Thread: Solutions for handling symlink attacks

  1. #46
    Registered Member cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    405
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    A good method we have found is setting the following in Apache pre_virtualhost_global includes:

    <Directory "/home">
    Options +All +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>

    This requires all .htaccess files containing "FollowSymLinks" to be changed to "SymLinksIfOwnerMatch" and any future change by clients or installing new applications will result in 500 errors when using "FollowSymLinks" so inform your users that they must use "SymLinksIfOwnerMatch" instead.
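
The .htaccess change that post #46 requires, as an added example that is not part of the original thread: `list_followsymlinks` reports every active `Options` line that still names `FollowSymLinks`, and `rewrite_options` produces the replacement text. Both function names and the `/home` layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread; both function names are made up here.

# list_followsymlinks BASE: print "FILE:LINE:TEXT" for every active (uncommented)
# Options directive that names FollowSymLinks in a .htaccess under BASE.
# Apache matches directive and option names case-insensitively, so grep does too.
list_followsymlinks() {
    # "|| :" because grep exits 1 when a batch of files contains no match
    find "$1" -type f -name .htaccess -exec \
        grep -HinE '^[[:space:]]*options[[:space:]].*followsymlinks' {} + || :
}

# rewrite_options: filter stdin to stdout, replacing FollowSymLinks with
# SymLinksIfOwnerMatch on Options lines only and keeping any +/- sign.
# A changed line is re-joined with single spaces; all other lines pass through.
# Write the result back as the account's own user rather than as root, so a
# symlink planted in the docroot cannot redirect the write.
rewrite_options() {
    awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                sign = ""; word = $i
                if (word ~ /^[+-]/) { sign = substr(word, 1, 1); word = substr(word, 2) }
                if (tolower(word) == "followsymlinks") $i = sign "SymLinksIfOwnerMatch"
            }
        }
        { print }
    '
}

# Typical use on a host:  list_followsymlinks /home
```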

  2. #47
    Registered Member cPanel Partner NOC Badge
    Join Date
    Jul 2003
    Posts
    130

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by DomineauX View Post
    A good method we have found is setting the following in Apache pre_virtualhost_global includes:

    <Directory "/home">
    Options +All +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>

    This requires all .htaccess files containing "FollowSymLinks" to be changed to "SymLinksIfOwnerMatch" and any future change by clients or installing new applications will result in 500 errors when using "FollowSymLinks" so inform your users that they must use "SymLinksIfOwnerMatch" instead.

    You are going to break Joomla. Every single Joomla customer will need to go inside their .htaccess and comment out Options +FollowSymLinks (including any new customers that install Joomla).

    You may have magical customers. But most of ours won't know what that means.

    I really wish something like this would have worked -

    <Directory "/">
    Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    </Directory>

    But it looks like when they set FollowSymLinks, SymLinksIfOwnerMatch is ignored...
    Last edited by Arvand; 11-02-2011 at 01:34 PM.
    Arvixe - Freedom of the web at your fingertips

  3. #48
    Registered Member cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    405
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by Arvand View Post
    You are going to break Joomla. Every single Joomla customer will need to go inside their .htaccess and comment out Options +FollowSymLinks . (Including any new customers that install Joomla)

    You may have magical customers. But most of ours won't know what that means.

    Yes, Joomla and many other scripts are indeed broken by this, which is why I said you have to change existing .htaccess files and inform customers of the required change for new scripts they install, and to avoid them changing it themselves. I guess I should add that you also need to be able to support users who find this beyond them.

    But the symlink based compromising of data is prevented, so it is really your choice.

  4. #49
    Registered Member cPanel Partner NOC Badge
    Join Date
    Jul 2003
    Posts
    130

    Default re: Solutions for handling symlink attacks

    Are you guys actively doing this?
    Arvixe - Freedom of the web at your fingertips

  5. #50
    Registered Member cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    405
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Yes, we have been for a while, as per:
    Changes to the use of "Options All" and "FollowSymLinks" in .htaccess files

    While it has resulted in many support tickets, we handle them quickly and inform the user and they are usually more than happy to have been impacted by the momentary hassle instead of having the data compromised.

  6. #51
    Registered Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,154
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    One thing nobody seems to have thought of is that this mischief is only possible if a symlink is to a file, not a directory. I really can't think of many valid reasons for symlinking to an actual file.

    Secondly, the other option that could be used in an apache patch to detect this is when a file extension is changed by the symlink. Obviously a link from a .txt extension to a .php extension is dodgy but there may be others.

    cPanel: this is serious mojo, equivalent in danger to cPanel servers getting hacked prior to suexec. Remember cPanel once had a rep for being insecure? Let's ensure cPanel retains its present much better reputation by being proactive. We're talking server-wide hacks here.
    Last edited by brianoz; 11-04-2011 at 04:09 PM. Reason: fixed extension typo
    White Dog Green Frog - web hosting and web development since 2002
    Blogs: SMB web use cPanel/WHM scripts

  7. #52
    Registered Member cPanel Partner NOC Badge
    Join Date
    Jul 2003
    Posts
    130

    Default re: Solutions for handling symlink attacks

    Thanks for that.

    I've done searches across all our servers for .htaccess files that have Options FollowSymlinks and we are talking about ~10,000 websites affected. Clearly, that is not an option.

    I've discussed this with Igor from CloudLinux who has been trying to communicate with cPanel in this regard.

    I also had a ticket in with cPanel 4 or 5 months ago which was simply dismissed as not having anything to do with them.

    I think based on your response, any one of the following Apache patches would help/work -

    1) Apache doesn't follow symlinks which have different extensions than the files they are linking to.
    2) Apache doesn't follow symlinks to files.
    3) Apache doesn't throw a 500 error if a .htaccess attempts to include an Option which is disallowed in the main httpd.conf.
    Arvixe - Freedom of the web at your fingertips

  8. #53
    Registered Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    199

    Default re: Solutions for handling symlink attacks

    What exact changes did you make to .htaccess, since not only Joomla and phpFox sites are crashing?
    get as an example if you want

  9. #54
    Registered Member
    Join Date
    Jan 2004
    Posts
    254

    Default re: Solutions for handling symlink attacks

    I hate cPanel's stance on this, so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.

    We are currently working on rewriting the patch, and part of Apache, to take care of some possible race conditions. But given the rare race condition possibility, this is by far a better option than causing everyone to have to reconfigure their .htaccess files or allowing your server to be wide open to attack.

    How to install our patch (Apache 2.2 only):

    wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
    chmod 700 /scripts/before_apache_make
    #Rebuild apache after.
    /scripts/easyapache

    If you have any issues, let us know; we would be interested in hearing about them.
    If you want to thank us, you're free to do that as well.

    When trying to access a file located in another account via a symlink, you will see this in the error log:

    [Sun Nov 06 05:06:23 2011] [error] [client xxxxxx] Symbolic link not allowed or link target not accessible: /home/xxxxx/public_html/1/confirm.txt

    Also, find out if you're already a victim:

    find /home*/*/public_html -type l
    ---

    How to remove?:

    rm -f /scripts/before_apache_make
    #Rebuild apache after.
    /scripts/easyapache

    Enjoy.
    Last edited by StevenC; 11-06-2011 at 06:12 PM.
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters
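
A narrower version of the `find /home*/*/public_html -type l` check from post #54, combined with the extension heuristic from post #51, as an added example that is not part of the original thread. It reports only links that leave the account's home directory or point at a file owned by a different uid; the function names and the `<base>/<account>/public_html` layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes <base>/<account>/public_html
# (cPanel-style) and GNU or BusyBox readlink/stat. Run as root so every target
# is visible. File names containing newlines or tabs are not handled.

# ext_of PATH: print the extension of PATH's last component, if it has one.
ext_of() {
    case ${1##*/} in
        *.*) printf '%s' "${1##*.}" ;;
    esac
}

# audit_symlinks BASE: print "REASONS<TAB>LINK<TAB>TARGET" for every symlink in a
# document root that leaves the account's home or points at another uid's file.
audit_symlinks() {
    for docroot in "$1"/*/public_html; do
        [ -d "$docroot" ] || continue
        home=$(readlink -f "${docroot%/public_html}")
        find "$docroot" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target=
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                continue    # dangling link: no target exists to be served
            fi
            reasons=
            case "$target/" in
                "$home"/*) ;;                       # stays inside the account
                *) reasons="outside-home" ;;
            esac
            # The comparison SymLinksIfOwnerMatch makes: link owner vs target owner.
            if [ "$(stat -c %u "$link")" != "$(stat -c %u "$target")" ]; then
                reasons="${reasons:+$reasons,}owner-mismatch"
            fi
            [ -n "$reasons" ] || continue
            # Heuristic from post #51: a link to a file under a different extension.
            if [ -f "$target" ] && [ "$(ext_of "$link")" != "$(ext_of "$target")" ]; then
                reasons="$reasons,ext-change"
            fi
            printf '%s\t%s\t%s\n' "$reasons" "$link" "$target"
        done
    done
}

# Typical use on a host:  for b in /home*; do audit_symlinks "$b"; done
```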

  10. #55
    Registered Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    199

    Default re: Solutions for handling symlink attacks

    Thanks for the suggestion, I appreciate this.
    One thing to ask:
    Server version: Apache/2.2.21 (Unix)
    Should it be working on Apache/2.2.21?
    If you later build a new patch for this issue, is there any way to learn about it?

  11. #56
    Registered Member
    Join Date
    May 2008
    Location
    Islamabad, Pakistan, Pakistan
    Posts
    73
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by StevenC View Post
    I hate cPanel's stance on this, so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.

    We are currently working on rewriting the patch, and part of Apache, to take care of some possible race conditions. But given the rare race condition possibility, this is by far a better option than causing everyone to have to reconfigure their .htaccess files or allowing your server to be wide open to attack.

    How to install our patch (Apache 2.2 only):

    Rebuild apache after.
    If you have any issues, let us know; we would be interested in hearing about them.
    If you want to thank us, you're free to do that as well.

    When trying to access a file located in another account via a symlink, you will see this in the error log:

    Also, find out if you're already a victim:

    ---

    How to remove?:

    Rebuild apache after.

    Enjoy.

    We tried to run the patch on our test machine and found the result below.

    root@root [/scripts]# /scripts/before_apache_make
    --2011-11-06 15:09:33-- http://layer1.rack911.com/harden-symlinks.patch
    Resolving layer1.rack911.com... 69.65.40.29
    Connecting to layer1.rack911.com|69.65.40.29|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1902 (1.9K) [text/plain]
    Saving to: ‘harden-symlinks.patch’

    100%[==============================================================================================================================>] 1,902 --.-K/s in 0s

    2011-11-06 15:09:33 (181 MB/s) - ‘harden-symlinks.patch’

    can't find file to patch at input line 3
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |--- httpd-2.2.21.orig/include/http_core.h
    |+++ httpd-2.2.21/include/http_core.h
    --------------------------
    File to patch:

  12. #57
    Registered Member
    Join Date
    Jan 2004
    Posts
    254

    Default re: Solutions for handling symlink attacks

    You have to run easyapache after. That will incorporate the patch into apache.

    /scripts/easyapache
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters

  13. #58
    Registered Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,154
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by StevenC View Post
    I hate cPanel's stance on this, so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.

    Thanks Steven; that's extremely generous of you to share this with the community at no charge.

    Nice, simple idea! Symlinks aren't usable by hackers without FollowSymLinks, and if it always checks for an owner match, there's no security issue. And the use of /scripts/before_apache_make means it's a few seconds' work to install. Thanks again!
    White Dog Green Frog - web hosting and web development since 2002
    Blogs: SMB web use cPanel/WHM scripts

  14. #59
    Registered Member
    Join Date
    Nov 2011
    Posts
    423
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by brianoz View Post
    Thanks Steven; that's extremely generous of you to share this with the community at no charge.

    Nice, simple idea! Symlinks aren't usable by hackers without FollowSymLinks, and if it always checks for an owner match, there's no security issue. And the use of /scripts/before_apache_make means it's a few seconds' work to install. Thanks again!

    Indeed, setting up SymLinksIfOwnerMatch in the Apache conf improves the symlink protection and hence server security, but that affects server performance. However, server security cannot be compromised for the sake of server performance.
    Lifetime Linux Hosting | Linux Dedicated Servers

    ISPA Award Winner-2013 & 2014

  15. #60
    Registered Member
    Join Date
    May 2008
    Location
    Islamabad, Pakistan, Pakistan
    Posts
    73
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    At least the patch is not working for us. If someone needs a step-by-step guide to replicate, please contact us.
