Page 1 of 3 123 LastLast
Results 1 to 40 of 109
  1. #1
    Join Date
    Mar 2006
    Posts
    34

    * Dreamhost is COMPLETELY INSECURE

    I was just playing with dreamhost and you can browse into other people's directories!

    I just went back a level in the structure, picked an NSF mount (they start with periods, as if that hides them or something), browsed into someone's directory, went into logs (which is world viewable and tells me the name of their domain name), checked out their access log (which would show me any password sent via GET), browsed into their web directory since now I know its name, and explored their files, including finding out their wordpress mysql password. As far as I can tell, this works for EVERY user, and you can't secure it because if any of those directories are set with non-world-readable permissions, the hosting won't work.

    Wow.

    Time for me to find a new host. Any recommendations on a host with similarly large quantities of storage and bandwidth, but that is secure?

  2. #2
    Join Date
    Feb 2002
    Location
    Australia
    Posts
    24,009
    Have you informed them of this possible security concern?
    AussieHost.com Aussie Bob, host since 2001
    Host Multiple Domains on Fast Australian Servers!!

  3. #3
    Join Date
    Mar 2006
    Posts
    34
    Informed who? I'm fairly sure that DreamHost knows their setup is insecure.

  4. #4
    Still, you should e-mail them about it...

  5. #5
    WoW I have only heard bad things about dreamhost mostly saying they have so much downtime etc. Now this well that is really bad I never liked them because they oversell so much. But yea try and find a new host if you see fit and or inform them.

  6. #6
    Join Date
    Mar 2006
    Location
    Australia
    Posts
    771
    I'd contact them before moving..

    If you don't wanna email them, i'd try browsing the hosting offers section or just typing "web host" in google which should bring up some hosts with large quantites of space and transfer.. since they get more traffic than anyone else..

  7. #7
    Join Date
    Mar 2006
    Posts
    34
    I'm emailing them.
    Last edited by iterationlab; 02-08-2007 at 03:38 AM.

  8. #8
    Join Date
    Nov 2006
    Posts
    263
    This is quite possibly the stupidest way you could have gone about fixing this.

    A. You shouldn't have viewed other peoples files
    B. You shouldn't have admitted to doing so. I'm sure this is a violation of your AUP.
    C. You should have contacted Dreamhost before telling the thousands of people who view this board

  9. #9
    Join Date
    May 2005
    Location
    Behind a linux box
    Posts
    687
    Quote Originally Posted by tectonic
    I will send them a link to this thread.
    Already done.
    P.S: when I try to get in someone else's directory I get a permission denied.
    Got Fused?

  10. #10
    Join Date
    Mar 2006
    Posts
    34
    You cannot view their home directory, but you can go directly into logs.

    Look, I would never abuse this, I just want to know how to secure my own directory, and I want to let other people know that there is a real issue here.

    Email sent, BTW. I did not intend to air dirty laundry on this thread. I genuinely feel like I should tell people about what I think is a real issue. If moderators disagree, feel free to delete the thread.
    Last edited by iterationlab; 02-08-2007 at 03:55 AM.

  11. #11
    Join Date
    Sep 2003
    Location
    Washington, USA
    Posts
    3,219
    I'm surprised they allow full bash SSH access. If I were Dreamhost, I'd immediately yank everyone's SSH access till they get these access issues resolved.
    SHAW NETWORKS Simple. Professional. Reliable. Web Hosting Done Right.
    Low Cost & Award-Winning: cPanel Reseller Plans 24/7/365 Live Technical Support
    Website: www.shawnetworks.com Fast Response E-mail: sales @ shawnetworks.com
    Sick of downtime? Fed up with excuses? Drop your host! Switch to Shaw Networks.

  12. #12
    Join Date
    Mar 2006
    Posts
    34
    I found this thread and it answers some of my questions. I'm sorry for the ruckus here. I still think dreamhost is pretty insecure, and their default file permissions don't help, but any admin, feel free to delete this thread.

