
Thread: Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

  1. #1
    Registered Member
    Join Date
    Nov 2004
    Posts
    126

    Default Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

    There exists an easy method to read any file with permissions 644 from a user's home directory by creating a symbolic link to the file.

    We have confirmed this on a server running php as mod_fcgid. All user homedirs and files are owned by the appropriate user, and all php scripts are executed under this user. The same breach can be accomplished on a mod_php server as well.

    This is important because any user on a cpanel server can easily read other user config files and acquire database passwords and other sensitive data.

    One possible fix is to make file permissions in each user homedir 600.

    A better way would be to add

    Code:
    <Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>
    to /usr/local/apache/conf/includes/pre_virtualhost_2.conf

    How to test if your server is vulnerable

    Let's have two accounts: an attack account and a victim account.

    1. In attack account create directory public_html/fakesymlink with appropriate permissions

    2. In attack account save /http://seo.r1servers.com/symlink.txt as public_html/symlink.php

    3. Find out what other users are on the server by reading /etc/passwd (can be done by opening the file from any PHP script) and choose a victim account

    4. In symlink.php enter path to victim index.php:
    /home/victim-account/public_html/index.php

    5. Now read the file in apache.
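
Added example (not part of the original post): a Python audit that walks a directory tree and reports symbolic links whose owner differs from the owner of the target, the same comparison SymLinksIfOwnerMatch makes. The function names, the result labels and the constructed temporary tree in demo() are assumptions of this example.

```python
import os
import tempfile


def audit_symlinks(root):
    """Walk root without following links and return (link, target, kind) for
    every symlink whose owner differs from the owner of what it points to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames but never descended.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid          # owner of the link itself
            try:
                target_uid = os.stat(path).st_uid     # owner of the resolved target
            except OSError:
                # Dangling link, or a target this process is not allowed to stat.
                findings.append((path, os.readlink(path), "unresolvable"))
                continue
            if link_uid != target_uid:
                findings.append((path, os.readlink(path), "owner-mismatch"))
    return findings


def demo():
    """Constructed tree: a same-owner link, a dangling link and a link to '/'."""
    with tempfile.TemporaryDirectory() as base:
        web = os.path.join(base, "public_html")
        os.mkdir(web)
        real = os.path.join(web, "real.php")
        open(real, "w").close()
        os.symlink(real, os.path.join(web, "own.txt"))
        os.symlink(os.path.join(base, "missing"), os.path.join(web, "dangling.txt"))
        os.symlink("/", os.path.join(web, "root.txt"))
        return {os.path.basename(p): kind for p, _, kind in audit_symlinks(base)}


if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{kind:15} {name}")
```

A scan like this is a point-in-time check; run it as root over the home directories so that targets inside other users' directories can be stat'ed instead of being reported as unresolvable.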

  2. #2
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by panayot View Post
    Code:
    <Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>
    Within cPanel/WHM it is already possible to customize the specified Apache Options directive via the following menu path:
    WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration

    On the aforementioned page in WHM simply perform the following steps:
    1.) Look for the section labeled Directory '/' Options
    2.) Disable (uncheck) FollowSymLinks
    3.) Enable (check) SymLinksIfOwnerMatch
    4.) Click Save to finalize changes.

    It is dependent upon the server administrator or business to decide how they wish to configure their systems; in certain cases, such as in a non-shared environment, it may not be desirable to apply the same configuration as what may be preferred in a shared hosting environment.

  3. #3
    s1y
    s1y is offline
    Registered User
    Join Date
    Jun 2007
    Posts
    4

    Default

    Any customization of the Apache configuration file is useless because a simple .htaccess file with one row "+FollowSymLinks" in it makes the hack possible again. Some other suggestions?

    Maybe "AllowOverride Options" instead of "AllowOverride All"?
    Last edited by s1y; 08-27-2010 at 04:54 PM.

  4. #4
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by s1y View Post
    Any customization of the Apache configuration file is useless because a simple .htaccess file with one row "+FollowSymLinks" in it makes the hack possible again. Some other suggestions?

    Maybe "AllowOverride Options" instead of "AllowOverride All"?
    I may consider using an Apache configuration include file to add further customizations depending on your specific requirements; here is a basic example:
    Code:
    <Directory "/home">
            Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
            AllowOverride Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Here is an example path to one of the stock-default include files that could be used:
    Code:
    /usr/local/apache/conf/includes/pre_virtualhost_global.conf
    Apache configuration includes may be setup and modified using WebHost Manager via the following menu path:


    To determine what Apache configuration directives and values may be used, please refer to the following official Apache/httpd documentation:

  5. #5
    s1y
    s1y is offline
    Registered User
    Join Date
    Jun 2007
    Posts
    4

    Default

    Exactly what I was thinking about. My bad, I forgot to mention that everything is defined in the pre_virtualhost_*.conf file and nothing from this:

    <Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>

    was actually in the main httpd configuration file.

  6. #6
    Registered Member
    Join Date
    Dec 2007
    Posts
    45

    Default

    Hello cPanelDon,
    I use this according to your post:
    Code:
    <Directory "/home">
        Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
        AllowOverride Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    But just about all sites on the server are dealing with Error 500.

    Some .htaccess files that cause Error 500 after making this change and restarting Apache:

    .htaccess1:
    Code:
    #IndexIgnore *
    AddDefaultCharset utf-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript
    RewriteEngine on
    RewriteRule ^buy-sell.php ?page=buy-sell [nc]
    RewriteRule ^contact.php ?page=contact [nc]
    RewriteRule ^aboutus.php ?page=aboutus [nc]



    .htaccess2:
    Code:
    RewriteEngine on
    # -FrontPage-
    
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName sitename.tld
    AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/user/public_html/_vti_pvt/service.grp
    RewriteCond %{HTTP_HOST} ^.*$
    RewriteRule ^/?$ "http\:\/\/sitename\.com" [R=301,L]
    .
    .
    .


    Please help me.
    Thank you
    Last edited by Bahram0110; 08-28-2010 at 11:07 AM.

  7. #7
    Registered Member
    Join Date
    Nov 2004
    Posts
    126

    Default

    Quote Originally Posted by Bahram0110 View Post
    Hello cPanelDon,
    I use this according to your post:
    Code:
    <Directory "/home">
        Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
        AllowOverride Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    But just about all sites on the server are dealing with Error 500.

    Some .htaccess files that cause Error 500 after making this change and restarting Apache:

    .htaccess1:
    Code:
    #IndexIgnore *
    AddDefaultCharset utf-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript
    RewriteEngine on
    RewriteRule ^buy-sell.php ?page=buy-sell [nc]
    RewriteRule ^contact.php ?page=contact [nc]
    RewriteRule ^aboutus.php ?page=aboutus [nc]



    .htaccess2:
    Code:
    RewriteEngine on
    # -FrontPage-
    
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName sitename.tld
    AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/user/public_html/_vti_pvt/service.grp
    RewriteCond %{HTTP_HOST} ^.*$
    RewriteRule ^/?$ "http\:\/\/sitename\.com" [R=301,L]
    .
    .
    .


    Please help me.
    Thank you
    Try this:

    Code:
    <Directory "/">
        Options All
        Options -FollowSymLinks
        Options +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
    </Directory>
    Last edited by panayot; 08-29-2010 at 09:44 AM.

  8. #8
    Registered Member
    Join Date
    Dec 2007
    Posts
    45

    Default

    Hello panayot,
    I'm using this following your example:
    Code:
    <Directory "/home">
        Options All
        Options -FollowSymLinks
        Options -ExecCGI
        Options +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,MultiViews,FollowSymLinks                                         
    </Directory>
    I want to permanently disable ExecCGI and FollowSymLinks.

    But when I test it, I can enable ExecCGI simply by adding this line in .htaccess:

    Code:
    Options +ExecCGI
    How can I use AllowOverride to disable the effect of .htaccess for those two options?

  9. #9
    Registered Member
    Join Date
    Nov 2004
    Posts
    126

    Default

    Quote Originally Posted by Bahram0110 View Post
    Hello panayot,
    I'm using this following your example:
    Code:
    <Directory "/home">
        Options All
        Options -FollowSymLinks
        Options -ExecCGI
        Options +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,MultiViews,FollowSymLinks                                         
    </Directory>
    I want to permanently disable ExecCGI and FollowSymLinks.

    But when I test it, I can enable ExecCGI simply by adding this line in .htaccess:

    Code:
    Options +ExecCGI
    How can I use AllowOverride to disable the effect of .htaccess for those two options?
    In your case, you can put this in /usr/local/apache/conf/includes/pre_virtualhost_2.conf:

    Code:
    <Directory "/">
        Options All
        Options -FollowSymLinks
        Options +SymLinksIfOwnerMatch
        Options -ExecCGI
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
    </Directory>

  10. #10
    Registered Member
    Join Date
    Dec 2007
    Posts
    45

    Default

    AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    Hi,
    What does the bold section do?
    Does it limit changes to Includes,IncludesNOEXEC,... or allow them to be changed?

    thank you very much
    Last edited by Bahram0110; 08-30-2010 at 12:35 PM.

  11. #11
    Registered Member
    Join Date
    Nov 2004
    Posts
    126

    Default

    Limit has nothing to do with Options.

    Code:
    AuthConfig FileInfo Indexes Limit Options
    These are configuration groups

    Code:
    Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    This specifies which members of the group Options can be overridden

  12. #12
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by Bahram0110 View Post
    Hello cPanelDon,
    I use this according to your post:
    [...]

    But just about all sites on the server are dealing with Error 500.

    Some .htaccess files that cause Error 500 after making this change and restarting Apache:
    [...]
    Depending on the contents of individual Apache .htaccess files it may be expected that the combination could result in an HTTP status code 500 ("Internal Server Error"); this is because the htaccess files may contain one or more Apache directives that are not permitted by the custom setting of your AllowOverride directive. Upon my testing of the provided basic example I did not experience an error; however, I am also not using FrontPage Extensions. Individual results can vary as server configurations may differ and site-specific Apache .htaccess files may have unique customizations.

    Please refer to the official Apache/httpd documentation to determine all configuration options available:

  13. #13
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by cPanelDon View Post
    [...] here is a basic example:
    Code:
    <Directory "/home">
            Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
            AllowOverride Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Here is an alternative to the initial example I provided; the following specifies you may override All but still retains the narrowed set of Options that excludes FollowSymLinks; the only difference is that of adding "All" to the beginning of the list specified by AllowOverride:
    Code:
    <Directory "/home">
            Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
            AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Adding "All" should allow other directives to be used without having to explicitly list them in AllowOverride.

    Upon testing the above (revised) example I found it successfully prevented the "FollowSymLinks" Option from being re-enabled -- and instead of allowing "FollowSymLinks" the access attempt triggered HTTP status code 500 ("Internal Server Error") and logged the following detail:
    Code:
    # tail -fvn0 /usr/local/apache/logs/error_log
    ==> /usr/local/apache/logs/error_log <==
    [Mon Aug 30 18:25:13 2010] [alert] [client $IP] /home/$USER/public_html/.htaccess: Option FollowSymLinks not allowed here

  14. #14
    Registered Member
    Join Date
    Nov 2004
    Posts
    126

    Default

    Because many CMS systems (Joomla for example) have FollowSymLinks in .htaccess, I was wondering if instead of disabling it, we could just add SymLinksIfOwnerMatch.

    If both are enabled then I guess SymLinksIfOwnerMatch will enforce owner checking.

    Then we can tell Apache to not allow turning off SymLinksIfOwnerMatch while allowing FollowSymLinks and not causing 500 errors.

    Code:
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    Of course this reasoning is based on the assumption that SymLinksIfOwnerMatch is almost not used anywhere.
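
Added example (not from the thread or from cPanel): a Python pre-deployment check that reads an AllowOverride line and reports which Options words in a .htaccess file would be rejected with the "not allowed here" alert shown in post #13, using the lists from posts #13 and #14. The parsing is a simplified model of Apache's behaviour as reported in this thread; the function names and the sample .htaccess are constructed for the example.

```python
def allowed_options(allowoverride_line):
    """Option names permitted by 'Options=a,b,...' (lower-cased). None means
    every option may be overridden; an empty set means none may be."""
    tokens = [t.lower() for t in allowoverride_line.split()[1:]]
    listed = [t[len("options="):] for t in tokens if t.startswith("options=")]
    if listed:
        # An explicit list narrows Options even when "All" is also present,
        # which is the behaviour post #13 observed.
        return {name for item in listed for name in item.split(",") if name}
    if "all" in tokens or "options" in tokens:
        return None
    return set()


def lint_htaccess(text, allowoverride_line):
    """Return (line number, message) for each Options word the policy rejects.
    One rejected word makes Apache answer 500 for the whole directory."""
    allowed = allowed_options(allowoverride_line)
    findings = []
    if allowed is None:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        words = line.split()
        if not words or words[0].lower() != "options":
            continue                      # comments and other directives
        for word in words[1:]:
            name = word.lstrip("+-")      # +X and -X are checked the same way
            # "None" is always accepted; "All" is flagged conservatively here.
            if name.lower() != "none" and name.lower() not in allowed:
                findings.append((lineno, f"Option {name} not allowed here"))
    return findings


# Constructed sample in the style of a CMS-shipped .htaccess.
SAMPLE_HTACCESS = """\
# constructed sample
Options +FollowSymLinks -Indexes
RewriteEngine On
"""
POLICY_POST_13 = ("AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,"
                  "Indexes,MultiViews,SymLinksIfOwnerMatch")
POLICY_POST_14 = ("AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,"
                  "Indexes,MultiViews,FollowSymLinks")

if __name__ == "__main__":
    for label, policy in (("post #13", POLICY_POST_13), ("post #14", POLICY_POST_14)):
        print(label, lint_htaccess(SAMPLE_HTACCESS, policy))
```

A clean result only means no 500: when FollowSymLinks and SymLinksIfOwnerMatch are both in effect for a directory, Apache follows the link without the owner comparison, so confirm the effective Options separately.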

  15. #15
    Registered Member
    Join Date
    Sep 2001
    Posts
    315

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Hi

    Sorry for opening such an old posting, but I have exactly the same problem and I guess nearly everybody here has the same problem. Hackers can create symlinks to config files of other users and get MySQL login details like this. Did someone find a solution for this security problem without losing the functionality of Joomla and other CMS systems?
