LiteSpeed Support Forums


IrPr 02-04-2010 04:45 AM

[RESOLVED] "No Symlink" Bypass security bug
 
Hi there

Today I found that "Follow Symbolic Link" set to "No" or "If Owner Match"
is not disabling symlinks, as it is expected to disable all symlinks.

For example, symlink2 links to fakesymlink/../../../../../../../../../../../../../../..//home/user/public_html/, where fakesymlink is a regular directory. When I request symlink2 through LiteSpeed it responds with a 403 no permission error,

but when I request http://woot/symlink2/file.ext it responds with the /home/user/public_html/file.ext file with no error!

It seems that if we create a symlink to a directory, then the files in that directory are reachable through LSWS.

George, please take a look at it and update me ASAP.

Thanks
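The bypass described in this post comes down to checking the symlink policy only on the requested leaf rather than on every path component. The following is an added example (not LiteSpeed's code) of a per-component check; it builds a constructed docroot with a symlink that reaches a real directory through a "../"-laden relative target, and assumes a policy of either "no" or "owner_match":

```python
import os
import stat
import tempfile


def symlink_policy_check(docroot, rel_path, policy="no"):
    """Apply a FollowSymLinks policy to EVERY component of the requested path.

    policy: "no"          -> reject a symlink anywhere in the path
            "owner_match" -> allow a symlink only if its owner is the owner of
                             the object it points to (SymLinksIfOwnerMatch style)
    Returns (allowed, reason).
    """
    current = os.path.realpath(docroot)
    for part in rel_path.strip("/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            return False, "dot-dot segment rejected"
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat inspects the link itself, not its target
        except FileNotFoundError:
            return False, f"no such path: {current!r}"
        if stat.S_ISLNK(st.st_mode):
            if policy == "no":
                return False, f"symlink at {current!r} rejected (policy=no)"
            if st.st_uid != os.stat(current).st_uid:  # os.stat follows the link
                return False, f"symlink owner mismatch at {current!r}"
        # keep walking from the resolved location so later components are
        # checked against the real directory, not the link name
        current = os.path.realpath(current)
    return True, "ok"


def build_demo_tree():
    """Constructed layout mirroring the report: real_dir/file.ext plus
    symlink2 -> fakesymlink/../real_dir, where fakesymlink is a plain dir."""
    docroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(docroot, "real_dir"))
    os.makedirs(os.path.join(docroot, "fakesymlink"))
    with open(os.path.join(docroot, "real_dir", "file.ext"), "w") as f:
        f.write("content\n")
    os.symlink("fakesymlink/../real_dir", os.path.join(docroot, "symlink2"))
    return docroot


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("real_dir/file.ext", "symlink2", "symlink2/file.ext"):
        print(req, symlink_policy_check(root, req, "no"))
```

Under "no", both symlink2 and symlink2/file.ext are refused because the first component is a link; under "owner_match" the same request passes only when the link and its target share an owner.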

mistwang 02-04-2010 09:34 AM

Are you using LiteSpeed with Apache httpd.conf, or configuring everything natively?
If you use httpd.conf, you need to use the "Options" directive; otherwise, you need to set the corresponding option at the vhost level as well.

IrPr 02-04-2010 10:51 AM

Quote:

Originally Posted by mistwang (Post 18416)
Are you using LiteSpeed with Apache httpd.conf, or configuring everything natively?
If you use httpd.conf, you need to use the "Options" directive; otherwise, you need to set the corresponding option at the vhost level as well.

Using cPanel and httpd.conf.
All of the Options directives in httpd.conf have -FollowSymlinks parameters; using LSWS 4.0.6 and 4.0.12.

Would you please check it in your labs also?

mistwang 02-04-2010 10:00 PM

Please do a force reinstall of 4.0.12 from the web console or manually update it; it should have been fixed in the latest build.

IrPr 02-05-2010 10:16 AM

Quote:

Originally Posted by mistwang (Post 18445)
Please do a force reinstall of 4.0.12 from the web console or manually update it; it should have been fixed in the latest build.

Dear George,
Thanks for your awesome support.

The bug has been fixed in the latest 4.0.12 build.

Regards

IrPr 03-09-2010 05:02 AM

There is still a minor bug with symlinks.

Let's assume we create a symlink from the /home/user2/public_html (source) directory to /home/user1/public_html/w00t (dest).

If any RewriteRule matching the request is placed in a .htaccess file in the symlink source path, it will be processed for the request.

For example, in the /home/user2/public_html/ path there is a .htaccess that redirects all requests to https instead of http, or hotlink protection that redirects to another URL; requests for http://user2/w00t will be redirected according to the RewriteRule located there, instead of getting 403 no permission.

My apologies for my bad English and very bad explanation.

nehaasen22 03-15-2010 04:09 AM

Are you using LiteSpeed with Apache httpd.conf, or configuring everything natively? If you use httpd.conf, you need to use the "Options" directive; otherwise, you need to set the corresponding option at the vhost level as well.