  13. #13
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    838
    Previous host I was using had similar problem, and I insisted about it in their forum for a few weeks to change the setting (change the ownership of the files/dirs).
    Fortunately, they made the change.

    Similarly, if DreamHost change the owner of the directory, we can change the setting.
    Judging from the fact that logs directory and it's contents are owned by the root,
    I think they can be chowned and chmoded without causing any problem.

    So, if they change the owner to each user and chmod 700 on all dirs and files in logs, it should be secure enough for a shared hosting, IMO.
    It shouldn't be difficult to do these.

    I was wrongly thinking that they were using grsec or pax or something to secure all our directories .....

  14. #14
    Join Date
    Oct 2003
    Posts
    566
    Quote Originally Posted by tectonic
    I'm sorry for the ruckus here. I still think dreamhost is pretty insecure, and their default file permissions don't help, but any admin, feel free to delete this thread.
    Why should you? Nobody who didn't even understand the basic concept of *NIX file system permissions should be providing hosting services to the public. The proper way of setting this kind of environment up would be assigning all user accounts to the same group and withdrawing group access permissions from home directories, not to simply assign them world execute permissions without world read permissions, which only forbids directory listings, but not accessing the actual contents. Also, revoking SSH access does not make any difference, if script execution is allowed.

  15. #15
    I do not think any host offer shell access is secure!

  16. #16
    Join Date
    Jan 2005
    Location
    Richmond, VA
    Posts
    3,102
    tectonic, it's rather irresponsible to post that here and not tell Dreamhost. You have just put thousands of accounts in danger. Please contact them at once.
    Daniel B., CEO - Bezoka.com and Ungigs.com
    Hosting Solutions Optimized for: WordPress Joomla OpenCart Moodle
    Data Centers in: Chicago (US), London (UK), Sydney (AU), Sofia (BG), Pori (FI)
    Email Daniel directly: ceo [at] bezoka.com

  17. #17
    daniel be responsible and actually read the thread, ...they have been notified.
    AHFBWEB Less customers per server, more power for you!

    Business Class Shared Hosting

  18. #18
    Join Date
    Jan 2005
    Location
    Richmond, VA
    Posts
    3,102
    Dave, posting what one thinks is a security hole before alerting those who can fix it is irresponsible. If I was a bit late in replying to the thread, I apologize that that has offended you. However, I still maintain my stance that it was irresponsible to post it here first.
    Daniel B., CEO - Bezoka.com and Ungigs.com
    Hosting Solutions Optimized for: WordPress Joomla OpenCart Moodle
    Data Centers in: Chicago (US), London (UK), Sydney (AU), Sofia (BG), Pori (FI)
    Email Daniel directly: ceo [at] bezoka.com

  19. #19
    just as posting he should notify when he already has.
    AHFBWEB Less customers per server, more power for you!

    Business Class Shared Hosting

  20. #20
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,976
    Quote Originally Posted by 2Mhost
    I do not think any host offer shell access is secure!
    Why?
    Offering any file execution (php included) is the equivalent of shell.
    David
    Fused.com web hosting for businesses that don't want to think about web hosting.
    Follow me on twitter @davidandgoliath

  21. #21
    Join Date
    Nov 2003
    Location
    Amidst several dimensions
    Posts
    4,321
    Why?
    Offering any file execution (php included) is the equivalent of shell.
    Not if php does not allow exec and similar functions.

  22. #22
    Join Date
    Oct 2003
    Posts
    566
    Quote Originally Posted by 2Mhost
    I do not think any host offer shell access is secure!
    If providing shell access compromises your system's security, there is something else wrong with your setup.
    Quote Originally Posted by unity100
    Not if php does not allow exec and similar functions.
    Relying on PHP's built-in "security" measures is a very bad idea (as far as I see, Dreamhost don't do that, at least). This concept is inherently flawed, system level security does not belong on the level of a scripting language interpreter. PHP is the only scripting language that offers such a false sense of security (although most of that will change in PHP 6, finally).
    Last edited by aldee; 02-08-2007 at 10:54 AM.

