symlink security issue - cPanel

cPanel symlink exploit

There is a serious security hole in the way that Apache handles symlinks on servers.

This allows an exploited account on a server to view .php files owned by other accounts, thus a single-account potentially exploits many accounts on the server.

The exploit, in general terms, is to create a symbolic link file (eg public_html/fred.txt) pointing to a wp-config.php file (eg /home/otheracct/public_html/wp-config.php) which contains database user and password which will occasionally be the cpanel username/password. The file is then readable via a web browser. If the user has been unwise enough to use their cpanel username/password for the database.

This script will find if there is any symlinks in the users home directory and save the output to /root/symlinks.txt

root@server1 [~]# find /home*/*/public_html -type l >> /root/symlinks.txt

Solution :-

Rack911 has published an easyapache patch which adds the file /scripts/before-apache-make to force SymLinksIfOwnerMatch to be always on.

root@server1 [~]# wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make

root@server1 [~]# chmod 700 /scripts/before_apache_make

Rebuild apache after.
root@server1 [~]# /scripts/easyapache

Enable Symlink Race Condition Protection from Exhaustive Options list during the EasyApache build process.

symlink security issue - cPanel