This does work for us. Thank you.I hate cpanels stance on this so we have created a patch and have been using for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the apache source code level.
We currently are working on rewriting the patch, and part of apache to take care of some possible race conditions. But given the rare race condition possibility, this is by far a better option than causing everyone to have to reconfigure their .htaccess files or allowing your server to be wide open to attack.
How to install our patch (apache 2.2 only):
If you have any issues, let us know, we would be interested in hearing it.
If you want to thank us, your free to do that aswell.
When trying to access a file located in another account via a symlink, you will see this in the error log:
Also, find out if your already a victim:
How to remove?:
What is however unfortunate is that by having this public, it may further re-enforce the false notion that this has nothing to do with cpanel and that they should not be concerned about this. (I hope this isn't the case)
At this point in time, tens of thousands of servers are currently vulnerable. cPanel is getting paid a monthly premium to provide a secure management experience for the administrators of those servers. And in this case, greatly failing to do so.
To cPanel - Here is a simple analogy which may better describe why I feel you should at least be notifying your customers. If you were a grocery store and you sold meat, then a customer came in and said that meat over there killed my son because it has E coli. Would you sit there and say, well, that's not our meat - it comes from the so and so farm. We just package it and sell it. Go talk to the farm?!?
This sort of behavior, when this issue has been repeatedly brought up to Cpanel, is exactly whats expected of Parallels not cPanel...