URGENT! - Huge security flaw with my webhost's setup?

Rather urgent too!

         

Karma

8:59 am on Jul 29, 2010 (gmt 0)

10+ Year Member



Hi all,

I'm using a pretty well known and respected webhost, as is a colleague of mine.

We are both on the same webserver as are many others.

This morning he discovered that if you know...

- the account name
- filename + path
- variable name

...you can display the value, simply by including the file. So for WordPress it will most likely be...

<?php
include("/usr/www/users/USERNAME/SITENAME/wp-config.php");
echo DB_PASSWORD;
?>

In addition to this (which is more worrying to me) he was able to use the PHP implode function to display the PHP source of any of my pages...

<?php
$data = implode('',file('/usr/www/users/USERNAME/SITENAME/index.php'));
echo $data;
?>

...which could then be used to read through the entire site's code (get the database config/database username/password).

Tell me this isn't normal/right!? Is there anything that can/should be done?

Karma

10:01 am on Jul 29, 2010 (gmt 0)

10+ Year Member



The more I read into this, the more I think this is the normal setup.

I never really gave this much thought - fail on my part.

encyclo

10:45 am on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Normal setup or not, it's horribly insecure. But of course many shared hosts sacrifice security for ease of use, as this leads to lower support costs for them. I would not want to run any site on this kind of setup.

It's easy to say "don't use shared hosting", but there are some shared hosts who ensure much better isolation between sites on the same server. Otherwise, look for hosts offering a mini-VPS, often for not much more than old-style shared hosting. (VPS setups aren't a security panacea but they are leagues ahead of shared hosts).

(I just looked at the setup of a shared host I'm using, and their setup certainly doesn't allow for this kind of interference between member sites - however they aren't a cookie-cutter outsourced shared hosting overseller like the vast majority of providers out there.)

[edited by: encyclo at 11:05 am (utc) on Jul 29, 2010]

Karma

11:05 am on Jul 29, 2010 (gmt 0)

10+ Year Member



Insecure doesn't seem to cover it! When I first signed up with said host, I was able to access everyone's folders by browsing up a directory level from my account root.

If I'd have known this at the time, I could have (in theory) browsed any user's account and (very very) easily accessed any of their code/access their databases.

:o

Karma

10:45 am on Jul 30, 2010 (gmt 0)

10+ Year Member



Just an update, and I'm finding more and more security holes.

Using an FTP client, I log in to the following remote folder:

/usr/www/users/MYUSERNAME

From here, I am able to change the username and access any other user's account:

/usr/www/users/OTHERUSERNAME

Providing their directories at this level are not set to 705 (705 is not default), I am able to access their folders and download whatever files I like, such as WordPress configs etc.

Help!?
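An added example, not part of the thread: a Python audit an account owner could run over their own directory to list entries whose mode still grants group access, which is what setting 705 removes. It assumes that on this host other customers reach files through the group bits (inferred from 705 being the fix); the sample tree and function names are constructed here.

```python
import os
import stat
import tempfile

GROUP_BITS = stat.S_IRWXG  # 0o070: any read/write/execute right for the group


def strip_group_bits(mode):
    """Return mode with all group rights cleared, e.g. 0o755 -> 0o705."""
    return mode & ~GROUP_BITS


def group_exposed(root):
    """Return sorted (relative path, octal mode) pairs that grant group access."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):  # symlink modes are not meaningful
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_BITS:
            findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def demo():
    """Build a constructed account tree, audit it, tighten it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "MYUSERNAME")
        site = os.path.join(root, "SITENAME")
        os.makedirs(site)
        for name, mode in (("wp-config.php", 0o644), ("index.php", 0o604)):
            path = os.path.join(site, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(site, 0o755)   # common default: group can list and enter
        os.chmod(root, 0o705)   # the mode mentioned in the post above
        before = group_exposed(root)
        for rel, _ in before:
            path = os.path.join(root, rel)
            os.chmod(path, strip_group_bits(stat.S_IMODE(os.lstat(path).st_mode)))
        return before, group_exposed(root)


if __name__ == "__main__":
    print(demo())
```

Clearing the group bits leaves the "other" bits untouched, so whether the web server can still read the files afterwards depends on which user the host runs PHP as.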

encyclo

11:34 am on Jul 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Be careful, if they're logging FTP access and check out your usage (for example if you lodge a complaint or go public), they could accuse you of "hacking". It depends on their attitude, so don't take risks.

Help!?


Well, the ability to restrict a user to his own directory (chroot) is a one-line change in the FTPD config, so they are either clueless morons, or they are leaving the security wide open to avoid hassles from customers complaining about restrictions.

The only help I can suggest is to get your site off that server and away from that hosting company. This is easy if your domain name is not registered via the same company (you should avoid such a situation anyway), otherwise move your domain to an independent registrar first.

bmimatt

7:03 pm on Aug 4, 2010 (gmt 0)

10+ Year Member



Any host that allows their clients to log in via FTP is insecure right off the bat. FTP hostname/username/password fly over the wire in clear text and are rather easy to sniff. Responsible hosts do not run an FTP server at all; SFTP or SCP are a much more secure alternative. For a client you'd use something like WinSCP (free, for Windoze).

On another note, there is a secure way to set up a shared environment where people cannot see each other's files. At least on Linux/*NIX.