LiteSpeed Technologies
02-04-2010, 04:45 AM
IrPr
[RESOLVED] "No Symlink" Bypass security bug

Hi there,

Today I found that "Follow Symbolic Link" set to "No" or "If Owner Match"
is not disabling symlinks, as it's expected to disable symlinks entirely.

For example, symlink2 is linked to fakesymlink/../../../../../../../../../../../../../../..//home/user/public_html/, where fakesymlink is a regular directory. When I request symlink2 through LiteSpeed, it responds with a 403 no-permission error,

but when I request http://woot/symlink2/file.ext, it responds with the /home/user/public_html/file.ext file with no error!

It seems that if we create a symlink to a directory, then the files in that directory are reachable through LSWS.

George, please take a look at it and update me on it ASAP.

Thanks
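The behaviour reported above (403 on the symlink itself, but files beneath it served) is what a check on only the last path component would produce. The following is an added example, not part of the original post and not LiteSpeed's code: `final_component_only` is a hypothetical weak check assumed for illustration, `no_symlink_anywhere` is a per-component check a "no symlinks" policy needs, and the directory layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def final_component_only(docroot, url_path):
    """Hypothetical weak check: lstat() only the last path component."""
    full = os.path.join(docroot, url_path.lstrip("/"))
    return not stat.S_ISLNK(os.lstat(full).st_mode)


def no_symlink_anywhere(docroot, url_path):
    """Stricter check: lstat() every component below docroot, reject any symlink."""
    current = docroot
    for part in url_path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            return False  # a request must never climb out of docroot
        current = os.path.join(current, part)
        try:
            mode = os.lstat(current).st_mode
        except OSError:
            return False  # missing or unreadable component: do not serve
        if stat.S_ISLNK(mode):
            return False
    return True


def build_demo_tree():
    """Constructed layout: docroot/symlink2 -> fakesymlink/../../../victim."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "site", "docroot")
    victim = os.path.join(base, "victim")
    os.makedirs(os.path.join(docroot, "fakesymlink"))  # a regular directory
    os.makedirs(victim)
    with open(os.path.join(victim, "file.ext"), "w") as fh:
        fh.write("file outside the document root\n")
    os.symlink("fakesymlink/../../../victim", os.path.join(docroot, "symlink2"))
    return docroot


if __name__ == "__main__":
    root = build_demo_tree()
    for path in ("/symlink2", "/symlink2/file.ext", "/fakesymlink"):
        print(path, final_component_only(root, path), no_symlink_anywhere(root, path))
```

A check based on `lstat()` followed by a later open is still racy; a server enforcing this policy would open each component with `O_NOFOLLOW` relative to the previous directory descriptor.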