Thread: Dreamhost is COMPLETELY INSECURE
-
02-08-2007, 03:13 AM #1 Junior Guru Wannabe
- Join Date
- Mar 2006
- Posts
- 34
Dreamhost is COMPLETELY INSECURE
I was just playing with dreamhost and you can browse into other people's directories!
I just went back a level in the structure, picked an NFS mount (they start with periods, as if that hides them or something), browsed into someone's directory, went into logs (which is world viewable and tells me the name of their domain name), checked out their access log (which would show me any password sent via GET), browsed into their web directory since now I know its name, and explored their files, including finding out their wordpress mysql password. As far as I can tell, this works for EVERY user, and you can't secure it because if any of those directories are set with non-world-readable permissions, the hosting won't work.
Wow.
Time for me to find a new host. Any recommendations on a host with similarly large quantities of storage and bandwidth, but that is secure?
-
02-08-2007, 03:17 AM #2 Web Hosting Master
- Join Date
- Feb 2002
- Location
- Australia
- Posts
- 24,027
Have you informed them of this possible security concern?
• WLVPN.com • NetProtect owned White Label VPN provider •
• Increase your hosting profits by adding VPN to your product line up •
-
02-08-2007, 03:19 AM #3 Junior Guru Wannabe
- Join Date
- Mar 2006
- Posts
- 34
Informed who? I'm fairly sure that DreamHost knows their setup is insecure.
-
02-08-2007, 03:27 AM #4 Custom Hosting Master
- Join Date
- Jan 2007
- Posts
- 2,602
Still, you should e-mail them about it...
-
02-08-2007, 03:30 AM #5 Junior Guru Wannabe
- Join Date
- May 2005
- Posts
- 30
Wow, I have only heard bad things about dreamhost, mostly saying they have so much downtime etc. Now this; well, that is really bad. I never liked them because they oversell so much. But yeah, try and find a new host if you see fit, and/or inform them.
-
02-08-2007, 03:31 AM #6 Web Hosting Master
- Join Date
- Mar 2006
- Location
- Australia
- Posts
- 771
I'd contact them before moving..
If you don't want to email them, I'd try browsing the hosting offers section or just typing "web host" in google, which should bring up some hosts with large quantities of space and transfer, since they get more traffic than anyone else.
-
02-08-2007, 03:31 AM #7 Junior Guru Wannabe
- Join Date
- Mar 2006
- Posts
- 34
I'm emailing them.
Last edited by iterationlab; 02-08-2007 at 03:38 AM.
-
02-08-2007, 03:33 AM #8 Web Hosting Guru
- Join Date
- Nov 2006
- Posts
- 263
This is quite possibly the stupidest way you could have gone about fixing this.
A. You shouldn't have viewed other people's files.
B. You shouldn't have admitted to doing so. I'm sure this is a violation of your AUP.
C. You should have contacted Dreamhost before telling the thousands of people who view this board.
-
02-08-2007, 03:33 AM #9 Web Hosting Master
- Join Date
- May 2005
- Location
- Behind a linux box
- Posts
- 687
Originally Posted by tectonic
P.S.: when I try to get in someone else's directory I get a permission denied.
Got Fused?
-
02-08-2007, 03:40 AM #10 Junior Guru Wannabe
- Join Date
- Mar 2006
- Posts
- 34
You cannot view their home directory, but you can go directly into logs.
Look, I would never abuse this, I just want to know how to secure my own directory, and I want to let other people know that there is a real issue here.
Email sent, BTW. I did not intend to air dirty laundry on this thread. I genuinely feel like I should tell people about what I think is a real issue. If moderators disagree, feel free to delete the thread.
Last edited by iterationlab; 02-08-2007 at 03:55 AM.
-
02-08-2007, 03:47 AM #11 Hosting Specialist
- Join Date
- Sep 2003
- Location
- Washington, USA
- Posts
- 3,262
I'm surprised they allow full bash SSH access. If I were Dreamhost, I'd immediately yank everyone's SSH access till they get these access issues resolved.
█ ‹‹SHAW NETWORKS›› Simple. Professional. Reliable. Web Hosting Done Right.
█ Low Cost & Award-Winning: cPanel Reseller Plans ›› 24/7/365 Live Technical Support ‹‹
█ Website: www.shawnetworks.com Fast Response E-mail: sales @ shawnetworks.com
█ Sick of downtime? Fed up with excuses? Drop your host! Switch to Shaw Networks.
-
02-08-2007, 04:16 AM #12 Junior Guru Wannabe
- Join Date
- Mar 2006
- Posts
- 34
I found this thread and it answers some of my questions. I'm sorry for the ruckus here. I still think dreamhost is pretty insecure, and their default file permissions don't help, but any admin, feel free to delete this thread.
-
02-08-2007, 04:48 AM #13 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
The previous host I was using had a similar problem, and I insisted on it in their forum for a few weeks to change the setting (change the ownership of the files/dirs).
Fortunately, they made the change.
Similarly, if DreamHost changes the owner of the directory, we can change the setting.
Judging from the fact that the logs directory and its contents are owned by root,
I think they can be chowned and chmoded without causing any problem.
So, if they change the owner to each user and chmod 700 all dirs and files in logs, it should be secure enough for shared hosting, IMO.
It shouldn't be difficult to do this.
I was wrongly thinking that they were using grsec or pax or something to secure all our directories .....
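The chown/chmod fix described in the post above, as an added example that is not code from the thread or from any host mentioned in it: a small POSIX shell audit that lists everything under a logs tree that "other" users can read or traverse, and a hardening function that strips the group/other bits the way the post proposes. The directory layout, file names and the log line built by make_demo_tree are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from any host it mentions.
# Audits a "logs" tree for entries other local users can read or traverse,
# then applies the fix post #13 proposes: owner-only access to the logs.
# The tree built by make_demo_tree is CONSTRUCTED for the demo.

# Print every file or directory under $1 that grants "other" any of r, w or x.
# (-perm -o=r and friends are POSIX find syntax, so this runs on GNU and BSD find.)
list_world_accessible() {
    find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
}

# Same scan reduced to a count, so a cron job or a test can compare it to 0.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Remove all group/other permissions below $1 while keeping the owner's bits
# (directories end up 700, files keep their owner bits only).
# Post #13 also wants the tree chowned to the account user; that step needs
# root, so it is only attempted when an owner is given and we run as uid 0.
harden_logs_dir() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir"
    fi
    chmod -R go-rwx "$dir"
}

# Build a throwaway tree shaped like the situation the thread describes:
# world-traversable log directories and a world-readable access log.
make_demo_tree() {
    demo=$(mktemp -d)
    site="$demo/logs/example.test/http"
    mkdir -p "$site"
    # CONSTRUCTED sample request line; a query string in a readable access
    # log is exactly the exposure the first post complains about.
    printf 'GET /login?user=demo&token=CONSTRUCTED HTTP/1.1 200\n' > "$site/access.log"
    chmod 755 "$demo/logs" "$demo/logs/example.test" "$site"
    chmod 644 "$site/access.log"
    printf '%s\n' "$demo"
}

# Stand-alone run: audit, harden, audit again, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "before: $(count_world_accessible "$root/logs") world-accessible entries"
    harden_logs_dir "$root/logs"
    echo "after:  $(count_world_accessible "$root/logs") world-accessible entries"
    rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo`; on the constructed tree the count goes from 4 (the three directories plus the log file) to 0. Pointing `list_world_accessible` at a real account's logs directory gives the same check without changing anything; `harden_logs_dir` is only safe once the tree is owned by the account user, since a root-owned 700 directory would lock the user out of their own logs, which is the ordering the post above describes.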
-
02-08-2007, 05:13 AM #14 Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 570
Originally Posted by tectonic
-
02-08-2007, 06:34 AM #15 Web Hosting Master
- Join Date
- Aug 2001
- Posts
- 673
I do not think any host that offers shell access is secure!
https://www.2mhost.com
Since 2001
-
02-08-2007, 08:47 AM #16 Web Hosting Master
- Join Date
- Jan 2005
- Location
- Richmond, VA
- Posts
- 3,119
tectonic, it's rather irresponsible to post that here and not tell Dreamhost. You have just put thousands of accounts in danger. Please contact them at once.
Daniel B., CEO - Bezoka.com and Ungigs.com
Hosting Solutions Optimized for: WordPress • Joomla • OpenCart • Moodle
Data Centers in: Chicago (US), London (UK), Sydney (AU), Sofia (BG), Pori (FI)
Email Daniel directly: ceo [at] bezoka.com
-
02-08-2007, 08:54 AM #17 Web Hosting Master
- Join Date
- Apr 2003
- Posts
- 2,407
Daniel, be responsible and actually read the thread... they have been notified.
Technical Advisor for new A&E Series The Killing Season
There are no random acts of violence
Starts November 5th!
-
02-08-2007, 08:56 AM #18 Web Hosting Master
- Join Date
- Jan 2005
- Location
- Richmond, VA
- Posts
- 3,119
Dave, posting what one thinks is a security hole before alerting those who can fix it is irresponsible. If I was a bit late in replying to the thread, I apologize that that has offended you. However, I still maintain my stance that it was irresponsible to post it here first.
-
02-08-2007, 09:07 AM #19 Web Hosting Master
- Join Date
- Apr 2003
- Posts
- 2,407
Just as posting that he should notify them when he already has.
-
02-08-2007, 09:55 AM #20 Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 9,264
Originally Posted by 2Mhost
Offering any file execution (php included) is the equivalent of shell.
-
02-08-2007, 10:14 AM #21 Disabled
- Join Date
- Nov 2003
- Location
- Amidst several dimensions
- Posts
- 4,324
Why?
Offering any file execution (php included) is the equivalent of shell.
-
02-08-2007, 10:48 AM #22 Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 570
Originally Posted by 2Mhost
Originally Posted by unity100
Last edited by aldee; 02-08-2007 at 10:54 AM.
-
02-08-2007, 11:38 AM #23 Web Hosting Master
- Join Date
- Sep 2001
- Posts
- 771
You can offer jailshell without compromising security. Offering full bash shell access is going to cause problems at times on a shared server.
-
02-08-2007, 11:56 AM #24 Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 570
You should never, ever allow anything but jailed services. That includes apache / FTP / SSH and so on and the entire user directory structure (no harm in putting them all into the same changeroot environment). Obviously, a few security related kernel patches will be a good idea as well (grsecurity, for instance). I stand by my statement.
Last edited by aldee; 02-08-2007 at 12:02 PM.
-
02-08-2007, 12:27 PM #25 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
In this particular problem, SSH or script, jailed or not, it doesn't matter.
The directory is in the user's directory, and any CGI script (or PHP, if it's not using the obsolete safe_mode + open_basedir) can possibly read it.
It has nothing to do with the availability of full SSH.
My previous host didn't offer SSH at all, and it had exactly the same type of problem.
Servage doesn't offer SSH, and it had a much worse situation when I was using them (and possibly it's still unchanged).
And at many hosts, I think we can see other users' processes with their environments.
http://www.webhostingtalk.com/showthread.php?t=573049