How major of a security flaw is this?

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: spherrod
Originally posted by: TechnoPro
Originally posted by: Hyperblaze
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

it all depends on how the security is setup. mind you, all we can do is make assumptions in this case.

but if you can ftp through people's various accounts. you might not be able to modify squat, but it IS a reasonable assumption that you can download it to your own computer.

In my case, I can browse and download from all other accounts on each server. Cannot rename or delete.

The fact that you can download from other accounts is a security flaw surely? Are you going to push this or just migrate your clients accounts?

First, I go on vacation and forget all of this nonsense for a while.

After that, I plan on researching the validity of the providers above statement, while I push to migrate several client accounts. If, in fact, all shared hosting platforms allow access to others files (either directly or with scripts), I will be shocked.

I don't want to hurt the providers name or reputation without having first researched the underlying technology more closely, which is why I am choosing not to name names. Needless to say, though, they are a big, well-established and well-known company.
 

razor2025

Diamond Member
May 24, 2002
3,010
0
71
Obviously your provider is incompetent morons. It sounds like they were too dumb to configure permissions and manage them properly. I wouldn't trust the provider if they can't even get simple task like these in order. Being able to view other people's file is already a huge security risk, especially with PHP files that stores passwords to DB and what not. If I was in your position, I would drop the host AND the vacation and immediately try to move your client's site to another one.
 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
Originally posted by: razor2025
Obviously your provider is incompetent morons. It sounds like they were too dumb to configure permissions and manage them properly. I wouldn't trust the provider if they can't even get simple task like these in order. Being able to view other people's file is already a huge security risk, especially with PHP files that stores passwords to DB and what not. If I was in your position, I would drop the host AND the vacation and immediately try to move your client's site to another one.

Drop the vacation? That's crazy talk.

All sensitive files have been removed. Plans are underway to switch.
 

Zach

Diamond Member
Oct 11, 1999
3,400
1
81
It used to be common to have every user using the same group, but leave the user directories group readable. They must be old school and not bothering to catch up.
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: TechnoPro

First, I go on vacation and forget all of this nonsense for a while.

After that, I plan on researching the validity of the providers above statement, while I push to migrate several client accounts. If, in fact, all shared hosting platforms allow access to others files (either directly or with scripts), I will be shocked.

I don't want to hurt the providers name or reputation without having first researched the underlying technology more closely, which is why I am choosing not to name names. Needless to say, though, they are a big, well-established and well-known company.

Well, now that you mentioned scripts you got me thinking - IF I knew the usernames of other users on the system, I could do something like this in php:

(note: the root directory of one of my websites would be ~username/public_html/)

fopen("../../otheruser/public_html/index.php")

And since that file is probably world readable, it would let me open it and read the contents. I'll try that on my shared hosting account tonight.

The difference in this case is that you don't have to know the other users' usernames. But if I was also able to execute an ls ../.. from one of my scripts, I could get those too.

Edit: I tried this and it seems PHP can be configured to only allow files to be opened in certain directories.