Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. brianoz

    Yes, and that's why I said change the mode of the PHP files, not the .html files. The .html files need to be readable by user nobody, but on a suPHP or similar server, where PHP runs under the user's userid, it's fine for the .php files to be mode 600.

    And yes, the users will change the mode of the files, which is why you should put the modes back periodically. They're not going to check very often, if at all, so long as the site continues to run and they can access their files, which they can.

    Security is made up of layers - the symlink protection, and then not being able to read the files - one being broken and you're still safe.

    Ultimately this is a hole in Apache for which cPanel should take greater responsibility - it's very serious, and needs to be treated as such and not just palmed off to Apache who don't necessarily completely understand all the uses that their software is put to.
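
An added example, not part of the thread: one way to put the modes back periodically as the post above describes, written in Python on the assumption that it is run on a schedule over one account's document root. The function and helper names are illustrative, and the sample tree is constructed.

```python
import os
import stat
import tempfile


def tighten_php_modes(docroot, mode=0o600):
    """Set regular *.php files under docroot to `mode`; return the paths changed."""
    changed = []
    # os.fwalk does not follow symlinked directories and yields a descriptor for
    # each directory, so every open below is relative to the directory walked.
    for dirpath, _dirs, files, dirfd in os.fwalk(docroot):
        for name in files:
            if not name.lower().endswith(".php"):
                continue  # .html and other static files stay readable by the web server
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
            try:
                fd = os.open(name, flags, dir_fd=dirfd)  # refuses a symlink named *.php
            except OSError:
                continue  # symlink, vanished file, or no read access
            try:
                st = os.fstat(fd)
                if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) != mode:
                    os.fchmod(fd, mode)  # changes the opened inode, not the path
                    changed.append(os.path.join(dirpath, name))
            finally:
                os.close(fd)
    return sorted(changed)


def build_sample_docroot(root):
    """Constructed sample: a docroot plus one file outside it reached by a symlink."""
    docroot, outside = os.path.join(root, "public_html"), os.path.join(root, "other.php")
    os.makedirs(docroot)
    for path, mode in ((os.path.join(docroot, "index.php"), 0o644),
                       (os.path.join(docroot, "config.php"), 0o600),
                       (os.path.join(docroot, "about.html"), 0o644),
                       (outside, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink(outside, os.path.join(docroot, "link.php"))
    return docroot, outside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docroot, _outside = build_sample_docroot(tmp)
        print(tighten_php_modes(docroot))
```

Because the mode is applied through a descriptor opened with O_NOFOLLOW, a symlink named `link.php` inside the document root is skipped and the file it points to keeps its mode.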
     
  2. brianoz

    Just tested - PHP files at mode 600 work perfectly on at least one of our servers. I'll come back and comment if there's an issue.
     
  3. kevinlevin

    Thanks, keep us posted.
     
  4. Arvand

    We've been battling with this across 150+ servers for months.

    After reading this post -

    Is the only thing that remotely helps. Of course, if you are hosting 100+ people per server, then you either need to go in and chmod their config files for them or let them know that they need to do it.

    Regardless, it's not perfect. The hackers will eventually add a .htaccess upload as part of their hack.

    This is becoming very widespread and if I were cPanel I would at least pay a little bit more attention to it because the common user with 1-2 servers is going to blame cPanel if they see that this is being done across all of their servers as well as their friends' servers. Pretty much every WordPress/Joomla/[insert popular PHP software] on the same system can be hacked through this.
     
  5. Arvand

    Here is what I found as part of a refined uploaded set of files which does include a .htaccess -

    #[D]eveloped l3y Me dont ask who im ...
    Options +FollowSymLinks
    DirectoryIndex Index.html
    Options +Indexes
    AddType text/plain .php
    AddHandler server-parsed .php

    SymLinksIfOwnerMatch still protects against this. They just need to get a little bit smarter...
     
  6. DomineauX

    A good method we have found is setting the following in Apache pre_virtualhost_global includes:

    <Directory "/home">
    Options +All +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>

    This requires all .htaccess files containing "FollowSymLinks" to be changed to "SymLinksIfOwnerMatch" and any future change by clients or installing new applications will result in 500 errors when using "FollowSymLinks" so inform your users that they must use "SymLinksIfOwnerMatch" instead.
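
One way to carry out the .htaccess change this post calls for, as an added Python example that is not DomineauX's or cPanel's code. The function name and sample file are constructed, and leaving `-FollowSymLinks` untouched for manual review is an assumption, since the thread does not say how it should be handled.

```python
import re

# Matches an Options directive: group 1 is indentation + keyword, group 2 its arguments.
OPTIONS_LINE = re.compile(r"^(\s*Options\s+)(\S.*?)\s*$", re.IGNORECASE)


def harden_htaccess(text):
    """Replace FollowSymLinks with SymLinksIfOwnerMatch in Options directives.
    Returns (new_text, changed, review): line numbers rewritten, and line numbers
    holding -FollowSymLinks, which is left alone for manual review (assumption)."""
    out, changed, review = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPTIONS_LINE.match(line)
        if m is None:
            out.append(line)  # comments and other directives pass through
            continue
        tokens, seen, touched = [], set(), False
        for tok in m.group(2).split():
            sign = tok[0] if tok[0] in "+-" else ""
            name = tok[len(sign):]
            if name.lower() == "followsymlinks":
                if sign == "-":
                    review.append(lineno)
                else:
                    name, touched = "SymLinksIfOwnerMatch", True
            if (sign, name.lower()) not in seen:  # do not emit the same option twice
                seen.add((sign, name.lower()))
                tokens.append(sign + name)
        out.append(m.group(1) + " ".join(tokens) if touched else line)
        if touched:
            changed.append(lineno)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed, review


# Constructed sample .htaccess, not taken from the thread.
SAMPLE = """\
# application defaults
Options +FollowSymLinks
RewriteEngine On
  options FollowSymLinks SymLinksIfOwnerMatch Indexes
Options -FollowSymLinks +Indexes
"""

if __name__ == "__main__":
    new_text, changed, review = harden_htaccess(SAMPLE)
    print(new_text, changed, review)
```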
     
  7. Arvand

    You are going to break Joomla. Every single Joomla customer will need to go inside their .htaccess and comment out Options +FollowSymLinks . (Including any new customers that install Joomla)

    You may have magical customers. But most of ours won't know what that means.

    I really wish something like this would have worked -

    But looks like when they set the FollowSymLinks, the SymLinksIfOwnerMatch is ignored...
     
    #47 Arvand, Nov 2, 2011
    Last edited: Nov 2, 2011
  8. DomineauX

    Yes Joomla and many other scripts indeed are broken by this which is why I said you have to change existing .htaccess files and inform customers of the required change for new scripts they install and to avoid them changing it themselves. I guess I should add that you also need to be able to support users who find this beyond them.

    But the symlink based compromising of data is prevented, so it is really your choice.
     
  9. Arvand

    Are you guys actively doing this?
     
  10. DomineauX

  11. brianoz

    One thing nobody seems to have thought of is that this mischief is only possible if a symlink is to a file, not a directory. I really can't think of many valid reasons for symlinking to an actual file.

    Secondly, the other option that could be used in an Apache patch to detect this is when a file extension is changed by the symlink. Obviously a link from a .txt extension to a .php extension is dodgy but there may be others.

    cPanel: this is serious mojo, equivalent in danger to cPanel servers getting hacked prior to suexec. Remember cPanel once had a rep for being insecure? Let's ensure cPanel retains its present much better reputation by being proactive. We're talking server-wide hacks here.
     
    #51 brianoz, Nov 4, 2011
    Last edited: Nov 4, 2011
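
The two signals raised in the post above (a symlink that resolves to a file rather than a directory, and a link whose extension differs from its target's), together with the owner comparison that SymLinksIfOwnerMatch performs, can also be checked from the filesystem side. This is an added example in Python, not code from the thread or from Apache; the function names and the sample tree are constructed.

```python
import os
import stat
import tempfile


def audit_symlinks(root):
    """Return (link, target, reasons) for symlinks under root that resolve to a
    regular file and either cross an ownership boundary or change extension."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            try:
                link_st = os.lstat(link)
                if not stat.S_ISLNK(link_st.st_mode):
                    continue
                target_st = os.stat(link)  # follows the link to its final target
            except OSError:
                continue  # dangling link, or entry removed during the scan
            if not stat.S_ISREG(target_st.st_mode):
                continue  # links to directories are not the pattern described
            target = os.path.realpath(link)
            reasons = []
            if link_st.st_uid != target_st.st_uid:
                reasons.append("owner-mismatch")  # what SymLinksIfOwnerMatch refuses
            if os.path.splitext(link)[1].lower() != os.path.splitext(target)[1].lower():
                reasons.append("extension-changed")
            if reasons:
                findings.append((link, target, reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: two account directories and three symlinks."""
    a, b = os.path.join(root, "alice"), os.path.join(root, "bob")
    os.makedirs(os.path.join(a, "public_html"))
    os.makedirs(os.path.join(b, "public_html"))
    for path in (os.path.join(b, "public_html", "settings.php"),
                 os.path.join(a, "public_html", "index.php")):
        open(path, "w").close()
    web = os.path.join(a, "public_html")
    os.symlink(os.path.join(b, "public_html", "settings.php"), os.path.join(web, "notes.txt"))
    os.symlink(os.path.join(web, "index.php"), os.path.join(web, "home.php"))
    os.symlink(os.path.join(b, "public_html"), os.path.join(web, "shared"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for link, target, reasons in audit_symlinks(tmp):
            print(link, "->", target, reasons)
```

In the constructed tree every file has the same owner, so only the extension check fires; on a real shared host the owner-mismatch reason is the one that corresponds to what SymLinksIfOwnerMatch would block.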
  12. Arvand

    Thanks for that.

    I've done searches across all our servers for .htaccess files that have Options FollowSymlinks and we are talking about ~10,000 websites affected. Clearly, that is not an option.

    I've discussed this with Igor from CloudLinux who has been trying to communicate with cPanel in this regard.

    I also had a ticket into cPanel 4 or 5 months ago which was simply dismissed as not having to do anything with them.

    I think based on your response, any one of the following Apache patches would help/work -

    1) Apache doesn't follow symlinks which have different extensions than the files they are linking to.
    2) Apache doesn't follow symlinks to files.
    3) Apache doesn't throw a 500 error if a .htaccess attempts to include an Option which is disallowed in the main httpd.conf .
     
  13. k-planethost

    What exact changes did you make to .htaccess, since not only Joomla and phphox sites are crashing?
    Get as an example if you want.
     
  14. StevenC

    I hate cPanel's stance on this so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.

    We are currently working on rewriting the patch, and part of Apache, to take care of some possible race conditions. But given the rare race condition possibility, this is by far a better option than causing everyone to have to reconfigure their .htaccess files or allowing your server to be wide open to attack.

    How to install our patch (Apache 2.2 only):


    If you have any issues, let us know, we would be interested in hearing it.
    If you want to thank us, you're free to do that as well.

    When trying to access a file located in another account via a symlink, you will see this in the error log:

    Also, find out if you're already a victim:

    ---

    How to remove?:

    Enjoy.
     
    #54 StevenC, Nov 5, 2011
    Last edited: Nov 6, 2011
  15. k-planethost

    Thanks for the suggestion, I appreciate this.
    One thing to ask:
    Server version: Apache/2.2.21 (Unix)
    Should it be working on Apache/2.2.21?
    If you build a new patch for this issue later on, is there any way to learn about it?
     
  16. hostnex


    We tried to run the patch on our test machine and found the result below.

    root@root [/scripts]# /scripts/before_apache_make
    --2011-11-06 15:09:33-- http://layer1.rack911.com/harden-symlinks.patch
    Resolving layer1.rack911.com... 69.65.40.29
    Connecting to layer1.rack911.com|69.65.40.29|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1902 (1.9K) [text/plain]
    Saving to: ‘harden-symlinks.patch’

    100%[==============================================================================================================================>] 1,902 --.-K/s in 0s

    2011-11-06 15:09:33 (181 MB/s) - ‘harden-symlinks.patch’

    can't find file to patch at input line 3
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |--- httpd-2.2.21.orig/include/http_core.h
    |+++ httpd-2.2.21/include/http_core.h
    --------------------------
    File to patch:
     
  17. StevenC

    You have to run easyapache after. That will incorporate the patch into apache.

     
  18. brianoz

    Thanks Steven; that's extremely generous of you to share this with the community at no charge.

    Nice, simple, idea! Symlinks aren't usable by hackers without FollowSymLinks, and if it checks for an owner match always, there's no security issue. And the use of /scripts/before_apache_make means it's a few seconds work to install. Thanks again!
     
  19. storminternet

    Indeed, setting up SymLinksIfOwnerMatch in the Apache conf improves the symlink protection and hence server security, but that affects server performance. However, server security cannot be compromised against server performance.
     
  20. hostnex

    At least the patch is not working for us. If someone needs a step-by-step guide to replicate, please contact us.
     