Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

[panayot]

There exists an easy method to read any file with permissions 644 from a user's home directory by creating a symbolic link to the file.

We have confirmed this on a server running php as mod_fcgid. All user homedirs and files are owned by the appropriate user, and all php scripts are executed under this user. The same breach can be accomplished on a mod_php server as well.

This is important because any user on a cpanel server can easily read other user config files and acquire database passwords and other sensitive data.

One possible fix is to make file permissions in each user homedir 600.

A better way would be to add

Code:

<Directory "/">
Options All
Options -FollowSymLinks
Options +SymLinksIfOwnerMatch
AllowOverride All
</Directory>

to /usr/local/apache/conf/includes/pre_virtualhost_2.conf

How to test if your server is vulnerable

Lets have two accounts: attack account and victim account.

1. In attack account create directory public_html/fakesymlink with appropriate permissions

2. In attack account save /http://seo.r1servers.com/symlink.txt as public_html/symlink.php

3. find out what other users are on server by reading /etc/passwd (can be done by opening file from any php script) and choose victim account

4. In symlink.php enter path to victim index.php:
/home/victim-account/public_html/index.php

5. Now read the file in apache.

[cPanelDon]

Code:

<Directory "/">
Options All
Options -FollowSymLinks
Options +SymLinksIfOwnerMatch
AllowOverride All
</Directory>

Within cPanel/WHM it is already possible to customize the specified Apache Options directive via the following menu path:
WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration

On the aforementioned page in WHM simply perform the following steps:
1.) Look for the section labeled Directory '/' Options
2.) Disable (uncheck) FollowSymLinks
3.) Enable (check) SymLinksIfOwnerMatch
4.) Click Save to finalize changes.

It is dependent upon the server administrator or business to decide how they wish to configure their systems; in certain cases, such as in a non-shared environment, it may not be desirable to apply the same configuration as what may be preferred in a shared hosting environment.

[s1y]

Any customization of apache configuration file is useless because simple .htaccess file with one row "+FollowSymLinks" in it, make the hack possible again. Some other suggestions?

May be "AllowOverride Options" instead "AllowOverride All" ?

[cPanelDon]

Any customization of apache configuration file is useless because simple .htaccess file with one row "+FollowSymLinks" in it, make the hack possible again. Some other suggestions?

May be "AllowOverride Options" instead "AllowOverride All" ?

I may consider using an Apache configuration include file to add further customizations depending on your specific requirements; here is a basic example:

Code:

<Directory "/home">
        Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
        AllowOverride Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

Here is an example path to one of the stock-default include files that could be used:

Code:

/usr/local/apache/conf/includes/pre_virtualhost_global.conf

Apache configuration includes may be setup and modified using WebHost Manager via the following menu path:

• WHM: Main >> Service Configuration >> Apache Configuration >> Include Editor

To determine what Apache configuration directives and values may be used, please refer to the following official Apache/httpd documentation:

• Apache HTTP Server Version 2.2 Documentation
• Apache HTTP Server Version 2.0 Documentation
• Apache HTTP Server Version 1.3 Documentation

[s1y]

exactly what I was thinking about. My bad, I forgot to mention that everything is defined in the pre_virtualhost_*.conf file and nothing from this:

<Directory "/">
Options All
Options -FollowSymLinks
Options +SymLinksIfOwnerMatch
AllowOverride All
</Directory>

was actually in the main httpd configuration file.

[Bahram0110]

Hello cPanelDon
I use this according your post :

Code:

<Directory "/home">
    Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

But about all sites on the server are dealing with Error 500

some .htaccess that make Error 500 after doing this change and restart apache:

.htaccess1:

Code:

#IndexIgnore *
AddDefaultCharset utf-8
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript
RewriteEngine on
RewriteRule ^buy-sell.php ?page=buy-sell [nc]
RewriteRule ^contact.php ?page=contact [nc]
RewriteRule ^aboutus.php ?page=aboutus [nc]

.htaccess2:

Code:

RewriteEngine on
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName sitename.tld
AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/user/public_html/_vti_pvt/service.grp
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "http\:\/\/sitename\.com" [R=301,L]

.
.
.


Please help me.
Thank you

[panayot]

Hello cPanelDon
I use this according your post :

Code:

<Directory "/home">
    Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

But about all sites on the server are dealing with Error 500

some .htaccess that make Error 500 after doing this change and restart apache:

.htaccess1:

Code:

#IndexIgnore *
AddDefaultCharset utf-8
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript
RewriteEngine on
RewriteRule ^buy-sell.php ?page=buy-sell [nc]
RewriteRule ^contact.php ?page=contact [nc]
RewriteRule ^aboutus.php ?page=aboutus [nc]

.htaccess2:

Code:

RewriteEngine on
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName sitename.tld
AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/user/public_html/_vti_pvt/service.grp
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "http\:\/\/sitename\.com" [R=301,L]

.
.
.


