
security issue with error_log files

Discussion in 'Security' started by elleryjh, Sep 5, 2004.

  1. elleryjh

    elleryjh Well-Known Member

    The error_log files that are created (I believe that's only with phpsuexec enabled) in each directory are accessible by apache (http://domain.com/error_log).

    Although this problem is not urgent, it can create a security issue by possibly exposing inner workings of php scripts and exposing names of scripts that are being developed in that directory.

    Recommendation to cpanel/phpsuexec/apache (I'm not sure who would be relevant here): chmod 600 these error_logs so they cannot be retrieved by apache

    Recommendation to users:

    In httpd.conf (usually /usr/local/apache/conf/httpd.conf), find this section:

    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    under it, ADD (DO NOT CHANGE):

    <Files ~ "^error_log$">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    This will create a 403 error on any file named error_log for any site
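
A local check for both recommendations in the first post, as an added example that is not part of the thread: it lists error_log files readable by group or other, applies the chmod 600, and confirms that httpd.conf carries the deny block. The function names are hypothetical, and it assumes PHP writes the logs as the account owner (the phpsuexec case described above).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every file named exactly "error_log" under ROOT that is readable by
# group or other, i.e. potentially readable by the web server user.
exposed_error_logs() {
    find "$1" -type f -name error_log \( -perm -040 -o -perm -004 \) -print
}

# Apply the chmod 600 recommended in the post, to those files only.
tighten_error_logs() {
    find "$1" -type f -name error_log \( -perm -040 -o -perm -004 \) \
        -exec chmod 600 {} +
}

# Succeed only if CONF contains the <Files ~ "^error_log$"> block from the
# post and that block includes "Deny from all".
conf_denies_error_log() {
    awk '
        index($0, "<Files ~ \"^error_log$\">") { inblk = 1; next }
        inblk && /<\/Files>/ { inblk = 0 }
        inblk && tolower($0) ~ /deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# When run with arguments: audit ROOT and, if given, check CONF.
#   sh audit_error_log.sh /home /usr/local/apache/conf/httpd.conf
if [ -n "${1:-}" ]; then
    exposed_error_logs "$1"
    if [ -n "${2:-}" ]; then
        conf_denies_error_log "$2" || echo "no error_log deny block in $2"
    fi
fi
```

Run `tighten_error_logs` only after reviewing the list that `exposed_error_logs` prints.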
     
  2. sawbuck

    sawbuck Well-Known Member

    Not sure what version of WHM/cPanel you are talking about but I receive a 403 error currently when accessing the example you provide (with phpsuexec enabled).
     
  3. elleryjh

    elleryjh Well-Known Member

    On a new RHE server with phpsuexec enabled, this is the behavior that I've seen several times for a while now, but just realised the security hole here.
     
  4. Myacen

    Myacen Well-Known Member

    I can confirm this problem
     
  5. chirpy

    chirpy Well-Known Member

    So, have you logged a bugzilla report?
     
  6. elleryjh

    elleryjh Well-Known Member

    No. The reason I haven't is because I don't think this is a bug in cPanel. I think it is actually apache's or phpsuexec's, and I'm not sure how to find out. Would you recommend that I submit a bug report to cPanel anyway?
     
  7. Myacen

    Myacen Well-Known Member

    Yes, include the code to fix it too, otherwise you will be waiting a while for a response.
     