1

I found a vulnerability in one of my managed websites where I can give any name to the symlink file name (the source link). I cannot control the target directory link, though. I can also create as many symlinks as I like in that directory, with different source names but pointing to the same target directory. My questions are:

  1. Can it be exploited in any way? What is the worst that could happen if I left it as it is?
  2. How many symlinks can be created in Linux in any particular directory?

Thanks

MagExt

1 Answer

2
  1. TL;DR Fix it. Don't leave it like that.

    It depends heavily on your file system permissions. Assuming the (Linux) user that creates the symlink has write permissions to other directories in the filesystem, they can create symlinks anywhere that is writable on the file system, e.g. "../unexpected_sym_link". Any operation that follows symlinks (e.g. bash: find -L ...) would now include the TARGET file in its results. Although there is no real value that an attacker can get from using this exploit as is, they might use this to obtain something in combination with other exploits or routines in your website.

  2. There is no specific limit on the number of symlinks created in a directory, but rather on the number of files in a directory, which you can find here.

  • Thanks, sure, I won't leave it like that forever. But I wanted to know whether it is considered a security bug and, if yes, how it can be abused. Dot-dot-slash is not allowed – MagExt Jul 24 '17 at 18:12
  • If navigating outside the directory is forbidden, then the attack surface is very limited. As I mentioned before, it's all up to your website code and server routines: attempting to create a new file in the directory might fail due to an existing file with the same name; in case you search for a file inside the directory according to user input and react differently depending on whether the file exists or not, and so on... – Gal Menash Ofri Jul 24 '17 at 18:31
  • I can control the symlink name though; any character is allowed. Does that pose any security risk? – MagExt Jul 24 '17 at 18:37
  • See this for a full answer: https://stackoverflow.com/q/457994/3810168 – Gal Menash Ofri Jul 24 '17 at 18:40
  • Just curious, what could be worse if navigating outside the directory to place the symlink is allowed? – MagExt Jul 24 '17 at 19:12
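
The following is an added example, not part of the original thread or the site's code: one way to harden the behaviour discussed in the answer and comments on Linux, by accepting only a single plain path component as the link name, creating the link relative to a pinned directory, and having the site's own read routine refuse to follow a symlink. The function names, the character policy (no leading dash, no control characters) and the sample names are assumptions of this example.

```python
import os
import tempfile

def validate_link_name(name):
    """Accept only a single plain path component (character policy is this example's assumption)."""
    if name in ("", ".", "..") or "/" in name or "\x00" in name:
        raise ValueError("not a single path component")
    if name.startswith("-") or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("leading dash or control character")
    return name

def create_link(base_dir, name, fixed_target):
    """Create base_dir/name -> fixed_target; an existing entry raises FileExistsError."""
    validate_link_name(name)
    # Pin the parent directory so the link is created relative to it, not to a path string.
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        os.symlink(fixed_target, name, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def read_regular_file(base_dir, name):
    """What the site's own routines should do: refuse to follow a planted symlink."""
    path = os.path.join(base_dir, validate_link_name(name))
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def demo():
    """Exercise the checks on constructed names inside a temporary directory."""
    out = []
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "links")
        os.mkdir(base)
        for name in ("ok_link", "../unexpected_sym_link", "-rf", "a\nb", "ok_link"):
            try:
                create_link(base, name, root)  # root stands in for the fixed target
                out.append((name, "created"))
            except ValueError:
                out.append((name, "rejected"))
            except FileExistsError:
                out.append((name, "exists"))
        try:
            read_regular_file(base, "ok_link")
            out.append(("read ok_link", "followed"))
        except OSError:  # ELOOP: the final path component is a symlink
            out.append(("read ok_link", "refused"))
    return out
```

Calling `demo()` returns one `(name, outcome)` pair per attempt, including the duplicate-name collision mentioned in the comments.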