[Solved] Symbolic link check does not work

DoM

Well-Known Member
#1
Hi,
we use LST 4.1RC4.

We set "check symbolic link" in LiteSpeed, and in the Apache configuration we set up symbolic links only if the owner matches.

Under security on lst we have:

File Access
Follow Symbolic Link Yes
Check Symbolic Link Yes
Required Permission Mask 000
Restricted Permission Mask 000

and under Access Denied Directories:

/
/etc/*
/dev/*
$SERVER_ROOT/conf/*
$SERVER_ROOT/admin/conf/*

One website was hacked and a symbolic link pointing to / was created.

It works and shows all the content of /.

I think this is a big security problem.

We also set up the value /* under Access Denied Directories, but nothing works and all directories and files under / are visible.


Waiting for your reply

Regards
mistwang

LiteSpeed Staff
#2
"It works and shows all the content of /."
How does it work?
If it is served by LiteSpeed web server directly as a static file, we will look into this. If it is served via a PHP shell or another script, it has nothing to do with this feature; the script runs in its own process, not controlled by LiteSpeed security.
Just want to make sure you have a correct understanding of this feature before we dive into investigating.
DoM

Well-Known Member
#3
Hi,
I am sure it's served by LST as a static file, because we simply see that URL symlinked.


Waiting for your reply

Regards
mistwang

LiteSpeed Staff
#4
The autoindex script will index the symlinked directory; it was not protected, but users cannot access any file under the symlinked directory.
This issue will be addressed in the 4.0.19 release. The 4.0.19 build has been uploaded; if you want to give it a try, just change the version number in the download link to get it.
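The two checks the thread is about, "follow symlink only if the link owner matches the target owner" (the Apache SymLinksIfOwnerMatch rule) and "the resolved target must stay inside the document root", can be audited from the shell side as well, which is a useful second line of defence when a compromised site plants a link to /. The script below is an added example and is not LiteSpeed's code or the poster's configuration; it builds a constructed document root in a temporary directory with one legitimate in-tree link and one link to /, then walks the tree without following links and reports every symlink that fails either check. The helper names (symlink_allowed, audit_docroot, build_demo) are assumptions for this example.

```python
import os
import tempfile
from pathlib import Path


def symlink_allowed(link, docroot):
    """Return (allowed, reason) for one symlink beneath docroot.

    Two checks are applied, both hypothetical names for this example:
      1. owner of the link must equal owner of the resolved target
         (the same rule as Apache's SymLinksIfOwnerMatch);
      2. the resolved target must lie inside docroot, so a link to /
         or /etc is rejected even when the owner happens to match.
    """
    link = Path(link)
    docroot = Path(docroot).resolve()
    if not link.is_symlink():
        return True, "not a symlink"
    try:
        target = link.resolve(strict=True)
    except (FileNotFoundError, RuntimeError):
        # dangling link or a symlink loop: refuse rather than guess
        return False, "dangling or looping symlink"
    link_uid = os.lstat(link).st_uid      # lstat: the link itself
    target_uid = os.stat(target).st_uid   # stat: what it points at
    if link_uid != target_uid:
        return False, f"owner mismatch: link uid {link_uid}, target uid {target_uid}"
    if target != docroot and docroot not in target.parents:
        return False, f"target {target} is outside document root {docroot}"
    return True, "ok"


def audit_docroot(docroot):
    """Walk docroot without following links; return [(path, reason)] violations."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        # os.walk lists a symlinked directory in dirnames but does not
        # descend into it when followlinks=False, so each link is seen once.
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                ok, reason = symlink_allowed(p, docroot)
                if not ok:
                    findings.append((str(p), reason))
    return findings


def build_demo():
    """Constructed fixture (not real site data): a docroot with two symlinks."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("hello\n")
    os.symlink(root / "public", root / "alias")   # stays inside docroot: allowed
    os.symlink("/", root / "rootlink")            # the link from the thread: rejected
    return root


if __name__ == "__main__":
    demo = build_demo()
    for path, why in audit_docroot(demo):
        print(f"REJECT {path}: {why}")
```

Run as an unprivileged user the link to / fails on the owner check first (the link is yours, / belongs to root); run as root it still fails on the document-root check, which is why both rules are worth keeping. Scheduling this over every vhost root catches a planted link even when the web server's own symlink option has been misconfigured.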