
As a server administrator I would like an option in EasyApache to patch Apache for the Apache Symlink exploit

Mike shared this idea 6 years ago
Completed

On servers that don't run CloudLinux Securelinks and that allow .htaccess files, a hacker who manages to hack a single account can then gain read access to any PHP scripts that are readable by Apache's user "nobody".

Once a hacker gains read access to the script's configuration file (that contains the database password) he can then run SQL commands on that site's database (changing, for example, the WordPress username and password).

Some big hosts have had all their WordPress instances hacked because of this flaw, and while Apache slowly decides to improve their symlink management we would like cPanel to give us an option in EasyApache to patch the Apache core to replace the FollowSymLinks option with SymLinksIfOwnerMatch.

This patch will only be effective when there isn't a race condition, as Apache does not protect the SymLinksIfOwnerMatch option against this problem, but it will provide the most effective way currently available for hosts that don't have CloudLinux and need .htaccess support for their customers.


Here's some more information about this exploit:


http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242.html


http://www.cloudlinux.com/docs/securelinks.php


http://www.raidten.com/followsymlink-web-server-vulnerability/


http://mail-archives.apache.org/mod_mbox/httpd-dev/201210.mbox/%3C5090AD37.1070303@bluehost.com%3E

Comments (11)

7

I believe this should be implemented as an urgent security improvement. The patch from Rack911 seems to have stopped the endless attacks across our servers, so even if it's not foolproof it's certainly stopped attacks in our case, I guess because it's made it much harder to exploit. The patch from 911 is here: http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p4.html#post996441

I would strongly request cPanel to consider making this a standard part of the EasyApache build process! It seems silly not to!

2

This should have been done many months ago already. It is time that cPanel stops pretending that the issue is not their problem.

1

I've been bitten by this, and now I'm scanning the servers for symlinks with a cron. It's a huge security hole.

1

Yes please!! ... I had big trouble because of this and patched manually, but it would be a VERY GOOD idea to have the patch in EasyApache to build. I really NEVER figured this out until I got a lot of hacked accounts on the server, and found the cause to be the fu**ing symlink!

Thanks!

5

It's hard to understand how insecure your cPanel servers can be until you are hit by this. The fact that this is a kernel or Apache vulnerability is of ZERO interest to us. cPanel is built upon such free products. We are paying cPanel especially to take care of big problems (like this one) and only then smaller ones (interface, more functionality etc). It's very disappointing that since 2011, when this problem surfaced, it's still left without a solution AND an official guide from cPanel. Please shape up or all of us are going to lose from this.

PS: disabling FollowSymLinks from WHM -> ... proved to be 100% ineffective.

1

One of my cPanel servers got hacked, I need a cron script to detect symlinks, please help!

1

Marian Titieni wrote:

"One of my cPanel servers got hacked, I need a cron script to detect symlinks, please help!"

This would effectively find symlinks under ./public_html for users:

  # one pass per unique user (second column of /etc/userdomains)
  awk '{print $2}' /etc/userdomains | sort -u | while read -r i; do find "/home/$i/public_html" -type l -exec ls -lad {} \; ; done
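
Added example, not part of the thread and not cPanel's or Rack911's code: a cron-friendly audit that narrows the listing above to the symlinks that matter, namely those under public_html that resolve outside the account's home or whose target has a different owner than the link (the comparison SymLinksIfOwnerMatch makes). It assumes homes at /home/<user> and a "domain: user" layout in /etc/userdomains, as the command above implies; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report symlinks under each account's public_html that leave the account
or point at something owned by a different user. Added example only."""
import os
import sys


def audit_symlinks(home, docroot="public_html"):
    """Return sorted (link, resolved_target, reasons) for suspicious links."""
    home_real = os.path.realpath(home)
    findings = []
    # os.walk does not descend into symlinked directories by default, but it
    # still lists them in dirnames, so both name lists are checked.
    for dirpath, dirnames, filenames in os.walk(os.path.join(home_real, docroot)):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            reasons = []
            if os.path.commonpath([home_real, target]) != home_real:
                reasons.append("outside-home")
            try:
                # Same comparison as SymLinksIfOwnerMatch: link owner vs target owner.
                if os.stat(link).st_uid != os.lstat(link).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                reasons.append("unresolvable")  # dangling, looping or unreadable
            if reasons:
                findings.append((link, target, reasons))
    return sorted(findings)


def cpanel_users(userdomains="/etc/userdomains"):
    """Unique users from the second column, as in the awk command above."""
    with open(userdomains) as fh:
        return sorted({f[1] for f in (line.split() for line in fh) if len(f) > 1})


if __name__ == "__main__":
    # Assumption: homes live at /home/<user>, as in the command above.
    hits = [f for user in cpanel_users()
            for f in audit_symlinks(os.path.join("/home", user))]
    for link, target, reasons in hits:
        print(f"{link} -> {target} [{','.join(reasons)}]")
    sys.exit(1 if hits else 0)  # non-zero exit when anything was flagged
```

Run from root's crontab, it prints nothing when no link is flagged, so cron only sends mail when there is something to review.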

1

This feature has been released now; you can activate the symlink race conditions in EasyApache.

2

The Patch in EA leaves much to be desired. It would be better if they offered that one and the rack911 style patch. Obviously the options would have to be mutually exclusive. The one they offer will break things if you're not using SuPHP and sites have files owned by 'nobody.' See http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p20.html#post1341651 and the following posts.

1

The patch in WHM is pointless and causes problems and affects performance.

cPanel should obtain permission from rack911 to use their patch or develop their own patch that does the same thing as rack911's patch.

1

The patch is not pointless. At least in suPHP servers (the way most servers are compiled) it seems to really help. And I believe the setups that involve mod_php and files owned by nobody were generally insecure even before the symlink attacks. I can't speak about the performance though.
