Hi, it's been a long time since I posted for the last time.

Anyway, I've got a question to those who run the hosting company,
or who has got any idea.

There's some script which is written in perl , and it's
been developed originally in order to maintain the website remotely
without logging into FTP account.
It can treat webspace as a normal harddisk in PC like Windows Explorer.
It can change the permission of the files , delete, upload, download, edit.

Okay, here's problem, this software can browse beyond its personal folder
and browse upper folders. Say, if your account is:"user01" , if you go
out from your folder , you can see other user's folders like "user02" or
"user99" or every user in the same level. Even it can go up to upper folder.
I didn't try to enter other user's folder or, see the inside of it because
it could be violating TOS and of course I don't want to do that.
Possibly it can't read any files in the folder unless the permission is 666 or
777. But it can easily imagine that somebody normally sets the permission like that.

My question is, is this a problem of the configuration of the server...or,
can't it be congfigured to avoid this kind of problem?
..I'm anxious if somebody try to read my folder and then understand what kind
of name I'm using for the data or log files and what kind of constructure I've
got in it..or even try to modify, delete it.

Somebody would say " why don't you discuss it with your hosting company".
At the moment I hesitate to do it because . . . .
I've got some accounts in some hosting companies and I found 2 companies's
configuration allowed me to "surf" the server. It couldn't surf in 1 company who's
reputation is quite good. Once I had tried to sort this out with 1 company but
they couldn't and I was told that the problem is in RAQ itself and
not their configuration. Even they changed the server's configration not to
run perl for the specific period...over a week. I would try again and it depends
on how the hosting company can sort it out without disabling cgi facility.
. . . That's why.

I didn't reveal the name of the script but I believe you can find
it easily.

If you've got any idea, please let me know.

Cheers,
GVC

It sounds to me, like you're referring to a file manager script (which can be written in any language and use a variety of interfaces).

This is a valid concern and there are a few solutions the web host can take. Firstly, the script in question can be very easily modifed to ensure that the user can not leave their home directory structure (and furthermore, to ensure it doesn't follow symbolic links -- which someone could use to link to another user's account and surf in that way).

However, the problem is not the script in question. It's the settings, the ownership and permissions of the files and directories that are at hand. This can be resolved in a few ways, but the host has to have the know-how to be able to do it, an if they do, they can successfully limit user's access, so no user can use FTP, shell (telnet/SSH, etc.) or use any script (or write any script) in any language to be able to snoop around.

The problem exists, because of default configurations and settings. This can be resolved by using different user's and groups, as well as different permissions and control how things are ran. However, that also depends on the system and the administrators. I'd contact them and see how concerned they are and what actions they might or are already planning to take -- and if they are able to or not. This is a common issue that few people seem attentive to, and it's good to see you are concerned and educated about it, but the problem exists because yourself and other's are -- and not everyone has the moral's you do -- and there's a lot to risk, potentially anyway.

Unfortunately, I can't offer any step by step guide right here and now, but I've posted solutions to this previously (more than a few times) here on this site -- which will be in the forums archives somewhere. Basically, it's just about what options and modules the web host offers, what OS they are running, what software they are running, etc. Then the rest is to control what can be done and then set certain permissions and ownership -- again, depending on their set up and OS, etc.

Thank you for prompt reply, Tim_Greer. :)

Yes, the script has got some parameter not to go beyond their home directory but, in other words, that's user's choise and the script can prevent users from leaving/surfing their home folders...physically ... as you wrote.

As one of the users hosted in some companies, all I can do seems just to ask the hosting company whether they can manage this issue or not. If they couldn't, I will need to look for another hosting company since I feel very insecure about my site that somebody could read my data files. And on top of that, I haven't got clue nor specific idea they should have been dealt with.

I'm wondering why this issue didn't bring up the security problem so many times. But at least you'd posted the solution in here... :confused:
I'm going to have a look.

Cheers,
GVC