symlink security issue in cPanel

Posted: 2p in cPanel

cPanel symlink exploit

There is a serious security hole in the way that Apache handles symlinks on servers.

This allows a compromised account on a server to read .php files owned by other accounts, so a single compromised account can potentially expose every other account on the server.

The exploit, in general terms, is to create a symbolic link (eg public_html/fred.txt) pointing at another account's wp-config.php (eg /home/otheracct/public_html/wp-config.php). That file contains the database username and password, and if the other user has been unwise enough to reuse their cPanel username/password for the database, those are the cPanel credentials as well. The linked file is then readable via a web browser.

This command finds any symlinks in each user's public_html directory and appends the list to /root/symlinks.txt:

find /home*/*/public_html -type l >> /root/symlinks.txt
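The one-liner above lists every symlink but leaves you to judge which ones matter. The script below is an added example, not part of the original post: it walks each account's public_html and reports links whose target resolves outside that account's own home, or whose target is owned by a different uid than the link (the same test Apache's SymLinksIfOwnerMatch applies). It assumes GNU readlink -f and stat -c, and the /home layout used on this page (/home/<account>/public_html).

```shell
#!/bin/sh
# Added example: audit symlinks under every account's public_html and report
# the ones Apache should never follow. Assumes GNU readlink -f and stat -c.
# Usage: audit_symlinks /home
audit_symlinks() {
  home_root=$(readlink -f -- "$1") || return 1
  find "$home_root"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
    # The account home is the first path component below home_root.
    rest=${link#"$home_root"/}
    acct_home="$home_root/${rest%%/*}"
    target=$(readlink -f -- "$link" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -e "$target" ]; then
      printf 'DANGLING %s\n' "$link"
      continue
    fi
    # Does the resolved target live inside the linking account's home?
    case "$target" in
      "$acct_home"/*) outside=0 ;;
      *)              outside=1 ;;
    esac
    # stat without -L reports on the link itself, so this is the link owner.
    link_uid=$(stat -c %u -- "$link")
    target_uid=$(stat -c %u -- "$target")
    if [ "$outside" -eq 1 ] || [ "$link_uid" != "$target_uid" ]; then
      printf 'SUSPECT %s -> %s (link uid %s, target uid %s)\n' \
        "$link" "$target" "$link_uid" "$target_uid"
    fi
  done
}

# Number of SUSPECT findings for a given home root (always exits 0).
count_suspects() {
  audit_symlinks "$1" | grep -c '^SUSPECT' || true
}
```

Run it as root (so every account's files are readable) and review each SUSPECT line; a link from one account's public_html into another account's home is exactly the pattern described above, and DANGLING links are worth a look too since the target may simply not have been created yet.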

Solution :-

Rack911 has published an EasyApache patch which installs the hook script /scripts/before_apache_make to force SymLinksIfOwnerMatch to be always on.

wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
chmod 700 /scripts/before_apache_make

Then rebuild Apache:
/scripts/easyapache

Enable "Symlink Race Condition Protection" from the Exhaustive Options list during the EasyApache build process.
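After the rebuild it is worth confirming that nothing in the Apache configuration still grants FollowSymLinks, since that option lets Apache follow a link regardless of who owns the target. The check below is an added example, not the Rack911 patch or anything from the original post: it scans an httpd.conf for Options lines that enable FollowSymLinks (directly, with a + prefix, or through All, which includes it). The config path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example: report Options lines that enable FollowSymLinks.
# Prints file:line: text for each hit. Plain awk, no GNU extensions needed.
# Usage: check_symlink_options /usr/local/apache/conf/httpd.conf
check_symlink_options() {
  awk '
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++) {
        f = tolower($i)
        # "FollowSymLinks", "+FollowSymLinks" and "All" enable the option;
        # "-FollowSymLinks" does not, and SymLinksIfOwnerMatch is the safe form.
        if (f == "followsymlinks" || f == "+followsymlinks" || f == "all" || f == "+all") {
          print FILENAME ":" NR ": " $0
          break
        }
      }
    }' "$1"
}

# Number of offending lines in a config file (always exits 0).
count_followsymlinks() {
  check_symlink_options "$1" | grep -c '' || true
}
```

A hit is not always a misconfiguration (a directory that contains only root-owned content may legitimately use FollowSymLinks), but each one should be reviewed, and on a shared host the Options lines covering /home should read -FollowSymLinks +SymLinksIfOwnerMatch. Remember that AllowOverride Options lets accounts re-enable FollowSymLinks from .htaccess, which is why the page's fix forces the behaviour in the build rather than relying on httpd.conf alone.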

Done 🙂