  23. #23
    You can offer jailshell without comprising security. Offering full bash shell access is going to cause problems at times on a shared server.

  24. #24
    Join Date
    Oct 2003
    Posts
    566
    You should never, ever allow anything but jailed services. That includes apache / FTP / SSH and so on and the entire user directory structure (no harm in putting them all into the same changeroot environment). Obviously, a few security related kernel patches will be a good idea as well (grsecurity, for instance). I stand by my statement.
    Last edited by aldee; 02-08-2007 at 12:02 PM.

  25. #25
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    838
    In this particular problem, SSH or script, jailed or not, it doesn't matter.
    The directory is in the user's directory, and any CGI script (or PHP if it's not using obsolete safe_mode + open_basedir) can possbily read it.

    It has nothing to do with the availability of full SSH.

    My previous host didn't offer SSH at all, and it had the exactly same type of problem.

    Servage doesn't offer SSH, and it had much worse situation when I was using them (and possibly it's still unchanged).

    And at many hosts, I think we can see other user's processes with their environments.
    http://www.webhostingtalk.com/showthread.php?t=573049

  26. #26
    Join Date
    Oct 2003
    Posts
    566
    Quote Originally Posted by extras
    In this particular problem, SSH or script, jailed or not, it doesn't matter.
    The directory is in the user's directory, and any CGI script (or PHP if it's not using obsolete safe_mode + open_basedir) can possbily read it.

    It has nothing to do with the availability of full SSH.
    True.
    Quote Originally Posted by extras
    And at many hosts, I think we can see other user's processes with their environments.
    http://www.webhostingtalk.com/showthread.php?t=573049
    That's where the aforementioned kernel hardening patches should come into play (for /proc that is).
    Last edited by aldee; 02-08-2007 at 12:59 PM.

  27. #27
    Join Date
    May 2001
    Posts
    348
    has Dreamhost replied to you guys notice? please post it here if possible.

  28. #28
    You just admittted hacking into dreamhost.

  29. #29
    Join Date
    May 2005
    Location
    Behind a linux box
    Posts
    687
    Hello,


    Thank you for informing us about this, I have sent this to our admins in
    charge of security and they will look into this. Thanks again for letting
    us know


    Javier,
    So we would probably find out soon
    Got Fused?

  30. #30
    Join Date
    Jul 2005
    Location
    Buffalo, NY
    Posts
    2,626
    Quote Originally Posted by Ecko
    You just admittted hacking into dreamhost.
    Do you even know what hacking is? The user changed directories via SSH, that's most certainly not considered hacking.

  31. #31
    Quote Originally Posted by Ecko
    You just admittted hacking into dreamhost.

    As in "I clicked a directory and the security wasn't working" hacking? Thats not called hacking. Thats negligance on the part of the host.

  32. #32
    Join Date
    Jan 2006
    Location
    Sydney, Australia
    Posts
    251
    Quote Originally Posted by eric418
    has Dreamhost replied to you guys notice? please post it here if possible.
    I actually asked DreamHost about it when I signed up with them back in 2005, and they were definitely aware of the issue. I've got a response from "Jordan". Just let me dig out the response -- I think it should be fine posting them here because it was from all the way back.

    The reason for this is that the user dhapache (webserver) needs to be able to read this directory, so it has o+r , Making this directory more secure is something we have looked into for the future but at this time there is no ETA on when it will be completed. These are shared hosting servers so they will not always be as secure as dedicated machines but I do understand your concern and I will look into implementing some kind of fix for the problem.
    Well. That was Nov 18 2005. Not much has been done.

    I've always chmod 600 all my sensitive PHP files anyway, and have since moved away most my dynamic sites to my own VPS.

