Dreamhost is COMPLETELY INSECURE

  #1  
Junior Guru Wannabe
 
Join Date: Mar 2006
Posts: 34

I was just playing with dreamhost and you can browse into other people's directories!

I just went back a level in the structure, picked an NFS mount (they start with periods, as if that hides them or something), browsed into someone's directory, went into logs (which is world viewable and tells me the name of their domain name), checked out their access log (which would show me any password sent via GET), browsed into their web directory since now I know its name, and explored their files, including finding out their wordpress mysql password. As far as I can tell, this works for EVERY user, and you can't secure it because if any of those directories are set with non-world-readable permissions, the hosting won't work.

Wow.

Time for me to find a new host. Any recommendations on a host with similarly large quantities of storage and bandwidth, but that is secure?



  #2  
Older than the Internet
 
Join Date: Feb 2002
Location: Australia
Posts: 23,995
Have you informed them of this possible security concern?

__________________
AussieHost.com Aussie Bob, host since 2001
Host Multiple Domains on Fast Australian Servers!!

  #3  
Junior Guru Wannabe
 
Join Date: Mar 2006
Posts: 34
Informed who? I'm fairly sure that DreamHost knows their setup is insecure.

  #4  
Custom Hosting Master
 
Join Date: Jan 2007
Posts: 2,602
Still, you should e-mail them about it...

  #5  
Junior Guru Wannabe
 
Join Date: May 2005
Posts: 30
Wow, I have only heard bad things about dreamhost, mostly saying they have so much downtime etc. Now this, well, that is really bad. I never liked them because they oversell so much. But yeah, try and find a new host if you see fit and/or inform them.

  #6  
Web Hosting Master
 
Join Date: Mar 2006
Location: Australia
Posts: 770
I'd contact them before moving..

If you don't wanna email them, I'd try browsing the hosting offers section or just typing "web host" in Google which should bring up some hosts with large quantities of space and transfer.. since they get more traffic than anyone else..


  #7  
Junior Guru Wannabe
 
Join Date: Mar 2006
Posts: 34
I'm emailing them.


Last edited by iterationlab; 02-08-2007 at 03:38 AM.
  #8  
Web Hosting Guru
 
Join Date: Nov 2006
Posts: 263
This is quite possibly the stupidest way you could have gone about fixing this.

A. You shouldn't have viewed other people's files
B. You shouldn't have admitted to doing so. I'm sure this is a violation of your AUP.
C. You should have contacted Dreamhost before telling the thousands of people who view this board

  #9  
Web Hosting Master
 
Join Date: May 2005
Location: Behind a linux box
Posts: 687
Quote:
Originally Posted by tectonic
I will send them a link to this thread.
Already done.
P.S: when I try to get in someone else's directory I get a permission denied.

__________________
Got Fused?

  #10  
Junior Guru Wannabe
 
Join Date: Mar 2006
Posts: 34
You cannot view their home directory, but you can go directly into logs.

Look, I would never abuse this, I just want to know how to secure my own directory, and I want to let other people know that there is a real issue here.

Email sent, BTW. I did not intend to air dirty laundry on this thread. I genuinely feel like I should tell people about what I think is a real issue. If moderators disagree, feel free to delete the thread.


Last edited by iterationlab; 02-08-2007 at 03:55 AM.
  #11  
Hosting Specialist
 
Join Date: Sep 2003
Location: Washington, USA
Posts: 3,219
I'm surprised they allow full bash SSH access. If I were Dreamhost, I'd immediately yank everyone's SSH access till they get these access issues resolved.


  #12  
Junior Guru Wannabe
 
Join Date: Mar 2006
Posts: 34
I found this thread and it answers some of my questions. I'm sorry for the ruckus here. I still think dreamhost is pretty insecure, and their default file permissions don't help, but any admin, feel free to delete this thread.

  #13  
Web Hosting Master
 
Join Date: Aug 2005
Location: Canada
Posts: 838
A previous host I was using had a similar problem, and I insisted about it in their forum for a few weeks to change the setting (change the ownership of the files/dirs).
Fortunately, they made the change.

Similarly, if DreamHost changes the owner of the directory, we can change the setting.
Judging from the fact that the logs directory and its contents are owned by root,
I think they can be chowned and chmoded without causing any problem.

So, if they change the owner to each user and chmod 700 on all dirs and files in logs, it should be secure enough for shared hosting, IMO.
It shouldn't be difficult to do these.

I was wrongly thinking that they were using grsec or pax or something to secure all our directories .....

  #14  
Web Hosting Master
 
Join Date: Oct 2003
Posts: 566
Quote:
Originally Posted by tectonic
I'm sorry for the ruckus here. I still think dreamhost is pretty insecure, and their default file permissions don't help, but any admin, feel free to delete this thread.
Why should you? Nobody who doesn't even understand the basic concept of *NIX file system permissions should be providing hosting services to the public. The proper way of setting this kind of environment up would be assigning all user accounts to the same group and withdrawing group access permissions from home directories, not to simply assign them world execute permissions without world read permissions, which only forbids directory listings, but not accessing the actual contents. Also, revoking SSH access does not make any difference, if script execution is allowed.
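
Added example, not part of any post in this thread: a mode-bit audit an account owner can run over their own directory to see the difference posts #13 and #14 describe between a directory that is listable (o+r and o+x), one that is only traversable (o+x alone), and one closed with chmod 700. The function names, the sample tree and its file names are constructed for illustration, and the audit assumes every directory above the starting point is traversable by other users.

```python
import os
import stat
import tempfile

def audit_other_access(root):
    """List what users outside the owner and group can reach under root.

    Judged from mode bits only. Assumption: every directory above root is
    already traversable by others, as on the shared host in the thread.
    """
    findings = []
    reachable = {root: True}
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        # Entering a directory needs o+x on it and on every parent.
        can_enter = reachable[dirpath] and bool(mode & stat.S_IXOTH)
        rel = os.path.relpath(dirpath, root)
        if can_enter:
            # o+x without o+r hides the listing, but known names still open.
            kind = "listable-dir" if mode & stat.S_IROTH else "traversable-dir"
            findings.append((kind, rel))
        for d in dirnames:
            reachable[os.path.join(dirpath, d)] = can_enter
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if can_enter and stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append(("readable-file", os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample home directory; names and modes are illustrative."""
    root = tempfile.mkdtemp()
    layout = {"logs": (0o755, {"access.log": 0o644}),
              "private": (0o700, {"secret.txt": 0o644}),
              "site": (0o711, {"wp-config.php": 0o644, "key.pem": 0o600})}
    for dname, (dmode, files) in layout.items():
        os.mkdir(os.path.join(root, dname))
        for fname, fmode in files.items():
            path = os.path.join(root, dname, fname)
            open(path, "w").close()
            os.chmod(path, fmode)
        os.chmod(os.path.join(root, dname), dmode)
    os.chmod(root, 0o711)
    return root

if __name__ == "__main__":
    for kind, path in audit_other_access(build_sample_tree()):
        print(f"{kind:16} {path}")
```

In the sample tree, `site` is not listable, yet `site/wp-config.php` is still reported because its name is guessable and the directory is traversable; only `private` (mode 700) keeps its world-readable file out of reach.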

  #15  
Web Hosting Master
 
Join Date: Aug 2001
Posts: 667
I do not think any host offering shell access is secure!

__________________
http://www.2mhost.com
since 2001
