Who is responsible for script security on a Linux server?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

battered
Forum Newbie
Posts: 2
Joined: Sun Aug 20, 2006 11:36 am

Who is responsible for script security on a Linux server?

Post by battered »

Hello everyone. I just joined the forum. I am new to Linux, although I have many years experience with Windows servers. I have a small website that I bought from a guy on eBay that includes PHP scripts that apparently can send email. I also have a provider (Midphase.com) on the West Coast who is hosting this site on a shared server. While I know ASP very well, I don't know PHP nearly as well. I can read it, but I'm not skilled in writing it.

On a Windows server, if a way is found to put up a script that a spammer can easily use to send spam, the Windows administrator takes steps to insure that that vulnerability can't be exploited. According to Midphase, it's the script writer who is responsible for preventing vulnerabilities of this kind. It took some serious tooth-pulling, but I finally got Midphase to show me how any spammer could use the script on my site to send spam. Sure enough, I was able to send a "spam" to myself using this vulnerability. However, they claim that their server is secure and that it's my responsbility to make sure that the script isn't spammable, not their responsibility.

My question is this: in Linux with PHP, who is responsible for securing the server against such script vulnerabilities: the script writer, or the server administrator? The reason I ask is that on a Windows server, there would be no question about it. The Windows server administrator would insure that no such script could ever be hijacked to send emails from outside the provider's network by an unwanted third party. The idea of blaming the script writer for such a vulnerability would be considered absurd.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

This really depends on your site setup. If you have a server admin then the server admin can do that. Keep in mind that hosting companies are not server administrators. They are merely hosting space renters. They are going to protect their servers, but not your business. If there is a potential for you system to get hijacked orused for spamming purposes within a script, then the app developer should try to the best of their ability to prevent that sort of activity from happening.
battered
Forum Newbie
Posts: 2
Joined: Sun Aug 20, 2006 11:36 am

Post by battered »

Well, I guess you've answered my question. Linux is definitely handled differently from Windows. However, I think that this demonstrates a fatally serious deficiency in Linux's open-source model.

With ASP and Windows, the hosting provider IS the server administrator. Apparently, not so in Linux. This necessarily means that if a relative newbie looks up some company on the web that offers website hosting, he's going to be in for the shock of his life when he signs up with a "cheaper" Linux company and puts up a script from something he found at php.net or a similar location. Then he finds that someone has hijacked his script and he is accused of being a spammer.

So let me get this straight....this state of affairs is supposed to attract newbies to Linux? It strikes me that it's more likely to send them screaming into the night. I've got quite a lot of years experience with computers (not Linux), and this experience nearly sent ME screaming into the night!

If the open source model is nothing more than a gigantic poster child for "caveat emptor," I doubt very much that Linux is going to ever catch on with more than a small minority of the population. Most people don't have my level of patience with computers. Expecting them to become website security experts before they put up websites with simple PHP scripts that they learned or copied from a PHP resource website such as php.net strikes me as being the height of foolishness and a clear formula for failure for the Linux movement.

I guess the moral of the story where newbies to PHP and Linux are concerned is: "Be Afraid. Be Very Afraid."
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

why should a server admin have to fix some coders bad code?
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Someone is confused here. Are you trying to tell me that a Windows web site host is going to look through all the scripts and secure them? Are you trying to say that Linux is less secure than Windows?
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

If I was the admin of a windows hosting server, hosting hundreds of websites, I would make damn sure that the server was rock solid against attack, but I'll be damned if i'm going to audit the (possible) thousands of script files that my clients are hosted on my box.

The same thing applies to linux, take 1and1 for example. I don't know exact figures, but based on the size of their hdd's (1+ tb per box) and their performance, they're hosting thousands of web sites per server. Go ahead and audit that code.... I dare you.

It's the administrators job to secure the server, it's YOUR script, it's YOUR responsibility.

The manufacturer of "The Club" makes sure that their device is secure against attack, but it's not their responsibility to ensure that you've installed it and are using it correctly.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Flawed scripts are the programmer's responsibility, not the server company's. This is true in any environment and server operating system, no exceptions. If a provider is providing security checks for the scripts that's an added benefit of that provider. Their job is only the security of the server from intrusion on things they own and control. You own your code, it is your responsibility. Even if my host offered such security auditing, I would still go through the code myself too; probably even have friends go through it as well.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Lively crowd, aren't we?

@battered: Which Windows hosts do you know of that will secure your asp scripts for you? I'd like in on that because I am pretty new to .NET and I would love a host that managed by mcode for me so I wasn't worried about putting out something dangerous in my early days as a .NET developer?
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

~battered I strongly suggest you read up on Linux 8O Linux is far more secure than windows in terms of ownership. Ever heard of the "root" user? That's the administrator, and the hosting company will have access to that account.

The flaw in your script has absolutely nothing to do with the environment it's hosted in. I'm going to guess that it's either a header-injection, or a register_globals security hole.... either way, the enviroment used cannot fix that since the issue lies with the coder.

Could you explain how you'd prevent this on windows? I'd love to hear about this magical secure system.
User avatar
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

You know those Persits things that you have to install in IIS to use? Maybe he is talking about those?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

My question is this: in Linux with PHP, who is responsible for securing the server against such script vulnerabilities: the script writer, or the server administrator? The reason I ask is that on a Windows server, there would be no question about it. The Windows server administrator would insure that no such script could ever be hijacked to send emails from outside the provider's network by an unwanted third party. The idea of blaming the script writer for such a vulnerability would be considered absurd.
As Everah mentions, I would be interested as well in were I can find these windows hosts. I would sleep a lot better if I could experiment a bit with some scripts, letting my host debug and securing them. Would save me a lot of time as well ..
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Sarcasm in the lowest form of wit.. and there is a lot of it in this thread :/
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Just to clarify, I wasn't being sarcastic. I am new to .NET and would be seriously interested in a host that could protect me from newbie issues with my code. I was asking that from a sincere position.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Everah wrote:Just to clarify, I wasn't being sarcastic. I am new to .NET and would be seriously interested in a host that could protect me from newbie issues with my code. I was asking that from a sincere position.
I really doubt they exist unless you're willing to pay for the support... I certainly don't believe it has anything to do with the OS the server is running ;)
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

yes, I think the original poster is confused. (No offense)
Post Reply