shared hosting

Apache directory traversal on shared hosting environment.

Apache implementation directory traversal and sensitive file disclosure in Shared Hosting environment.

Chris Dixon and David Ibarra of the Hostgator.com Support Team discovered a severe vulnerability that exists specifically in several large-scale "pre-packaged" Apache implementations, such as cPanel, which allows a user to traverse directories and view any file which has readable access by the webserver. Our proof of concept demonstrates exploitation via a symlink in a chrooted jailed shell. This can be disabled by enabling the SymLinksIfOwnerMatch option in Apache; however, you must also change the AllowOverride default options as well. We also provide an Apache patch which can be implemented directly via an easyapache hook in order to disallow symlinks followed by anyone other than their owners.

cPanel developers were notified of this vulnerability and given time to hotfix the issue.


Re: Apache directory traversal on shared hosting environment.

This is cPanel's full response to David Collins:

> Hello and thank you again for reporting this security issue to  
> cPanel. We appreciate your interest in helping secure the shared  
> hosting environment.
>
> cPanel attempts to deliver a default configuration that suits the  
> majority of our customers. cPanel makes every attempt to provide  
> straightforward interfaces that allow server administrators to  
> configure their hosting platform to serve the needs of their end  

Re: Apache directory traversal on shared hosting environment.

Sounds like you can fix this also with the Apache configuration directives you list in the report. So, it seems that you simply need to update your httpd.conf to proper settings for shared hosting and that there is no vulnerability, except that your configuration is vulnerable.



Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

VI. BUSINESS IMPACT
-------------------------
The Local PHP File Inclusion vulnerability can be especially dangerous
in a shared hosting environment. Even if server has been configured to
prevent users from reading each other's document roots (web server/PHP
process running in a context of the site's owner), an attacker that has
an account on the same server as the targeted site could use the
vulnerability to

[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

Versions Affected:
- Tomcat 7.0.0 to 7.0.21

Description:
This issue only affects environments running web applications that are
not trusted (e.g. shared hosting environments). The Servlets that
implement the functionality of the Manager application that ships with
Apache Tomcat should only be available to Contexts (web applications)
that are marked as privileged. However, this check was not being made.
This allowed an untrusted web application to use the functionality of
the Manager application. This could be used to obtain information on

.NET Framework EncoderParameter integer overflow vulnerability

By exploiting this vulnerability, it is possible for an application
running with Partial Trust permissions to break from the CLR sandbox
[10] (CAS) and run arbitrary code with Full Trust permissions. Examples
of Partial Trusted applications include, ClickOnce, XAML Browser
Applications (XBAP), ASP.NET (eg, shared hosting) & SilverLight. It
must be noted that the affected class is not available for SilverLight
applications.

------------------------------------------------------------------------
Limitations



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.