<<< Date Index >>>     <<< Thread Index >>>

Re: Apache directory traversal on shared hosting environment.



This is cPanel's full response to David Collins:

Hello and thank you again for reporting this security issue to cPanel. We appreciate your interest in helping secure the shared hosting environment.

cPanel attempts to deliver a default configuration that suits the majority of our customers. cPanel makes every attempt to provide straight forward interfaces that allow server administrators to configure their hosting platform to serve the needs of their end users. cPanel provides no guarantee of complete security under the default configuration as our product is tailored to suit the majority of hosting providers' needs. cPanel provides every reasonable means known by us to configure a relatively secure shared hosting platform. We encourage our customers to explore their servers' settings in order to deliver a hosting product that best suits their unique customers.

After thoroughly investigating your report, we have come to the conclusion that this does not represent any deviation from the intended and documented behavior of Apache. As noted in your report, Apache's behavior with regard to symlinks is easily configurable via the FollowSymlinks and SymLinksIfOwnerMatch options. These settings can be changed inside WHM via Service Configuration -> Apache Configuration -> Global Configuration. Simply uncheck "FollowSymLinks" in the "Directory / Options" section, save your settings and rebuild the configuration and restart Apache. Disabling "Options" overrides can be done via the Apache include editor by specifying an AllowOverride setting for the /home directory.

We do not recommend using your attached patch. The change will break the intended functionality of FollowSymLinks and will ultimately confuse users and administrators who are accustomed to the documented behavior. Additionally, the patch will require a recompilation of Apache and would be difficult to deploy on a large scale. It should also be pointed out that Apache makes no attempt to prevent any type of symlink race condition attacks.

    http://httpd.apache.org/docs/2.2/mod/core.html#options

"Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable."

In reality it is trivial to trick Apache into processing a symlink as if it was a regular file regardless of the configuration settings. In terms of security, administrators should assume that any file that is readable by the 'nobody' user is potentially readable by other accounts.

The desired result can best be achieved through a conscientious configuration of Apache and PHP. In our opinion, the best method to secure sensitive files is to configure all accounts to use mod_suphp and suexec, and that all such files have restrictive permissions so that only the user who owns them may read them.

   http://www.cpanel.net/support/docs/ea/ea3/ea3php_hardening_php.html

We hope this information will help you make an informed decision in your pursuit of securing the shared hosting environment. Please let us know if you have any remaining questions or concerns.



On Feb 18, 2009, at 11:48 PM, davec@xxxxxxxxxxxxx wrote:

Apache implementation directory traversal and sensitive file disclosure in Shared Hosting environment.

-----------------------
Ben M. Thomas
cPanel, Inc.