3.97gpl Security Updates

#1 Thu, 12/13/2012 - 08:32
eddieb


I have installed 3.97gpl and saw two warnings, the FollowSymLink and the mod_php one.

I haven't yet fixed the mod_php one, but I applied the fix for FollowSymLink. It broke all Magento sites, so I reverted the changes.

Question 1: If anyone could suggest how to get SymLinksIfOwnerMatch to work with Magento I would appreciate it.

Question 2: How do I reset the alert so it shows up again? I would like to be reminded of the problem and eventually I want to get Magento to work with SymLinksIfOwnerMatch.

Question 3: I am now wary of applying the other fix (mod_php). Which files will it change? Will it let me know which ones before modifying them?

Feedback: it would be nice to give a rollback option of the changes if they break any sites. At least list on screen the changed files and warn the user to make a backup of them before applying the fix.

Thanks!

Thu, 12/13/2012 - 10:13
andreychek

Howdy,

Question 1: If anyone could suggest how to get SymLinksIfOwnerMatch to work with Magento I would appreciate it.

Can you post the errors that showed up in your logs while those problems were occurring? That would be in $HOME/logs/error_log.

Question 2: How do I reset the alert so it shows up again? I would like to be reminded of the problem and eventually I want to get Magento to work with SymLinksIfOwnerMatch.

Can you describe how you reverted the changes?

Question 3: I am now wary of applying the other fix (mod_php). Which files will it change? Will it let me know which ones before modifying them?

It shouldn't matter, unless the configuration in use has the web apps using both FCGID/CGI along with mod_php, which is rare.

All it does is add "php_admin_value engine Off" to the Apache VirtualHost line for each domain, which disables mod_php when FCGID or CGI is in use.

-Eric

Sun, 12/16/2012 - 16:05 (Reply to #2)
eddieb

Hello Andrey!

1) The error was "Option FollowSymLinks not allowed here", and the result was no CSS/images in the entire site. Some Magento skins (maybe all 3rd party ones?) use a symlink "/public_html/app/design/frontend/skin_symlink". It should have worked, as the entire site is under the same owner, but it didn't.

2) (Re)added allow FollowSymLinks to httpd.conf and htaccess (on / and media/ folders).

3) Correct. I enabled it and no sites were broken (AFAIK & so far). Weirdly though it only found said problem on the Magento sites.

Let me know if I can help with anything else or if you would like to take a look at my server.

Thank you.

Sun, 12/16/2012 - 16:39 (Reply to #3)
andreychek

Some folks had posted that they found multiple .htaccess files within Magento that needed to be updated.

If you run this command, what output do you receive:

find /home/USERNAME/public_html -name .htaccess | xargs grep FollowSymLinks

Whatever htaccess files it finds, you'd need to update those to use "SymLinksIfOwnerMatch" instead.

-Eric
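
Added example, not part of the original posts and not code from any poster: a shell sketch of the audit-and-update step described above, with a backup kept for rollback. It goes slightly beyond the grep in the post by also flagging "Options All", which includes FollowSymLinks but does not contain the word; the function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Active Options line that enables FollowSymLinks by name or through "All"
# ("All" includes it). "-FollowSymLinks" and commented-out lines do not match.
PATTERN='^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(FollowSymLinks|All)([[:space:]]|$)'

# Print file:line:text for every matching line in .htaccess files under $1.
audit_htaccess() {
    # /dev/null makes grep print the file name even when given one file;
    # "|| true" because grep exits 1 when nothing matches, which is not an error.
    find "$1" -type f -name .htaccess -exec grep -niE "$PATTERN" /dev/null {} + || true
}

# Swap FollowSymLinks for SymLinksIfOwnerMatch on active Options lines of
# file $1, keeping the original as $1.bak for rollback. "Options All" is
# reported by audit_htaccess but left for manual review.
fix_htaccess() {
    cp -p "$1" "$1.bak" &&
    sed -E '/^[[:space:]]*[Oo]ptions[[:space:]]/ s/(^|[[:space:]])(\+?)FollowSymLinks([[:space:]]|$)/\1\2SymLinksIfOwnerMatch\3/g' \
        "$1.bak" > "$1"
}

# Constructed sample tree (not a real Magento install): one .htaccess in the
# root and one in media/, as described in the thread.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/media" &&
    printf '%s\n' '# Options +FollowSymLinks' 'Options +FollowSymLinks -Indexes' \
        'RewriteEngine on' > "$d/.htaccess" &&
    printf '%s\n' 'Options All -Indexes' > "$d/media/.htaccess" &&
    echo "$d"
}

sample=$(make_sample)
echo "before:"; audit_htaccess "$sample"
fix_htaccess "$sample/.htaccess"
echo "after:";  audit_htaccess "$sample"
rm -rf "$sample"
```

After the rewrite, only the media/.htaccess line using "Options All" is still reported; restoring the .bak file undoes the change.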

Sun, 12/16/2012 - 16:58 (Reply to #4)
eddieb

All Magento installations will have at LEAST one htaccess in root and another one in media.

Also, how do I reset the alert so it shows up again? FollowSymLinks is present in the htaccess and httpd.conf now.

Sat, 12/15/2012 - 01:43
sentient

Hello there,

I ran into problems with my Magento store too; the only problem I had, though, was that none of the product images were showing. I fixed it by going into /media/.htaccess and commenting out:

Options All -Indexes

at the top of the file. I hope this won't break anything else.

Please let me know what Magento problems you ran into. I also applied the mod_php fix as well and everything seems to be fine.

Sun, 12/16/2012 - 17:00 (Reply to #6)
eddieb

The problem I had was only no CSS/images in the entire site and "Option FollowSymLinks not allowed here" was the error in the logs.

I have not tried the option you suggested, but I will next time I run this fix.

Thanks

Sun, 12/16/2012 - 17:01 (Reply to #7)
eddieb

Sentient, were you using a third-party or built-in skin?

Sun, 12/16/2012 - 17:55
sentient

I'm using the "Modern" built-in skin.

Sun, 12/16/2012 - 19:01 (Reply to #9)
eddieb

That's why you didn't have problems with SymLinks. Most (if not all) 3rd party skins use symlinks, at least on 1.4 and 1.5.

Thanks

Sat, 01/12/2013 - 17:44
Acamedium

I have this issue too with the new 'security' fix. They actually broke many websites.

Well done.