I configured my server as cPanel, CloudLinux, LiteSpeed, CWAF, CageFS, CXS.
All my services are running smoothly.
However, I can create a cronjob from one user and access other users' files symbolically.
For example, I can read the config.php file in user2's public_html folder by adding a cron to user1 as follows.
ln -s /home/user2/public_html/config.php config.txt
When cron runs in this way, a shortcut in the form of config.txt occurs on user1. When we view this config.txt file, the contents of the config.php file on user2 appear.
This is a very large vulnerability, how can I prevent this?
My English is not good. Forgive me.
Thanks.
How exactly are you reading this file after the symlink has been created? Because it doesn't work on any of the cPanel servers I've tested.
Additionally, the cronjob is executed as the user, so I'm not sure how this would allow an escalation to happen, because it would be similar to executing it in a shell anyway.
If you're within the user1's jail (su - user1), add a cronjob such as:
Whenever the symlink is actually created, and you then do a cat /home/user1/config.txt as user1, you'll end up with a 'No such file or directory':
Why? Because you're creating a symlink that points to a file that doesn't exist (within CageFS).
But if you're absolutely sure that it's possible (despite not being able to replicate it), then report it to CloudLinux, because it would clearly be something they'd have to fix.
Heck, I'm surprised you didn't create a ticket with them in the first place, and instead decided to go to Stack Overflow to bring up your issue.
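For auditing the situation discussed in this thread, here is an added example (not part of either post) that walks every home directory and reports symlinks resolving into a different user's home, such as the config.txt link from the question. It assumes homes sit directly under one root (/home/<user>) and is run from an account that can see all of them; the function names are hypothetical and the demo tree is constructed.

```python
import os
import tempfile

def find_cross_user_symlinks(home_root):
    """Return (link, resolved_target, link_user, target_user) for every symlink
    under home_root/<user>/ that resolves into another user's directory."""
    home_root = os.path.realpath(home_root)
    findings = []
    for user in sorted(os.listdir(home_root)):
        user_home = os.path.join(home_root, user)
        if os.path.islink(user_home) or not os.path.isdir(user_home):
            continue
        # os.walk does not descend into symlinked directories by default.
        for dirpath, dirnames, filenames in os.walk(user_home):
            for name in dirnames + filenames:
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                # realpath resolves the whole chain and tolerates missing targets.
                target = os.path.realpath(link)
                rel = os.path.relpath(target, home_root)
                if rel in (os.curdir, os.pardir) or rel.startswith(os.pardir + os.sep):
                    continue  # target is not inside any user's home
                target_user = rel.split(os.sep)[0]
                if target_user != user:
                    findings.append((link, target, user, target_user))
    return findings

def build_demo_tree():
    """Constructed sample layout mirroring the question (user1 -> user2)."""
    root = tempfile.mkdtemp(prefix="home_demo_")
    for user in ("user1", "user2"):
        os.makedirs(os.path.join(root, user, "public_html"))
    victim = os.path.join(root, "user2", "public_html", "config.php")
    with open(victim, "w") as fh:
        fh.write("<?php // constructed sample ?>\n")
    # The link from the question: user1's config.txt -> user2's config.php
    os.symlink(victim, os.path.join(root, "user1", "config.txt"))
    # Benign link that stays inside user1's own home; must not be reported.
    os.symlink(os.path.join(root, "user1", "public_html"),
               os.path.join(root, "user1", "www"))
    return root

if __name__ == "__main__":
    for link, target, owner, other in find_cross_user_symlinks(build_demo_tree()):
        print(f"{owner}: {link} -> {target} (inside {other}'s home)")
```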