Re: Apache directory traversal on shared hosting environment.

["Ben M. Thomas" <ben@xxxxxxxxxx>]

This is cPanel's full response to David Collins:

> Hello and thank you again for reporting this security issue to  
> cPanel. We appreciate your interest in helping secure the shared  
> hosting environment.
>
> cPanel attempts to deliver a default configuration that suits the  
> majority of our customers. cPanel makes every attempt to provide  
> straight forward interfaces that allow server administrators to  
> configure their hosting platform to serve the needs of their end  
> users. cPanel provides no guarantee of complete security under the  
> default configuration as our product is tailored to suit the  
> majority of hosting providers' needs. cPanel provides every  
> reasonable means known by us to configure a relatively secure shared  
> hosting platform. We encourage our customers to explore their  
> servers' settings in order to deliver a hosting product that best  
> suits their unique customers.
>
> After thoroughly investigating your report, we have come to the  
> conclusion that this does not represent any deviation from the  
> intended and documented behavior of Apache. As noted in your report,  
> Apache's behavior with regard to symlinks is easily configurable via  
> the FollowSymlinks and SymLinksIfOwnerMatch options. These settings  
> can be changed inside WHM via Service Configuration -> Apache  
> Configuration -> Global Configuration.  Simply uncheck  
> "FollowSymLinks" in the "Directory / Options" section, save your  
> settings and rebuild the configuration and restart Apache. Disabling  
> "Options" overrides can be done via the Apache include editor by  
> specifying an AllowOverride setting for the /home directory.
>
> We do not recommend using your attached patch. The change will break  
> the intended functionality of FollowSymLinks and will ultimately  
> confuse users and administrators who are accustomed to the  
> documented behavior. Additionally, the patch will require a  
> recompilation of Apache and would be difficult to deploy on a large  
> scale. It should also be pointed out that Apache makes no attempt to  
> prevent any type of symlink race condition attacks.
>
>     http://httpd.apache.org/docs/2.2/mod/core.html#options
>
>     "Omitting this option should not be considered a security  
> restriction, since symlink testing is subject to race conditions  
> that make it circumventable."
>
> In reality it is trivial to trick Apache into processing a symlink  
> as if it was a regular file regardless of the configuration  
> settings. In terms of security, administrators should assume that  
> any file that is readable by the 'nobody' user is potentially  
> readable by other accounts.
>
> The desired result can best be achieved through a conscientious  
> configuration of Apache and PHP. In our opinion, the best method to  
> secure sensitive files is to configure all accounts to use mod_suphp  
> and suexec, and that all such files have restrictive permissions so  
> that only the user who owns them may read them.
>
>    http://www.cpanel.net/support/docs/ea/ea3/ea3php_hardening_php.html
>
> We hope this information will help you make an informed decision in  
> your pursuit of securing the shared hosting environment. Please let  
> us know if you have any remaining questions or concerns.



On Feb 18, 2009, at 11:48 PM, davec@xxxxxxxxxxxxx wrote:

> Apache implementation directory traversal and sensitive file  
> disclosure in Shared Hosting environment.

-----------------------
Ben M. Thomas
cPanel, Inc.