How major of a security flaw is this?

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
I administer several business and personal websites hosted with a large and reputable hosting company. Via FTP, I can access the files of the other users on the server. No hacking, no trickery, just a few mouse clicks from the FTP client and I can see all files of the other users.

How severe would you consider this flaw?
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: spherrod
sounds very severe to me - I assume you access the FTP site with a username and password and once in you can access anything?

Yes, login with user name and password, navigate through a few directories, then boom... A full user listing, where clicking on each user name reveals the full content of what they have hosted on the site. Read only access, but still...
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
Is this with a super user account (root or uid 0) or just a normal user account? If it's a normal user account (not a reseller account with the hosting company or root or something), even read-only access is bad as they can download any of your files. You should jail each user into their home directory; the ProFTPD directive for this is DefaultRoot ~
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: spherrod
sounds like quite a flaw - have you contacted the company about this yet?

Unlike other denizens of ATOT, I take action first, then post about it... So yes.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: DaiShan
Is this with a super user account (root or uid 0) or just a normal user account? If it's a normal user account (not a reseller account with the hosting company or root or something), even read-only access is bad as they can download any of your files. You should jail each user into their home directory; the ProFTPD directive for this is DefaultRoot ~

Normal user account. I have tested this with different accounts from different clients of mine. The flaw is prevalent across their servers apparently.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: spherrod
Originally posted by: TechnoPro
Originally posted by: spherrod
sounds like quite a flaw - have you contacted the company about this yet?

Unlike other denizens of ATOT, I take action first, then post about it... So yes.

:D good, be interesting to hear their response

3 hours later, nothing other than the immediate auto-reply.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: DaiShan
Are you not able to edit the conf files yourself?

No clue. I farm out all web-related projects. I was just checking on an automated backup that gets FTP'd to the client's site when I discovered the glitch.

What should I know about editing conf files?
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
What tech support wrote back to me...

Hello,

What you're seeing may look like a security problem, but is in fact a normal arrangement for a shared web hosting server. Put simply, you can look at other people's files, but you cannot touch them. The default setting for user accounts is that you can look at other users' files and directories, but you cannot modify them.

Many UNIX-based Web hosts set up their shared servers in this manner.
This configuration possesses many benefits for shared hosting customers and does not represent a security problem.

With our default settings and permissions, other users on your shared server cannot modify your files nor can they see your e-mail, which resides in an alternate location on the server.

The two main reasons we have chosen to configure our servers in this manner are:

1. To not give our customers a false sense of security. Even if these files are "hidden," individuals on the shared server can still view customers' files using simple scripts.

2. To optimize performance. One way to "hide" and protect your files is to remove "group" and "other" permissions and then use cgiwrap or php-cgiwrap so that they can still be executed by the server. However, if all files on a shared server used cgiwrap, then the performance of the server would be degraded.

To use an analogy, shared hosting is like living in a glass house in a secure, gated community where all of your neighbors also live in glass homes. Yes, these "neighbors" can see your files, but these files are only the files in the public Web and Home directories and do not include your e-mail. In addition, these "neighbors" cannot modify or change your files if the default permissions are used.

If you wish, you can keep other users from even being able to look at your directories by changing your directory permissions. If you would like to do this, please let us know, and we can give you instructions on how.

Please know that as long as you are using the default settings for your account, your files are safe from modification by other users.

If you have any more questions or concerns, please feel free to contact us.
 
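The permission change the support reply alludes to (removing the "group" and "other" read bits), with the audit a customer would run before and after, as an added example that is not from the thread or the hosting company. It assumes a POSIX shell with find, chmod and mktemp, the account directory passed as an argument, and function names of my own.

```shell
#!/bin/sh
# Added example (not from the thread or the host): audit a shared-hosting
# account directory for entries that "group" or "other" can read, and strip
# those bits. Assumes POSIX sh plus find, chmod and mktemp; names are mine.

# Print how many files and directories under $1 are readable by group (040)
# or other (004). Any such entry is downloadable by a neighbouring FTP user
# whose session is not jailed to its own home directory.
count_group_other_readable() {
    find "$1" \( -type f -o -type d \) \( -perm -040 -o -perm -004 \) -print \
        | wc -l | tr -d ' '
}

# Remove group/other bits: directories to 700, files to 600. Only safe where
# scripts run as the account owner (cgiwrap/suexec); with a shared web server
# user this would make the site unreadable, which is the host's point 2.
tighten_permissions() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed sample account using the permissive defaults the support reply
# describes (755 directories, 644 files); the contents are placeholders.
make_sample_account() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html" "$root/backup"
    printf '<?php $db_pass = "placeholder";\n' > "$root/public_html/config.php"
    printf 'nightly dump placeholder\n' > "$root/backup/site.tar.gz"
    chmod 755 "$root" "$root/public_html" "$root/backup"
    chmod 644 "$root/public_html/config.php" "$root/backup/site.tar.gz"
    printf '%s\n' "$root"
}

# Stand-alone run: report the count before and after tightening.
demo() {
    acct=$(make_sample_account)
    before=$(count_group_other_readable "$acct")
    tighten_permissions "$acct"
    after=$(count_group_other_readable "$acct")
    rm -rf "$acct"
    printf 'readable by group/other: before=%s after=%s\n' "$before" "$after"
}

demo
```

The per-account permissions only limit what a neighbour can read once they are already browsing outside their own directory; the server-side fix DaiShan names, jailing each FTP login to its home with ProFTPD's DefaultRoot ~, is what stops the browsing itself.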

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
I've worked at Unix based web hosting companies before....and we did not work like this at all.

Have fun with your hosting provider.
 

Rubycon

Madame President
Aug 10, 2005
17,768
485
126
I'm no network guru but it sounds like the host is cheap and only has one ip on the box!
 
Jun 4, 2005
19,723
1
0
So you mean I can read your php files and get your database username and password? Sweet.

:roll: This company sounds like a winner.
 

Rubycon

Madame President
Aug 10, 2005
17,768
485
126
Originally posted by: LoKe
So you mean I can read your php files and get your database username and password? Sweet.

:roll: This company sounds like a winner.


Yeah but do that and somebody's definitely telling! :laugh:
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: Hyperblaze
I've worked at Unix based web hosting companies before....and we did not work like this at all.

Have fun with your hosting provider.

Not my provider... I have several clients with them. Clients who will soon have a provider migration plan drafted up and marked urgent.
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
Originally posted by: MS Dawn
Originally posted by: LoKe
So you mean I can read your php files and get your database username and password? Sweet.

:roll: This company sounds like a winner.


Yeah but do that and somebody's definitely telling! :laugh:

they might actually monitor the ftp activity.

if they notice an account is downloading files from another account...termination of service....

but even then, to make that even possible....

I feel sorry for the security.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.
 
Jun 4, 2005
19,723
1
0
Originally posted by: Hyperblaze
Originally posted by: MS Dawn
Originally posted by: LoKe
So you mean I can read your php files and get your database username and password? Sweet.

:roll: This company sounds like a winner.


Yeah but do that and somebody's definitely telling! :laugh:

they might actually monitor the ftp activity.

if they notice an account is downloading files from another account...termination of service....

but even then, to make that even possible....

I feel sorry for the security.

Terminate my service all you want. I've got the database information for everyone under the host. :laugh:
 

Eos

Diamond Member
Jun 14, 2000
3,463
17
81
This happened to me once.

In 1996.

www.pond.net if anyone might recall them.

I remember loading some files via FTP and then double clicking the up arrow and being very surprised to see the other accounts. I don't recall if I tried to transfer files from theirs to mine.
 

Hyperblaze

Lifer
May 31, 2001
10,027
1
81
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

It all depends on how the security is set up. Mind you, all we can do is make assumptions in this case.

But if you can FTP through people's various accounts, you might not be able to modify squat, but it IS a reasonable assumption that you can download it to your own computer.

 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

At very least you should not be able to view others' files via FTP. But if someone has shell access to the server, I'm not sure how they could prevent people from reading your files if you set the permissions to world readable. Someone please correct me if I'm wrong...

I imagine that's one of the reasons many shared web hosts don't give you shell access.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: Hyperblaze
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

It all depends on how the security is set up. Mind you, all we can do is make assumptions in this case.

But if you can FTP through people's various accounts, you might not be able to modify squat, but it IS a reasonable assumption that you can download it to your own computer.

In my case, I can browse and download from all other accounts on each server. Cannot rename or delete.
 

spherrod

Diamond Member
Mar 21, 2003
3,897
0
0
www.steveherrod.com
Originally posted by: TechnoPro
Originally posted by: Hyperblaze
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

It all depends on how the security is set up. Mind you, all we can do is make assumptions in this case.

But if you can FTP through people's various accounts, you might not be able to modify squat, but it IS a reasonable assumption that you can download it to your own computer.

In my case, I can browse and download from all other accounts on each server. Cannot rename or delete.

The fact that you can download from other accounts is a security flaw surely? Are you going to push this or just migrate your clients' accounts?