Jailed Shell User Can Create Symlinks to Other [Web] Directories Accessible by Apache
Summary
A jailed shell user can create a symlink to files outside the user's jail, including inside the web directory, so created symlinks are followed by Apache even if they link to another web directory of a different user and group. This could result in an infected site being used to access the files of other sites, wp-config.php for example, to then compromise them as well. I have tried setting the Options for Apache2 to -FollowSymLinks and other settings without success.
Steps to reproduce
- Create symlink as jailed shell user in web directory that links to a file in another web directory
- Try to access the file from website with symlink
Correct behaviour
I'm hoping there is a patch for this to prevent this behavior or perhaps I need to address this in my configuration manually and someone can point me in the right direction and/or to an article
Environment
Server OS + version: Ubuntu 20.04 ISPConfig version: 3.2.5
Software version of the related software: Server version: Apache/2.4.48 (Ubuntu)