Rule ID
SV-221462r961863_rule
Version
V2R3
CCIs
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;).
4. If any symbolic links are found, this is a finding.1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;).
4. Remove any symbolic links found in the "DocumentRoot" directory tree.