
Bug#524474: apache2: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes



Package: apache2
Version:  2.2.9-10+lenny2
Severity: grave
Tags: patch security lenny sid

1. BUG DESCRIPTION

The Options settings "FollowSymlinks" and "SymlinksIfOwnerMatch"
are ignored for files included using SSI when the files are symlinks
and located in the same directory.

Even when the "FollowSymlinks" and "SymlinksIfOwnerMatch"
are NOT set, symlinks are still followed, and ownership is not checked.

This means a user can set a symlink to any file on the system
readable by the Apache user, even outside the DocumentRoot,
and read it through HTTP, even if the administrator
disabled this by not setting "FollowSymlinks" and "SymlinksIfOwnerMatch".

The bug is present in all current 2.2.x versions, so both in
2.2.9 (lenny) and 2.2.11 (sid).

2. HOW TO REPRODUCE

Reproduce with:

  * server settings

    # usually the default
    Options FollowSymlinks

    <VirtualHost testhost>
        ServerName testhost.test.tld
        <Directory /var/www/>
            # note no FollowSymlinks
            Options Indexes IncludesNoExec
        </Directory>
    </VirtualHost>

  * index.shtml file:

    <Pre><!--#include file="foo.txt"--></Pre><P>
    <Pre><!--#include file="root_link_to_foo.txt"--></Pre><P>
    <Pre><!--#include file="user_link_to_foo.txt"--></Pre>

  * data files / links:

    -rw-r--r-- 1 root   root    25 Sep  7 11:47 foo.txt
    lrwxrwxrwx 1 root   root    10 Sep  7 12:32 root_link_to_foo.txt -> foo.txt
    lrwxrwxrwx 1 www    www      7 Sep  7 15:09 user_link_to_foo.txt -> foo.txt

    (the last link is used to check if SymlinksIfOwnerMatch works)

The index.shtml file will now show the contents of 'foo.txt'
three times, even though it should error out on the symlinks.

3. PATCH

This issue has already been addressed by the Apache developers
and the fix will be included in the next 2.2.x and 2.3.x releases.

See:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

The patch applies cleanly to 2.2.9 and works. It's here:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/request.c?r1=733754&r2=733753&pathrev=733754&view=patch

Mike.
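
An added example, not part of the original report and not Apache code: until the patched request.c is deployed, an administrator can list the symlinks under a DocumentRoot and flag the ones that the intended policy (no FollowSymlinks, or SymlinksIfOwnerMatch) should have refused. It covers every symlink in the tree, not only files named in SSI includes. The function names and the sample layout built in `demo()` are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """Return one finding per symlink under docroot (hypothetical helper)."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid       # owner of the link itself
            target = os.path.realpath(path)        # fully resolved destination
            try:
                target_uid = os.stat(path).st_uid  # owner of the destination
            except OSError:
                target_uid = None                  # dangling link or symlink loop
            inside = os.path.commonpath([root, target]) == root
            findings.append({
                "link": os.path.relpath(path, root),
                "target": target,
                "outside_docroot": not inside,
                # The comparison SymlinksIfOwnerMatch is named for:
                # link owner versus target owner.
                "owner_match": target_uid is not None and link_uid == target_uid,
                "dangling": target_uid is None,
            })
    return sorted(findings, key=lambda f: f["link"])


def demo():
    """Build a constructed layout similar to the report's and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.mkdir(docroot)
        outside = os.path.join(tmp, "outside.txt")
        for p in (os.path.join(docroot, "foo.txt"), outside):
            with open(p, "w") as fh:
                fh.write("constructed sample data\n")
        os.symlink("foo.txt", os.path.join(docroot, "link_to_foo.txt"))
        os.symlink(outside, os.path.join(docroot, "link_outside.txt"))
        return audit_symlinks(docroot)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

With Options that omit both FollowSymlinks and SymlinksIfOwnerMatch, every entry reported is a file the server should refuse; with SymlinksIfOwnerMatch, entries where `owner_match` is false are the ones to review.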


