Symbolic links must not be used in the web content directory tree.

From APACHE 2.2 Site for UNIX Security Technical Implementation Guide

Part of WG360

SV-30576r1_rule Symbolic links must not be used in the web content directory tree.

Vulnerability discussion

A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area.When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.

Check content

Locate the directories containing the web content, (i.e., /usr/local/apache/htdocs). Use ls –al. An entry, such as the following, would indicate the presence and use of symbolic links: lr-xr—r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs Such a result found in a web document directory is a finding. Additional Apache configuration check in the httpd.conf file: Options FollowSymLinks AllowOverride None The above configuration is incorrect and is a finding. The correct configuration is: Options SymLinksIfOwnerMatch AllowOverride None Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content.

Fix text

Disable symbolic links.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.