[Solved] Security problem with symbolic link in dir listing

Added by molyland over 5 years ago

I use lighttpd 1.4.35 on a Linux embedded device and I must run it as the root user. I have a portion of the filesystem available on the web server via the dir-listing option.

Now I have a serious security problem: if someone creates a symbolic link to the root folder (e.g. ln -s / sym_root) and
saves it in the portion of the filesystem available on the web server, a simple click on the symbolic link permits the user to view the entire filesystem, download files, etc.

I can't use the "server.follow-symlink" option because I use symlinks for some purposes.

I tried to insert this option only in the dir-listing "url" block, but it does not work:

$HTTP["cookie"] =~ "sess-dir-listing" {
    # send the bare /mnt/ URL to the storage subtree
    # (the pattern has no capture group, so the "$1" prefix in the original was empty)
    url.redirect = ( "^/mnt/$" => "/mnt/storage" )
    $HTTP["url"] =~ "^/mnt/storage($|/)" {
        server.follow-symlink = "disable"
        dir-listing.activate = "enable"
        dir-listing.external-css = "/dir-listing.css"
        dir-listing.encoding = "utf-8"
        dir-listing.hide-dotfiles = "enable"
        #dir-listing.exclude = ""
    }
}

Can you help me? I also protect access with a cookie, but that is weak protection; can you suggest a harder solution?
Thanks


Replies (2)

RE: Security problem with symbolic link in dir listing - Added by gstrauss over 5 years ago

I cannot overstate this: you have a number of security issues if you're running lighttpd 1.4.35, released over 4 1/2 years ago. The latest lighttpd release is lighttpd 1.4.51, with over 1000 commits since lighttpd 1.4.35, a few of which are security-related.


That said, you could have one lighttpd instance (running as root) proxy back to a second lighttpd instance (not running as root) which handles the portion of the url-path on which mod_dirlisting is enabled.

You might be able to prevent the creation of symlinks if you control the mechanism by which they might be created. You might have a script which identifies and removes symlinks outside the web root, and then you can follow up with banning the uploader.

You might replace the use of mod_dirlisting with your own custom CGI script which implements directory listings and which validates the file location with realpath() before serving it to the client, or simply drops root privileges before attempting to serve the directory listing. Then again, if you have an exposure through mod_dirlisting because untrusted people control part of the web root, you might have an exposure accessible through other modules as well. Symlinks can be created to files as easily as they can be created to directories.
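One way to implement the custom listing script suggested above, as an added example that is not from the original thread or from lighttpd itself. It assumes the listing root is supplied in a hypothetical LISTING_ROOT environment variable (defaulting to /mnt/storage, the path from the poster's config) and that an unprivileged account named www-data exists on the device; both are assumptions. The script resolves the requested directory and every entry it would show with realpath() and refuses anything whose resolved target leaves the resolved web root, while still following symlinks that stay inside it; it also drops root before touching the filesystem. build_demo_tree() constructs a throwaway directory containing the exact ln -s / sym_root attack from the post so the check can be exercised offline.

```python
import html
import os
import pwd
import sys
import tempfile


def _inside(root, path):
    """True if the fully resolved `path` is `root` itself or lies below it.

    Both arguments must already be realpath() output. The comparison uses a
    separator boundary so that /srv/www2 is not mistaken for a child of /srv/www.
    """
    return path == root or path.startswith(root + os.sep)


def safe_listing(web_root, url_path):
    """Return (status, entries) for a directory listing confined to web_root.

    Symlinks are still followed (the poster needs them), but the requested
    directory and each entry shown are resolved with realpath() and rejected
    unless the target stays under the resolved web root. A planted
    `ln -s / sym_root` therefore yields 403 instead of a listing of `/`.
    """
    root = os.path.realpath(web_root)
    if "\0" in url_path:                       # realpath() would raise on NUL
        return 400, []
    # lstrip('/') so os.path.join() does not discard root on absolute URL paths
    wanted = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if not _inside(root, wanted):              # covers ../ and escaping symlinks
        return 403, []
    if not os.path.isdir(wanted):
        return 404, []
    entries = []
    for name in sorted(os.listdir(wanted)):
        if name.startswith("."):               # same spirit as dir-listing.hide-dotfiles
            continue
        full = os.path.join(wanted, name)
        if not _inside(root, os.path.realpath(full)):
            continue                           # escaping symlink: never advertised
        entries.append(name + "/" if os.path.isdir(full) else name)
    return 200, entries


def render(status, url_path, entries):
    """Minimal CGI response (headers plus an HTML list with escaped names)."""
    reasons = {200: "OK", 400: "Bad Request", 403: "Forbidden", 404: "Not Found"}
    head = "Status: %d %s\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" % (status, reasons[status])
    items = "".join("<li>%s</li>\n" % html.escape(e) for e in entries)
    return head + "<h1>Index of %s</h1>\n<ul>\n%s</ul>\n" % (html.escape(url_path), items)


def drop_privileges(user="www-data"):
    """If started as root, switch to an unprivileged user (account name is an assumption)."""
    if os.geteuid() != 0:
        return
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def build_demo_tree():
    """Constructed sample tree (not from the original post) reproducing the attack."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "file.txt"), "w") as f:
        f.write("hello\n")
    os.symlink(os.path.join(root, "data"), os.path.join(root, "ok_link"))  # in-root link: allowed
    os.symlink("/", os.path.join(root, "sym_root"))                        # ln -s / sym_root
    return root


def main():
    web_root = os.environ.get("LISTING_ROOT", "/mnt/storage")  # assumption: configured via env
    url_path = os.environ.get("PATH_INFO", "/")                  # set by mod_cgi
    drop_privileges()
    status, entries = safe_listing(web_root, url_path)
    sys.stdout.write(render(status, url_path, entries))


if __name__ == "__main__":
    main()
```

Run it under mod_cgi with PATH_INFO set, or call safe_listing() directly. Two caveats: the realpath() check is a check-then-use step, so an uploader who can swap a link between the check and the opendir() could still race it; and filtering entries only keeps escaping links out of the listing, it does not stop other lighttpd modules from following them when those paths are requested directly, which is why the privilege drop matters more than the filter.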

RE: Security problem with symbolic link in dir listing - Added by molyland over 5 years ago

Thanks for the response, I already built the latest release for my embedded device and tested it;
now I am working on a solution with a custom CGI that lists only what I want.
