
Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

Discussion in 'EasyApache' started by panayot, Feb 16, 2010.

  1. panayot

    panayot Member

    There exists an easy method to read any file with permissions 644 from a user's home directory by creating a symbolic link to the file.

    We have confirmed this on a server running php as mod_fcgid. All user homedirs and files are owned by the appropriate user, and all php scripts are executed under this user. The same breach can be accomplished on a mod_php server as well.

    This is important because any user on a cPanel server can easily read other users' config files and acquire database passwords and other sensitive data.

    One possible fix is to make file permissions in each user homedir 600.

    A better way would be to add

    Code:
    <Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>
    
    to /usr/local/apache/conf/includes/pre_virtualhost_2.conf

    How to test if your server is vulnerable

    Let's have two accounts: attack account and victim account.

    1. In attack account create directory public_html/fakesymlink with appropriate permissions

    2. In attack account save http://seo.r1servers.com/symlink.txt as public_html/symlink.php

    3. Find out what other users are on the server by reading /etc/passwd (can be done by opening the file from any PHP script) and choose a victim account

    4. In symlink.php enter path to victim index.php:
    /home/victim-account/public_html/index.php

    5. Now read the file in apache.
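
A defensive audit for the condition described in the post above, as an added example that is not part of the original thread: it walks a directory tree and reports symlinks whose target has a different owner than the link, which is the comparison SymLinksIfOwnerMatch makes. The function name and the injectable `lstat`/`stat` parameters are assumptions made for this example.

```python
import os
import stat as stat_mod

def cross_owner_symlinks(root, lstat=os.lstat, stat=os.stat):
    """Return (link, target, link_uid, target_uid) for every symlink under root
    whose target belongs to a different uid than the link itself.

    This mirrors the ownership comparison SymLinksIfOwnerMatch makes before
    following a link. lstat/stat are parameters so the check can be exercised
    without root; the defaults are the real system calls.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                link_info = lstat(path)
                if not stat_mod.S_ISLNK(link_info.st_mode):
                    continue
                target_info = stat(path)  # follows the link to its target
            except OSError:
                continue  # vanished entry, dangling link or unreadable target
            if target_info.st_uid != link_info.st_uid:
                findings.append((path, os.path.realpath(path),
                                 link_info.st_uid, target_info.st_uid))
    return findings

if __name__ == "__main__":
    # /home is the cPanel layout used in this thread; run as root to see all targets.
    for link, target, link_uid, target_uid in cross_owner_symlinks("/home"):
        print(f"{link} (uid {link_uid}) -> {target} (uid {target_uid})")
```

Links that point at root-owned system files are listed too; the rows worth reviewing are those whose target uid belongs to another hosting account.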
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Within cPanel/WHM it is already possible to customize the specified Apache Options directive via the following menu path:
    WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration

    On the aforementioned page in WHM simply perform the following steps:
    1.) Look for the section labeled Directory '/' Options
    2.) Disable (uncheck) FollowSymLinks
    3.) Enable (check) SymLinksIfOwnerMatch
    4.) Click Save to finalize changes.

    It is dependent upon the server administrator or business to decide how they wish to configure their systems; in certain cases, such as in a non-shared environment, it may not be desirable to apply the same configuration as what may be preferred in a shared hosting environment.
     
  3. s1y

    s1y New Member

    Any customization of the Apache configuration file is useless, because a simple .htaccess file with one row "+FollowSymLinks" in it makes the hack possible again. Some other suggestions?

    Maybe "AllowOverride Options" instead of "AllowOverride All"?
     
    #3 s1y, Aug 27, 2010
    Last edited: Aug 27, 2010
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    I may consider using an Apache configuration include file to add further customizations depending on your specific requirements; here is a basic example:
    Code:
    <Directory "/home">
            Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
            AllowOverride Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Here is an example path to one of the stock-default include files that could be used:
    Code:
    /usr/local/apache/conf/includes/pre_virtualhost_global.conf
    Apache configuration includes may be set up and modified using WebHost Manager via the following menu path:

    To determine what Apache configuration directives and values may be used, please refer to the following official Apache/httpd documentation:
     
  5. s1y

    s1y New Member

    Exactly what I was thinking about. My bad, I forgot to mention that everything is defined in the pre_virtualhost_*.conf file and nothing from this:

    <Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>

    was actually in the main httpd configuration file.
     
  6. Bahram0110

    Bahram0110 Member

    Hello cPanelDon
    I use this according to your post:
    Code:
    <Directory "/home">
        Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
        AllowOverride Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    But about all sites on the server are dealing with Error 500.

    Some .htaccess files that produce Error 500 after making this change and restarting Apache:

    .htaccess1:
    Code:
    #IndexIgnore *
    AddDefaultCharset utf-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript
    RewriteEngine on
    RewriteRule ^buy-sell.php ?page=buy-sell [nc]
    RewriteRule ^contact.php ?page=contact [nc]
    RewriteRule ^aboutus.php ?page=aboutus [nc]



    .htaccess2:
    Code:
    RewriteEngine on
    # -FrontPage-
    
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName sitename.tld
    AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/user/public_html/_vti_pvt/service.grp
    RewriteCond %{HTTP_HOST} ^.*$
    RewriteRule ^/?$ "http\:\/\/sitename\.com" [R=301,L]
    .
    .
    .


    Please help me.
    Thank you
     
    #6 Bahram0110, Aug 28, 2010
    Last edited: Aug 28, 2010
  7. panayot

    panayot Member

    Try this:

    Code:
    <Directory "/">
        Options All
        Options -FollowSymLinks
        Options +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
    </Directory>
     
    #7 panayot, Aug 29, 2010
    Last edited: Aug 29, 2010
  8. Bahram0110

    Bahram0110 Member

    Hello panayot,
    I'm using this following your example:
    Code:
    <Directory "/home">
        Options All
        Options -FollowSymLinks
        Options -ExecCGI
        Options +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,MultiViews,FollowSymLinks                                         
    </Directory>
    
    I want to permanently disable ExecCGI and FollowSymLinks.

    But when I test it, I can enable ExecCGI simply by adding this line in .htaccess:

    Code:
    Options +ExecCGI
    How can I use AllowOverride to disable the effect of .htaccess for those two options?
     
  9. panayot

    panayot Member

    In your case, you can put this in /usr/local/apache/conf/includes/pre_virtualhost_2.conf:

    Code:
    <Directory "/">
        Options All
        Options -FollowSymLinks
        Options +SymLinksIfOwnerMatch
        Options -ExecCGI
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks                                         
    </Directory>
     
  10. Bahram0110

    Bahram0110 Member

    Hi,
    What does the bold section do?
    Does it limit changes to Includes,IncludesNOEXEC,... or allow them to be changed?

    thank you very much :)
     
    #10 Bahram0110, Aug 30, 2010
    Last edited: Aug 30, 2010
  11. panayot

    panayot Member

    Limit has nothing to do with Options.

    Code:
    AuthConfig FileInfo Indexes Limit Options
    These are configuration groups.

    Code:
    Options=Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    This specifies which members of the group Options can be overridden.
     
  12. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Depending on the contents of individual Apache .htaccess files it may be expected that the combination could result in an HTTP status code 500 ("Internal Server Error"); this is because the htaccess files may contain one or more Apache directives that are not permitted by the custom setting of your AllowOverride directive. Upon my testing of the provided basic example I did not experience an error; however, I am also not using FrontPage Extensions. Individual results can vary as server configurations may differ and site-specific Apache .htaccess files may have unique customizations.

    Please refer to the official Apache/httpd documentation to determine all configuration options available:
     
  13. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Here is an alternative to the initial example I provided; the following specifies you may override All but still retains the narrowed set of Options that excludes FollowSymLinks; the only difference is that of adding "All" to the beginning of the list specified by AllowOverride:
    Code:
    <Directory "/home">
            Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
            AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Adding "All" should allow other directives to be used without having to explicitly list them in AllowOverride.

    Upon testing the above (revised) example I found it successfully prevented the "FollowSymLinks" Option from being re-enabled -- and instead of allowing "FollowSymLinks" the access attempt triggered HTTP status code 500 ("Internal Server Error") and logged the following detail:
    Code:
    # tail -fvn0 /usr/local/apache/logs/error_log
    ==> /usr/local/apache/logs/error_log <==
    [Mon Aug 30 18:25:13 2010] [alert] [client $IP] /home/$USER/public_html/.htaccess: Option FollowSymLinks not allowed here
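
The behaviour discussed in the posts above, as an added example that is not part of the original thread or cPanel's code: a simplified Python model of how an AllowOverride value decides which .htaccess lines are rejected with "not allowed here" (and so an HTTP 500). The directive table is a subset covering only directives quoted in this thread, and the function names are hypothetical; Apache itself stops at the first rejected line, while this lists all of them.

```python
# Override class each directive needs (subset: only directives quoted in this thread).
DIRECTIVE_CLASS = {
    "rewriteengine": "fileinfo", "rewritecond": "fileinfo", "rewriterule": "fileinfo",
    "adddefaultcharset": "fileinfo", "addoutputfilterbytype": "fileinfo",
    "indexignore": "indexes",
    "authname": "authconfig", "authuserfile": "authconfig", "authgroupfile": "authconfig",
    "order": "limit", "deny": "limit", "allow": "limit",
}
ALL_CLASSES = {"authconfig", "fileinfo", "indexes", "limit", "options"}

def parse_allowoverride(value):
    """Return (allowed override classes, overridable Options or None for any)."""
    classes, options = set(), None
    for token in value.split():
        key, _, listed = token.lower().partition("=")
        if key == "all":
            classes |= ALL_CLASSES
        elif key == "options" and listed:
            classes.add("options")
            options = set(listed.split(","))
        else:
            classes.add(key)
    return classes, options

def check_htaccess(text, allowoverride):
    """List the 'not allowed here' errors the .htaccess text would trigger."""
    classes, options = parse_allowoverride(allowoverride)
    errors = []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith(("#", "<")):
            continue  # blank line, comment or container tag
        name, args = words[0], words[1:]
        if name.lower() == "options":
            if "options" not in classes:
                errors.append("Options not allowed here")
            elif options is not None:
                errors += [f"Option {a.lstrip('+-')} not allowed here"
                           for a in args if a.lstrip("+-").lower() not in options]
        elif DIRECTIVE_CLASS.get(name.lower(), "") not in classes | {""}:
            errors.append(f"{name} not allowed here")
    return errors

# Constructed sample: a shortened .htaccess in the style of the ones posted above.
SAMPLE = "AddDefaultCharset utf-8\nRewriteEngine on\nOptions +FollowSymLinks\n"
NARROW = "Options=Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch"
if __name__ == "__main__":
    for setting in (NARROW, "All " + NARROW):
        print(setting, "->", check_htaccess(SAMPLE, setting))
```

With the narrow setting every FileInfo directive in the sample is rejected, which matches the site-wide 500 errors reported earlier in the thread; with "All" prepended only the FollowSymLinks line is rejected.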
     
  14. panayot

    panayot Member

    Because many CMS systems (Joomla for example) have FollowSymLinks in .htaccess, I was wondering if instead of disabling it, we could just add SymLinksIfOwnerMatch.

    If both are enabled then I guess SymLinksIfOwnerMatch will enforce owner checking.

    Then we can tell Apache to not allow turning off SymLinksIfOwnerMatch while allowing FollowSymLinks and not causing 500 errors.

    Code:
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    Of course this reasoning is based on the assumption that SymLinksIfOwnerMatch is almost not used anywhere.
     
  15. CoolMike

    CoolMike Member

    Hi

    Sorry for opening such an old posting, but I have exactly the same problem and I guess nearly everybody here has the same problem. A hacker can create symlinks to config files of other users and get MySQL login details like this. Did someone find a solution for this security problem without losing the functionality of Joomla and other CMS systems?
     
  16. Jay M

    Jay M Member

    Install this - http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p4.html#post996441
     
  17. brianoz

    brianoz Active Member

    The link posted above is the solution. It forces all FollowSymLinks settings to be SymLinksIfOwnerMatch. The patch is to EasyApache so that the setting change is compiled into Apache and can't be overridden from .htaccess.

    As someone else says in that thread, this is becoming really widespread; cPanel, hope you don't mind me saying that it's time you took notice and came up with a decent solution.
     
  18. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    Hello brianoz,

    Please post a feature request if you feel that this is something that needs to be revised or added. You can use Feature Requests for cPanel/WHM to post your own feature request.

    Thanks!
     
  19. rs-freddo

    rs-freddo Member

    Have to bump this; on a server with suPHP this should not be happening. Now I have to go change MySQL passwords for a bunch of accounts.
     
  20. SoftDux

    SoftDux Member

    Why do you need to change the MySQL passwords?
     