    Scott

  33. #33
    Quote Originally Posted by Archbob
    As in "I clicked a directory and the security wasn't working" hacking? Thats not called hacking. Thats negligance on the part of the host.

    ok........whatever you say.
    Last edited by Beauty1on1; 02-09-2007 at 02:01 AM.

  34. #34
    Join Date
    May 2001
    Posts
    348
    Quote Originally Posted by ylsy
    I actually asked DreamHost about it when I signed up with them back in 2005, and they were definitely aware of the issue. I've got a response from "Jordan". Just let me dig out the response -- I think it should be fine posting them here because it was from all the way back.


    Well. That was Nov 18 2005. Not much has been done.

    I've always chmod 600 all my sensitive PHP files anyway, and have since moved away most my dynamic sites to my own VPS.

    Scott
    Can i understand it as "everyone on the same server will be able to read everyone else's PHP source with 755"?

    If so, I think i have some work to do immediately.

  35. #35
    Join Date
    Jan 2006
    Location
    Sydney, Australia
    Posts
    251
    Quote Originally Posted by eric418
    Can i understand it as "everyone on the same server will be able to read everyone else's PHP source with 755"?

    If so, I think i have some work to do immediately.
    I can confirm that your understanding is correct, and you definitely should do some work immediately. At least protect those PHP files that contain sensitive information like password and crypto keys, etc. Change them to 600.

    Scott

  36. #36
    Hi,
    Just a question for you guys who deal alot with security. Say on file upload script where you are uploading and creatin thumbnails in the directory. The PHP file that creates the thumbnail is in a folder with permissions set to the regular settings (755 I believe). But for the thumbnail folder itself, the folder that has to be written into, the permissions I've set to 777.

    What dangers are there to setting a folder to 777 permission. It has no files in it except images.

  37. #37
    Join Date
    May 2001
    Posts
    348
    Quote Originally Posted by Archbob
    Hi,
    Just a question for you guys who deal alot with security. Say on file upload script where you are uploading and creatin thumbnails in the directory. The PHP file that creates the thumbnail is in a folder with permissions set to the regular settings (755 I believe). But for the thumbnail folder itself, the folder that has to be written into, the permissions I've set to 777.

    What dangers are there to setting a folder to 777 permission. It has no files in it except images.
    of course there is no risk, if you don't mind everyone reading your file.

  38. #38
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,331
    Quote Originally Posted by PE-Steve
    Do you even know what hacking is? The user changed directories via SSH, that's most certainly not considered hacking.
    Quote Originally Posted by Archbob
    As in "I clicked a directory and the security wasn't working" hacking? Thats not called hacking. Thats negligance on the part of the host.
    Actually, it is hacking under EU and US law (among others).

    The definition of the term "hacking" in this respect simply means gaining access to a resource of which [you] are not explicitly authorised.

    There was a news story I read from a couple of months ago where a user used a web site to donate to a Tsunami Disaster cause. After completing the donation, he began wondering if the site was in fact legit (it was, but it was poorly designed, poorly laid out and there was no confirmation of payment etc.).

    So, he took it upon himself to try and browse up directories to see if the web server was properly secured. This triggered an intruder prevention system, he was logged, reported and prosecuted:

    http://www.theregister.co.uk/2005/10/05/dec_case/
    http://www.theregister.co.uk/2005/10...ker_convicted/
    .
    @jmedwards
    - find me on Twitter!
    Kayako help desk software - we help our customers help their customers

  39. #39
    Quote Originally Posted by eric418
    of course there is no risk, if you don't mind everyone reading your file.
    But they can't do anything malicious in that folder can they? I mean the thumbnails were ment to be seen.

  40. #40
    Quote Originally Posted by IllustriousCube
    This is quite possibly the stupidest way you could have gone about fixing this.

    A. You shouldn't have viewed other peoples files
    B. You shouldn't have admitted to doing so. I'm sure this is a violation of your AUP.
    C. You should have contacted Dreamhost before telling the thousands of people who view this board
    This guy has it 100%

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •