3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted

Information

When the Apache webserver includes application software such as PHP, Java and many others, it is common for the application to require a writable directory. The writable directory may be needed for file uploads, application data, user session state information or many other purposes. It is important that such directories have a single purpose and that access to them is properly secured to prevent a variety of possible exploits. The directory should be:

- Single Purpose Directory
- Outside the Configured Web DocumentRoot
- Owned by the root User or an Administrator Account
- Not writable by Other

Rationale:

The following provides the rationale for each requirement on the application writable directory:

- **Single Purpose Directory** - Each writable application directory should have a single purpose. For example, mixing file uploads in the same directory with session tracking information would be an obvious vulnerability, as users could create session information to hijack or manufacture authenticated sessions.

- **Outside the Configured Web DocumentRoot** - The directory should NOT be under the configured DocumentRoot directory, as such directories are browsable by default and might allow unintentional web read access. With web read access an attacker could upload malicious content and then reference that content in a URL, exploiting the trust that users have in the website.

- **Owned by the root User or an Administrator Account** - The directory should be owned by root or a designated administrator to prevent unintended changes to the permissions.

- **Not Writable by Other** - Write access can be provided through the group permissions to the configured Apache group rather than by allowing write access to Other / all users. The group write access should implement the least privileges necessary in order to prevent unintended access to the directory. If the application requires more complex write access, such as for specific accounts or for multiple groups, use of access control lists (ACLs) is recommended. ACLs are supported by most Linux file systems and can be enabled when the file system is mounted.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following:

1. **Single Purpose Directory** - Split a multipurpose directory into separate single-purpose directories, and adjust the application configuration and each directory's ownership and permissions appropriately.

2. **Outside the Configured Web DocumentRoot** - Move the writable directory to a more suitable location NOT under the DocumentRoot directory. A location within the /var/ filesystem may be a good choice for changeable data.

3. **Owned by the root User or an Administrator Account** - Change the ownership to root or an administrator.

chown root $WR_DIR

4. **Not writable by Other** - Remove the write permission for Other, and use group write or ACLs to grant the least privileges necessary.

chmod o-w $WR_DIR
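The four requirements above can be audited in one pass. The following POSIX shell function is an added example and is not part of the benchmark or of the Nessus check; it assumes the Apache group is `www-data` (substitute the group named by your `Group` directive) and takes the expected owner as a parameter so that a designated administrator account can be used instead of root. Requirement 1 (single purpose) is a design property that cannot be verified mechanically, so the function covers requirements 2 to 4 and flags the group-write condition as a warning only, because a site may be granting write access through ACLs instead.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): audit one application writable
# directory against requirements 2-4 of this recommendation.
#
# Usage: check_writable_dir DIR DOCROOT [OWNER] [GROUP]
#   DIR      the application writable directory to audit
#   DOCROOT  Apache's configured DocumentRoot
#   OWNER    expected owner, default root
#   GROUP    the configured Apache group, default www-data (assumed; use the
#            group named by the Group directive on the audited system)
# Prints one line per failed requirement; returns the number of failures.
check_writable_dir() {
    dir=$1; docroot=$2; owner=${3:-root}; group=${4:-www-data}
    failures=0

    # Canonicalise both paths so a symlink cannot hide a directory under DocumentRoot.
    real_dir=$(cd "$dir" 2>/dev/null && pwd -P) ||
        { echo "FAIL: $dir is not a directory"; return 1; }
    real_docroot=$(cd "$docroot" 2>/dev/null && pwd -P) || real_docroot=$docroot

    # Requirement 2: outside the configured DocumentRoot.
    case "$real_dir" in
        "$real_docroot"|"$real_docroot"/*)
            echo "FAIL: $dir lies under DocumentRoot $docroot"
            failures=$((failures + 1)) ;;
    esac

    # Requirement 3: owned by root or the designated administrator account.
    # "find DIR -prune" tests only DIR itself without descending into it.
    [ -n "$(find "$real_dir" -prune -user "$owner" -print)" ] ||
        { echo "FAIL: $dir is not owned by $owner"; failures=$((failures + 1)); }

    # Requirement 4: not writable by Other (mode bit 002 must be clear).
    [ -z "$(find "$real_dir" -prune -perm -002 -print)" ] ||
        { echo "FAIL: $dir is world-writable"; failures=$((failures + 1)); }

    # Write access should come from the Apache group (or an ACL), not from Other.
    [ -n "$(find "$real_dir" -prune -group "$group" -perm -020 -print)" ] ||
        echo "WARN: $dir is not group-writable by $group; check ACLs with getfacl"

    return $failures
}

# Run directly with at least DIR and DOCROOT, e.g.:
#   sh check_writable_dir.sh /var/lib/myapp/uploads /var/www/html
if [ $# -ge 2 ]; then
    check_writable_dir "$@"
fi
```

The exit status is the number of failed requirements, so the function can be used in a loop over every writable directory an application declares, and a non-zero status identifies the directories that still need the `chown`/`chmod` steps above.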

See Also

https://workbench.cisecurity.org/files/2378