[Solved] Symbolic link check does not work

Discussion in 'Install/Configuration' started by DoM, Jan 11, 2011.

  1. DoM

    DoM New Member

    Hi,
    we use LST 4.1RC4

We set Check Symbolic Link on LiteSpeed, and in the Apache configuration we set up symbolic links to be followed only if the owner matches.

Under Security on LST we have:

    File Access
    Follow Symbolic Link Yes
    Check Symbolic Link Yes
    Required Permission Mask 000
    Restricted Permission Mask 000

    and under Access Denied Directories:

    /
    /etc/*
    /dev/*
    $SERVER_ROOT/conf/*
    $SERVER_ROOT/admin/conf/*

One website was hacked and a symbolic link pointing to / was created.

It works and shows all the content of /.

    I think this is a big security problem.

We also set up the value /* under Access Denied Directories, but nothing works and all directories and files under / are visible.


    Waiting for your reply

    Regards
  2. mistwang

    mistwang LiteSpeed Staff

    How does it work?
If it is served by LiteSpeed web server directly as a static file, we will look into this. If it is served via a PHP shell or other script, it has nothing to do with this feature: the script runs in its own process, not controlled by LiteSpeed security.
Just want to make sure you have a correct understanding of this feature before we dive into investigating.
  3. DoM

    DoM New Member

    Hi,
I am sure it's served by LST as a static file because we simply see that URL symlinked.


    Waiting for your reply

    Regards
  4. mistwang

    mistwang LiteSpeed Staff

The autoindex script will index the symlinked directory; it was not protected, but users cannot access any file under the symlinked directory.
This issue will be addressed in the 4.0.19 release. The 4.0.19 build has been uploaded; if you want to give it a try, just change the version number in the download link to get it.
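The thread above shows why a server-side symlink check alone is a thin defence: a link created inside a compromised document root still pointed at /, and the autoindex listing exposed it. A complementary control is a periodic audit of the document root itself. The following is an added example, not LiteSpeed's or Apache's code: it walks a docroot without following links, flags every symlink whose resolved target lies outside the docroot, and applies the "follow only if owner matches" rule from the first post by comparing the link's owner with the target's owner. The sample docroot it builds (an index.html, a link inside the root, a link to /, and a dangling link) is constructed for the demonstration and cleaned up afterwards; it assumes a POSIX filesystem where unprivileged users may create symlinks.

```python
# Added example (not LiteSpeed or Apache code): audit a document root for
# symbolic links that escape it or whose owner differs from the target's.
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SymlinkFinding:
    link: str                      # path of the symlink inside the docroot
    target: str                    # fully resolved target path
    escapes_root: bool             # target lies outside the docroot
    owner_matches: Optional[bool]  # link uid == target uid; None if dangling


def audit_symlinks(docroot: str) -> List[SymlinkFinding]:
    """Walk docroot without following links and report every symlink found."""
    root = os.path.realpath(docroot)
    findings: List[SymlinkFinding] = []
    # followlinks=False (the default): symlinked directories are listed but
    # not descended into, so a link to / does not make us walk the whole disk.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath() of root and target equals root only when the
            # target is inside the docroot.
            escapes = os.path.commonpath([root, target]) != root
            link_uid = os.lstat(path).st_uid      # owner of the link itself
            try:
                owner_matches: Optional[bool] = os.stat(path).st_uid == link_uid
            except OSError:                       # dangling link: no target
                owner_matches = None
            findings.append(SymlinkFinding(path, target, escapes, owner_matches))
    return findings


def build_demo_docroot() -> str:
    """Constructed sample docroot: a regular file, a link inside the root,
    a link to / (as in the thread), and a dangling link."""
    root = tempfile.mkdtemp(prefix="docroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    os.symlink("index.html", os.path.join(root, "inside"))
    os.symlink("/", os.path.join(root, "to_slash"))
    os.symlink("does_not_exist", os.path.join(root, "dangling"))
    return root


def run_demo() -> dict:
    """Audit the constructed docroot; returns findings keyed by link name."""
    root = build_demo_docroot()
    try:
        return {os.path.basename(f.link): f for f in audit_symlinks(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, f in run_demo().items():
        flags = []
        if f.escapes_root:
            flags.append("ESCAPES DOCROOT")
        if f.owner_matches is False:
            flags.append("OWNER MISMATCH")
        if f.owner_matches is None:
            flags.append("DANGLING")
        print(f"{name:10s} -> {f.target:30s} {' '.join(flags)}")
```

Run against a real vhost root, anything flagged ESCAPES DOCROOT is the case from this thread and worth alerting on regardless of what the web server's own check does; OWNER MISMATCH reproduces the Apache-style ownership rule for links that stay inside the root.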
  5. DoM

    DoM New Member

So do I need to change the version from 4.1RC4 to 4.0.19?


    Waiting for your reply

    Regards
  6. mistwang

    mistwang LiteSpeed Staff

You can upgrade to the latest build of 4.1RC4; just download it again.
  7. DoM

    DoM New Member

Thanks, fixed.
