Thread: Solutions for handling symlink attacks

  1. #1
    Registered Member HostingH's Avatar
    Join Date
    Jan 2008
    Posts
    73
    cPanel/WHM Access Level

    Root Administrator

    Default Solutions for handling symlink attacks

    =
    Mod Note: Please see the summary here: https://forums.cpanel.net/f185/how-p...ml#post1397221
    =

    How to prevent following on the server.

    Server got hacked by creating symlink under non root user.

    Example: Once you cd 1.txt then you will get full access to /

    1.txt -> //

    Please advise.

  2. #2
    Registered Member
    Join Date
    Dec 2001
    Location
    Long Beach, NY
    Posts
    313
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Looks like this must be the latest and greatest hack out there because I just encountered the identical issue with one of my own servers. I've been hard-pressed to find anything documented on how to prevent this.

    Any advice would be much appreciated.

    Thanks.

  3. #3
    Registered Member HostingH's Avatar
    Join Date
    Jan 2008
    Posts
    73
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Hi lbeachmike,

    We can disable it in httpd.conf but hacker is enabling it under .htaccess as follows. So we can not disable it in Apache configuration. Also chmoded 700 to ln.
    -----------
    Options +FollowSymLinks
    -----------

    Please advise us.

  4. #4
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

    Code:
    <Directory "/">
        Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options Includes Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    
    </Directory>
    The setting for <Directory "/"> should not be able to be overridden by any user's .htaccess file.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  5. #5
    IBZ
    Registered User
    Join Date
    Apr 2011
    Posts
    2

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by cPanelTristan View Post
    How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

    Code:
    <Directory "/">
        Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options Includes Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    
    </Directory>
    The setting for <Directory "/"> should not be able to be overridden by any user's .htaccess file.

    FollowSymLinks can still be enabled by .htaccess.
    I'm also looking for a solution to this issue.

  6. #6
    Registered Member
    Join Date
    Nov 2004
    Posts
    46

    Default re: Solutions for handling symlink attacks

    You should use this code in /usr/local/apache/conf/includes/pre_virtualhost_2.conf
    But it's not enough to prevent USING symlinks: attackers upload 1.zip and extract it, and the file contains a ready-to-use symlink.

    Quote Originally Posted by cPanelTristan View Post
    How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

    Code:
    <Directory "/">
        Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options Includes Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    
    </Directory>
    The setting for <Directory "/"> should not be able to be overridden by any user's .htaccess file.

  7. #7
    Registered Member
    Join Date
    Dec 2001
    Location
    Long Beach, NY
    Posts
    313
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by majidnt View Post
    You should use this code in /usr/local/apache/conf/includes/pre_virtualhost_2.conf
    But it's not enough to prevent USING symlinks: attackers upload 1.zip and extract it, and the file contains a ready-to-use symlink.
    Excellent point - bringing my question back to -

    Is there a way to ensure that a user would in no way have access to files outside of their home directory? I realize the symlink looks and feels like part of the home directory, but there certainly must be some viable solution to this otherwise any hacker can fully exploit any server with the very same recipe.

    mrk
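
An audit for the two artifacts described in posts #3 and #6 (an `.htaccess` that turns FollowSymLinks back on, and an uploaded symlink pointing outside the account), added here as an example and not part of the original thread. The function names are hypothetical, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# find_escaping_symlinks ACCOUNT_DIR
# Prints "link -> resolved target" for every symlink under ACCOUNT_DIR whose
# target resolves outside that directory (for example 1.txt -> /).
find_escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$root"|"$root"/*) ;;                      # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# find_htaccess_followsymlinks ACCOUNT_DIR
# Prints every .htaccess that enables FollowSymLinks ("Options FollowSymLinks"
# or "Options +FollowSymLinks"); "-FollowSymLinks" is not reported.
# Legitimate applications ship this line too, so treat hits as a triage list.
find_htaccess_followsymlinks() {
    find "$1" -type f -name .htaccess -exec grep -liE \
        '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?\+?FollowSymLinks' {} + \
        2>/dev/null || true
}

# Typical use, one account at a time:
#   find_escaping_symlinks /home/someuser
#   find_htaccess_followsymlinks /home/someuser
```

An account that shows up in both lists at once is the combination this thread describes and is worth reviewing first.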

  8. #8
    Registered Member HostingH's Avatar
    Join Date
    Jan 2008
    Posts
    73
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Hello,

    Can we set Sticky bit for / or /home so only owner can delete/modify the files like /tmp?

  9. #9
    Registered User
    Join Date
    Oct 2008
    Posts
    1

    Default re: Solutions for handling symlink attacks

    So other than disabling FollowSymlinks altogether, are there any other solutions to this? We just got hit as well.

  10. #10
    Registered User
    Join Date
    Apr 2004
    Posts
    69

    Default re: Solutions for handling symlink attacks

    Got hit like this as well. How do we prevent it? If we disable FollowSymLinks, is there any impact on web sites?

  11. #11
    Registered Member cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    405
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Seeing more of these attacks as well lately.

  12. #12
    Registered Member
    Join Date
    Apr 2003
    Posts
    174
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Wait... creating a symlink to / won't give the user write access to anything they didn't already have write access to -- symlinks don't give the user any extra privileges. What exactly is the problem here?

    I'm aware of the problems of Apache following symlinks to other users' files, but as someone already pointed out all you need to do to stop that is disable FollowSymlinks, turn on SymLinksIfOwnerMatch and make sure FollowSymlinks isn't in AllowOverride. (And also be prepared to deal with all the support requests from people who try to install scripts with "Options +FollowSymlinks" in their default .htaccess files. Joomla, I'm looking at you )
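
A check for the condition named in post #12 ("make sure FollowSymlinks isn't in AllowOverride"), added here as an example and not part of the original thread. It assumes one `<Directory>` path per line without spaces; the first two sample blocks are the configuration quoted in post #4 and the `/home` block is a hypothetical hardened one.

```shell
#!/bin/sh
# Added example, not from the thread: list <Directory> blocks whose
# AllowOverride lets a user's .htaccess turn FollowSymLinks back on.

# audit_allowoverride FILE -> one "directory<TAB>reason" line per finding
audit_allowoverride() {
    awk '
    function flag(why) { printf "%s\t%s\n", dir, why }
    tolower($1) == "<directory"   { dir = $2; gsub(/[">]/, "", dir); next }
    tolower($1) == "</directory>" { dir = ""; next }
    dir != "" && tolower($1) == "allowoverride" {
        for (i = 2; i <= NF; i++) {
            v = tolower($i)
            if (v == "all") { flag("AllowOverride All") }
            else if (v == "options") { flag("AllowOverride Options (any option)") }
            else if (v ~ /^options=/ && v ~ /[=,](followsymlinks|all)(,|$)/) {
                flag("Options= list permits FollowSymLinks")
            }
        }
    }' "$1"
}

# Constructed sample: blocks 1 and 2 are the httpd.conf quoted in the thread,
# block 3 is a hypothetical restricted override list.
sample_conf() {
cat <<'EOF'
<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/home">
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch
</Directory>
EOF
}
```

On the sample only the `/` block is reported, because `AllowOverride All` leaves `Options` open to `.htaccess`. The Apache documentation also notes that symlink checks such as SymLinksIfOwnerMatch are subject to race conditions, so file permissions on sensitive files still matter.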

  13. #13
    Registered Member
    Join Date
    Dec 2007
    Posts
    75

    Default re: Solutions for handling symlink attacks

    What exactly is the problem here?
    It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users' files on the server containing any password. It's a nuisance having to do this and of course I need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.
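
The cron-style sweep described in post #13, added here as an example and not part of the original thread. The function name is hypothetical; the file list covers the WordPress and Joomla configuration files (`wp-config.php`, `configuration.php`), and mode 600 assumes PHP runs as the file owner, as on the suPHP server in that post.

```shell
#!/bin/sh
# Added example, not from the thread. lock_down_configs is a hypothetical name.

# lock_down_configs BASE [fix]
# Report mode (default): print each world-readable CMS config file under BASE.
# Fix mode: chmod those files to 600 and print what was changed.
# -type f skips symlinks, so a link named wp-config.php is never chmod'ed.
lock_down_configs() {
    base=$1
    mode=${2:-report}
    find "$base" -xdev -type f \
        \( -name wp-config.php -o -name configuration.php \) \
        -perm -004 -print 2>/dev/null | while IFS= read -r f; do
        if [ "$mode" = fix ]; then
            chmod 600 -- "$f" && echo "fixed: $f"
        else
            echo "world-readable: $f"
        fi
    done
}

# Typical use from cron, after reviewing the report output once by hand:
#   lock_down_configs /home fix
```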

  14. #14
    Registered Member
    Join Date
    Apr 2003
    Posts
    174
    cPanel/WHM Access Level

    Root Administrator

    Default re: Solutions for handling symlink attacks

    Quote Originally Posted by BigLebowski View Post
    It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users' files on the server containing any password. It's a nuisance having to do this and of course I need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.
    Again, surely disabling FollowSymlinks and only allowing SymLinksIfOwnerMatch would prevent that?

  15. #15
    Registered Member
    Join Date
    Dec 2007
    Posts
    75

    Default re: Solutions for handling symlink attacks

    Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

    Best
    Dude
