
Issue with Apache and SymLinks

The symlink vulnerability in Apache is a well-known problem in shared hosting environments.

The first step the attacker takes is to find a single compromised website or domain on the server that runs a vulnerable script, third-party application or theme. Once he has access to that one domain, he moves on by creating symlinks to the other websites on the server, or even a symlink to / (the root of the filesystem).

For example, if the following symlink exists in any domain,

link -> /root

then anyone can use the directory 'link' to reach /root and read any sensitive file there.

Rather than creating such symlinks by hand, the attacker can use a Perl/CGI script to create symlinks to the directories of the other users on the server.

As a basic solution, make sure Apache is configured not to follow symlinks (Options -FollowSymLinks).

================

To stop Apache from following symbolic links in users' requests, remove the FollowSymLinks option from your Directory blocks.

For example, if the configuration was:

<Directory "/usr/local/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Remove the FollowSymLinks reference so that this reads:

<Directory "/usr/local/apache/htdocs">
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
</Directory>

================

If you really need symlinks, use the "SymLinksIfOwnerMatch" option instead, so that Apache follows a link only when the link and its target are owned by the same user.
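Whether or not FollowSymLinks is disabled, it is worth knowing which links already exist under a document root and where they lead. The script below is an added example (it is not from the original post and not a cPanel tool): it lists every symlink under a document root whose resolved target lies outside the owning account's home directory, which is exactly the kind of link the attack above depends on. The directory layout it builds (users alice and bob, a constructed wp-config.php) is a constructed fixture for demonstration only; the script assumes GNU or BusyBox coreutils (readlink -f, find -type l).

```shell
#!/bin/sh
# Added example, not part of the original post: report symlinks under a
# document root that resolve to a path outside the account's home directory.
# Assumes readlink -f and find -type l (GNU or BusyBox coreutils).

# find_escaping_symlinks DOCROOT ALLOWED_BASE
# Prints "link -> target" for every symlink below DOCROOT whose fully
# resolved target is not ALLOWED_BASE or something below it. Dangling links
# are reported as well, because their unresolved target is still outside.
# Prints nothing when the tree is clean.
find_escaping_symlinks() {
    docroot=$1
    base=$(readlink -f -- "$2")
    find "$docroot" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f -- "$link")
        case "$target" in
            "$base" | "$base"/*) ;;   # resolves inside the allowed tree: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# count_escaping_symlinks DOCROOT ALLOWED_BASE: same check, number of hits on stdout.
count_escaping_symlinks() {
    find_escaping_symlinks "$1" "$2" | grep -c . || true
}

# build_fixture DIR: constructed layout imitating two hosting accounts. Alice's
# public_html holds one harmless link (inside her home) and two escaping ones
# (bob's config file and the filesystem root), so the check has something to find.
build_fixture() {
    mkdir -p "$1/home/alice/public_html" "$1/home/bob"
    echo 'constructed secret, not a real config' > "$1/home/bob/wp-config.php"
    echo 'hello' > "$1/home/alice/public_html/index.html"
    ln -s "$1/home/alice/public_html/index.html" "$1/home/alice/public_html/ok.lnk"
    ln -s "$1/home/bob/wp-config.php" "$1/home/alice/public_html/steal.lnk"
    ln -s / "$1/home/alice/public_html/root.lnk"
}

# Usage: ./check_symlinks.sh DOCROOT ALLOWED_BASE
# Without arguments it runs against the constructed fixture and removes it again.
if [ "$#" -eq 2 ]; then
    find_escaping_symlinks "$1" "$2"
else
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    find_escaping_symlinks "$tmp/home/alice/public_html" "$tmp/home/alice"
    rm -rf "$tmp"
fi
```

On a cPanel-style server the natural loop is over /home/*/public_html with /home/USER as the allowed base; a non-empty report for an account is a strong signal that the account is already compromised, and the link itself should be removed and the offending script tracked down rather than only hiding the link behind Options -FollowSymLinks.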

To prevent PHP scripts from accessing files outside their own account's directory, set the 'open_basedir' option (in the PHP configuration file) so that each account can only reach its own directory.

This option can be enabled from WHM, but :

==========

This security tweak uses Apache DSO style directives. If PHP is
configured to run as a CGI, SuPHP or
FastCGI process, the open_basedir setting must be manually specified
in the relevant php.ini file.
See the EasyApache documentation for more information.

==========

If the PHP handler is set to CGI or SuPHP, the tweak settings seen in WHM cannot be used to set the open_basedir option.

You need to set open_basedir manually in the global PHP configuration file (run php -i | grep php.ini to find the php.ini location).
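Because the WHM tweak does not reach CGI/SuPHP setups, it is easy to end up with a php.ini where open_basedir is commented out or still lists a directory far wider than the account. The script below is an added example (not from the original post, not a cPanel or PHP tool): it reads the effective open_basedir from a php.ini and checks that it is set and that every listed path is the account's home directory, something below it, or /tmp. The php.ini files it writes are constructed fixtures; the script assumes the usual "key = value" form of php.ini and standard sed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit open_basedir in a php.ini.
# Assumes a php.ini in "key = value" form, with ';' starting comment lines.

# get_open_basedir INI_FILE
# Prints the effective open_basedir value (the last uncommented assignment
# wins, as it does in PHP), with surrounding quotes removed, or nothing if unset.
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" \
        | tail -n 1
}

# check_open_basedir INI_FILE HOME_DIR
# Returns 0 when open_basedir is set and every colon-separated entry is HOME_DIR,
# a path below it, or /tmp (needed for uploads and sessions). Otherwise prints the
# reason and returns 1.
check_open_basedir() {
    value=$(get_open_basedir "$1")
    if [ -z "$value" ] || [ "$value" = "none" ]; then
        echo "open_basedir is unset in $1: PHP may read any file its user can"
        return 1
    fi
    home=${2%/}
    rc=0
    old_ifs=$IFS
    IFS=:
    for entry in $value; do
        case "$entry" in
            "$home" | "$home"/* | /tmp | /tmp/) ;;
            *) echo "open_basedir entry '$entry' lies outside $home"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# write_ini FILE VALUE: constructed php.ini fragment; an empty VALUE leaves
# open_basedir unset (only a commented-out line remains, as stock files often have).
write_ini() {
    {
        echo '; constructed php.ini fragment for demonstration'
        echo ';open_basedir = "/"'
        if [ -n "$2" ]; then
            echo "open_basedir = \"$2\""
        fi
        echo 'upload_tmp_dir = /tmp'
    } > "$1"
}

# Usage: ./check_open_basedir.sh PHP_INI HOME_DIR
# Without arguments it demonstrates the three cases on constructed files.
if [ "$#" -eq 2 ]; then
    check_open_basedir "$1" "$2"
else
    d=$(mktemp -d)
    write_ini "$d/good.ini" "/home/alice:/tmp"
    write_ini "$d/wide.ini" "/home/alice:/home:/tmp"
    write_ini "$d/unset.ini" ""
    for f in good wide unset; do
        if check_open_basedir "$d/$f.ini" /home/alice; then
            echo "$f.ini: ok"
        fi
    done
    rm -rf "$d"
fi
```

An entry such as /home in the "wide" case is the one to watch for: it satisfies a naive "is open_basedir set?" check while still letting one account's PHP read every other account's files, which is precisely what the symlink attack is after.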

In addition, there are various patches that help prevent this symlink attack:

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441

Keep in mind that the root cause of this attack or vulnerability is any insecure script, plugin or application deployed in one of the domains.