Friday, 12 July 2013

How to prevent cPanel apache Symlink security vulnerability

First of all, this is not an issue with cPanel itself but with Apache. However, cPanel doesn't take it seriously. When I contacted cPanel about it, they pointed me to their documentation, which has a patch. When I asked whether the patch is applied by default in newer versions, they simply pointed me to http://features.cpanel.net/ and told me to request it there. If they get enough requests, they will enable this "symlink race condition protection" by default in future versions of cPanel.

You can find the feature request here. So please vote for it to make it default in cPanel.

The solution recommended by cPanel is mod_ruid2 + jailshell.

It is very easy to enable: recompile Apache with mod_ruid2 and then enable "Jail Apache Virtual Hosts" in Tweak Settings.

But it is not recommended on the CentOS 5 series, as the kernel doesn't fully support it.

Another option is CloudLinux, which is very popular because of its CageFS, which acts like a container and gives each cPanel user its own isolated environment.

Below are some of the recommendations I found while researching this issue:

cPanel suggested solution
===========================
We recently made a 3rd party patch available in EasyApache for the Apache Symlink Race Condition that you have described. It is in the 'Exhaustive Options List' in EasyApache and is called 'Symlink Race Condition Protection'. If you do not have any other patches or methods to combat this vulnerability, please try recompiling Apache with this patch included - it should fix you right up.

We have documentation on the patch, what it does, and what it protects against here:

http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SymlinkPatch

Symlink Protect cPanel EasyApache module:
=========================================

1. First download the files from http://spasov.us/patch/Apache.zip

Log in as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

Upload SymlinkProtection.pm and SymlinkProtection.pm.tar.gz into that directory.

2. Run /scripts/easyapache and select SymlinkProtection from the "Exhaustive Options" list.

Other security measures:
==========================

1. Do not allow users to change PHP settings through php.ini or .htaccess files.

2. Enable the Apache mod_userdir Tweak, but do not exclude any hostnames from it, because through http://domain.com/~username the global php.ini settings can be overridden.

3. Disable symlink for all users.

4. Disable the following functions globally in php.ini (disable_functions). The original list also named allow_url_fopen, which is an ini directive rather than a function, so it is set on its own line:

disable_functions = show_source,system,shell_exec,passthru,exec,proc_open,symlink,proc_close,dl,escapeshellarg,escapeshellcmd,popen
allow_url_fopen = Off

5. Enable safe_mode.

6. Run maldet, a malware detection tool which is very effective at catching most rootshells.

Script to find symlink hack:
============================

find /home*/*/public_html -type l >> /root/symlinks.txt

This command finds any symlinks in the users' public_html directories and appends the output to /root/symlinks.txt.

This is very helpful for finding the issue beforehand. You may run it as a cron job.
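As an added example, not code from this post or from cPanel, here is a POSIX shell version of that check that goes one step further than the one-liner: it resolves each symlink and reports only those whose target leaves the owning account's home directory, which is the footprint this attack leaves behind. It assumes a /home-style layout where each account's home sits directly under the scanned base; the tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post or from cPanel's own tooling.
# Reports symlinks under <BASE>/<account>/public_html whose resolved target
# lies outside that account's home directory. BASE is assumed to be the parent
# of the account homes (/home on a cPanel server); the tree scanned below is
# constructed inline so the script runs anywhere.

# find_escaping_symlinks BASE
# Prints "account-home<TAB>link<TAB>resolved-target", one line per finding.
find_escaping_symlinks() {
    base=$(readlink -f "$1")                 # canonicalise so prefix tests are exact
    find "$base"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
        rel=${link#"$base"/}                 # strip BASE/ -> "account/public_html/..."
        home="$base/${rel%%/*}"              # first component is the account home
        # Resolve the final target; a dangling link cannot be checked, so report it too
        target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
        case "$target" in
            "$home"/*) ;;                    # stays inside the owning account: fine
            *) printf '%s\t%s\t%s\n' "$home" "$link" "$target" ;;
        esac
    done
}

# build_demo_tree: constructed stand-in for /home with two accounts, alice and bob
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html" "$d/bob/private"
    printf 'db_pass=secret\n' > "$d/bob/private/config.php"
    printf 'hello\n' > "$d/alice/public_html/index.html"
    ln -s index.html "$d/alice/public_html/ok"                   # harmless, stays in alice
    ln -s "$d/bob/private/config.php" "$d/alice/public_html/cfg" # crosses into bob's home
    ln -s /etc/passwd "$d/alice/public_html/pw"                  # crosses into the system
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
find_escaping_symlinks "$demo"     # reports cfg and pw, not ok
rm -rf "$demo"
```

On a real server, replace the constructed tree with `find_escaping_symlinks /home` and mail or log the output from cron.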


4 comments:

  1. Why did you stop blogging??? Just one post? Done?

  2. Fantastic article, thank you.

  3. I am more than sure that if you perform your work and business processes through the cloud virtual data room, your personal data will always be in safe hands.

  4. However, what is a cPanel web hosting company, and why should you be trying for one of these over another reasonable internet hosting provider?