security issue with error_log files

[elleryjh]

The error_log files that are created (I believe that's only with phpsuexec enabled) in each directory are accessable by apache (http://domain.com/error_log)

Although this problem is not urgent, it can create a security issue by possibly exposing inner workings of php scripts and exposing names of scripts that are being developed in that directory.

Recommendation to cpanel/phpsuexec/apache (I'm not sure who would be relavent here): chmod 600 these error_logs so they cannot be retreived by apache

Recommendation to users:

In httpd.conf (usually /usr/local/apache/conf/httpd.conf), find this section:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

under it, ADD (DO NOT CHANGE):

<Files ~ "^error_log$">
Order allow,deny
Deny from all
Satisfy All
</Files>

This will create a 403 error on any file named error_log for any site

[sawbuck]

Not sure what version of WHM/cPanel you are talking about but I receive a 403 error currently when accessing the example you provide (with phpsuexec enabled).

[elleryjh]

On a new RHE server with phpsuexec enabled, this the behavior that I've seen several times for a while now, but just realised the security hole here.

[Myacen]

I can confirm this problem

[chirpy]

So, have you logged a bugzilla report?

[elleryjh]

No. The reason I haven't is because I don't think this is a bug in cPanel. I think it is actually apache's or phpsuexec's, and I'm not sure how to find out. Would you recommend that I submit a bug report to cPanel anyway?

[Myacen]

Yes include the code to fix it to otherwise you will be waiting a while for a response.