Who is responsible for script security on a Linux server?
Posted: Sun Aug 20, 2006 11:40 am
by battered
Hello everyone. I just joined the forum. I am new to Linux, although I have many years experience with Windows servers. I have a small website that I bought from a guy on eBay that includes PHP scripts that apparently can send email. I also have a provider (Midphase.com) on the West Coast who is hosting this site on a shared server. While I know ASP very well, I don't know PHP nearly as well. I can read it, but I'm not skilled in writing it.
On a Windows server, if a way is found to put up a script that a spammer can easily use to send spam, the Windows administrator takes steps to ensure that that vulnerability can't be exploited. According to Midphase, it's the script writer who is responsible for preventing vulnerabilities of this kind. It took some serious tooth-pulling, but I finally got Midphase to show me how any spammer could use the script on my site to send spam. Sure enough, I was able to send a "spam" to myself using this vulnerability. However, they claim that their server is secure and that it's my responsibility to make sure that the script isn't spammable, not their responsibility.
My question is this: in Linux with PHP, who is responsible for securing the server against such script vulnerabilities: the script writer, or the server administrator? The reason I ask is that on a Windows server, there would be no question about it. The Windows server administrator would ensure that no such script could ever be hijacked to send emails from outside the provider's network by an unwanted third party. The idea of blaming the script writer for such a vulnerability would be considered absurd.
Posted: Sun Aug 20, 2006 11:47 am
by RobertGonzalez
This really depends on your site setup. If you have a server admin then the server admin can do that. Keep in mind that hosting companies are not server administrators. They are merely hosting space renters. They are going to protect their servers, but not your business. If there is a potential for your system to get hijacked or used for spamming purposes within a script, then the app developer should try to the best of their ability to prevent that sort of activity from happening.
Posted: Sun Aug 20, 2006 12:05 pm
by battered
Well, I guess you've answered my question. Linux is definitely handled differently from Windows. However, I think that this demonstrates a fatally serious deficiency in Linux's open-source model.
With ASP and Windows, the hosting provider IS the server administrator. Apparently, not so in Linux. This necessarily means that if a relative newbie looks up some company on the web that offers website hosting, he's going to be in for the shock of his life when he signs up with a "cheaper" Linux company and puts up a script from something he found at php.net or a similar location. Then he finds that someone has hijacked his script and he is accused of being a spammer.
So let me get this straight... this state of affairs is supposed to attract newbies to Linux? It strikes me that it's more likely to send them screaming into the night. I've got quite a lot of years' experience with computers (not Linux), and this experience nearly sent ME screaming into the night!
If the open source model is nothing more than a gigantic poster child for "caveat emptor," I doubt very much that Linux is going to ever catch on with more than a small minority of the population. Most people don't have my level of patience with computers. Expecting them to become website security experts before they put up websites with simple PHP scripts that they learned or copied from a PHP resource website such as php.net strikes me as being the height of foolishness and a clear formula for failure for the Linux movement.
I guess the moral of the story where newbies to PHP and Linux are concerned is: "Be Afraid. Be Very Afraid."
Posted: Sun Aug 20, 2006 12:46 pm
by Charles256
Why should a server admin have to fix some coder's bad code?
Posted: Sun Aug 20, 2006 1:22 pm
by Benjamin
Someone is confused here. Are you trying to tell me that a Windows web site host is going to look through all the scripts and secure them? Are you trying to say that Linux is less secure than Windows?
Posted: Sun Aug 20, 2006 1:44 pm
by nickvd
If I were the admin of a Windows hosting server, hosting hundreds of websites, I would make damn sure that the server was rock solid against attack, but I'll be damned if I'm going to audit the (possible) thousands of script files that my clients have hosted on my box.
The same thing applies to Linux; take 1and1 for example. I don't know exact figures, but based on the size of their HDDs (1+ TB per box) and their performance, they're hosting thousands of web sites per server. Go ahead and audit that code... I dare you.
It's the administrator's job to secure the server; it's YOUR script, it's YOUR responsibility.
The manufacturer of "The Club" makes sure that their device is secure against attack, but it's not their responsibility to ensure that you've installed it and are using it correctly.
Posted: Sun Aug 20, 2006 2:41 pm
by feyd
Flawed scripts are the programmer's responsibility, not the server company's. This is true in any environment and server operating system, no exceptions. If a provider is providing security checks for the scripts that's an added benefit of that provider. Their job is only the security of the server from intrusion on things they own and control. You own your code, it is your responsibility. Even if my host offered such security auditing, I would still go through the code myself too; probably even have friends go through it as well.
Posted: Sun Aug 20, 2006 5:43 pm
by RobertGonzalez
Lively crowd, aren't we?
@battered: Which Windows hosts do you know of that will secure your ASP scripts for you? I'd like in on that, because I am pretty new to .NET and I would love a host that managed my code for me so I wasn't worried about putting out something dangerous in my early days as a .NET developer.
Posted: Sun Aug 20, 2006 5:58 pm
by Chris Corbyn
~battered I strongly suggest you read up on Linux

Linux is far more secure than Windows in terms of ownership. Ever heard of the "root" user? That's the administrator, and the hosting company will have access to that account.
The flaw in your script has absolutely nothing to do with the environment it's hosted in. I'm going to guess that it's either a header-injection, or a register_globals security hole... either way, the environment used cannot fix that since the issue lies with the coder.
Could you explain how you'd prevent this on windows? I'd love to hear about this magical secure system.
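As an added example (not code from the thread or from the poster's script), this is the kind of guard a PHP mail form needs against the header-injection Chris guesses at: any form value that ends up in a mail() header must be free of line breaks, and the recipient must never come from the form. The owner address and the field contents are assumptions for the demonstration.

```php
<?php
// Added example, not from the thread: guard a contact-form mail script
// against header injection. mail() joins extra headers with CRLF, so a
// field containing "\r\n" could append headers such as Bcc:. PHP has
// already decoded %0D%0A from the request, so checking for raw CR/LF is enough.

const SITE_OWNER = 'owner@example.com';   // assumed recipient; never taken from the form

// Return the value if it may be placed in a mail header, or null if it
// carries line breaks / NUL (the injection vector) or is unreasonably long.
function safe_header_value(string $value, int $max = 200): ?string
{
    if (strlen($value) > $max) {
        return null;
    }
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    return $value;
}

// Build the subject and extra headers for the notification mail, or return
// null to refuse sending. The visitor's address goes in Reply-To only;
// From stays under the site's control so the script cannot be used as an open relay.
function build_headers(string $fromField, string $subjectField): ?array
{
    $from = filter_var($fromField, FILTER_VALIDATE_EMAIL);
    if ($from === false || safe_header_value($from) === null) {
        return null;
    }
    $subject = safe_header_value($subjectField);
    if ($subject === null) {
        return null;
    }
    return [
        'subject' => $subject,
        'headers' => "From: " . SITE_OWNER . "\r\nReply-To: " . $from . "\r\n",
    ];
}

// Constructed inputs: a normal submission and one carrying an injected line break.
$ok  = build_headers('visitor@example.net', 'Question about your site');
$bad = build_headers('visitor@example.net', "Hi\r\nBcc: someone@example.org");

if ($ok !== null && $bad === null) {
    // Only the clean submission reaches mail(); the other is refused outright.
    mail(SITE_OWNER, $ok['subject'], 'Message body from the form', $ok['headers']);
    echo "clean submission sent, injected one refused\n";
}
```

Log the refused submissions (with the offending field) so that probing of the form shows up in the site's own logs rather than only in the host's mail queue.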
Posted: Sun Aug 20, 2006 6:36 pm
by daedalus__
You know those Persits things that you have to install in IIS to use? Maybe he is talking about those?
Posted: Mon Aug 21, 2006 12:30 am
by matthijs
battered wrote:My question is this: in Linux with PHP, who is responsible for securing the server against such script vulnerabilities: the script writer, or the server administrator? The reason I ask is that on a Windows server, there would be no question about it. The Windows server administrator would ensure that no such script could ever be hijacked to send emails from outside the provider's network by an unwanted third party. The idea of blaming the script writer for such a vulnerability would be considered absurd.
As Everah mentions, I would be interested as well in where I can find these Windows hosts. I would sleep a lot better if I could experiment a bit with some scripts, letting my host debug and secure them. Would save me a lot of time as well...
Posted: Mon Aug 21, 2006 2:39 am
by Jenk
Sarcasm is the lowest form of wit... and there is a lot of it in this thread :/
Posted: Mon Aug 21, 2006 8:34 am
by RobertGonzalez
Just to clarify, I wasn't being sarcastic. I am new to .NET and would be seriously interested in a host that could protect me from newbie issues with my code. I was asking that from a sincere position.
Posted: Mon Aug 21, 2006 9:05 am
by Chris Corbyn
Everah wrote:Just to clarify, I wasn't being sarcastic. I am new to .NET and would be seriously interested in a host that could protect me from newbie issues with my code. I was asking that from a sincere position.
I really doubt they exist unless you're willing to pay for the support... I certainly don't believe it has anything to do with the OS the server is running.

Posted: Mon Aug 21, 2006 10:02 am
by Luke
Yes, I think the original poster is confused. (No offense.)