later directives in commonapache.conf (look for `<Directory /var/www/localhost/htdocs>`) selectively allow access to some subordinate directories.

----------
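A check for the condition diagnosed above, as an added example that is not part of the original thread: it reports whether a configuration has an active (uncommented) `<Directory />` section that denies all access. The sample text is constructed from the block quoted in the post, `root_is_denied` is a hypothetical helper name, and `Require all denied` is the Apache 2.4 form of the same rule, which the thread's Apache 2.0.49 does not use.

```python
import re

# Constructed samples: the block as posted in the thread (commented out),
# followed by a docroot section, and the same text with the markers removed.
COMMENTED = """\
#<Directory />
# Options -All -Multiviews
# AllowOverride None
# <IfModule mod_access.c>
# Order deny,allow
# Deny from all
# </IfModule>
#</Directory>
<Directory /var/www/localhost/htdocs>
  Order allow,deny
  Allow from all
</Directory>
"""
ACTIVE = re.sub(r"(?m)^#\s?", "", COMMENTED)

OPEN = re.compile(r"<Directory\s+\"?([^\">]+?)\"?\s*>", re.I)
CLOSE = re.compile(r"</Directory\s*>", re.I)
# "Deny from all" is the 2.0/2.2 form used in the thread;
# "Require all denied" is the Apache 2.4 equivalent.
DENY = re.compile(r"(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I)
ALLOW = re.compile(r"(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", re.I)

def root_is_denied(conf_text):
    """Return True if an active <Directory /> section denies all access."""
    current = None          # path of the <Directory> section we are inside
    denied = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue        # commented-out directives have no effect
        m = OPEN.match(line)
        if m:
            current = m.group(1)
        elif CLOSE.match(line):
            current = None
        elif current == "/":
            if DENY.match(line):
                denied = True
            elif ALLOW.match(line):
                return False   # filesystem root explicitly opened up
    return denied
```

The check reads one file's text only: it does not follow `Include` lines and does not evaluate whether the module named in an `<IfModule>` wrapper is actually loaded, so a passing result still needs a request test against the running server.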

## murad

Thanks a lot. It did work.

----------