Please help me.
Thank you

Try this:

Code:

<Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
</Directory>

[Bahram0110]

Hello panayot,
I,m using this flowing your example:

Code:

<Directory "/home">
    Options All
    Options -FollowSymLinks
    Options -ExecCGI
    Options +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,MultiViews,FollowSymLinks                                         
</Directory>

I want to permanently disable execCGI and FollowSymLinks

But when I test it, I can enable ExecCGI simply with adding this line in .htaccess

Code:

Options +ExecCGI

How Can I use AllowOverride to disable the effect of htaccess for that two options?

[panayot]

Hello panayot,
I,m using this flowing your example:

Code:

<Directory "/home">
    Options All
    Options -FollowSymLinks
    Options -ExecCGI
    Options +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,MultiViews,FollowSymLinks                                         
</Directory>

I want to permanently disable execCGI and FollowSymLinks

But when I test it, I can enable ExecCGI simply with adding this line in .htaccess

Code:

Options +ExecCGI

How Can I use AllowOverride to disable the effect of htaccess for that two options?

In your case, you can put this in /usr/local/apache/conf/includes/pre_virtualhost_2.conf:

Code:

<Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    Options -ExecCGI
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
</Directory>

[Bahram0110]

AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks

Hi,
what the bold section do?
it Limit change of Includes,IncludesNOEXEC,... Or allow them to be changed?

thank you very much

[panayot]

Limit has nothing to do with Options.

Code:

AuthConfig FileInfo Indexes Limit Options

These are configuration groups

Code:

Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks

This specifies which members of the group Options can be overriden

[cPanelDon]

Hello cPanelDon
I use this according your post :
[...]

But about all sites on the server are dealing with Error 500

some .htaccess that make Error 500 after doing this change and restart apache:
[...]

Depending on the contents of individual Apache .htaccess files it may be expected that the combination could result in an HTTP status code 500 ("Internal Server Error"); this is because the htaccess files may contain one or more Apache directives that are not permitted by the custom setting of your AllowOverride directive. Upon my testing of the provided basic example I did not experience an error; however, I am also not using FrontPage Extensions. Individual results can vary as server configurations may differ and site-specific Apache .htaccess files may have unique customizations.

Please refer to the official Apache/httpd documentation to determine all configuration options available:

• Apache Core Features - mod_core - Apache HTTP Server
• AllowOverride Directive - mod_core - Apache HTTP Server

[cPanelDon]

[...] here is a basic example:

Code:

<Directory "/home">
        Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
        AllowOverride Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

Here is an alternative to the initial example I provided; the following specifies you may override All but still retains the narrowed set of Options that excludes FollowSymLinks; the only difference is that of adding "All" to the beginning of the list specified by AllowOverride:

Code:

<Directory "/home">
        Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

Adding "All" should allow other directives to be used without having to explicitly them in AllowOverride.

Upon testing the above (revised) example I found it successfully prevented the "FollowSymLinks" Option from being re-enabled -- and instead of allowing "FollowSymLinks" the access attempt triggered HTTP status code 500 ("Internal Server Error") and logged the following detail:

Code:

# tail -fvn0 /usr/local/apache/logs/error_log
==> /usr/local/apache/logs/error_log <==
[Mon Aug 30 18:25:13 2010] [alert] [client $IP] /home/$USER/public_html/.htaccess: Option FollowSymLinks not allowed here

[panayot]

Because many cms systems (Joomla for example) have FollowSymLinks in .htaccess, I was wondering if instead of disableing it, we could just add SymLinksIfOwnerMatch.

If both are enabled then I guess SymLinksIfOwnerMatch will enforce owner checking.

Then we can tell apache to not allow turning off SymLinksIfOwnerMatch while allowing FollowSymLinks and not causeing 500 errors.

Code:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks

Of course this reasoning is based on the assumption that SymLinksIfOwnerMatch is almost not used anywhare.

[CoolMike]

Hi

Sorry for opening such an old posting, but I have exactly the same problem and I guess nearly everybody here has the same problem. Hacker can create symlinks to config files of other users and get mysql login details like this. Did someone find a solution for this security problem without loosing the functionality of Joomla and other cms systems?