Tag Archives: FollowSymLinks

SymLinks Attacks and prevention !

The vulnerability with Symlinks and Apache is a known cause of attack.

Initially, the attacker will find a compromised ‘single’ website or domain which has got any vulnerable scripts or 3rd party applications or any themes used in it and try to get access to the files.

Once he get access to a single domain, he moves forward by creating the symlinks to other websites or even he can symlink to / (root).

For eg, if you have the following symlink set in any domain,

link -> /root , using the directory ‘link’ anyone can actually access /root and can access any sensitive file.

Rather than manually creating this sort of symlinks, the hacker can even use any perl/cgi script to create a symlink to other users of the server.

As a basic solution for this, you can ensure that Apache is configured in a way so as not to following symlinks (Options -FollowSymLinks)

— To disable the ability for Apache to allow users to follow symbolic links in their requests, remove the FollowSymLinks directive on your Directory commands.

For example, if the below was the configuration then,

<Directory "/usr/local/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverrride None
Order allow,deny
Allow from all

Remove the FollowSymLinks reference so that this reads:

<Directory "/usr/local/apache/htdocs">
Options Indexes
AllowOverrride None
Order allow,deny
Allow from all

If you really need symlinks, you can use the“SymLinksIfOwnerMatch” option to only allow links from within the same user.

To prevent PHP from accessing any file outside of their directory, you need to specify the ‘open_basedir’ setting ( in PHP configuration file ) to only have access to their directory.

This option can be enabled from WHM. You might face the following error :

This security tweak uses Apache DSO style directives. If PHP is configured to run as a CGI, SuPHP or FastCGI process, the open_basedir setting must be manually specified in the relevant php.ini file. See the EasyApache documentation for more information.

– If the PHP handler is set as CGI or SuPHP, then tweak settings seen in WHM cannot be used to set the openbase_dir option.

– You need to manually specify the openbase_dir option in the global
PHP configuration file ( use php -i |grep php.ini to find the php.ini location )

Keep in mind, the root cause for this attack or vulnerability is due any unsecured scripts/plugins/applications which might be employed in any of the domains. So, keep you server free from it, in the first place 😀