Apache – Why FollowSymlinks on Apache is a Security Risk

Often, you run actual web applications inside your webserver (php, perl, whatever). This web-apps typically have write-access to some directory inside the document root to upload stuff.

Now, there might be a bug inside your web-app which would allow an attacker to create arbitrary files inside your web-root (and then probably symlinks too). This might even be possible when you don't have an actual upload component, but just the bug. These bugs are not that uncommon that you should ignore them. Especially applications like wordpress have a rather long history of this kind of bugs.

Now that an attacker can create files and symlinks inside your web root, it can let those symlinks point to arbitrary files on your webserver (/etc/passwd, config files with clear text passwords, ...) which finally could mean that an attacker can download all these files and use the gathered information for further attacks, like dictionary attacks on SSH password, simple authorized access to your database, ...)

If you restrict your Apache to not follow symlinks, this attack vector is much harder to exploit. Another, equally important security measure is to restrict read-access to only absolutely necessary files for the webserver / web application user. You could also use external application server (common with python and ruby applications, but also with fcgi setups) and run this with another user than the core webserver user. If you restrict access to important files between this user and the webserver user, you can gain a rather high security level.

Another alternative would be to chroot your apache to the document root, in which case the operating system would ensure that the Apache processes can access no files outside the document root. Note that this is rather hard to achieve with the packages in common distributions.