Re: Apache directory traversal on shared hosting environment.
This is cPanel's full response to David Collins:
Hello and thank you again for reporting this security issue to
cPanel. We appreciate your interest in helping secure the shared
hosting environment.
cPanel attempts to deliver a default configuration that suits the
majority of our customers. cPanel makes every attempt to provide
straight forward interfaces that allow server administrators to
configure their hosting platform to serve the needs of their end
users. cPanel provides no guarantee of complete security under the
default configuration as our product is tailored to suit the
majority of hosting providers' needs. cPanel provides every
reasonable means known by us to configure a relatively secure shared
hosting platform. We encourage our customers to explore their
servers' settings in order to deliver a hosting product that best
suits their unique customers.
After thoroughly investigating your report, we have come to the
conclusion that this does not represent any deviation from the
intended and documented behavior of Apache. As noted in your report,
Apache's behavior with regard to symlinks is easily configurable via
the FollowSymlinks and SymLinksIfOwnerMatch options. These settings
can be changed inside WHM via Service Configuration -> Apache
Configuration -> Global Configuration. Simply uncheck
"FollowSymLinks" in the "Directory / Options" section, save your
settings and rebuild the configuration and restart Apache. Disabling
"Options" overrides can be done via the Apache include editor by
specifying an AllowOverride setting for the /home directory.
We do not recommend using your attached patch. The change will break
the intended functionality of FollowSymLinks and will ultimately
confuse users and administrators who are accustomed to the
documented behavior. Additionally, the patch will require a
recompilation of Apache and would be difficult to deploy on a large
scale. It should also be pointed out that Apache makes no attempt to
prevent any type of symlink race condition attacks.
http://httpd.apache.org/docs/2.2/mod/core.html#options
"Omitting this option should not be considered a security
restriction, since symlink testing is subject to race conditions
that make it circumventable."
In reality it is trivial to trick Apache into processing a symlink
as if it was a regular file regardless of the configuration
settings. In terms of security, administrators should assume that
any file that is readable by the 'nobody' user is potentially
readable by other accounts.
The desired result can best be achieved through a conscientious
configuration of Apache and PHP. In our opinion, the best method to
secure sensitive files is to configure all accounts to use mod_suphp
and suexec, and that all such files have restrictive permissions so
that only the user who owns them may read them.
http://www.cpanel.net/support/docs/ea/ea3/ea3php_hardening_php.html
We hope this information will help you make an informed decision in
your pursuit of securing the shared hosting environment. Please let
us know if you have any remaining questions or concerns.
On Feb 18, 2009, at 11:48 PM, davec@xxxxxxxxxxxxx wrote:
Apache implementation directory traversal and sensitive file
disclosure in Shared Hosting environment.
-----------------------
Ben M. Thomas
cPanel, Inc.