| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1E66F3A4-7AE8-440C-BE41-262F1667113F@cpanel.net> Date: Thu, 19 Feb 2009 11:42:19 -0600 From: "Ben M. Thomas" <ben@...nel.net> To: bugtraq@...urityfocus.com Subject: Re: Apache directory traversal on shared hosting environment. This is cPanel's full response to David Collins: > Hello and thank you again for reporting this security issue to > cPanel. We appreciate your interest in helping secure the shared > hosting environment. > > cPanel attempts to deliver a default configuration that suits the > majority of our customers. cPanel makes every attempt to provide > straight forward interfaces that allow server administrators to > configure their hosting platform to serve the needs of their end > users. cPanel provides no guarantee of complete security under the > default configuration as our product is tailored to suit the > majority of hosting providers' needs. cPanel provides every > reasonable means known by us to configure a relatively secure shared > hosting platform. We encourage our customers to explore their > servers' settings in order to deliver a hosting product that best > suits their unique customers. > > After thoroughly investigating your report, we have come to the > conclusion that this does not represent any deviation from the > intended and documented behavior of Apache. As noted in your report, > Apache's behavior with regard to symlinks is easily configurable via > the FollowSymlinks and SymLinksIfOwnerMatch options. These settings > can be changed inside WHM via Service Configuration -> Apache > Configuration -> Global Configuration. Simply uncheck > "FollowSymLinks" in the "Directory / Options" section, save your > settings and rebuild the configuration and restart Apache. Disabling > "Options" overrides can be done via the Apache include editor by > specifying an AllowOverride setting for the /home directory. > > We do not recommend using your attached patch. The change will break > the intended functionality of FollowSymLinks and will ultimately > confuse users and administrators who are accustomed to the > documented behavior. Additionally, the patch will require a > recompilation of Apache and would be difficult to deploy on a large > scale. It should also be pointed out that Apache makes no attempt to > prevent any type of symlink race condition attacks. > > http://httpd.apache.org/docs/2.2/mod/core.html#options > > "Omitting this option should not be considered a security > restriction, since symlink testing is subject to race conditions > that make it circumventable." > > In reality it is trivial to trick Apache into processing a symlink > as if it was a regular file regardless of the configuration > settings. In terms of security, administrators should assume that > any file that is readable by the 'nobody' user is potentially > readable by other accounts. > > The desired result can best be achieved through a conscientious > configuration of Apache and PHP. In our opinion, the best method to > secure sensitive files is to configure all accounts to use mod_suphp > and suexec, and that all such files have restrictive permissions so > that only the user who owns them may read them. > > http://www.cpanel.net/support/docs/ea/ea3/ea3php_hardening_php.html > > We hope this information will help you make an informed decision in > your pursuit of securing the shared hosting environment. Please let > us know if you have any remaining questions or concerns. On Feb 18, 2009, at 11:48 PM, davec@...tgator.com wrote: > Apache implementation directory traversal and sensitive file > disclosure in Shared Hosting environment. ----------------------- Ben M. Thomas cPanel, Inc.
Powered by blists - more mailing lists