View Full Version : aletia-WARNING
Snakebite 04-06-2002, 11:27 PM
http://aletiaforums.com/showthread.php?s=&threadid=3260
posted by someone else:
Despite the ample warnings about a MAJOR security hole, the security hole on the starfish machine (and probably all others as well) still exists!
Here are two posts made about this issue which seem to be completely ignored by Aletia:
http://www.aletiaforums.com/showthr...=&threadid=3000
http://www.aletiaforums.com/showthr...=&threadid=3239
I also wrote aletia support and told them about the WebTv "Telnets" and how we can edit, create, delete, chmod, and about anything we want to do to someone ELSE'S files on our server from our own accounts there. I received a reply saying "You cannot do anything to someone else's files with that script."
So I proceeded to install the very same script I sent to support in my account, and created a directory in my OTHER account on starfish (I have two accounts on the starfish machine) without having to log in or access a filemanager or anything. SIMPLE UNIX commands are all it takes to hack someone else's account!
I even told them exactly how I did it, and provided the script and commands so they could try to do it themselves.
I still have not received a reply from them after I told them they were mistaken.
I am on webtv, and I can hack into ANYONE's account on starfish, and do whatever I want with their files! How secure is that?
Good thing I'm not a malicious hacker! But...SOMEONE is, and they have been up to their dirty work for quite some time now, and aletia still says "You cannot do anything with that script!"
I'm sure the hackers that are experienced with this type of script can do a LOT more than what I can do, since I am NOT a good "hacker!"
I sure wish Aletia would take us seriously and DO SOMETHING!
I guess they have to admit to themselves that there even IS a problem first!
Well, I even gave them PROOF!
Let's see if they do anything....
jayglate 04-07-2002, 12:39 AM
So how is this problem fixed?
SYNATIX 04-07-2002, 12:58 AM
Snake i am wondering if you could test this security hole and patch it on my server if my server does have the problem. You can contact me at inc@synatix.com Thank you for your time as i do care that my customers' files are safe.
After reading the discussion in above mentioned thread, it does not seem like a security hole :) Only wrong permissions on directories.
If you give someone shell access and have every other directory set to 777 what do you expect? :D
Snakebite 04-08-2002, 05:20 PM
Originally posted by SYNATIX
Snake i am wondering if you could test this security hole and patch it on my server if my server does have the problem. You can contact me at inc@synatix.com Thank you for your time as i do care that my customers' files are safe.
as i posted, i didn't write that. click on the link to the thread and you'll see who started it. maybe they can help you?
Snakebite 04-08-2002, 05:21 PM
Originally posted by jayglate
So how is this problem fixed?
it's probably not fixed.
bitserve 04-08-2002, 08:25 PM
Originally posted by masood
After reading the discussion in above mentioned thread, it does not seem like a security hole :) Only wrong permissions on directories.
If you give someone shell access and have every other directory set to 777 what do you expect? :D
From where I'm sitting, wrong permissions can definitely cause a security hole.
Originally posted by bitserve
From where I'm sitting, wrong permissions can definitely cause a security hole.
:o wrong permissions is an open door :)
allera 04-08-2002, 11:07 PM
Who owns the directories? Can't you just fix it yourself by typing 'chmod 711 .' in your ~ directory and then continue to tighten permissions with your files?
True, most probably don't know how, but if you post it in their forums how to fix their errors, you'll make many people happy.
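The fix allera describes above, written out as a script (an added example, not part of the original thread; the function names are hypothetical and the directory argument defaults to $HOME):

```shell
#!/bin/sh
# Added example: audit and tighten permissions in a shared-hosting home
# directory. Function names are hypothetical, not from any tool in the thread.

# List everything under DIR that any other account on the machine can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_world_writable() {
    find "${1:-$HOME}" ! -type l -perm -0002 -print
}

# List directories under DIR whose contents other accounts can list
# (the "other" read bit is set on the directory).
audit_world_listable() {
    find "${1:-$HOME}" -type d -perm -0004 -print
}

# Apply the suggestion from the thread: 711 on the top directory, so the web
# server can still traverse into it but other users cannot list it, then
# remove the world-write bit from everything below.
tighten_home() {
    dir="${1:-$HOME}"
    chmod 711 "$dir"
    find "$dir" ! -type l -perm -0002 -exec chmod o-w {} +
}
```

On a server without suEXEC, CGI scripts run as the web server's user rather than as the account owner, so a file manager script that relied on 777 directories will no longer be able to write once the world-write bit is removed.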
http://aletiaforums.com/showthread.php?s=&threadid=3260
http://www.aletiaforums.com/showthr...=&threadid=3000
http://www.aletiaforums.com/showthr...=&threadid=3239
Those links are going to invalid threads. You have to replace ... with ead.php?s in the last 2 links. Are they deleted?
Or could someone say in which forum these threads are supposed to be?
Just have SuEXEC enabled and permissions set to 700, or 755 and everything is safe... :)
Snakebite 04-09-2002, 01:39 PM
Originally posted by gwh
Those links are going to invalid threads. You have to replace ... with ead.php?s in the last 2 links. Are they deleted?
Or could someone say in which forum these threads are supposed to be?
http://aletiaforums.com/showthread.php?s=&threadid=3000
http://aletiaforums.com/showthread.php?s=&threadid=3239
Hello everyone.
I would be the person who started that thread at aletia forums. The main problem I think is I am on webtv, and for some reason aletia does not recognize me as a "trusted" user.
All I know is that in order for me to edit my files with my filemanager script, to ftp, and pretty much anything besides view a static .html file, the directory it is in has to be set to 777!
The security hole I was talking about was that I could access other people's accounts from mine with a simple command line script.
This was probably because I tried other webtv user's accounts, and THEY had to have their directories set to 777 as well.
But I could also list the files in random accounts too, so I think it was a server security problem. I should NOT have been able to wander above my root directory, but I could!
So, anyone know how to make a server recognize me as a user besides with suEXEC?
I was told that that was not available on the machine my accounts are on.
I am going to be online with a PC by the end of the week, so hopefully I can stop having these problems soon. Aletia was not very helpful with this problem at all!
Thanks!
~^B3ch^~
Zorbs 04-10-2002, 08:40 PM
B3ch -
hey, fancy meeting you here :wavey:
You pay Aletia, they're not doing their job. Ditch em!!!
Originally posted by Snakebite
http://aletiaforums.com/showthread.php?s=&threadid=3260
posted by someone else:
Despite the ample warnings about a MAJOR security hole, the security hole on the starfish machine (and probably all others as well) still exists!
I have warned the support about some patch, then they tell me they will do it in the next round of updates ... Maybe in 2 years I guess...
Go away from here! I'm down again for over 6 hours now ... fortunately I have a new host but have to wait for the nameserver transfer ...
Then over 8 hours last week, then a lot of small downtime
(i monitor my site so i know when they go down..)
:angry:
Originally posted by Snakebite
http://aletiaforums.com/showthread.php?s=&threadid=3000
http://aletiaforums.com/showthread.php?s=&threadid=3239
haha!!! I just saw a couple of minutes ago that aletia deleted my complaint thread in the forum :-))
So maybe deleted....
:blush:
Hey, Zorbs and Snakebite!
It so happens when my girlfriend and I were both working, aletia was doing just fine. After I lost my job, and money became tight, THAT's when aletia turned to ****!
I am considering that place you recommended to me zorbs...but the "great deal" was why I chose aletia in the first place.
I must confess, I'm kind of wary about places that offer so much for so little now.
Do you know anyone who is hosted at that place now? Also, if they are so great, why aren't you hosted there right now? Or are you?
Aletia has surely made me wonder about those "too good to be true" hosting packages!
:angry:
~^B3ch^~
Very strange, NOW I'm banned from aletiaforums again! :eek:
I haven't even posted there for a while now!
They sure don't like people telling the truth about them there....do they?
:scatter:
I guess I'm going to have to go in as my other username again!
~^B3ch^~
Zorbs 04-11-2002, 10:59 AM
There's so many good deals out there that I came across cyberpixels after I signed up with site5. I would recommend site5 very highly, since I now have personal experience with them.
Snakebite 04-11-2002, 08:43 PM
Originally posted by B3ch
Very strange, NOW I'm banned from aletiaforums again! :eek:
I haven't even posted there for a while now!
They sure don't like people telling the truth about them there....do they?
:scatter:
I guess I'm going to have to go in as my other username again!
~^B3ch^~
they're going down.