security issue with error_log files

Discussion in 'Security' started by elleryjh, Sep 5, 2004.

  1. elleryjh

    The error_log files that are created (I believe that's only with phpsuexec enabled) in each directory are accessible by apache (http://domain.com/error_log).

    Although this problem is not urgent, it can create a security issue by possibly exposing inner workings of php scripts and exposing names of scripts that are being developed in that directory.

    Recommendation to cPanel/phpsuexec/apache (I'm not sure who would be relevant here): chmod 600 these error_logs so they cannot be retrieved by apache

    Recommendation to users:

    In httpd.conf (usually /usr/local/apache/conf/httpd.conf), find this section:

    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    under it, ADD (DO NOT CHANGE):

    <Files ~ "^error_log$">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    This will create a 403 error on any file named error_log for any site
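
An added example, not part of the original post and not cPanel's own code: a shell audit that applies both recommendations above, listing and tightening error_log files that group or other can read, and checking a config file for the deny block. The function names and the paths passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit per-directory PHP error_log files and the Apache
# deny block described in the post. Function names are hypothetical.

# List error_log files under ROOT that group or other can read
# (the mode bits a separate web-server user would rely on).
find_exposed_error_logs() {
    find "$1" -type f -name error_log \
        \( -perm -040 -o -perm -004 \) -print
}

# Apply the post's "chmod 600" recommendation to every exposed file
# under ROOT and print each path that was changed.
lock_error_logs() {
    find "$1" -type f -name error_log \
        \( -perm -040 -o -perm -004 \) \
        -exec chmod 600 {} \; -print
}

# Return 0 if CONF contains a <Files ~ "^error_log$"> section with
# "Deny from all" inside it, 1 otherwise. Directive names are matched
# case-insensitively; only this exact block form is recognised.
conf_denies_error_log() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files[ \t]+~[ \t]+"\^error_log\$">/ { inblk = 1; next }
        inblk && line ~ /^[ \t]*<\/files>/ { inblk = 0 }
        inblk && line ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Stand-alone use: sh audit.sh /home/user/public_html [httpd.conf]
if [ "$#" -ge 1 ]; then
    echo "Exposed error_log files under $1:"
    find_exposed_error_logs "$1"
    if [ "$#" -ge 2 ]; then
        if conf_denies_error_log "$2"; then
            echo "$2: error_log deny block present"
        else
            echo "$2: error_log deny block MISSING"
        fi
    fi
fi
```

Run `lock_error_logs` only on trees where the web server does not need to read those files; PHP running as the account owner under phpsuexec can still write to a mode 600 log it owns.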
     
  2. sawbuck

    Not sure what version of WHM/cPanel you are talking about but I receive a 403 error currently when accessing the example you provide (with phpsuexec enabled).
     
  3. elleryjh

    On a new RHE server with phpsuexec enabled, this is the behavior that I've seen several times for a while now, but just realised the security hole here.
     
  4. Myacen

    I can confirm this problem
     
  5. chirpy

    So, have you logged a bugzilla report?
     
  6. elleryjh

    No. The reason I haven't is because I don't think this is a bug in cPanel. I think it is actually apache's or phpsuexec's, and I'm not sure how to find out. Would you recommend that I submit a bug report to cPanel anyway?
     
  7. Myacen

    Yes, include the code to fix it too, otherwise you will be waiting a while for a response.
     