[RESOLVED] "No Symlink" Bypass security bug

Discussion in 'Bug Reports' started by IrPr, Feb 4, 2010.

  1. IrPr

    IrPr New Member

    Hi there

    Today i found that "Follow Symbolic Link" set to "No" or "If Owner Match"
    its not disabling Symlink as its expected to disable whole symlinks

    For example the symlink2 linked to fakesymlink/../../../../../../../../../../../../../../..//home/user/public_html/ which fakesymlink is a regular directory, when i request symlink2 through litespeed it responses 403 no permission error

    but when i request for http://woot/symlink2/file.ext it will response the /home/user/public_html/file.ext file with no error!

    It seems if we create a symlink to a directory, then the files in that directory are reachable through the lsws

    George, Please take a look in it and update to it me ASAP

    Thanks
  2. mistwang

    mistwang LiteSpeed Staff

    Are you using LiteSpeed with Apache httpd.conf? or configure everything natively.
    If you use httpd.conf, you need to use "Options" directive. otherwise, you need to set the corresponding option at vhost level as well.
  3. IrPr

    IrPr New Member

    Using cPanel and httpd.conf
    All of Options directives in httpd.conf have -FollowSymlinks parameters, using LSWS 4.0.6 and 4.0.12

    Would you please check it in your labs also?
  4. mistwang

    mistwang LiteSpeed Staff

    Please do a force reinstall of 4.0.12 from web console or manually update it, it should have been fixed with latest build.
  5. IrPr

    IrPr New Member

    Dear George,
    Thanks for your awesome support

    The bug has been fixed in the latest 4.0.12 build

    Regards
  6. IrPr

    IrPr New Member

    There is still a minor bug with the symlinks

    Lets assume we creare a symlink for /home/user2/public_html ( source ) directory to /home/user1/public_html/w00t (dest )

    If any RewriteRule matched the request is placed in a .htaccess file in the symlink source path, it will be handled for the request

    For example in the /home/user2/public_html/ path there is a htaccess to redirect all requests to https instead of http, or any hotlink protection which redirects to another url, requests for http://user2/w00t they will be redirected in order of RewriteRule located there, instead of 403 no permission

    My apologize for my bad english and very bad explanation.
  7. nehaasen22

    nehaasen22 New Member

    Are you using LiteSpeed with Apache httpd.conf? or configure everything natively. If you use httpd.conf, you need to use "Options" directive. otherwise, you need to set the corresponding option at vhost level as well.

Share This Page