security issue with error_log files

elleryjh

Well-Known Member
Apr 12, 2003
The error_log files that are created (I believe that's only with phpsuexec enabled) in each directory are accessible by apache (http://domain.com/error_log)

Although this problem is not urgent, it can create a security issue by possibly exposing inner workings of php scripts and exposing names of scripts that are being developed in that directory.

Recommendation to cpanel/phpsuexec/apache (I'm not sure who would be relevant here): chmod 600 these error_logs so they cannot be retrieved by apache

Recommendation to users:

In httpd.conf (usually /usr/local/apache/conf/httpd.conf), find this section:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

under it, ADD (DO NOT CHANGE):

<Files ~ "^error_log$">
Order allow,deny
Deny from all
Satisfy All
</Files>

This will create a 403 error on any file named error_log for any site
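As an added example (not code from any post in this thread), the chmod 600 recommendation above as a POSIX shell script that audits a document root for error_log files still readable by group or others and fixes them; it assumes GNU find (for -perm /mode) and a scan root you pass in (the /home path is a cPanel convention, not something the thread states):

```shell
#!/bin/sh
# Added example: audit and fix per-directory error_log files that phpsuexec
# leaves readable by the web server under a document root.
# Assumption: "readable by group or other" counts as exposed, since the
# apache user is neither the file owner nor normally in the owner's group.

# List error_log files readable by group or others, one path per line.
find_exposed_error_logs() {
    root="$1"
    # -perm /044: either the group-read or the other-read bit is set
    find "$root" -type f -name error_log -perm /044 2>/dev/null | sort
}

# Restrict every exposed error_log under the root to owner read/write (0600),
# as the post recommends. Prints each path it changed.
harden_error_logs() {
    root="$1"
    find_exposed_error_logs "$root" | while IFS= read -r f; do
        chmod 600 "$f" && printf '%s\n' "$f"
    done
}

# Return 0 if no error_log under the root is still readable by others.
verify_error_logs() {
    [ -z "$(find_exposed_error_logs "$1")" ]
}

# Demo in a constructed temp tree so it runs anywhere: ./script.sh --demo
# (on a real cPanel box you would pass /home instead).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/public_html/dev"
    echo "PHP Warning: sample (constructed)" > "$demo/public_html/error_log"
    echo "PHP Notice: sample (constructed)" > "$demo/public_html/dev/error_log"
    chmod 644 "$demo/public_html/error_log" "$demo/public_html/dev/error_log"
    echo "Exposed before:"; find_exposed_error_logs "$demo"
    harden_error_logs "$demo" > /dev/null
    verify_error_logs "$demo" && echo "All error_log files are now 0600"
    rm -rf "$demo"
fi
```

The <Files> block in the post stops Apache serving the file over HTTP; this script closes the same gap at the filesystem level, so the two are complementary rather than alternatives.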
 

sawbuck

Well-Known Member
Jan 18, 2004
cPanel Access Level
Root Administrator
Not sure what version of WHM/cPanel you are talking about but I receive a 403 error currently when accessing the example you provide (with phpsuexec enabled).
 

elleryjh

Well-Known Member
Apr 12, 2003
On a new RHE server with phpsuexec enabled, this is the behavior that I've seen several times for a while now, but just realised the security hole here.
 

elleryjh

Well-Known Member
Apr 12, 2003
No. The reason I haven't is because I don't think this is a bug in cPanel. I think it is actually apache's or phpsuexec's, and I'm not sure how to find out. Would you recommend that I submit a bug report to cPanel anyway?