When Apache or nginx serve static files, they follow symbolic links even if a link points to a file
owned by another system user (for example, one corresponding to a different subscription).
This allows an attacker with access to a subscription to read files from another subscription,
including files containing passwords and settings for WordPress and other CMSes.
Mitigating the vulnerability
File system permissions
If you are using WP Toolkit, the easiest way to mitigate the vulnerability for your WordPress instances
is to use the Toolkit:
- Go to WP Toolkit.
- Select all WordPress instances and click Check Security.
- Verify that “Permissions for files and directories” is marked as OK.
- If it is not, click Secure.
If you are not using WP Toolkit, or if you need to secure a CMS other than WordPress,
you need to correct the permissions manually on every file you want to protect,
denying all permissions to the “Other” group with the following command:
chmod o-rwx <file_name>
Note: There is no “one size fits all” list of files to be secured in this way that fits any web application or CMS.
The exact files that must have their permissions changed to secure a web application depend on the application in question.
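The following shell script is added here as an illustration; it is not part of Plesk or WP Toolkit. It audits one document root for the two conditions described above (symbolic links whose target belongs to a different system user than the link itself, and files that still grant permissions to “Other”) and, when run with --fix, applies the same chmod o-rwx mitigation to the files it finds. It assumes GNU find and stat (Linux); the --fix flag, the function names and the placeholder document root are the example's own.

```shell
#!/bin/sh
# Added example, not Plesk's own tooling. Audits one document root for:
#  1. symbolic links whose target is owned by a different system user than
#     the link itself (the cross-subscription case a web server that follows
#     symlinks would serve), and
#  2. files that grant any permission to "other" (what `chmod o-rwx` removes).
# Assumes GNU find/stat. Usage: sh audit_docroot.sh /path/to/httpdocs [--fix]
# (the path is a placeholder; pass your own document root as $1).

# Print symlinks under $1 whose target is owned by a different uid than the link.
cross_owner_symlinks() {
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        link_owner=$(stat -c %u "$link" 2>/dev/null) || continue
        # stat -L follows the link; a dangling link fails here and is skipped.
        target_owner=$(stat -L -c %u "$link" 2>/dev/null) || continue
        if [ "$link_owner" != "$target_owner" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Print regular files under $1 that grant any of r, w or x to "other".
other_accessible_files() {
    find "$1" -type f -perm /o=rwx 2>/dev/null
}

# Apply the page's mitigation (chmod o-rwx) to every file reported above.
fix_other_permissions() {
    other_accessible_files "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Stand-alone run: report both conditions, then fix permissions only on request.
if [ -n "$1" ]; then
    echo "== symlinks whose target belongs to another user =="
    cross_owner_symlinks "$1"
    echo "== files with permissions for \"other\" =="
    other_accessible_files "$1"
    if [ "$2" = "--fix" ]; then
        fix_other_permissions "$1"
    fi
fi
```

The symlink check only reports cross-owner links; it does not remove them, because a site may legitimately link to files it owns.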
Apache configuration
This way of mitigating the vulnerability is suitable for subscriptions that use Apache as their web server
(a subscription uses Apache if “Proxy mode” is on in Hosting & DNS > Apache & nginx settings).
To mitigate the vulnerability, do the following:
- Go to Service Plans > your plan > the “Web Server” tab
(or your subscription > Websites & Domains > Hosting & DNS > Apache & nginx Settings).
- Select the “Restrict the ability to follow symbolic links” checkbox.
Doing this for a service plan mitigates the vulnerability for all subscriptions
based on that service plan (that is, an attacker gaining access to a subscription
will not be able to carry out attacks against other subscriptions).
Doing this for a subscription mitigates the vulnerability for that subscription only.
Note: A website that uses symlinks to its own files will keep working
if it does not use the “FollowSymLinks” option in the <…