hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : SymLink Vulnerability cPanel
Reply

Forum Jump

SymLink Vulnerability cPanel

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Question

SymLink Vulnerability cPanel


I have had lots of websites hacked on a shared cPanel server, and it appears that it is a Symlink vulnerability on the server. Can anyone advise how to protect against these attacks and how they are carried out?



Sponsored Links
  #2  
Old
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 776
Disable the symlink and shell functions in php.ini

Open /usr/lib/php.ini

Find this line:
Code:
disable_functions =
and modify it to

Code:
disable_functions = "symlink,shell_exec,exec,system,chmod"
then restart Apache
Code:
httpd restart
This will prevent the creation of symlinks and execution of shell commands by PHP scripts

__________________
Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
Fast servers in USA, Canada, UK, Germany, Netherlands, France


Last edited by NetworkPanda; 01-11-2013 at 08:50 AM.
  #3  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Quote:
Originally Posted by NetworkPanda View Post
Disable the symlink and shell functions in php.ini

Open /usr/lib/php.ini

Find this line:
Code:
disable_functions =
and modify it to

Code:
disable_functions = "symlink,shell_exec,exec,system"
then restart Apache
Code:
httpd restart
This will prevent the creation of symlinks and execution of shell commands by PHP scripts

Thanks, any other change I can make, e.g. edit httpd conf file?

How about turning off symlinks completely on the server? or will this break cPanel?

Sponsored Links
  #4  
Old
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 776
Quote:
Originally Posted by kshazad86 View Post
Thanks, any other change I can make, e.g. edit httpd conf file?

How about turning off symlinks completely on the server? or will this break cPanel?
No, don't ever do this, symlinks are necessary for Linux and cPanel. Just disable their creation by PHP.

Regarding your other question, no, you do not need to edit httpd.conf

Some other security measures: Run EasyApache and install mod_security and suhosin (if now already done so)

__________________
Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
Fast servers in USA, Canada, UK, Germany, Netherlands, France

  #5  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Easyapache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.

  #6  
Old
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 776
Quote:
Originally Posted by kshazad86 View Post
Easyapache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.
Suhosin is supported officially by PHP 5.3 and cPanel. We are already running it for several months on our servers with PHP 5.3.x
Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.

__________________
Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
Fast servers in USA, Canada, UK, Germany, Netherlands, France

  #7  
Old
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 974
You can use this SymLink patch for EasyApache:

Quote:
1. http://spasov.us/patch/Apache.zip

Login as root go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

upload this files SymlinkProtection.pm SymlinkProtection.pm.tar.gz on this directory /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list
Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  #8  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Quote:
Originally Posted by NetworkPanda View Post
Suhosin is supported officially by PHP 5.3 and cPanel. We are already running it for several months on our servers with PHP 5.3.x
Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?

  #9  
Old
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 974
Quote:
Originally Posted by kshazad86 View Post
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?
No, safemode is deprecated in recent PHP versions.

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  #10  
Old
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 776
Quote:
Originally Posted by kshazad86 View Post
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?
This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.

__________________
Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
Fast servers in USA, Canada, UK, Germany, Netherlands, France

  #11  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Quote:
Originally Posted by infinitnet View Post
You can use this SymLink patch for EasyApache:


Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
Is this a custom patch? It wont break cPanel in anyway?

  #12  
Old
Web Hosting Master
 
Join Date: Nov 2009
Location: /etc/my.cnf
Posts: 9,473
Quote:
Originally Posted by NetworkPanda View Post
This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.
Safemode won't protect from anything in this instance since its deprecated as of PHP 5.3 and shall be removed as of PHP 5.4

http://php.net/manual/en/features.safe-mode.php

__________________
LeapHost High Performance Wordpress & Magento Hosting Powered By Litespeed
Fast Dedicated Servers | Uptime Cloud Monitoring | Proactive Server Management
24/7 Ticket > Phone > Live Chat Support | Fancy An Offer > Visit Our LH Specials


  #13  
Old
Quality Web Hosting Matters
 
Join Date: Sep 2006
Location: Servers
Posts: 1,527
Disabling all these PHP functions will kill the functionality. Also if there is some vulnerability attacker can upload own php.ini and override all these php.ini restrictions implemented by web hosting company.

__________________
QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
Linux and Windows RDP VPS - Locations UK, US, CA, FR, DE, NL, CH | OpenVPN/PPTP Enabled
Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, EgoPay, OKPay
█ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster

  #14  
Old
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 974
Quote:
Originally Posted by kshazad86 View Post
Is this a custom patch? It wont break cPanel in anyway?
It's from the cPanel forums and written by Rack911 afaik.

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  #15  
Old
Web Hosting Master
 
Join Date: Jan 2011
Posts: 612
Quote:
Originally Posted by infinitnet View Post
It's from the cPanel forums and written by Rack911 afaik.
ok great, will give this a try thanks

Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
cPanel Vulnerability? joecooper Web Hosting 6 02-22-2012 06:07 PM
Password Protect Symlink in cPanel w00ts!te Hosting Software and Control Panels 0 07-23-2009 02:17 PM
cPanel Horde Vulnerability Found - Please update your cPanel ASAP Virtuoso Host Hosting Security and Technology 14 03-09-2008 02:35 PM
SIM installer symlink attack + race condition local root vulnerability jpetersen Hosting Security and Technology 0 04-29-2007 01:54 PM
CPanel vulnerability aah-jim Hosting Software and Control Panels 1 02-19-2003 09:27 AM

Related posts from TheWhir.com
Title Type Date Posted
WPTouch WordPress Plugin Vulnerability Allows Non-Admins to Take Over Website Web Hosting News 2014-07-14 16:17:19
WHMCS Releases Patch to Address Critical Security Issue Web Hosting News 2013-10-04 16:12:43
Heroku Works with Security Researcher to Fix Password Vulnerability Web Hosting News 2013-01-10 12:51:17
cPanel Security Updates Address Perl Module Vulnerabilities Web Hosting News 2012-12-06 12:55:54
Hosting Control Panel cPanel & WHM 11.34 Release Hits Stable Tier Web Hosting News 2012-11-12 17:04:57


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
WHT Host Brief Email:

We respect your privacy. We will never sell, rent, or give away your address to any outside party, ever.

Advertisement:
Web Hosting News:
WHT Membership
WHT Membership



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?