3.97gpl Security Updates

I have installed 3.97gpl and saw two warnings, the FollowSymLink and the mod_php one.

I haven’t yet fixed the mod_php one, but I applied the fix for FollowSymLink. It broke all Magento sites, so I reverted the changes.

Question 1: If anyone could suggest how to get SymLinksIfOwnerMatch to work with Magento I would appreciate it.

Question 2: How do I reset the alert so it shows up again? I would like to be reminded of the problem and eventually I want to get Magento to work with SymLinksIfOwnerMatch.

Question 3: I am now wary of applying the other fix (mod_php). Which files will it change? Will it let me know which ones before modifying them?

Feedback: it would be nice to give a rollback option of the changes if they break any sites. At least list on screen the changed files and warn the user to make a backup of them before applying the fix.

Thanks!

Howdy,

> Question 1: If anyone could suggest how to get SymLinksIfOwnerMatch to work with Magento I would appreciate it.

Can you post the errors that showed up in your logs while those problems were occurring? That would be in $HOME/logs/error_log.

> Question 2: How do I reset the alert so it shows up again? I would like to be reminded of the problem and eventually I want to get Magento to work with SymLinksIfOwnerMatch.

Can you describe how you reverted the changes?

> Question 3: I am now wary of applying the other fix (mod_php). Which files will it change? Will it let me know which ones before modifying them?

It shouldn’t matter, unless the configuration in use has the web apps using both FCGID/CGI along with mod_php, which is rare.

All it does is add “php_admin_value engine Off” to the Apache VirtualHost line for each domain, which disables mod_php when FCGID or CGI is in use.

-Eric

Hello there,

I ran into problems with my Magento store too; the only problem I had, though, was that none of the product images were showing. I fixed it by going into /media/.htaccess and commenting out:

Options All -Indexes

at the top of the file. I hope this won’t break anything else.

Please let me know what Magento problems you ran into. I also applied the mod_php fix as well and everything seems to be fine.

Hello Andrey!

  1. The error was “Option FollowSymLinks not allowed here”, and the result was no CSS/images in the entire site. Some Magento skins (maybe all 3rd party ones?) use a symlink “/public_html/app/design/frontend/skin_symlink”. It should have worked, as the entire site is under the same owner, but it didn’t.

  2. (Re)added allow FollowSymLinks to httpd.conf and htaccess (on / and media/ folders).

  3. Correct. I enabled it and no sites were broken (AFAIK & so far). Weirdly though it only found said problem on the Magento sites.

Let me know if I can help with anything else or if you would like to take a look at my server.

Thank you.

Some folks had posted that they found multiple .htaccess files within Magento that needed to be updated.

If you run this command, what output do you receive:

find /home/USERNAME/public_html -name .htaccess | xargs grep FollowSymLinks

Whatever htaccess files it finds, you’d need to update those to use “SymLinksIfOwnerMatch” instead.

-Eric
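The check described in the post above, extended as an added example (not part of the original thread and not Virtualmin's own code): it also flags `Options All`, which implies FollowSymLinks, and lists symlinks whose owner differs from the target's owner, which SymLinksIfOwnerMatch will not follow. The function names are hypothetical, and GNU find, grep and stat are assumed.

```shell
#!/bin/sh
# Added example: audit a docroot before switching to SymLinksIfOwnerMatch.
# Function names are hypothetical; assumes GNU find/grep/stat (Linux).

# Print file:line:text for every active Options line in a .htaccess file
# that enables FollowSymLinks, either by name or through "All".
# Commented-out lines and "-FollowSymLinks" are not reported.
htaccess_followsymlinks() {
    find "$1" -type f -name .htaccess -exec grep -HniE \
        '^[[:space:]]*Options([[:space:]].*)?[[:space:]][+]?(FollowSymLinks|All)([[:space:]]|$)' \
        {} +
}

# Print every symlink that SymLinksIfOwnerMatch would refuse to follow:
# the link and its target have different owners, or the target is missing.
symlink_owner_mismatch() {
    find "$1" -type l -exec sh -c '
        for link in "$@"; do
            link_uid=$(stat -c %u "$link")
            target_uid=$(stat -L -c %u "$link" 2>/dev/null) || target_uid=missing
            [ "$link_uid" = "$target_uid" ] ||
                printf "%s link_uid=%s target_uid=%s\n" "$link" "$link_uid" "$target_uid"
        done' sh {} +
}

# Usage: sh audit.sh /home/USERNAME/public_html
if [ "$#" -ge 1 ]; then
    echo "== .htaccess lines enabling FollowSymLinks =="
    htaccess_followsymlinks "$1"
    echo "== symlinks SymLinksIfOwnerMatch will not follow =="
    symlink_owner_mismatch "$1"
fi
```

Each reported .htaccess line is one to change to SymLinksIfOwnerMatch; each reported symlink needs its ownership or target fixed before the stricter option will serve it.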

All Magento installations will have at LEAST one htaccess in root and another one in media.

Also, how do I reset the alert so it shows up again? FollowSymLinks is present in the htaccess and httpd.conf now.

The problem I had was only no CSS/images in the entire site and “Option FollowSymLinks not allowed here” was the error in the logs.

I have not tried the option you suggested, but I will next time I run this fix.

Thanks

Sentient, were you using a third party or built in skin?

I’m using the “Modern” built in skin.

That’s why you didn’t have problems with SymLinks. Most (if not all) 3rd party skins use symlinks, at least on 1.4 and 1.5

Thanks

I have this issue too. With the new ‘security’ fix, they actually broke many websites.

Well done.