
[Resolved] Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. HostingH

    HostingH Member

  2. lbeachmike

    lbeachmike Member

    Looks like this must be the latest and greatest hack out there because I just encountered the identical issue with one of my own servers. I've been hard-pressed to find anything documented on how to prevent this.

    Any advice would be much appreciated.

    Thanks.
     
  3. HostingH

    HostingH Member

    Hi lbeachmike,

    We can disable it in httpd.conf, but the hacker is enabling it in .htaccess as follows, so we cannot disable it in the Apache configuration. We also chmodded ln to 700.
    -----------
    Options +FollowSymLinks
    -----------

    Please advise us.
     
  4. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    How precisely did you disable it in the httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

    Code:
    <Directory "/">
        Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options Includes Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    The setting for <Directory "/"> should not be able to be overridden by any user's .htaccess file.
     
  5. IBZ

    IBZ New Member


    FollowSymLinks can still be enabled by .htaccess.
    I'm also looking for a solution to this issue.
     
  6. majidnt

    majidnt Member

    You should use this code in /usr/local/apache/conf/includes/pre_virtualhost_2.conf.
    But it's not enough to prevent USING symlinks: attackers upload 1.zip and extract it, and the file contains a ready-to-use symlink :)
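A detection check for the archive case described above, added here as an example that is not from the thread or from cPanel: it lists every symlink under an account's home directory whose target resolves outside that directory, regardless of how the link got there. It assumes GNU coreutils (readlink -f) and a /home/<user> layout, and is meant to be run from cron.

```shell
#!/bin/sh
# Added example, not from the thread: list symlinks under an account's home
# directory that resolve to a target OUTSIDE that directory. A symlink
# smuggled in via an uploaded archive shows up here even if it was never
# created with /bin/ln on this server.
#
# Assumes GNU coreutils (readlink -f) and POSIX find. Run it from cron
# over each /home/<user> and review or remove whatever it reports.

# escaped_symlinks HOME_DIR
# Prints "link -> resolved target" for every symlink that leaves the tree.
escaped_symlinks() {
    home=$(readlink -f "$1") || return 2
    # -type l matches the links themselves; find does not follow them.
    find "$home" -type l -print | while IFS= read -r link; do
        # readlink -f walks the whole chain, so a link to a link to
        # /etc/passwd still resolves to /etc/passwd. A dangling link
        # whose parent directory exists resolves to that path.
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$home"|"$home"/*) ;;      # stays inside the home tree: fine
            *) printf '%s -> %s\n' "$link" "${target:-(dangling)}" ;;
        esac
    done
}

# scan_all_homes BASE_DIR   (e.g. /home) runs the check for every account.
scan_all_homes() {
    for d in "$1"/*/; do
        if [ -d "$d" ]; then
            escaped_symlinks "${d%/}"
        fi
    done
}
```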

     
  7. lbeachmike

    lbeachmike Member

    Excellent point - bringing my question back to -

    Is there a way to ensure that a user would in no way have access to files outside of their home directory? I realize the symlink looks and feels like part of the home directory, but there certainly must be some viable solution to this otherwise any hacker can fully exploit any server with the very same recipe.

    mrk
     
  8. HostingH

    HostingH Member

    Hello,

    Can we set the sticky bit on / or /home so that only the owner can delete/modify files, like /tmp?
     
  9. KhensU

    KhensU New Member

    So other than disabling FollowSymlinks altogether, are there any other solutions to this? We just got hit as well.
     
  10. neutro

    neutro New Member

    Got hit like this as well. How do we prevent it? If we disable FollowSymLinks, is there any impact on web sites?
     
  11. DomineauX

    DomineauX Member

    Seeing more of these attacks as well lately.
     
  12. astopy

    astopy Member

    Wait... creating a symlink to / won't give the user write access to anything they didn't already have write access to -- symlinks don't give the user any extra privileges. What exactly is the problem here?

    I'm aware of the problems of Apache following symlinks to other users' files, but as someone already pointed out all you need to do to stop that is disable FollowSymlinks, turn on SymLinksIfOwnerMatch and make sure FollowSymlinks isn't in AllowOverride. (And also be prepared to deal with all the support requests from people who try to install scripts with "Options +FollowSymlinks" in their default .htaccess files. Joomla, I'm looking at you :p)
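The httpd.conf change described above, as an added example that is not from the thread or from cPanel: the global block as posted earlier in the thread (weak, because AllowOverride All lets .htaccess add FollowSymLinks back) beside one that uses AllowOverride's Options= form so it cannot. The exact keyword list is an assumption; keep whatever your sites need and just leave FollowSymLinks out.

```apache
# Added example, not from the thread. Weak: FollowSymLinks is off globally,
# but "AllowOverride All" lets any .htaccess put it back with
# "Options +FollowSymLinks".
<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

# Corrected: "Options=" names the only Options keywords a .htaccess may set,
# so "Options +FollowSymLinks" now fails with a 500 ("Options not allowed
# here") instead of silently working. The other override classes are an
# assumed list; adjust them to what your .htaccess files actually use.
<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

# SymLinksIfOwnerMatch is checked before the file is opened, so a link
# swapped in between the check and the open is still followed; this
# narrows the exposure rather than closing it.
```

Sites whose default .htaccess contains Options +FollowSymLinks (Joomla, as noted above) will show an internal server error until that line is removed or commented out.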
     
  13. BigLebowski

    BigLebowski Member

    It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course I need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.
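The cron job described above, written out as an added example that is not from the thread or from cPanel: it finds application config files that hold credentials and are still world-readable, and tightens them to 0600. The file-name list is an assumption to extend for your customers' apps, and 0600 only works where PHP runs as the file owner (suPHP or similar), as it does on the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread: find application config files that
# carry database passwords and are world-readable, and tighten them to
# 0600 so a symlink served from another account's public_html no longer
# exposes them. Assumes PHP runs as the file owner (suPHP or similar);
# on a mod_php server 0600 would break the site instead. GNU/POSIX find.

# fix_world_readable BASE_DIR [report]
# With the optional second argument "report" it only lists offenders.
# Prints one line per file handled.
fix_world_readable() {
    base=$1
    mode=${2:-fix}
    # File names that hold credentials in common apps (assumed list; extend
    # it for whatever your customers run). -perm -004 = others can read.
    find "$base" -type f \
        \( -name wp-config.php -o -name configuration.php \
           -o -name config.php -o -name settings.php \) \
        -perm -004 -print | while IFS= read -r f; do
        if [ "$mode" = report ]; then
            printf 'world-readable: %s\n' "$f"
        else
            chmod 0600 "$f" && printf 'fixed: %s\n' "$f"
        fi
    done
}
```

A crontab line such as `0 * * * * /usr/local/sbin/fix_world_readable.sh /home` (path assumed) keeps newly uploaded files covered.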
     
  14. astopy

    astopy Member

    Again, surely disabling FollowSymlinks and only allowing SymLinksIfOwnerMatch would prevent that?
     
  15. BigLebowski

    BigLebowski Member

    Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

    Best
    Dude
     
  16. astopy

    astopy Member

    Joomla will show an internal server error with its default .htaccess file, because it includes Options +FollowSymlinks. Wordpress won't have any problems, and I haven't come across any major app other than Joomla that specifically tries to enable FollowSymlinks. Fixing the error is just a case of deleting (or commenting out) the FollowSymlinks line.

    Since disabling FollowSymlinks we do occasionally get questions from customers who can't get Joomla to work, but we've decided that it's worth the extra support overhead to improve security.
     
  17. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Please keep in mind that SymLinksIfOwnerMatch is in no way a security restriction. See the Apache Group's own words on this here: core - Apache HTTP Server
     
  18. astopy

    astopy Member

    Interesting. So, an attacker could request a regular file and then delete the file and replace it with a symlink after Apache checks what kind of file it is and before it reads the file. Correct?

    I guess this would at least make the attack much harder, even if it doesn't guarantee that it would be prevented.
     
  19. ServerMascot

    ServerMascot New Member

    Change the permission of ln. Usually it will be located in /bin/ln (find it out by "which ln").

    do

    Code:
    chmod 760 /bin/ln
    This removes the execute permission of the 'ln' command for other users.
     
  20. lbeachmike

    lbeachmike Member

    This is an interesting suggestion. Can you better explain what negative impact this could have? Wouldn't it prevent all users from using symlinks?
     