Yes. Despite the wording, this patch does nothing to prevent Apache following symlinks when the target is owned by another user. This patch only closes a race condition. You will still need to use 3rd party patches / software or totally disable FollowSymLinks and remove it from AllowOverride in order to protect your servers.

Having CL with CageFS and SecureLinks, is this still needed?
Pete, we attempted to add this patch via EasyApache and the compile failed with mod_sec errors:
"Syntax error on line 306 of /usr/local/apache/conf/modsec/10_asl_rules.conf:
SecRule takes two or three arguments, rule target, operator and optional action list"
The rules were adjusted and the patch then applied successfully.
Unfortunately my server's Shared SSL certificate then stopped working (.css and .js files giving 404 errors when using shared SSL links like https://sslcertsite.com/~accountname/index.php), which caused havoc with my webstore customers until it was discovered and rectified.
The patch was then removed, but we had even more problems with mod_sec, so we removed the mod_sec profile completely and were then able to uninstall the patch.
A disaster of a weekend.
Can somebody confirm whether this Symlink patch does or does not stop Shared SSL certificates from working?
And it would be very much appreciated if somebody would list, as bullet points, all the necessary actions to perform on a CentOS cPanel server running suPHP to stop the symlink exploit as well as possible at the moment. We have already done the "config files to chmod 600 (and 400 sometimes)" and I am running cxswatch to help protect the server.
> Yes. Despite the wording, this patch does nothing to prevent Apache following symlinks when the target is owned by another user. This patch only closes a race condition. You will still need to use 3rd party patches / software or totally disable FollowSymLinks and remove it from AllowOverride in order to protect your servers.

You sure about that? I removed the 3rd party patch (Steven's patch) that I was using, and compiled Apache 2.2.24 with the new "Symlink Race Condition Protection." Trying to abuse it, I get errors like this:

> You sure about that?

I checked with cPanel support and they advised that this only closes the race condition.
Can cPanel please confirm what this patch ACTUALLY does? It seems that the changelog says one thing, support says another, and someone's experience says yet another.

cPanel Support said:

> I have been researching this issue for you. In going over the internal notes for 63676, this patch only applies the fix for the race condition. It does not force the usage of SymLinksIfOwnerMatch nor does it disable the usage of FollowSymLinks. I ran this in my build in my test environment to ensure that this was the case.
> I would agree that the wording in the EA changelog may be viewed as misleading, and am submitting this to our documentation team for further review.
It's an either/or per cPanel's documentation at Symlink Race Condition Protection.

Hi, we are also curious about how this works with rack911's Steven's patch please?

Maybe this post is on the wrong forum? Not much involvement~
Warning: If you already use a custom patch for the race condition (for example: FollowSymLinks_twnerMatch.patch), you will need to either remove your custom patch or not enable the Symlink Race Condition Protection option in EasyApache.
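Putting the first post's advice (disable FollowSymLinks and keep it out of AllowOverride) and the cPanel Support reply (the patch forces neither SymLinksIfOwnerMatch nor disabling FollowSymLinks) into configuration terms, here is an added example that is not from this thread, cPanel or EasyApache. The /home path and the list of override categories are assumptions; the weak block is shown next to the hardened one.

```apache
# WEAK: every account under /home can follow a symlink to a file owned by
# another account, and because AllowOverride All includes "Options", any
# .htaccess can re-enable FollowSymLinks even if it is removed here.
<Directory "/home">
    Options FollowSymLinks
    AllowOverride All
</Directory>

# HARDENED: a symlink is only followed when link and target have the same
# owner (SymLinksIfOwnerMatch), and "Options" is deliberately left out of the
# AllowOverride list so a per-directory .htaccess cannot change it back.
# Keeping +SymLinksIfOwnerMatch matters on shared hosting: mod_rewrite in
# per-directory (.htaccess) context refuses to run unless FollowSymLinks or
# SymLinksIfOwnerMatch is enabled, so dropping both would break rewrites.
<Directory "/home">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
```

Note that the owner check performed by SymLinksIfOwnerMatch is exactly the check the race-condition patch discussed above tightens; the patch on its own does not turn that check on, so this configuration change is still required alongside it.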