
01-16-2006, 01:05 PM
Junior Guru Wannabe
Join Date: Jul 2005
Posts: 51
If you found a massive security hole with your webhost, what would you do?
Well, right off the bat, of course you would tell them, right? Well, what if they panicked and the easiest fix broke your site(s)?
Without going into too many details, one of the hosting companies I use has a vulnerability where I can see any of the other users' files, passwords, etc., even if they're password-protected resources. I'm talking source files, everything.
This is a pretty big deal, and I need to tell them, but I want to tell them in a way that they won't freak out and shut down my account. I found this out very accidentally, but again, the way I have things set up on my site now, if they fix this bug, it could very possibly break one of my sites.
Any suggestions?

01-16-2006, 01:08 PM
Web Hosting Evangelist
Join Date: Aug 2005
Location: EIB Network
Posts: 474
I'm not sure how it could "break" your site if your site is properly coded and designed. If they are password protected resources... I'm not sure how you can so easily see the secure files... if you could, then it wouldn't be "password protected". I'm at a loss.
__________________
People train run out of Stubville.

01-16-2006, 01:18 PM
Junior Guru Wannabe
Join Date: Jul 2005
Posts: 51
Well, a little more detail:
My site reads and writes files, creates directories, does all kinds of things on the fly. So, the process it runs under needs write privileges on the file server. I've had some problems with webhosts tightening their security, and when they do, my site breaks because it doesn't have the ability to create files & folders.
So, along those lines, I found out that through my site, I can not only read and write files in my own directories, but any user's directory (and potentially any directory) on the server. So, what I was saying was, even if the user password-protected a directory on their site from a website point of view, I could still see and download any file I wanted from anywhere on the server...
That's the security problem.

01-16-2006, 02:38 PM
Disabled
Join Date: Jan 2006
Posts: 7
This sounds reminiscent of old dedicated servers, where you could freely browse around anyone's directories via FTP. You couldn't write to them, but you could view/download/do other bad stuff to any file anywhere on the server.
If you can actually read and write to other people's sites, then you should definitely alert your host, because something is horribly wrong. If you can only view other files, then something may not technically be broken. They just may not have that extra security measure in place.
Though, no matter how tight your hosting company's "security" is (or lack thereof), it seems a little strange to me that they'd worry more about users creating directories as the Apache user in their own directories, thus breaking your site, and would overlook the fact that you can read and write manually to any other directory...
My advice -- get a new host 

01-16-2006, 02:49 PM
Junior Guru
Join Date: Feb 2005
Location: Poland
Posts: 248
Quote:
Originally Posted by iambuddylee
Well, a little more detail:
My site reads and writes files, creates directories, does all kinds of things on the fly. So, the process it runs under needs write privileges on the file server. I've had some problems with webhosts tightening their security, and when they do, my site breaks because it doesn't have the ability to create files & folders.
That's the security problem.
So it means you have probably badly coded your site (open_basedir problems??).
It's like you'd be using $var instead of $_POST['var'] and blamed your hosting company for being hacked because they left register_globals=on ;-)
If you can do something that isn't meant to be done in a shared environment, it means you should rewrite your code. What would happen if you needed to change your hosting company? Your site dies; this should not be an option.
My way of solving this is to recode the parts of your site to work as they should, and then inform your host of the vulnerability.
And one more thing....
Aren't you scared that if you can do it, someone else can do it too? And read your data?
Last edited by ergo; 01-16-2006 at 02:59 PM.

01-16-2006, 03:00 PM
Junior Guru Wannabe
Join Date: Jul 2005
Posts: 51
Quote:
Originally Posted by ergo
So it means you have probably badly coded your site (open_basedir problems??).
It's like you'd be using $var instead of $_POST['var'] and blamed your hosting company for being hacked because they left register_globals=on ;-)
If you can do something that isn't meant to be done in a shared environment, it means you should rewrite your code. What would happen if you needed to change your hosting company? Your site dies; this should not be an option.
My way of solving this is to recode the parts of your site to work as they should, and then inform your host of the vulnerability.
Actually, it's ASP.NET, not PHP, so I don't really understand your example, but I see what you're saying. I don't think that anything is coded incorrectly on my end; there are just a few weird settings that webhosts sometimes miss. It is possible to allow my site to read and write within its little sandbox and not let it out of its cage, but in the past when a host needs to fix what they consider an immediate flaw, they overreact and take away everyone's permissions, creating a problem...
I will try and verify that I can indeed write to other users' folders; if I can, then yeah, it's a big problem. Even if I can just read, there are lots of passwords and other things out there that I shouldn't be able to get to that I can.
Anyways, I'll start talking with them about this and see what they say.
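As an added example from the defender's side (not code from the thread or from any poster), this is the kind of containment meant by keeping an ASP.NET site "in its little sandbox": every path the site reads or writes is resolved and checked against the site's own root before it touches the file system, so the application does not depend on the host having left permissions loose. The site root, the sample paths and the helper name SiteSandbox.Resolve are constructed assumptions.

```csharp
using System;
using System.IO;

// Added example, not from the thread: confine all file access of a site to
// its own directory tree, regardless of what the file server would permit.
public static class SiteSandbox
{
    // Returns the resolved absolute path if it lies inside siteRoot, otherwise
    // throws. ".." segments, "." and mixed separators are resolved first, so
    // the check runs on the canonical path rather than on raw user input.
    public static string Resolve(string siteRoot, string requestedRelativePath)
    {
        string root = Path.GetFullPath(siteRoot)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;

        // Path.Combine returns the second argument unchanged when it is rooted
        // (e.g. "D:\sites\othersite\db.txt"); the prefix check below still catches it.
        string full = Path.GetFullPath(Path.Combine(root, requestedRelativePath));

        // The trailing separator on root matters: without it, a sibling such as
        // "D:\sites\mysite-old" would pass a check against "D:\sites\mysite".
        // OrdinalIgnoreCase suits Windows/NTFS; use Ordinal on case-sensitive file systems.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException(
                "Path escapes the site root: " + requestedRelativePath);

        return full;
    }

    public static void Main()
    {
        // Constructed sample values; a real site would take its root from its own configuration.
        string root = @"D:\sites\mysite";
        string[] requests =
        {
            @"data\cache\page1.html",          // inside the sandbox: allowed
            @"..\othersite\web.config",        // walks into a neighbour: blocked
            @"D:\sites\othersite\db.txt",      // absolute path elsewhere: blocked
            @"..\mysite-old\secrets.txt",      // sibling with a shared prefix: blocked
        };
        foreach (string request in requests)
        {
            try { Console.WriteLine("allowed: " + Resolve(root, request)); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("blocked: " + e.Message); }
        }
    }
}
```

This keeps the application itself from reaching neighbours' files, but it is not a substitute for per-site isolation on the host (separate process identities and file permissions), which is what the other customers on that server still need.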

01-16-2006, 03:29 PM
Junior Guru
Join Date: Feb 2005
Location: Poland
Posts: 248
If you are uncomfortable with informing them directly, create some free email box and email them.
I didn't know it was ASP.NET :-)

01-17-2006, 05:39 PM
Web Hosting Master
Join Date: Dec 2002
Posts: 1,300
Sell your web hosting account to the highest bidder. Some local IRC kiddies will be most appreciative.
Just kidding.. Make a backup and get the heck out!
__________________
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"