How to find and prevent symlink attack


Post by a24uall

How to find if there is a symlink attack:

ls /var/cpanel/users | grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read -r CPUSER; do
    find "/home/$CPUSER" -type l -not \( -lname "/home/$CPUSER/*" -o -lname "*rvsitebuilder*" -o -lname "[^/]*" -o -lname "/usr/local/apache/domlogs/*" -o -lname "/usr/local/urchin/*" \)
done

A symlink attack can be prevented to an extent by editing the lines below in the Apache configuration file. Each server might have a different value depending on how Apache was configured, and you can change that to:

<Directory "/">
    # Every option carries + or -: Apache 2.4 rejects an Options line that mixes prefixed and bare options.
    Options +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Indexes Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,SymLinksIfOwnerMatch,MultiViews
</Directory>

Arun
WebhostingDevelopment.com
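
A per-account audit that resolves each link before judging it, as an added example that is not part of the original post. It goes beyond the one-liner above by also checking relative links and by comparing link and target ownership, the same condition SymLinksIfOwnerMatch enforces. The function name `audit_symlinks` is hypothetical, and GNU `readlink -f` and `stat -c` are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils.
# audit_symlinks HOME_DIR
# Prints one line per symlink under HOME_DIR whose resolved target is
# outside HOME_DIR (and not on the allowlist taken from the post), or
# whose target is owned by a different user than the link itself.
audit_symlinks() {
    home=$(readlink -f -- "$1") || return 1
    find "$home" -type l -exec sh -c '
        home=$1; shift
        for link in "$@"; do
            # Resolve relative and chained links to a canonical path.
            target=$(readlink -f -- "$link")
            # Dangling links expose nothing, skip them.
            [ -e "$target" ] || continue
            case $target in
                "$home"|"$home"/*)
                    ;;  # inside the account, ownership is checked below
                /usr/local/apache/domlogs/*|/usr/local/urchin/*|*rvsitebuilder*)
                    continue ;;  # allowlist from the post
                *)
                    printf "%s -> %s (outside home)\n" "$link" "$target"
                    continue ;;
            esac
            # Same condition SymLinksIfOwnerMatch applies: link owner
            # must equal target owner (stat does not follow the link).
            if [ "$(stat -c %u -- "$link")" != "$(stat -c %u -- "$target")" ]; then
                printf "%s -> %s (owner mismatch)\n" "$link" "$target"
            fi
        done
    ' sh "$home" {} +
}
```

On a cPanel server this would be called once per account, for example from the same `while read -r CPUSER` loop with `audit_symlinks "/home/$CPUSER"`.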