Friday, 28 March 2014

symlink security issue - cPanel

cPanel symlink exploit


There is a serious security hole in the way Apache handles symbolic links on shared servers: with the FollowSymLinks option enabled, Apache follows a symlink no matter who owns the file it points to, so the web server will serve one account's files out of another account's document root.


This allows an attacker who has compromised one account on the server to read the .php files owned by every other account, so a single compromised account can potentially lead to the compromise of many accounts on the same server.


The exploit, in general terms, is to create a symbolic link (eg public_html/fred.txt) pointing to another account's wp-config.php (eg /home/otheracct/public_html/wp-config.php). Because the link ends in .txt rather than .php, Apache serves the target as plain text instead of executing it, so the database username and password inside are readable in a web browser. Occasionally those are also the victim's cPanel username and password, if the user has been unwise enough to reuse their cPanel login for the database, in which case the whole account is lost.


This command lists every symlink in each account's public_html and appends the output to /root/symlinks.txt for review:


root@server1 [~]# find /home*/*/public_html -type l >> /root/symlinks.txt


Solution :-


Rack911 has published an EasyApache patch which adds the hook script /scripts/before_apache_make to force the owner check (the SymLinksIfOwnerMatch behaviour) to be always on, so that FollowSymLinks can no longer be used to serve files owned by another account.


root@server1 [~]# wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make

root@server1 [~]# chmod 700 /scripts/before_apache_make


Rebuild Apache afterwards so that the hook runs during the build:
root@server1 [~]# /scripts/easyapache


Also enable "Symlink Race Condition Protection" from the Exhaustive Options list during the EasyApache build. The plain SymLinksIfOwnerMatch check on its own can be raced, since the link can be swapped between the moment Apache checks the owner and the moment it opens the file, and that is the gap this option is meant to close.



