[RESOLVED] "No Symlink" Bypass security bug

[IrPr]

Hi there

Today i found that "Follow Symbolic Link" set to "No" or "If Owner Match"
its not disabling Symlink as its expected to disable whole symlinks

For example the symlink2 linked to fakesymlink/../../../../../../../../../../../../../../..//home/user/public_html/ which fakesymlink is a regular directory, when i request symlink2 through litespeed it responses 403 no permission error

but when i request for http://woot/symlink2/file.ext it will response the /home/user/public_html/file.ext file with no error!

It seems if we create a symlink to a directory, then the files in that directory are reachable through the lsws

George, Please take a look in it and update to it me ASAP

Thanks

 

[mistwang]

Are you using LiteSpeed with Apache httpd.conf? or configure everything natively.
If you use httpd.conf, you need to use "Options" directive. otherwise, you need to set the corresponding option at vhost level as well.

 

[IrPr]

Are you using LiteSpeed with Apache httpd.conf? or configure everything natively.
If you use httpd.conf, you need to use "Options" directive. otherwise, you need to set the corresponding option at vhost level as well.

Using cPanel and httpd.conf
All of Options directives in httpd.conf have -FollowSymlinks parameters, using LSWS 4.0.6 and 4.0.12

Would you please check it in your labs also?

 

[mistwang]

Please do a force reinstall of 4.0.12 from web console or manually update it, it should have been fixed with latest build.

 

[IrPr]

Please do a force reinstall of 4.0.12 from web console or manually update it, it should have been fixed with latest build.

Dear George,
Thanks for your awesome support

The bug has been fixed in the latest 4.0.12 build

Regards

 

[IrPr]

There is still a minor bug with the symlinks

Lets assume we creare a symlink for /home/user2/public_html ( source ) directory to /home/user1/public_html/w00t (dest )

If any RewriteRule matched the request is placed in a .htaccess file in the symlink source path, it will be handled for the request

For example in the /home/user2/public_html/ path there is a htaccess to redirect all requests to https instead of http, or any hotlink protection which redirects to another url, requests for http://user2/w00t they will be redirected in order of RewriteRule located there, instead of 403 no permission

My apologize for my bad english and very bad explanation.

 

[nehaasen22]

Are you using LiteSpeed with Apache httpd.conf? or configure everything natively. If you use httpd.conf, you need to use "Options" directive. otherwise, you need to set the corresponding option at vhost level as well.