cPanel 10.9.x - world readable /usr/local/apache/conf/modsec.user.conf


cPanel provided a point and click mod_security install by root through WHM. Upon being installed on older builds of cPanel, the /usr/local/apache/conf/modsec.user.conf file had permissions of 0644.

[user@host ~]$ ls -l /usr/local/apache/conf/modsec.user.conf
-rw-r--r-- 1 root root 254 Aug 18 00:33 /usr/local/apache/conf/modsec.user.conf
[user@host ~]$ cat /usr/local/apache/conf/modsec.user.conf
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
[ ... ]


Local users could learn which mod_security rules were in use on the server.